5/19/2018 6:29 PM BRK1051 Locking down access to the Azure Cloud: SSO, Roles Based Access Control, and Conditional Access Stuart Kwan Principal Program.

Presentation transcript:

BRK1051 Locking down access to the Azure Cloud: SSO, Roles Based Access Control, and Conditional Access
Stuart Kwan, Principal Program Manager, @stuartkwan, skwan@Microsoft.com
5/19/2018 6:29 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda: Understand the tools at your disposal to control access
- Control who can sign in: identity lifecycle management
- Control how they sign in: authentication
- Control what they can do: authorization
- Brief peek at future investments

Best Practices for Locking Down Access
- Make sure people automatically lose access when they leave
- Use multi-factor authentication for all Azure users
- Use “break glass” accounts for Account & Service Admins
- Give people minimum access needed for day to day work
- Use Managed Service Identity to keep credentials out of code

Best practice #1: Make sure people automatically lose access when they leave the organization

Identity for Azure: Azure Active Directory
- Every subscription trusts an Azure AD tenant as its source of security principals
- Azure AD is the identity system for Microsoft business services
- If you create a sub with a personal account, an Azure AD tenant is created for you
- Subs can be transferred between Azure AD tenants
(Diagram: one Azure AD tenant trusted by Sub1, Sub2 and Sub3)

Demo: Transfer subscription between Azure AD tenants

For Reference
- Move a subscription between tenants: https://docs.microsoft.com/azure/billing/billing-subscription-transfer
- Sign up for a new subscription with an Azure AD account: during the sign up process, sign in with your work account
- Sign up for a new sub & new Azure AD tenant at the same time: https://account.azure.com/organization

A Big Question
Should I parent my subscriptions to an Azure AD tenant managed by central IT… or should I isolate my environment from IT and parent my subscriptions to my own Azure AD?
Answer: either is sufficient if identity lifecycle and tenant policy are being proactively managed, for example accounts are disabled or removed when people leave the organization.

Connect to On-Premises: Azure AD Connect
(Diagram: on-premises Active Directory, fed by HR-driven user and group lifecycle management, is connected through Azure AD Connect (Sync, AD FS Health) to the cloud Azure AD tenant, which in turn serves Azure, Office 365 and Dynamics 365/ERP.)

Azure AD Connect: Choice of Sign-In Methods
- Separate passwords on-premises and cloud
- Password sync: same password sign-in; hashed passwords stored in cloud
- Pass-through authentication: password check done on-premises
- Federation with AD FS: Single Sign On (SSO); passwords never visible to cloud

How Microsoft Guards Azure AD
https://blogs.technet.microsoft.com/enterprisemobility/2017/09/05/how-we-secure-your-data-in-azure-ad/
1. Controlled datacenter access
2. Locked cage with 24/7 camera monitoring
3. Bitlocker encrypted servers
4. Just In Time operator access
5. Operators must use Privileged Access Workstation and smartcard
6. Active threat monitoring
7. TLS protected channel and token-based authentication required

Best practice #2: Use multi-factor authentication for Azure users

Why Multi-Factor Authentication?
Today’s #1 cyber weapon: good grammar

Multi-Factor Authentication
Enforce from cloud: Azure AD phone-based MFA
- Phone call
- SMS message
- Microsoft Authenticator mobile app (recommended)
Enforce from on-premises: do MFA at federation server
- Azure AD signals MFA required, federation server sends MFA claims
- AD FS supports pluggable MFA
https://myapps.microsoft.com > Profile > Additional security verification

Per-User MFA versus Conditional Access
Per-User MFA
- Require MFA always, for all applications
- Free of charge for all Azure AD admins and all Azure admins
Conditional Access
- Require MFA under specific conditions: for a specific app e.g. Azure; when not on work network; when sign-in considered high risk
- Azure AD Premium feature (P1 SKU); licenses needed for users who are affected by policy

Best Current MFA Option: Windows Hello
Formula:
- Windows 10 workstation, Azure AD-joined
- Windows Hello protected by biometric or PIN
- Microsoft Edge browser, and not in In-Private mode
Result: sign-in via TPM-protected asymmetric key

Demo: Multi-factor Authentication and Conditional Access

Best practice #3: Use “break glass” accounts for Account Administrator and Service Administrator

Important Top Level Azure Roles
Account administrator
- Can manage billing information
- One per subscription
- Can create subscriptions
- Can designate Service administrator
- Change using the Transfer function
Service administrator
- Full control over all resources in a subscription
- Can designate Co-Admins (legacy – do not use)
https://account.azure.com > Subscription > Edit Subscription

Use “Break Glass” Accounts
- Do not use the account for daily work
- Write down a strong random password and lock it away
- Do not share the password
- Change the password every time you use it and on a scheduled basis
- Enable per-user MFA

Best practice #4: Give people the minimum access they need to do their daily work

Azure Role-Based Access Control (RBAC)
- Fine-grained access control to the Azure “control plane”
- Grant access by assigning a Security Principal a Role at a Scope
  - Security Principal: user, group, or service principal
  - Role: built-in or custom role
  - Scope: subscription, resource group, or resource
- Assignments are inherited down the resource hierarchy
(Diagram: Reader assigned at the Subscription, Owner at a Resource Group, Contributor at a Resource)

Resource Providers Support Actions
(Get-AzureRmProviderOperation Microsoft.Compute/*).Operation
  Microsoft.Compute/register/action
  Microsoft.Compute/restorePointCollections/read
  Microsoft.Compute/restorePointCollections/write
  Microsoft.Compute/restorePointCollections/delete
  Microsoft.Compute/restorePointCollections/restorePoints/read
  Microsoft.Compute/restorePointCollections/restorePoints/write
  Microsoft.Compute/restorePointCollections/restorePoints/delete
  Microsoft.Compute/restorePointCollections/restorePoints/retrieveS…
  Microsoft.Compute/virtualMachineScaleSets/read
  Microsoft.Compute/virtualMachineScaleSets/write
  (and more…)

A Role is a Collection of Actions
Get-AzureRmRoleDefinition -Name Owner
  Name             : Owner
  Id               : 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
  IsCustom         : False
  Description      : Lets you manage everything, including access to resources.
  Actions          : {*}
  NotActions       : {}
  AssignableScopes : {/}

Role Definition: Contributor
Get-AzureRmRoleDefinition -Name Contributor
  Name             : Contributor
  Id               : b24988ac-6180-42a0-ab88-20f7382dd24c
  IsCustom         : False
  Description      : Lets you manage everything except access to resources.
  Actions          : {*}
  NotActions       : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action}
  AssignableScopes : {/}

Role Definition: Reader
Get-AzureRmRoleDefinition -Name Reader
  Name             : Reader
  Id               : acdd72a7-3385-48ef-bd42-f606fba81ae7
  IsCustom         : False
  Description      : Lets you view everything, but not make any changes.
  Actions          : {*/read}
  NotActions       : {}
  AssignableScopes : {/}

Role Definition: Virtual Machine Contributor
Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
  Name             : Virtual Machine Contributor
  Id               : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
  IsCustom         : False
  Description      : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
  Actions          : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
  NotActions       : {}
  AssignableScopes : {/}

For Reference
- List all Resource Providers: Get-AzureRmResourceProvider
- List all Actions supported by a Resource Provider: Get-AzureRmProviderOperation <SearchString>
- View a Role Definition: Get-AzureRmRoleDefinition -Name <RoleName>

Demo: Roles-Based Access Control

There is no deny. There is only grant.
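The RBAC model on the preceding slides (a principal gets a role at a scope, assignments inherit down the hierarchy, a role is its Actions minus its NotActions, and there is no deny) can be exercised against a handful of assignments. The following Python is an added example and is not code from the deck or from Azure: it transcribes the role definitions shown above (the Virtual Machine Contributor list is only the subset the slide shows), implements wildcard and scope matching as an assumption about how Azure evaluates them, and uses a constructed subscription id, resource groups and VMs.

```python
import re
from dataclasses import dataclass

# Role definitions transcribed from the Get-AzureRmRoleDefinition output on the slides.
# Virtual Machine Contributor lists only the actions the slide shows (its output is truncated).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Compute/availabilitySets/*",
            "Microsoft.Compute/locations/*",
            "Microsoft.Compute/virtualMachines/*",
        ],
        "NotActions": [],
    },
}


def action_matches(pattern, operation):
    """Assumption about Azure's matching: operation names are case-insensitive and
    '*' matches any run of characters, including '/' separators."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role_name, operation):
    """A role grants an operation if some Action matches it and no NotAction does.
    NotActions narrow this role only; they are not a deny that reaches other roles."""
    role = ROLES[role_name]
    if not any(action_matches(p, operation) for p in role["Actions"]):
        return False
    return not any(action_matches(p, operation) for p in role["NotActions"])


def scope_covers(assignment_scope, target_scope):
    """Assignments are inherited downward: a scope covers itself and everything
    beneath it. Compare path segments so 'rg-app' does not cover 'rg-app2'."""
    a = [s.lower() for s in assignment_scope.split("/") if s]
    t = [s.lower() for s in target_scope.split("/") if s]
    return t[: len(a)] == a


@dataclass(frozen=True)
class Assignment:
    principal: str  # user or group name
    role: str
    scope: str


def is_permitted(principal, groups, operation, target_scope, assignments):
    """There is no deny, there is only grant: the operation is allowed as soon as any
    applicable assignment (direct or via a group, at this scope or above) permits it."""
    identities = {principal, *groups}
    return any(
        a.principal in identities
        and scope_covers(a.scope, target_scope)
        and role_permits(a.role, operation)
        for a in assignments
    )


# Constructed sample hierarchy: placeholder subscription id, two resource groups, two VMs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_WEB = RG_APP + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = RG_DATA + "/providers/Microsoft.Compute/virtualMachines/db01"

ASSIGNMENTS = [
    Assignment("alice", "Reader", SUB),                        # observer across the subscription
    Assignment("alice", "Contributor", RG_APP),                # does real work in one resource group
    Assignment("vm-ops", "Virtual Machine Contributor", SUB),  # a group: VMs only, nowhere else
    Assignment("bob", "Owner", SUB),                           # "break glass" style holder
    Assignment("bob", "Contributor", RG_APP),
]


def evaluate(principal, groups, operation, target):
    return is_permitted(principal, groups, operation, target, ASSIGNMENTS)


if __name__ == "__main__":
    checks = [
        ("alice", (), "Microsoft.Compute/virtualMachines/write", VM_WEB),
        ("alice", (), "Microsoft.Compute/virtualMachines/write", VM_DB),
        ("alice", (), "Microsoft.Authorization/roleAssignments/write", RG_APP),
        ("carol", ("vm-ops",), "Microsoft.Network/networkInterfaces/write", VM_WEB),
        ("bob", (), "Microsoft.Authorization/roleAssignments/write", RG_APP),
    ]
    for who, grp, op, target in checks:
        print(f"{who:6} {op:48} {'ALLOW' if evaluate(who, grp, op, target) else 'deny'}")
```

The last check is the point of the slide: bob's Contributor assignment carries a NotAction on Microsoft.Authorization/*/Write, yet his Owner assignment at the subscription still lets him write role assignments in rg-app, because a NotAction only trims the role it sits in and nothing in the model subtracts from what another assignment grants.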

Azure RBAC versus Azure AD RBAC
- Several roles span Azure AD and Office 365, for example Global admin and User admin
- By default, roles do not span Azure AD and Azure: an Azure AD Global admin has no default access* to Azure subscriptions
* Except if: https://portal.azure.com > Azure AD > Properties
(Diagram: Azure AD in the middle, with Office 365 on one side and Azure on the other)

Best Practice: Manage to Least Privilege
(Diagram: “blast radius” grows along two axes. More actions: Reader, Resource-specific or Custom role, Contributor, Owner. More scope: Resource, Resource Group, Subscription.)

Best Practice: Manage to Least Privilege
“Use minimum role assignments to get normal work done.”
(Diagram: the same Reader / Resource-specific or Custom role / Contributor / Owner and Resource / Resource Group / Subscription axes, annotated with who belongs where: observers, people doing real work, the “break glass” account, and single-purpose robots or targeted debug.)

Privileged Identity Management (PIM) for Azure
- Enable “Just In Time” access to Azure
- Expire access automatically
- Assign temporary access for quick tasks, on-call schedules
- Get alerts when new users or groups are assigned resource access, and when they activate eligible assignments
- Reduce need for “break glass” accounts
Now in public preview!

Demo: Privileged Identity Management for Azure RBAC

OK, but what about robots? I need credentials to do my job.

Best practice #5: Use Managed Service Identity to keep credentials out of code

Azure AD Managed Service Identity
- Auto-managed identity in Azure AD for an Azure resource
- Use the local MSI endpoint to get access tokens from Azure AD
- Direct authentication with services, or retrieve creds from Azure Key Vault
- No additional charge for MSI
- Now in preview
(Diagram: inside an Azure VM, your code calls the MSI VM Extension at http://localhost/oauth2/token; the extension holds credentials that Azure injects and rolls, and uses them to obtain a token from Azure Active Directory; your code then presents that token to the Azure service, e.g. ARM or Key Vault.)
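The token round-trip in that diagram, written out as an added Python example (not code from the deck or from the MSI VM extension). Assumptions, also marked in the code: the endpoint is the http://localhost/oauth2/token address the slide shows with a local port added (50342 is assumed, overridable through an MSI_ENDPOINT environment variable), the request is a POST carrying a Metadata: true header and a resource form field, and the reply is JSON with access_token, expires_on, resource and token_type. The transport is injectable so the validation runs offline against a constructed reply; the real urllib transport only ever talks to the local endpoint.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# The slide shows the local endpoint as http://localhost/oauth2/token. The MSI VM extension
# listened on a local port; 50342 is an assumption here and can be overridden.
MSI_ENDPOINT = os.environ.get("MSI_ENDPOINT", "http://localhost:50342/oauth2/token")


def build_token_request(resource, endpoint=MSI_ENDPOINT):
    """Shape of the call to the local MSI endpoint. Note what is absent: no client
    secret, certificate or password anywhere in the code. The Metadata: true header
    is the endpoint's guard against requests relayed by a browser or a proxy."""
    body = urllib.parse.urlencode({"resource": resource}).encode()
    headers = {"Metadata": "true", "Content-Type": "application/x-www-form-urlencoded"}
    return endpoint, headers, body


def parse_token_response(raw, now=None):
    """Validate the JSON reply: required fields, bearer type, not already expired."""
    data = json.loads(raw)
    for key in ("access_token", "expires_on", "resource", "token_type"):
        if key not in data:
            raise ValueError(f"MSI response missing {key}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    expires_on = int(data["expires_on"])  # seconds since the Unix epoch, sent as a string
    now = time.time() if now is None else now
    if expires_on <= now:
        raise ValueError("token is already expired")
    return {"token": data["access_token"], "expires_on": expires_on, "resource": data["resource"]}


def urllib_transport(url, headers, body):
    """Real transport for use inside the VM; it only reaches the local endpoint."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def get_token(resource, transport=urllib_transport, endpoint=MSI_ENDPOINT, now=None):
    """Fetch and validate a token for one resource (audience), e.g. Key Vault or ARM."""
    url, headers, body = build_token_request(resource, endpoint)
    token = parse_token_response(transport(url, headers, body), now)
    if token["resource"].rstrip("/") != resource.rstrip("/"):
        raise ValueError("token was issued for a different resource")
    return token


def authorization_header(token):
    """What your code attaches when it calls the Azure service with the token."""
    return {"Authorization": "Bearer " + token["token"]}


def fake_msi_transport(url, headers, body):
    """Constructed stand-in for the MSI VM extension so the flow runs offline.
    It enforces the Metadata header and echoes the requested resource."""
    if headers.get("Metadata") != "true":
        raise ValueError("endpoint refuses requests without Metadata: true")
    resource = urllib.parse.parse_qs(body.decode())["resource"][0]
    return json.dumps({
        "access_token": "constructed.token.value",   # placeholder, not a real JWT
        "expires_on": str(int(time.time()) + 3600),
        "resource": resource,
        "token_type": "Bearer",
    })


if __name__ == "__main__":
    tok = get_token("https://vault.azure.net", transport=fake_msi_transport)
    print(authorization_header(tok))
```

Two checks in get_token matter operationally: the expiry check, so a cached reply is not reused past expires_on, and the resource comparison, so a token minted for ARM is never sent to Key Vault by mistake; keep the token in memory only and request a fresh one per audience rather than persisting it.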

Demo: Managed Service Identity

Futures

Sign-In to Azure VMs using Azure AD
Challenge:
- Must manage local accounts to sign in to Azure VMs
- Huge temptation to share name/password among dev/ops
- Must remember to remove accounts and rotate passwords when people leave the organization
Solution: “As dev/ops, I can sign in to an Azure VM with the same account I use to sign in to the Azure portal.”
- SSH on Linux, RDP on Windows
- Enable requiring MFA for sign-in
- RBAC enforces who can sign in

“Standalone” Managed Service Identity
Challenge:
- I have a logical service that is made up of several different compute resources, but I want it to have one logical identity
- I want to assign access to a managed identity before I create the compute resource
Solution: “As a developer, I can assign a managed identity to one or more compute resources independent of lifecycle of the resource.”
- First service to be enabled: Azure Virtual Machines
- Assign multiple identities to a VM to enable per-container identity
- Assign access before compute resource is created

RBAC “Constrained Delegation”
Challenge:
- Only Owner and User Access Administrator roles can manage RBAC
- Cannot limit what permissions can be granted; if you can manage RBAC, you can assign someone Owner
Solution: “As dev/ops or IT, I can give a user the ability to grant others the same access that they have.”
- Example: if a user is Contributor for a Resource Group and is granted delegation, they can assign others Contributor for that Resource Group
- A user with delegation permission cannot grant others delegation permission

Best Practices for Locking Down Access
- Make sure people automatically lose access when they leave
- Use multi-factor authentication for all Azure users
- Use “break glass” accounts for Account & Service Admins
- Give people minimum access needed for day to day work
- Use Managed Service Identity to keep credentials out of code
Reference for managing access to Azure: http://aka.ms/azureiam

Identity @ Ignite | Monday
- BRK3020 What's new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications (OCCC Valencia W415 CD, Monday 4:00–5:15; Sam Devasahayam)
Identity @ Ignite | Tuesday
- BRK2019 Productivity and protection for your employees, partners, and customers with Azure Active Directory (OCCC West Hall F2, Tue 9:00–10:15; Alex Simons, Nasos Kladakis)
- THR2072 Migrate your apps from legacy APIs to Microsoft Graph (OCCC South – Expo Theater #6, Tue 11:35-11:55; Jeff Sakowicz, Dan Kershaw)
- BRK2017 Saying goodbye to passwords (OCCC West Hall F3-4, Tue 12:45-1:30; Manini Roy)
- THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory (OCCC West Building Theater - Level 2, Tue 2:10–2:30; Jeff Sakowicz)
- BRK1051 Locking down access to the Azure Cloud using SSO, Roles Based Access Control, and Conditional Access (OCCC W308, Tue 2:15–3:30; Stuart Kwan)

Identity @ Ignite | Wednesday
- BRK3388 Build applications to secure and manage your enterprise using Microsoft Graph (OCCC S210, Wed 09:00-09:45; Jeff Sakowicz, Dan Kershaw)
- BRK3225 Office development: Authentication demystified (OCCC W315, Wed 10:45–12:00; Vittorio Bertocci)
- BRK3146 The power of common identity across any cloud (OCCC W240, Wed 12:45-1:30; Sam Devasahayam)
- THR2126 Azure Active Directory: Your options explained from AD sync to pass through authentication & more (OCCC West – Microsoft Ignite Studio, Wed 1:35-1:55; Alex Simons, Simon May)
- BRK3352 Windows devices in Azure Active Directory: Why should I care? (OCCC Valencia W415 AB, Wed 2:15–3:30; Jairo Cadena)
- THR2007 How to get Office 365 to the next level with Azure Active Directory Premium (OCCC South – Expo Theater, Wed 3:15-4:00; Brjann Brekkan)
- BRK3295 What’s new in Azure Active Directory Domain Services (Hyatt Regency Windermere Z, Wed 4:00–5:15; Mahesh Unnikrishnan)
- BRK3016 Shut the door to cybercrime with Azure Active Directory risk-based identity protection (OCCC Valencia W415 CD; Alex Weinert, Nitika Gupta)

Identity @ Ignite | Thursday
- BRK2018 Share corporate resources with your partners using Azure Active Directory B2B collaboration (OCCC W230, Thu 9:00–10:15; Mary Lynch, Sarat Subramaniam, Laith Al Shamri)
- BRK3207 The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile+web apps (OCCC S310, Thu 10:45-12:00; Vittorio Bertocci)
- BRK3012 Secure access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility + Security (OCCC W311; Caleb Baker, Chris Green)
- BRK3013 Ensure users have the right access with Azure Active Directory (OCCC Valencia W415 AB, Thu 12:30–1:45; Joseph Dadzie, Mark Wahl)
- BRK3015 Deep-dive: Azure Active Directory Authentication and Single-Sign-On (OCCC West Hall E1, Thu 2:15-3:30; John Craddock)
- BRK3014 Azure Active Directory best practices from around the world (Thu 4:00–5:15; Tarek Dawoud, Mark Morowczynski)
Identity @ Ignite | Friday
- BRK2276 Modernize your customer identity management with Azure Active Directory B2C (OCCC W314, Friday 9:00-9:45; Saeed Akhter)

Please evaluate this session
- From your PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations
- From your phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp
Your input is important!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Appendix

For Reference: All the subscriptions you see here trust this directory tenant

Least Privilege & Azure AD Role Management
If you decide to manage your own Azure AD tenant:
- Create a “break glass” account to be a member of Global Admin
- Use Azure AD RBAC built-in roles to grant minimum access
- Check out the PIM for Azure AD RBAC preview

Grant Access To People Outside Your Org: B2B
- When making a role assignment, enter the email of the person outside the organization
- The person is invited and a guest account is created in Azure AD
- Guest must use a Microsoft personal or work account
- Azure AD Global Admin can control who can invite guests: https://portal.azure.com > Azure Active Directory > User settings

How Guest Accounts Work: MSA Guest
(Diagram: Helen’s Microsoft account (personal) helen@outlook.com appears as the guest “helen@outlook.com@contoso.com” in Contoso.com and as “helen@outlook.com@fabrikam.com” in Fabrikam.com.)

How Guest Accounts Work: Azure AD Guest
(Diagram: helen@contoso.com from Contoso.com (Helen’s home tenant) appears as the guest “helen@contoso.com@fabrikam.com” in Fabrikam.com.)

Safe Handling of App and Script Credentials
- Apps and scripts need credentials to authenticate to cloud services
- Don’t want credentials to appear on dev/ops workstations or in source control
- How do we safely deliver credentials to apps and scripts?
(Diagram: Azure Web App, Azure SQL, Azure Key Vault)

Extend RBAC to Azure Storage Data Plane
Challenge:
- Authenticating to the Azure Storage data plane requires using & managing storage keys or Shared Access Signature (SAS) credentials
- Only coarse-grained access control: if you have the keys you have full control
Solution: “As dev/ops, I can centrally control access to the data plane of Azure Storage using Azure RBAC.”
- Control access at container level
- Roles to vary levels of access
- Integrate with Azure AD sign-in to enable access by users, groups and Managed Service Identities