Introduction to basic governance in Azure - #GABDK
1. Introduction to basic governance in Azure
Peter Selch Dahl – Azure MVP – I’m ALL Cloud First
- Taking back control of your Azure Subscription with light-weight governance and logging
2. Microsoft MCSA: Cloud Platform - Certified 2018,
Microsoft MCSA: Office 365 - Certified 2018,
Microsoft MCSE: Cloud Platform and Infrastructure - Certified 2018
Microsoft MCSA: 2016 Windows Server 2016,
Microsoft MCSA: 2012 Windows Server 2012,
Microsoft MCITP: 2008 Server and Enterprise Administrator,
Microsoft MCSA: 2008 Windows Server 2008,
Microsoft MCSA/MCSE: 2003 Security,
Microsoft MCSA/MCSE: 2000 Security,
VMware Certified Professional VI3/VI4/VI5,
CompTIA A+, Network+,
EC-Council: Certified Ethical Hacker (CEH v7),
And more
Peter Selch Dahl
Cloud Architect, Azure MVP
Twitter: @PeterSelchDahl
Web: www.peterdahl.net
Blog: http://blog.peterdahl.net
Mail: psd@apento.com
3. • Azure AD PIM
• Azure Locks
• Azure AD Access Review
• And more
11. Azure AD Privileged Identity Management (PIM)
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that
enables you to manage, control, and monitor access to important resources in your
organization. This includes access to resources in Azure AD, Azure resources, and other
Microsoft Online Services like Office 365 or Microsoft Intune.
• Provide just-in-time privileged access to Azure AD and Azure resources
• Assign time-bound access to resources using start and end dates
• Require approval to activate privileged roles
• Enforce multi-factor authentication to activate any role
• Use justification to understand why users activate
• Get notifications when privileged roles are activated
• Conduct access reviews to ensure users still need roles
• Download audit history for internal or external audit
20. Protect your keys and secrets!
BAD: In-code passwords
Better: Azure KeyVault
BEST: MSI
21. Managed identities for Azure resources
Automatically managed service principals in Azure Active Directory, exclusively dedicated
to Azure service instances.
They enable Azure workloads to authenticate to cloud services*, without needing
credentials in code.
22. Analogy
Keys = SAS keys, username and password, etc.
Built-in garage door opener = System assigned managed identity (tied to one resource)
Hand-held garage door opener = User assigned managed identity (shared between multiple resources)
Workloads (Virtual Machine, App Services, Functions, etc.) use these to reach target services (Azure Storage, Key Vault, Resource Manager, etc.).
23. The bigger picture…
Application / script running on an Azure VM, App Service, Function, etc. -> Get token -> MSI Endpoint / Id Object -> Azure Active Directory
25. Managed identity provisioning (Example using VM)
1. Azure Resource Manager is the orchestrator. Supported via: Portal, PowerShell, CLI, Template, REST and Azure SDKs.
2. Service Principal gets created in Azure AD. These are treated as special service principals, which belong to a Managed Identity.
3. Service Principal details are given to the Compute Resource Provider. The resource is created/updated with the identity details.
4. Managed Identity (service principal) can be granted permissions via RBAC.
5. Code running inside the VM can request tokens via IMDS.
6. Managed Identity sub-system requests the actual token from Azure AD.
27. Access patterns using managed identities
1. Services that support Azure AD authentication
Azure Resource Manager
Azure Key Vault
Azure Data Lake
Azure SQL
Azure Event Hubs
Azure Service Bus
Azure Storage
Azure AD Graph API
2. Services that depend on Access Keys for authentication
Access keys stored in: Azure Key Vault or Azure Resource Manager
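As an added example (not from the deck), here is the token flow from steps 5 and 6 of the provisioning slide together with access pattern 1: code inside the VM asks IMDS for a token, caches it until shortly before expiry, and presents it to Key Vault as a bearer token, so no credential ever sits in the code. The vault name, secret name and client_id used are assumed placeholders; `fetch` and `now` are injectable so the logic can be exercised off-VM.

```python
import json
import time
import urllib.parse
import urllib.request
# Azure Instance Metadata Service (IMDS) token endpoint; reachable only from
# inside the VM / App Service / Function that owns the managed identity.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

def build_imds_request(resource, client_id=None):
    """IMDS token request for `resource` (e.g. https://vault.azure.net).
    System-assigned identity: no extra parameter; user-assigned: pass its client_id."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header (blocks forwarded/redirected calls).
    return urllib.request.Request(url, headers={"Metadata": "true"})

def _default_fetch(request):
    with urllib.request.urlopen(request, timeout=5) as resp:
        return resp.read().decode("utf-8")

class ManagedIdentityTokenCache:
    """Per-resource token cache that refreshes shortly before expiry (IMDS throttles)."""

    def __init__(self, fetch=_default_fetch, now=time.time,
                 refresh_margin=300, client_id=None):
        self._fetch, self._now = fetch, now
        self._margin, self._client_id = refresh_margin, client_id
        self._cache = {}

    def get_token(self, resource):
        cached = self._cache.get(resource)
        if cached and cached["expires_on"] - self._now() > self._margin:
            return cached["access_token"]
        req = build_imds_request(resource, self._client_id)
        body = json.loads(self._fetch(req))
        if "access_token" not in body or "expires_on" not in body:
            raise ValueError("unexpected IMDS token response")
        token = {"access_token": body["access_token"],
                 "expires_on": int(body["expires_on"])}  # epoch seconds
        self._cache[resource] = token
        return token["access_token"]

def build_key_vault_secret_request(vault_name, secret_name, access_token):
    """GET a secret via the Key Vault REST API with the IMDS-issued bearer token."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.0"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
```

The identity still needs a Key Vault access policy or RBAC assignment (step 4) before the secret request succeeds.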
29. Azure Locks
• CanNotDelete means authorized users can still read and modify a resource, but they
can't delete the resource.
• ReadOnly means authorized users can read a resource, but they can't delete or update
the resource. Applying this lock is similar to restricting all authorized users to the
permissions granted by the Reader role.
33. Azure Sentinel
Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security
orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and
threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive
hunting, and threat response.
34. Azure Active Directory Activity logs in Azure Log Analytics
Microsoft provides some great tools for auditing and insights into the data that has been logged. Most of
these tools depend on extra configuration and licensing to give you the insight that is needed.
How would you look up data that is older than 100 days?
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention
• https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#before-you-begin
Back in our global administrators portal, we can track the changes in privileged role assignments and role activation history.
CLICK STEP(S)
On the Manage privileged roles blade, click Audit history.
Point out: the business justification entered above, which is displayed in the Reasoning column.
The admin can see Isaiah requested access as a Global Administrator and the reasoning given. This information can be critical for auditing and forensic investigations.
Closing remarks:
With Azure Active Directory Privileged Identity Management, you can manage, control, and monitor access within your organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.
Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious user getting that access. However, users still need to carry out privileged operations in Azure, Office 365, or SaaS apps. Organizations give users privileged access in Azure AD without monitoring what those users are doing with their admin privileges. Azure AD Privileged Identity Management helps to resolve this risk.
Azure AD Privileged Identity Management helps you:
• See which users are Azure AD administrators
• Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune
• Get reports about administrator access history and changes in administrator assignments
• Get alerts about access to a privileged role