Sunday 7 April 2019

Azure Active Directory, B2C and Rights

Azure identity management is a fairly large body of knowledge. Dividing it into different areas makes it easier to understand.

RBAC in Azure:
Azure AD and B2C both offer a way to authenticate a user through the user providing an identity.
The user is assigned to one or more groups, and then the groups (or individual users) are assigned to roles. The diagram below shows internal and external users and how permissions can be granted, resulting in Role Based Access Control (RBAC). The application itself defines the operations a user can perform, but having the user's roles/claims allows each application to work out which actions that user may perform.

RBAC can be assigned at one of these four levels to manage Azure resources:

Tip: For small Azure tenants, managing at the resource level works well, but in most enterprises you should manage at the resource group or even subscription level to keep management controllable.
Note: There is the concept of a "Directory"; multiple "Resource Groups" are set up under a directory. I believe all companies should have a single directory, but it is common to find even relatively small businesses with multiple directories.
"Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory." Microsoft Docs

Thursday 4 April 2019

Adding users to all new SQL database using Azure AD groups

Problem: I have a dedicated SQL 2017 VM on Azure that is joined to my Azure AD tenant, e.g. int.contoso.com (Azure AD Domain Services). I need a set of users to have read and write access to all databases that get provisioned on the SQL 2017 instance.

Initial Hypothesis:
Create an Azure AD security group and add all the AAD users, and
Add the AAD group to the model database with the permissions that all new databases should have.

Resolution:
1. Using Azure AD, create a new security group (I called my group Developers) and add the users as members, Fig 1 & Fig 2.
Fig 1. Azure Portal, go to Azure AD and Groups

Fig 2. Add the security group

2. Add the AAD group, e.g. int.contoso.com\Developers, to the system "model" database; I have given the group read and write access below in Fig 3.
Fig 3. Add permissions to the model DB
3. Create a new database and validate that the new permissions are present in the new database, as shown in Fig 4.
Fig4.
Note: Changing existing DB permissions
To add permissions to existing databases, one option is to run:
EXEC sp_MSForEachDB 'exec sp_addrolemember ''db_datareader'',''INT\paul.beck'''
T-SQL to list the databases: EXEC sp_MSforeachdb 'USE ? SELECT SF.Name FROM sys.databases SF'
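The three resolution steps and the note on existing databases as one T-SQL script (an added example, not from the post). It assumes the INT domain (int.contoso.com) and the Developers group from the post; NewAppDb is a constructed database name.

```sql
-- Added example (not from the post). Assumes the INT domain and the
-- Developers AAD DS group from the post; NewAppDb is a constructed name.
USE [master];
GO
-- Step 1 (server side): a Windows login for the domain security group.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'INT\Developers')
    CREATE LOGIN [INT\Developers] FROM WINDOWS;
GO
-- Step 2: add the group to model. Every database created afterwards is a copy
-- of model, so the user and its role memberships are inherited automatically.
USE [model];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'INT\Developers')
    CREATE USER [INT\Developers] FOR LOGIN [INT\Developers];
ALTER ROLE db_datareader ADD MEMBER [INT\Developers];   -- read
ALTER ROLE db_datawriter ADD MEMBER [INT\Developers];   -- write, nothing more
GO
-- Step 3: create a database and verify the inherited role memberships.
USE [master];
GO
CREATE DATABASE [NewAppDb];
GO
USE [NewAppDb];
GO
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'INT\Developers';
-- Expected: two rows, db_datareader and db_datawriter for INT\Developers.
GO
-- Note: databases that already existed are not affected by model. Apply the
-- same (read/write only) membership to each user database, skipping the
-- system databases (IDs 1-4) and any membership that is already present.
EXEC sp_MSforeachdb N'
IF DB_ID(''?'') > 4
BEGIN
    USE [?];
    IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''INT\Developers'')
        CREATE USER [INT\Developers] FOR LOGIN [INT\Developers];
    IF IS_ROLEMEMBER(''db_datareader'', ''INT\Developers'') = 0
        ALTER ROLE db_datareader ADD MEMBER [INT\Developers];
    IF IS_ROLEMEMBER(''db_datawriter'', ''INT\Developers'') = 0
        ALTER ROLE db_datawriter ADD MEMBER [INT\Developers];
END';
```

Run the verification SELECT in any existing database afterwards to confirm the group holds only the two fixed roles and not db_owner.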


Wednesday 3 April 2019

PowerBI Pro for Licencing

Problem:  Requirement to provide reporting and dashboards quickly and securely at a reasonable price.

Hypothesis: There are great reporting solutions, and a couple of enterprise-leading products are Tableau and Qlik. These can get pretty expensive to install and license.

Proposed Resolution: PowerBI Pro (PowerBI Premium is for larger enterprise solutions) is a cloud-based solution that can connect to multiple data sources, including on-prem using the Gateway. E5 licences include the PowerBI Pro licence for creating and publishing reports. E3 licences can get an add-on for about £7.50 per month. This is only needed by the people creating the reports.

To paraphrase: "You can embed the report (not the dashboard) on a SharePoint web page and share it with company users. You will then only need one licence to publish the report. The downside of this option is that there is no built-in security for the report. Anyone who has access to the web page can access the report."

Disclaimer: These are my thoughts and understanding; please check your licencing with Microsoft and a licencing professional.

Updated: Nov 2022
3 Power BI licence types:
  1. Free (per user)
  2. Pro (per user per month) $
  3. Premium (resource/capacity based) $$$ - 2 options
Choose depending on usage pattern: Premium is great at enterprise level but out of range for most SME businesses. Feature and pricing comparison

Saturday 30 March 2019

Azure Security Checklist

Overview: Constantly improving security on Azure and Office 365 is essential to a lot of companies. Microsoft provide outstanding infrastructure and monitoring, but it is also the company's responsibility to configure and secure O365 and Azure to ensure security while allowing the appropriate liberalization of services so the business can operate effectively. This post outlines some basic items to look at to optimize the balance between security and meeting your business needs.

I generally go through the infrastructure and write up a report for management in the form of:  Finding, Recommendation and Management Comment.

Finding: The company's users log in using their Azure AD accounts, and the credentials page has no customized branding to help users know they are logging into the company's secure resources (SharePoint, email etc.).
Recommendation: In the "Azure Portal", use the "Azure Active Directory" service > "Company Branding" to upload the company logo in banner and square format and update the colour/theme to match the firm's branding.
Management Comment: We accept the finding and wish to make the changes immediately.

Microsoft provide tooling to help identify improvements; below are two tools you can use to clarify the current environment so improvements can be recommended.

Network Security Groups (NSGs)
NSGs are basically firewalls on Azure. Fantastic and simple, though they can get really complex with multiple policies. Azure gives you great tooling for Azure networks called "Network Watcher".

Wednesday 27 February 2019

MCAS overview MSIgnite London

Work in progress from the MS Ignite Tour London
Microsoft Cloud App Security (MCAS), a cloud access security broker (CASB), helps manage Shadow IT, detect high-risk OAuth apps, and control high-risk user sessions in real time for your Office 365 environment.

Covers:
  1. Azure AD (AAD)
  2. Threat protection
  3. Information protection 
  4. SaaS e.g. box, SPO, ODfB
Shadow IT discovery:
The log collector uses the proxy or proxy logs to find the apps people are using.
It can write back to block app usage at the proxy, so you can see people using dodgy SaaS apps. Supports script generation for most devices.

OAuth, e.g. G Suite: attackers fake apps to get access to user info. MCAS has a risk score for apps used; it shows all usage so you can correct users' access.

O365 apps:
Check all apps against the score:

MCAS protects for:
  • Malicious employees
  • Malware & ransomware
  • Rogue applications
  • Compromised accounts


Investigate:
Helps investigate abnormal behaviour: alerts and highlights concerns, and gives insight into user activity.
Can take action such as locking the account or requiring re-login.

File security:
Prevents sensitive info leaking into the cloud; uses the MIP framework, which uses AIP. Shows info available on the public internet; only shows SaaS services the business controls. Can also enforce governance on 3rd-party SaaS such as Box.

Block download of data:
Conditional access: for a user on an unmanaged device, route the user through MCAS. It can calculate risk and decide how they get access, e.g. an unmanaged device could force MFA. Lots of controls: boilerplate web access, block, MFA, ...


Multi-geo Phase 2 (SPO): SPO & O365 groups coming March 2019, into GA by 30 March 2019 confirmed. DLP per satellite geo. Hub sites can span multiple geos. Search works across geos, i.e. everything the user has access to across geos is returned.


Today's notes:
  • Site collections can't be moved between geo locations.
  • Satellites are only in the 14 core data regions, i.e. you can't use China but could use Hong Kong or Singapore.
  • Aimed at tenants of 2500 users or bigger, with a minimum of 5% of users moved.

Tuesday 26 February 2019

Microsoft Information Protection Update

Microsoft, as of Feb 2019, is still using Microsoft Information Protection (MIP) and Azure Information Protection (AIP) interchangeably, as this video from Ignite Oct 2018 highlights. Today I went to the Ignite tour, and AIP and MIP were being used to mean the same topic, which I'm referring to as AIP in this post.

MIP is a framework that includes: AIP, including the AIP scanner (file shares and SharePoint on-prem); DLP (cloud); RMS; Azure Advanced Threat Protection; MCAS (cloud); and Windows Information Protection (integrates with and understands AIP labels). A central portal is needed to monitor all of this, which is the "Security and Compliance Centre" (SCC).

The screenshot from the Ignite London presentation, given by Maayan Nasman Rand, shows where AIP is today. The presentation was a good overview of AIP. The big improvement to AIP over the past 3 months is the Analytics/Monitoring: this was not working and is now very good, but still in preview.


  • AIP is getting closer, but I feel the big missing piece is that the encryption used by AIP does not allow SPO to provide previews and, more importantly, search cannot index the data in SPO. Despite this key missing piece, I'd use it on O365 without encryption if I'm in a SharePoint store.
  • The native applications auto labelling is improving quickly.
  • The Auto-labeling feature is new and useful.
  • A few months ago, AIP labels were merged into the Security & Compliance Centre. Worth noting: if you had labels in the AIP admin, you need to migrate the labels using the "Unified labelling" option, and the policies need to be manually brought into the Security & Compliance Centre.
  • Auto-labeling is now in the Mac Office suite and is also coming to the Office apps on Android and iOS (preview).
  • AIP is an add-on; new Office, Office for Mac and Android have the AIP plug-in already installed. Applies to all Office products including Outlook, Word, Excel and PowerPoint.
  • The UI ribbon for AIP in Office on Windows has also been updated to a new look.
  • Microsoft Cloud App Security (MCAS) has scanners to perform labelling (like the AIP scanner) but also works on G Suite and Box; others are coming.
  • AIP Scanner works on file shares (CIFS) and SP2013 and SP2016 on-prem.
  • The 3rd-party product Adobe Pro does not yet have the ability to update labels, but it's coming soon (Jun 2020?). They use the SDK that all developers can use.
  • The Monitoring/Reporting is actually working; a year back it was flaky, and the UI and find-ability are much improved.
  • A couple of preview screens shown today:



Previous AIP Posts:
AIP - Protect your company's documents (Catching up to Symantec's product quickly)
SharePoint Saturday AIP Notes