There are many types of organizations. Some organizations have started as cloud-only. Other organizations are still very much entrenched on-premises. From the last group of organizations, I hear the following sentence a lot: “We don’t use Azure AD.”
I think this is an interesting but dangerous thing to say.
There are many on-premises organizations that have not (yet) started the transition of their strictly on-premises identity infrastructure to a hybrid identity implementation. In Microsoft terms: They haven’t started coupling their on-premises Active Directory forests to Azure Active Directory. The usual way organizations go about this change is by implementing Azure AD Connect – Microsoft’s free object synchronization solution – and choosing a hybrid sign-in method like Active Directory Federation Services (AD FS), Pass-through Authentication (PTA), Password Hash Synchronization (PHS), or a mix of two or more of the above.
As its core benefit, hybrid identity offers single sign-on access to both on-premises applications and systems (through Active Directory) and cloud services (through Azure AD).
When I hear “We don’t use Azure AD.”, typically, organizations refer to the fact that they haven’t implemented Azure AD Connect, or one of the many other options to synchronize objects between Active Directory and Azure AD. In these cases, I translate what people tell me into the following:
- “We have Microsoft 365, but have no idea Azure AD acts as its identity platform.”

Azure AD started out as the Microsoft Online Directory Services (MSODS). Later, it evolved into the cloud identity platform we know today and became a service with its own name. Azure AD now underpins all of Azure’s and Microsoft 365’s services, applications and systems. I vividly remember Yammer being one of the services to succumb to this transition and the fun projects we had.
As a service provider, it’s a good strategy to focus on cash cows. Office 365 is Microsoft’s cloud cash cow. As organizations embraced Exchange Online in the past few years, much of the wording in Microsoft tools revolved around Office 365. Even today, when you use Active Directory Federation Services (AD FS) to have people in your organization authenticate to Azure AD-integrated services, the corresponding relying party trust is aptly named ‘Microsoft Office 365 Identity Platform’. Under the hood, however, a connection is made to Azure AD.
I feel it’s dangerous to say “We don’t use Azure AD” in the context of an organization that is unaware of Azure AD acting as the underlying identity platform to all Microsoft cloud services.
Your organization does use Azure AD, yet your admins are not managing it. Organizationally speaking, you don’t use it, so admins wouldn’t have it in scope of their administrative responsibilities. However, with its default settings focused on adoption, Azure AD can be a platform that attackers can take advantage of in multiple ways. Attackers may:

- Introduce rogue applications siphoning organizational data with the default app registration and consent settings.

It’s also dangerous to say “We don’t use Azure AD” in the context of an organization that has no hybrid identity implementation and therefore assumes that the organization doesn’t use Azure AD.
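A defender's first check against the adoption-friendly defaults mentioned above, as an added example that is not from the original post: it reads the tenant's authorization policy with the Microsoft Graph PowerShell SDK and reports whether ordinary users may register applications, consent to them, and sign up for email-based subscriptions, then lists the apps that individual users have already consented to. It assumes the Microsoft.Graph module is installed and an account that can be granted the Policy.Read.All and Directory.Read.All permissions.

```powershell
# Added example: inspect the tenant-wide defaults that govern app registration and user consent.
# Assumes the Microsoft.Graph PowerShell module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" | Out-Null

$policy = Get-MgPolicyAuthorizationPolicy
$defaults = $policy.DefaultUserRolePermissions

# Permission-grant policies assigned to the default user role (Graph's authorizationPolicy resource).
# An empty list means users cannot consent to apps; the "...-legacy" policy means any user
# may consent to any app for any delegated permission, which is the adoption-focused default.
$grantPolicies = @($defaults.PermissionGrantPoliciesAssigned)

[pscustomobject]@{
    UsersCanRegisterApps         = $defaults.AllowedToCreateApps
    UserConsentEnabled           = ($grantPolicies.Count -gt 0)
    UnrestrictedUserConsent      = ($grantPolicies -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
    UserConsentPolicies          = ($grantPolicies -join ', ')
    EmailBasedSignupAllowed      = $policy.AllowedToSignUpEmailBasedSubscriptions
    EmailVerifiedUsersCanJoin    = $policy.AllowEmailVerifiedUsersToJoinOrganization
} | Format-List

# Delegated grants with ConsentType 'Principal' were consented by individual users rather than
# an admin; this is where an app quietly collecting organizational data would show up.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    Group-Object ClientId |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.Name
        [pscustomobject]@{
            App        = $sp.DisplayName
            Publisher  = $sp.PublisherName
            UserGrants = $_.Count
            Scopes     = (($_.Group.Scope -split ' ' | Select-Object -Unique) -join ' ')
        }
    } | Sort-Object UserGrants -Descending | Format-Table -AutoSize
```

Review the second table for apps from unknown publishers that request broad scopes such as mail or files access, and compare the first table against the consent settings you actually intend for the tenant.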
Let me explain. My most fun projects are implementing hybrid identity for large organizations. Most of them have been lagging in terms of technology for years and are now getting around to adopting Azure AD, because of the inevitable migration to Exchange Online or an application vendor who no longer supports any other identity platform than Azure AD.
Without exception, people in these organizations have been using Azure AD for years already. In my project forecasts, I explicitly account for inventory and remediation of the shadow IT that I undoubtedly encounter the moment I verify the DNS domain name for the organization in Azure AD. That’s the moment I get an overview of all the accounts for the people already using Azure AD-integrated functionality, based on invitations and registrations with their corporate email addresses.
Until March 2021, Microsoft created accounts in Azure AD automatically when an invitation was redeemed. These accounts were placed in Microsoft-managed tenants. Before GDPR, these tenants were officially referred to as “unmanaged tenants” and unofficially referred to as “viral tenants”.
Invitations could be sent from within SharePoint Online, Teams, Power BI and many other Azure AD-integrated services. But people could also sign up for trial services with their corporate email addresses, to take a look at Microsoft’s Power Platform for instance. A third common scenario plays out when admins manage Enterprise Agreement (EA) licenses in the EA portal.
Uncovering this wide shadow IT tethered to Azure AD is quite disconcerting to many of my customers. I often channel this energy into an urgency to manage Azure AD properly after the implementation project is delivered.
Going forward, I’m betting that we won’t see many organizations mismanaging Azure AD.
There are two main reasons for my optimism:
Microsoft has made fantastic steps in recent months towards educating IT professionals to learn and understand Azure AD and hybrid identity. There is now a specialized Microsoft exam for people who design, implement, and operate an organization’s identity and access management (IAM) systems by using Azure AD: Exam SC-300 Microsoft Identity and Access Administrator. My hope is that this will help organizations become aware of the role Azure AD plays, as fresh administrators and consultants gain and spread Azure AD-specific knowledge.
Another change addresses the dangerous technical aspects of Azure AD-instilled shadow IT. Microsoft is quitting its practice of creating Azure AD accounts and Microsoft-managed Azure AD tenants when redeeming invitations.
Instead, Microsoft is rolling out the email one-time passcode authentication (email OTP) feature to redeem invitations, for people who don’t have an Azure AD account yet. This feature has already been enabled for new Azure AD tenants and will be enabled for all existing Azure AD tenants in October 2021.
With this feature, people in strictly on-premises organizations no longer have to go through the process of registering an Azure AD account with the ability to perform self-service password reset. Instead, they click the link they receive to collaborate and then get a one-time passcode sent to their email address. The OTP grants them access to the shared resource within 30 minutes.
In my opinion, the arrival of email OTP as the default authentication method for external collaboration leads to a decrease in complexity and attack surface for organizations that do not manage Azure AD.
People in strictly on-premises organizations now have to supply a one-time passcode every time they start a session with the shared resource. However, I believe that the absence of single sign-on and the inability to save the password to a browser or password manager leads to increased internal pressure to adopt hybrid identity, especially when a C-level executive comes across this experience.
With educated IT professionals and more hybrid identity implementations, the future is bright.
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge compared to his true goal: helping people use the technology on a daily basis, in a way that ICT is not a mere hurdle but an infinite enabler. His work as a consultant, blogger and trainer is a means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aid him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support. Sander is also a Virtual Product Owner for AppGov and ENow.