Az 900 Identity Access

This document provides an overview of Azure identity, access, and security services, including:
 Azure Active Directory, which provides authentication, single sign-on, application management, and device management capabilities.
 Azure Active Directory Domain Services, which provides managed domain services without needing to deploy and manage domain controllers.
 The defense in depth security model, which employs multiple layers of security: physical, identity and access, perimeter, network, compute, application, and data.
 Microsoft Defender for Cloud, which provides security monitoring, detection, and response capabilities across Azure PaaS services, Azure data services, and hybrid/multi-cloud environments.

Uploaded by mahesh

Describe Azure identity, access, and security

Learning objectives
After completing this module, you’ll be able to:
 Describe directory services in Azure, including Azure Active Directory (AD) and Azure AD DS.
 Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication (MFA), and passwordless.
 Describe external identities and guest access in Azure.
 Describe Azure AD Conditional Access.
 Describe Azure Role-Based Access Control (RBAC).
 Describe the concept of Zero Trust.
 Describe the purpose of the defense in depth model.
 Describe the purpose of Microsoft Defender for Cloud.
Describe Azure directory services
Azure Active Directory (Azure AD) is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop.
Azure AD is Microsoft's cloud-based identity and access management service. When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts.
Who uses Azure AD?
Azure AD is for:
 IT administrators.
 App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user's existing credentials.
 Online service subscribers. Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers are already using Azure AD to authenticate into their account.
What does Azure AD do?
Azure AD provides services such as:
 Authentication: This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.
 Single sign-on: Single sign-on (SSO) enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.
 Application management: You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal, and single sign-on provide a better user experience.
 Device management: Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.
Can I connect my on-premises AD with Azure AD?
One method of connecting Azure AD with your on-premises AD is using Azure AD Connect. Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.
What is Azure Active Directory Domain Services?
Azure Active Directory Domain Services (Azure AD DS) is a service that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. Just like Azure AD lets you use directory services without having to maintain the infrastructure supporting it, with Azure AD DS you get the benefit of domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment.
Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.
How does Azure AD DS work?
When you create an Azure AD DS managed domain, you define a unique namespace. This namespace is the domain name. Two Windows Server domain controllers are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.
You don't need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups and encryption at rest using Azure Disk Encryption.
Is information synchronized?
A managed domain is configured to perform a one-way synchronization from Azure AD to Azure AD DS. You can create resources directly in the managed domain, but they aren't synchronized back to Azure AD. In a hybrid environment with an on-premises AD DS environment, Azure AD Connect synchronizes identity information with Azure AD, which is then synchronized to the managed domain.
Applications, services, and VMs in Azure that connect to the managed domain can then use common Azure AD DS features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication.
Layers of defense-in-depth
Here's a brief overview of the role of each layer:
 The physical security layer is the first line of defense to protect computing hardware in the datacenter.
 The identity and access layer controls access to infrastructure and change control.
 The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
 The network layer limits communication between resources through segmentation and access controls.
 The compute layer secures access to virtual machines.
 The application layer helps ensure that applications are secure and free of security vulnerabilities.
 The data layer controls access to business and customer data that you need to protect.
These layers provide a guideline for you to help make security configuration decisions in all of the layers of your applications.
Azure provides security tools and features at every level of the defense-in-depth concept. Let's take a closer look at each layer:
Physical security
Physically securing access to buildings and controlling access to computing hardware within the datacenter are the first line of defense.
Identity and access
The identity and access layer is all about ensuring that identities are secure, that access is granted only to what's needed, and that sign-in events and changes are logged.
At this layer, it's important to:
 Control access to infrastructure and change control.
 Use single sign-on (SSO) and multifactor authentication.
 Audit events and changes.
Perimeter
The network perimeter protects from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
At this layer, it's important to:
 Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
 Use perimeter firewalls to identify and alert on malicious attacks against your network.
Network
At this layer, the focus is on limiting the network connectivity across all your resources to allow only what's required. By limiting this communication, you reduce the risk of an attack spreading to other systems in your network.
At this layer, it's important to:
 Limit communication between resources.
 Deny by default.
 Restrict inbound internet access and limit outbound access where appropriate.
 Implement secure connectivity to on-premises networks.
Compute
Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues.
At this layer, it's important to:
 Secure access to virtual machines.
 Implement endpoint protection on devices and keep systems patched and current.
Application
Data
In almost all cases, attackers are after data:
 Stored in a database.
 Stored on disk inside virtual machines.
 Stored in software as a service (SaaS) applications, such as Office 365.
 Managed through cloud storage.
Describe Microsoft Defender for Cloud
When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather security-related data. For Azure machines, deployment is handled directly.
For hybrid and multi-cloud environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc. Cloud security posture management (CSPM) features are extended to multi-cloud machines without the need for any agents.
Azure-native protections
Defender for Cloud helps you detect threats across:
 Azure PaaS services – Detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
 Azure data services – Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them.
 Networks – Defender for Cloud helps you limit exposure to brute force attacks. By reducing access to virtual machine ports using just-in-time VM access, you can harden your network by preventing unnecessary access. You can set secure access policies on selected ports, for only authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of time.
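As an added illustration (not part of the original module text) of how the network layer's "deny by default" rule and a just-in-time VM access grant fit together, the following Python models NSG-style rule evaluation: custom rules are matched in ascending priority order ahead of the built-in deny, a JIT request is honoured only when it fits the policy's port, source range and maximum duration, and the granted allow rule stops matching once it expires. The rule names, the policy values and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    priority: int                       # NSG custom rules: 100-4096, lower number wins
    access: str                         # "Allow" or "Deny"
    port: Optional[int]                 # None = any destination port
    source: str                         # source CIDR, "0.0.0.0/0" = any
    expires: Optional[datetime] = None  # set only on JIT-granted rules

# Azure's built-in DenyAllInBound sits at priority 65500, below every custom rule,
# so without an explicit Allow, inbound traffic is denied by default.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Deny", None, "0.0.0.0/0")

def evaluate(rules: List[Rule], src_ip: str, port: int, now: datetime) -> str:
    """First matching rule in ascending priority order decides; expired JIT rules are skipped."""
    active = [r for r in rules if r.expires is None or r.expires > now]
    for r in sorted(active + [DEFAULT_DENY], key=lambda r: r.priority):
        if (r.port is None or r.port == port) and ip_address(src_ip) in ip_network(r.source):
            return r.access
    return "Deny"  # not reached in practice: DEFAULT_DENY matches everything

# Constructed JIT policy: SSH only, only from one management range, at most three hours.
JIT_POLICY = {"port": 22, "allowed_source": "203.0.113.0/24", "max_duration": timedelta(hours=3)}

def request_jit(policy: dict, src_cidr: str, port: int, duration: timedelta, now: datetime) -> Rule:
    """Grant a temporary Allow rule only when the request fits the policy on port, source and time."""
    if port != policy["port"]:
        raise ValueError("port is not covered by the JIT policy")
    if not ip_network(src_cidr).subnet_of(ip_network(policy["allowed_source"])):
        raise ValueError("requested source is outside the allowed range")
    if duration > policy["max_duration"]:
        raise ValueError("requested duration exceeds the policy maximum")
    return Rule("JIT-SSH", 100, "Allow", port, src_cidr, expires=now + duration)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    grant = request_jit(JIT_POLICY, "203.0.113.5/32", 22, timedelta(hours=1), now)
    print(evaluate([grant], "203.0.113.5", 22, now))                       # Allow while the grant is live
    print(evaluate([grant], "203.0.113.5", 22, now + timedelta(hours=2)))  # Deny once it has expired
```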
Defend your hybrid resources
To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud's enhanced security features.
Defend resources running on other clouds
Defender for Cloud can also protect resources in other clouds (such as AWS and GCP).
For example, if you've connected an Amazon Web Services (AWS) account to an Azure subscription, you can enable any of these protections:
 Defender for Cloud's CSPM features extend to your AWS resources.
 Microsoft Defender for Kubernetes extends its container threat detection and advanced defenses to your Amazon EKS Linux clusters.
 Microsoft Defender for servers brings threat detection and advanced defenses to your Windows and Linux EC2 instances.
Assess, Secure, and Defend
Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
 Continuously assess – Know your security posture. Identify and track vulnerabilities.
 Secure – Harden resources and services with Azure Security Benchmark.
 Defend – Detect and resolve threats to resources, workloads, and services.
