ENow Blog | Azure & Active Directory Center

Active Directory Monitoring: Stuck with a COVID Tenant? Start Integrating it into your Infrastructure Today

Written by Sander Berkouwer | Apr 2, 2021 8:45:00 PM

In the first quarters of 2020, when organizations were confronted with the demand to work any place, any device, all the time, some had to scramble to make things work. One of the common approaches we found was creating a “COVID Microsoft 365 tenant” and provisioning other temporary solutions.

However, in IT, things that were meant as temporary solutions often turn out to be the most permanent solutions.

There are many technological advantages to integrating these “COVID tenants” with your on-premises environment. Everything starts with identity with Microsoft, so let’s see why integrating your COVID Azure AD tenant with your on-premises Active Directory is a good idea and an important step in successful Active Directory Monitoring.

The thought process behind temporary tenants

Even though a lot of Active Directory environments still use *.local DNS domain names, these environments are rarely air-gapped. They’re not completely disconnected from the Internet. Interestingly, that was the main intent for the *.local DNS domain name. Emerging trends like federation and cloud have placed organizations further on the path of connectivity with the outside world. Even before COVID, installing updates often dictated connectivity.

COVID, however, provided the ultimate push. Every organization embraced Zoom, WebEx, Teams and the likes. This way, organizations offered solutions to their suddenly geographically dispersed teams. With this push also came a new importance for Active Directory Monitoring in order to fully support these new tools. These tools also replaced face to face meetings with partners, even on the highest government and international levels. Now, being connected to the Internet proved to be the organization’s lifeline. In the second quarter of 2020 it was a matter of adapt or die.

Sitting in the war rooms of this type of organizations, one can certainly envision the security-savvy person raising a hand and exclaiming: “But surely that doesn’t mean we need to integrate our cloud stuff with our on-premises infrastructure!?”. Good point. Indeed, it doesn’t. Not necessarily.

Not integrating Azure AD with Active Directory saves time and effort. Not having to trust an outside service means not having to verify its intentions or traffic flows… and repeating the process every few months.

I get it.

Drawbacks of non-integrated tenants

Not integrating an Azure AD or Microsoft 365 tenant, however, also has some serious drawbacks:

There is no single sign-on.

Single sign-on is often regarded as an employee productivity nice-to-have. Less credential prompts mean employees can work seamlessly with multiple applications, including cloud applications. There are more serious benefits from single sign-on, though:

  • When a malicious website or criminal attacker tries to phish credentials, employees enjoying single sign-on would frown upon the credential prompt. Well-instructed employees would immediately raise an alert with the proper department(s).
  • Single sign-on puts an organization on the path of passwordless authentication and zero trust.
  • When a certain amount of functionality is accessible through single sign-on, this type of access becomes the norm. From a business perspective, new functionality is expected to provide this functionality or face non-adoption.

Ironically, all these outcomes are beneficial to the security department.

Cloud Artificial Intelligence isn’t available for Identity.

The Microsoft Cloud provides meaningful opportunities to strengthen the security of on-premises Active Directory and AD FS environments:

-Azure AD Connect Health
The Azure AD Connect Health service communicates to health agents installed on Domain Controllers, AD FS servers, Web Application Proxies and Azure AD Connect installations. When anything is wrong in the synchronization or in the synthetic sign-ins, admins get notifications. On top of that, admins gain insight in the utilization of these components beyond the Microsoft cloud.
 
- Azure AD Identity Protection
The built-in Identity Protection feature of Azure AD assigns a risk score to every sign-in. Outliers to the normal sign-in activities gain a higher risk score. These risky sign-ins may prompt multi-factor authentication. Too many risky sign-ins label the corresponding user object as a risky user. Billions of signals are poured into Identity Protection’s model daily to tweak it, including leaked credentials. Beyond a certain risk threshold, the person needs to change the password.
 
- Microsoft Defender for Identity
Gone are Microsoft’s days of having on-premises servers scour through piles of Domain Controller logs to search for anomalies with its Advanced Threat Analytics (ATA) solution. ATA‘s mainstream support ended on January 12, 2021. However, its successor, Microsoft Defender for Identity, is here to assist you in protecting Active Directory. From the cloud.
 
- Azure Sentinel
Following the same ‘all your logs are belong to us’ playbook as Defender for Identity, organizations may rely on Azure Sentinel as their cloud-powered and automatically scaling Security Information and Event Monitoring (SIEM) and Security Automation, Orchestration and Response (SOAR) solution.

Again, these services are especially beneficial to the security department. All user objects don’t even need to be synchronized from Active Directory to Azure AD in all cases.

High availability is your issue on-premises.

For on-premises organizations, providing high availability is a heavy burden. Multiple datacenter locations, (virtually) private interconnectivity between the datacenters, synchronous storage and active-active implementations of high-priority workload chains; it all adds up.

By extending into Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS), making on-premises infrastructure and platforms geographically redundant is easy. By design, services like SharePoint Online and OneDrive for Business are spread out over multiple geographies within legal boundaries. When using Teams, SharePoint Online and OneDrive for Business are automatically part of the mix. Yet, your organization also meddles on-premises with technologies like Distributed File System, SQL Server Always On Availability groups, etc. to make files geographically redundant and databases for SharePoint Server highly available.

If the data is not too sensitive, you can migrate functionality from on-premises Exchange Server, SharePoint Server and file server implementations to Microsoft 365 services, going forward. Even if this move does not include all mailboxes, sites, files and folders, at least the on-premises burden diminishes. The cost of synchronous data replication, storage and the associated complexity to manage them diminishes significantly when your organization only needs it for some of its business.

Cloud adoption doesn’t have to be a matter of principle. It can be a matter of practicality.

But wait a minute. “Don’t we want to use credentials with the same information security assurances as we do on-premises?”, would be what your security team asks. Indeed, for this purpose synchronizing user objects and (a subset of) their attributes would be required.

Support for on-premises identity and access management solutions is waning.

For large organizations, manually provisioning and deprovisioning user objects in directory systems only leads to long provisioning times and loss of attribute integrity. Many solutions to automate these processes – and even introduce pre-provisioning and pre-deprovisioning process steps – seem to be moving away from supporting Active Directory and its 20-year-old protocols. Instead, a lot of solutions now feature support for Azure AD, with its open protocols.

As more vendors switch to Azure AD, the table will be turned on identity and access management. Competitors are already reaping the benefits of expedited provisioning through their Azure AD investments, while your organization still holds on to a point solution based on clunky protocols to keep things going…

Integrating your tenant

Integrating Microsoft 365 and Azure tenants with your organization’s on-premises identity and access management (IAM) systems makes sense for the security-savvy departments in organizations. Of course, they will need to warm their cold feet into cloud feet.

Board members may ask the uncomfortable question if the security department’s overcautiousness towards the cloud simply leads to:

- higher costs for IT infrastructure;
- an overabundance of security signals leading to an insurmountable SOC workload and possible oversight of important incidents;
- degradation of the organization’s information security awareness, and;
- inefficient provisioning and deprovisioning processes.

Adding single sign-on, artificial intelligence for security incidents and high availability through a cloud tier can significantly improve these three areas and are is an integral component of Active Directory Monitoring, but only when the security department and regulations allow an organization to do so.

If the benefits add up for your organization, it’s best to start integrating your COVID tenant into your infrastructure today.

Active Directory Monitoring and Reporting

Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.

Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.