Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide authentication to other cloud-based systems via OAuth.
During the 2020 pandemic, Microsoft Teams saw a drastic 70% increase in daily Teams users in a single month. While it is unclear how many of those users are net new to Azure AD, we can assume that the 2020 pandemic jump-started both adoption and implementation of Azure AD to meet the demands of a remote workforce.
It’s week eleventeen of the pandemic at the time of this writing, and it seems more likely that enterprises won’t be returning to the way things were in the before times. Sysadmins dealing with hybrid cloud environments should understand how Azure AD works, and most importantly, how to keep our data safe in this cloud-first world without the luxury of a secure perimeter.
What is Windows Active Directory?
Windows Active Directory (AD) is Microsoft’s predecessor to Azure AD. Microsoft released Active Directory in Windows 2000 server, and it became a standard for enterprise identity management.
Active Directory lives on-premise in servers called Domain Controllers (DC). Each DC contains a catalog of users and computers that are authorized to access resources on the network. Users authenticate to DCs via Kerberos or NTLM authentication.
AD security is one of our favorite topics because many attacks the Varonis Incident Response team researches involve AD at some point in the cyber kill chain. It could be a simple brute force attack to crack an old NTLM password or a privilege escalation attempt to take over an administrator account. AD security has been the topic of many conference talks and we even wrote a comprehensive guide to pen testing your AD environment to ensure its resilience to common off-the-shelf attacks.
Any conversation about Azure AD has to mention AD classic, and we will explain why further along in the blog.
Difference Between Windows and Azure AD
Azure AD and Windows AD are both created by Microsoft, and they are both IAM systems, but that’s pretty much where the comparisons stop. They are fundamentally different systems that exist in an interconnected enterprise environment.
Azure Active Directory
- REST APIs: Azure AD uses Representational State Transfer (REST) APIs to support communication to other web-based services
- Authentication: Azure AD uses cloud-based authentication protocols like OAuth2, SAML, and WS-Security for user authentication
- Network Organization: Each Azure AD instance is called a “tenant” which is a flat structure of users and groups
- Entitlement Management: Admins organize users into groups, and then give groups access to apps and resources
- Devices: Azure AD provides mobile device management with Microsoft Intune
- Desktops: Windows desktops can join Azure AD with Microsoft Intune
- Servers: Azure AD uses Azure AD Domain Services to manage servers that live in the Azure cloud virtual machine environment
Windows Active Directory
- LDAP: Windows AD uses Lightweight Directory Access Protocol (LDAP) to pass data between clients and servers and DCs.
- Authentication: Windows AD uses Kerberos and NTLM to validate user credentials
- Network Organization: Windows AD is organized into Organizational Units, Domains, and Forests
- Entitlement Management: Admins or data owners assign users to groups, and those groups have access to resources on the network
- Devices: Windows AD does not manage mobile devices
- Desktops: Desktops joined to Windows AD are governed by Group Policy (GPOs)
- Servers: Servers in Windows AD are managed and governed by GPOs or other on-premise server management systems
The answer to the question, “so which one do I use?” is probably both. If you are running an established enterprise network, you most likely already have Windows AD, and you are adding Azure AD to manage your cloud infrastructure.
If you are starting a brand new organization from scratch, Azure AD could meet all of your needs, especially if you plan on using an entirely cloud-based infrastructure.
The other question you might ask is “which one is harder to configure than the other?” And I would say that neither one is more or less configurable than the other, and neither one is more or less secure than the other. Both systems require a qualified expert to manage and protect your network for companies larger than 100 users or so. Smaller shops will find Azure AD easier to manage overall.
Azure AD Connect for Hybrid Deployments
Azure AD Connect is Microsoft’s solution to enable hybrid Windows AD and Azure AD deployments. Azure AD Connect syncs data between the on-premise DCs and the cloud.
Azure AD Connect will let you sync user accounts from your on-premise system to your Azure tenant. It also provides password hash synchronization, pass-through authentication, federation, and health monitoring.
Those features allow your users to have the same user id and password on-premise and in the cloud and to ease the management of your hybrid environment. In short, you need Azure AD Connect if you have a hybrid environment.
As a sysadmin or security pro, it’s important that your security solutions give you a unified view of each user regardless of whether they’re accessing cloud or on-prem resources. The Varonis Data Security Platform, for example, makes it easy to pinpoint a user and see their activity in Azure AD and Windows AD. Even though there are two user repositories behind the scenes, Varonis treats them as a single user with a comprehensive user behavior profile that includes on-prem and cloud activity.
Azure Active Directory Considerations
OK, so if you have made it this far, you might be considering implementing Azure AD for your organization. Now you have real decisions to make.
1. Licensing: Azure AD licensing follows the same monthly subscription licensing as the Office 365 licenses. There are four license levels – Free, Office 365 Apps, Premium P1, and Premium P2.
Office 365 Apps comes as part of your Office 365 subscription, and the Premium packages are a separate item. You get the Free license as part of a subscription to Azure, Dynamics 365, Intune, and Power Platform.
The Premium tier adds features like advanced password protection, self-service password management for your users, advanced group access management, and conditional access.
The features lists for Azure AD and Microsoft 365 are separate, and you need to look at both of them to understand everything available to you so you can build your implementation strategy.
Ed. Note: Office 365 recently got renamed to Microsoft 365. At the time of this writing, Microsoft’s documentation contains both names, but they are the same thing.
2. Choose your scenario: Hybrid Azure AD or Azure AD? If you already have Windows AD, Hybrid might be your best option. If you are trying to build a cloud-only infrastructure, Azure AD is the better choice.
For your Hybrid environment, you can go with Managed or Federated configurations. If you are going to create users in Windows AD, you need to have Azure AD Connect to sync with Azure AD.
Are you going to use the device management in Azure AD? If so, you need Windows 10 on all those devices.
3. SSO: Are you going to enable Single Sign-On (SSO) with Azure AD? You will need to configure your cloud apps and services to use the Azure SSO, and set up a hybrid cloud for printing.
4. User Provisioning: How are you going to add your existing users to Azure? You can set up self-enrollment where users run the process themselves, Windows Autopilot, or have an admin enroll your users.
Those four steps will set you on the right path. You will have to do some more homework to figure out all the answers, which will lead you to more questions that need different answers.
How Does Azure Active Directory Work?
Azure AD is a new system that Microsoft designed from the ground up to support cloud infrastructure. Azure AD uses REST APIs to pass data from one system to other cloud applications and systems that support REST (which is most cloud applications).
Unlike Windows AD, Azure AD is a flat structure in a single tenant. Think of the tenant as a circle that surrounds all your stuff. You can control the stuff inside the tenant, but once it leaves that circle you lose some agency over what happens to your stuff.
At Varonis, our approach to data security aligns with zero-trust principles, so as we continue we will weave in zero-trust when appropriate.
Users and Groups
Users and groups are the basic building blocks for Azure AD. You can further organize users into groups that will all behave similarly. For example, you may put your Product Management team in one Azure AD group and grant permissions at the group level, so when users leave the organization, you only need to deactivate one account, and the rest of the group stays the same.
Users in Azure AD can come from both inside and outside of Azure AD. Let me restate that. Your Azure AD can contain identities for users inside of your organization and users from outside your organization that have a Microsoft account.
What this means is that you can bring people outside of your organization inside your tenant and grant them specific permissions just like they are part of your organization. When done correctly, this provides an additional level of security to the organization’s data.
Adding Users and Groups to Azure AD
There are several methods to populate your users and groups in Azure AD.
- Use Azure AD Connect to sync users from Windows AD to Azure AD. Most enterprises that already have Windows AD use this method.
- You can create users manually in the Azure AD Management Portal.
- You can script the process to add new users with PowerShell.
- Or you could program the process with the Azure AD Graph API.
No matter which option you start with or use later on, there are a few key points to make about adding users in Azure AD.
- Establish your authentication method and password policies, and enforce multi-factor authentication.
- Only add users that you need to Azure AD. Leave service accounts or stale accounts in Windows AD, or delete them.
- Keep privileged access in Azure AD to a minimum and follow Microsoft’s guidance to keep privileged access secure.
- Organize users into groups, and only give groups access to the applications and resources they need to do their job.
- Connect users to their devices (mobile phones, laptops, etc.), so you can establish limits on how confidential data is downloaded or saved from approved and monitored devices.
Adding a custom domain to Azure AD will reduce the frustration that your users experience as they migrate to the new system. The default Azure AD domain looks like this:
That’s a lot to type. If you configured Azure AD to use a domain that you own, your users would thank you. It would look something like @notarealdomain.com instead. That’s much easier to deal with.
Common Attacks Against Azure AD
I’d like to say that the transition to Azure AD was smooth and without issue, but alas. Any significant transformation to a cloud-enabled infrastructure is bound to attract malicious attackers that want to infiltrate the new frontier. And so they did.
The Varonis IR team investigates many brute force attacks against Azure AD. Attackers love to use vast collections of usernames and passwords from data breach dumps to try to break into Azure AD accounts—a method known as credential stuffing.
Azure AD is available from the internet, so it’s a relatively easy target. A good password policy and multi-factor authentication, as well as behavioral monitoring of login activity and geo-hopping, can thwart most brute force attacks. Most. You still need to monitor your data to detect malicious activity inside your tenant in the event an attacker succeeds with a single login attempt.
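The login monitoring described above, sketched as an added example that is not part of the original article or any Varonis product: it flags source IPs whose failed sign-ins spread across many accounts (credential stuffing), geo-hopping between successful sign-ins, and accounts that logged in successfully from a flagged IP. The records are constructed, and the flat field names, thresholds, and function names are assumptions loosely modelled on Azure AD sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real data). Field names are assumptions.
# error 0 = success; 50126 = invalid username or password.
FIELDS = ("time", "user", "ip", "country", "error")
ROWS = [
    ("2020-06-01T08:40:00", "dave@notarealdomain.com", "198.51.100.4", "US", 0),
    ("2020-06-01T09:00:05", "alice@notarealdomain.com", "203.0.113.7", "RO", 50126),
    ("2020-06-01T09:00:09", "bob@notarealdomain.com", "203.0.113.7", "RO", 50126),
    ("2020-06-01T09:00:14", "carol@notarealdomain.com", "203.0.113.7", "RO", 50126),
    ("2020-06-01T09:00:20", "dave@notarealdomain.com", "203.0.113.7", "RO", 0),
    ("2020-06-01T09:05:00", "erin@notarealdomain.com", "198.51.100.9", "US", 50126),
    ("2020-06-01T11:30:00", "alice@notarealdomain.com", "198.51.100.4", "US", 0),
]
SIGNINS = [dict(zip(FIELDS, r)) for r in ROWS]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def stuffing_sources(events, min_users=3, window=timedelta(minutes=10)):
    """IPs whose failed sign-ins hit >= min_users distinct accounts within window."""
    failures = defaultdict(list)
    for e in events:
        if e["error"] != 0:
            failures[e["ip"]].append((parse(e["time"]), e["user"]))
    flagged = set()
    for ip, hits in failures.items():
        for start, _ in hits:
            users = {u for t, u in hits if start <= t <= start + window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return sorted(flagged)

def geo_hops(events, max_gap=timedelta(hours=1)):
    """Successful sign-ins by one user from two countries within max_gap."""
    last, hops = {}, []
    ok = (e for e in events if e["error"] == 0)
    for e in sorted(ok, key=lambda e: e["time"]):  # ISO timestamps sort as text
        now, prev = parse(e["time"]), last.get(e["user"])
        if prev and prev[1] != e["country"] and now - prev[0] <= max_gap:
            hops.append((e["user"], prev[1], e["country"]))
        last[e["user"]] = (now, e["country"])
    return hops

def compromised_after_stuffing(events):
    """Accounts with a successful sign-in from an IP flagged for stuffing."""
    bad = set(stuffing_sources(events))
    return sorted({e["user"] for e in events if e["error"] == 0 and e["ip"] in bad})
```

The single mistyped password from erin's IP is not flagged, while dave's account surfaces in both the geo-hop and the post-stuffing checks, which is the "single successful login" case the paragraph warns about.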
Phishing is the other top attack we see against Azure AD users. Phishing can lead to credential theft or malware infection, which can provide attackers with a foothold to access your tenant. One of the better enhancements Azure AD provides is warnings when you open an email from an outsider or untrusted source.
You can enable this setting, and other email protections in the Azure AD Management Console. The Varonis IR team demonstrates how to use phishing to infiltrate and steal data in this Live Cyber Security Lab.
Azure Skeleton Key Attack
This attack has to do with Azure AD Connect, which we described above as the way to synchronize your Azure and on-prem AD. Azure AD Connect can be configured via a method called Pass-Through Authentication. When this method is used, a server called the “Azure Agent” is installed on-prem.
Should an attacker compromise an organization’s Azure agent server, they can create a backdoor that allows them to log in as any synchronized user. Varonis created a proof-of-concept that manipulates the Azure authentication function to 1.) give us a ‘skeleton key’ password that will work for all users, and 2.) dump all real clear-text usernames and passwords into a file.
You can read the details and see the Azure Skeleton Key attack POC in action here.
What Else Can I Configure in Azure AD?
Microsoft provides enhancements and tools for Azure AD and Microsoft 365 to further secure and protect your organization’s data in the cloud. Here are a few more options that you can enable to keep your organization more secure.
- Integrate applications with Azure AD to enable Single Sign-On (SSO)
- Automate application provisioning to new users based on group membership
- Restrict users’ ability to consent to applications – a consent prompt can be part of a phishing attack, and once the user clicks, the attacker has a foothold in your tenant
- Block legacy protocols that have security issues, like SMTP, POP3, or MAPI
- Enable Microsoft Cloud Access Security (MCAS) to provide monitoring inside your tenant, and augment that monitoring with Azure Skeleton Key attack
- Now that you have Varonis, classify all of your sensitive data and tag it with Microsoft Azure Information Protection (AIP)
That’s not nearly a comprehensive list of tools to manage and secure Azure AD. Do check out the webinar about Microsoft Teams and see some other ways to prevent data leaks and to learn why one security professional said, “We wouldn’t even be considering OneDrive if we didn’t have Varonis in place.”
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.