Step-by-Step guide to migrate active directory FSMO roles from windows server 2012 R2 to windows server 2016

Windows server 2016 was released for public (GA) on mid oct 2016. Its exciting time as businesses are already working on migrating their services in to new windows server 2016 infrastructures. In this post, I am going to explain how you can migrate from active directory running on windows server 2012 R2 to windows server 2016 active directory. The same steps are valid for migrating from windows server 2012, windows server 2008 R2 and windows server 2008.

In my demo setup, I have a windows server 2012 R2 domain controller as PDC. I setup windows server 2016 and already added to the existing domain.

updc1

Current domain and forest functional level of the domain is windows server 2012 R2.

updc2

So, let’s start with the migrate process. 

Install Active Directory on windows server 2016
 
1. Log in to windows server 2016 as domain administrator or enterprise administrator
2. Check the IP address details and put the local host IP address as the primary DNS and another AD server as secondary DNS. This is because after AD install, server itself will act as DNS server
3. Run servermanager.exe form PowerShell to open server manager (there is many ways to open it) 
updc3
 
4. Then click on Add Roles and Features
updc4
 
5. It will open up the wizard, click next to continue
updc5
 
6. In next window keep the default and click next
updc6
 
7. Roles will be installed on same server, so leave the default selection and click next to continue
updc7
 
8. Under the server roles tick on Active Directory Domain Services, then it will prompt with the features needs for the role. Click on add features. Then click next to proceed
updc8
updc9
updc10
 
9. On the features windows keep the default and click next
updc11
 
10. In next window, it will give brief description about AD DS, click next to proceed 
updc12
 
11. Then in next window it will give brief description about configuration and click on install to start the role installation process. 
updc13
updc14
 
12. Once installation completed, click on promote this server to a domain controller option
updc15
 
13. It will open up the Active Directory Domain Service configuration wizard, leave the option Add a domain controller to existing domain selected and click next.
updc16
 
14. In next window define a DSRM password and click next
updc17
 
15. In next window click on next to proceed
updc18
 
16. In next windows, it asks from where to replicate domain information. You can select the specific server or leave it default. Once done click next to proceed. 
updc19
 
17. Then it shows the paths for AD DS database, log files and SYSVOL folder. You can change the paths or leave default. In demo, I will keep default and click next to continue
updc20
 
18. In next windows, it will explain about preparation options. Since this is first windows server 2016 AD on the domain it will run forest and domain preparation task as part of the configuration process. Click next to proceed.
updc21
 
19. In next window, it will list down the options we selected. Click next to proceed. 
updc22
 
20. Then it will run prerequisite check, if all good click on install to start the configuration process.
updc23
 
21. Once the installation completes it will restart the server. 
updc24
 
Migrate FSMO Roles to windows server 2016 AD
 
I assume by now you have idea what is FSMO roles. If not search my blog and you will find article explaining those roles. 
There are 2 ways to move the FSMO roles from one AD server to another. One is using GUI and other one is using command line. I had already written articles about GUI method before so I am going to use PowerShell this time to move FSMO roles. If you like to use GUI mode search my blog and you will find articles on it. 
 
1) Log in to windows server 2016 AD as enterprise administrator
2) Open up the Powershell as administrator. Then type netdom query fsmo. This will list down the FSMO roles and its current owner. 
updc25
 
3) In my demo, the windows server 2012 R2 DC server holds all 5 fsmo roles. Now to move fsmo roles over, type Move-ADDirectoryServerOperationMasterRole -Identity REBELTEST-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster and press enter
 
In here REBELTEST-PDC01 is the windows server 2016 DC. If FSMO roles are placed on different servers, you can migrate each and every FSMO roles to different servers. 
updc26
 
4) Once its completed, type netdom query fsmo again and you can see now its windows server 2016 DC is the new FSMO roles owner. 
updc27

 
Uninstall AD role from windows server 2012 R2
 
Now we moved FSMO roles but we still running system on windows 2012 R2 domain and forest functional levels. In order to upgrade it, first we need to decommission AD roles from existing windows server 2012 R2 servers. 
 
1) Log in to windows 2012 R2 domain server as enterprise administrator
2) Open the PowerShell as administrator
3) Then type Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition and press enter. It will ask for local administrator password. provide new password for local administrator and press enter.
updc28
updc29
updc30
 
4) Once its completed it will restart the server.
 
Upgrade the forest and domain functional levels to windows server 2016
 
Now we have the windows server 2012 R2 domain controllers demoted, next step is to upgrade domain and forest functional levels. 
 
1) Log in to windows server 2016 DC as enterprise administrator 
2) Open PowerShell as administrator
3) Then type Set-ADDomainMode –identity rebeladmin.net -DomainMode Windows2016Domain to upgrade domain functional level to windows server 2016.  In here rebeladmin.net is the domain name. 
updc31
 
4) Then type Set-ADForestMode -Identity rebeladmin.net -ForestMode Windows2016Forest to upgrade forest functional level.
updc32
 
5) Once done you can run Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode to confirm new domain and functional level 
updc33
 
Hope this post was useful and if you got any questions feel free to contact me on rebeladm@live.com


Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step guide to setup Active Directory on Windows Server 2016

Long wait is over for windows server 2016 and its available for public from Oct 12, 2016. So most looking for upgrade paths or at least start testing in their lab environments. (if it wasn’t brave enough to try with technical previews :) ). 

What is new in Active Directory? 

There are interesting new features such as time based group membership, privileged access management etc. but in this post I am not going to discuss those as I am going to write separate articles to provide more info about those new features. But still you can find more details https://technet.microsoft.com/en-us/windows-server-docs/identity/whats-new-active-directory-domain-services

In this post I am going to demonstrate how to install active directory on windows server 2016. 

Before the AD install it is important to understand what is the minimum requirement to install windows server 2016. This information can find in https://technet.microsoft.com/en-us/windows-server-docs/get-started/system-requirements–and-installation

Processor

1.4 GHz 64-bit processor

Compatible with x64 instruction set

Supports NX and DEP

Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW

Supports Second Level Address Translation (EPT or NPT)

Coreinfo is a tool you can use to confirm which of these capabilities you CPU has.

RAM

512 MB (2 GB for Server with Desktop Experience installation option)

ECC (Error Correcting Code) type or similar technology

Storage controller and disk space requirements

Computers that run Windows Server 2016 must include a storage adapter that is compliant with the PCI Express architecture specification. Persistent storage devices on servers classified as hard disk drives must not be PATA. Windows Server 2016 does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives.

The following are the estimated minimum disk space requirements for the system partition.

Minimum: 32 GB

Network adapter requirements

Minimum:

An Ethernet adapter capable of at least gigabit throughput

Compliant with the PCI Express architecture specification.

Supports Pre-boot Execution Environment (PXE).

A network adapter that supports network debugging (KDNet) is useful, but not a minimum requirement.

So in my demo I am using a virtual server with windows server 2016 datacenter. In order to setup active directory we need to log in as local administrator. First thing to check is IP address configuration. 

1) Once Active directory setup on the server, it also going to act as DNS server. There for change the DNS settings in network interface and set the server IP address (or local host IP 127.0.0.1) as the primary DNS server.

2016AD1

2) Then open the server manager. Go to PowerShell (as administrator) and type ServerManager.exe and press enter.

2016AD2

3) Then on server manager click on add roles and features

2016AD3

4) Then it opens the add roles and features wizard. Click on next to proceed. 

2016AD4

5) Then in next window keep the default and click next

2016AD5

6) Since its going to be local server, in next window keep the default selection. 

2016AD6

7) In next window from the roles put tick box for active directory domain services. Then it will prompt to show you what are the associated features for the role. Click on add features to add those. Then click next to continue.

2016AD7

2016AD8

2016AD9

8) The features page, keep it default and click on next to proceed. 

2016AD10

9) In next windows it gives brief description about AD DS service. Click next to proceed.

2016AD11

10) Then it will give the confirmation about install, click on install to start the role installation process. 

2016AD12

11) Once done, it will start the installation process

2016AD13

12) Once installation completes, click on option promote this server to a domain controller.

2016AD14

13) Then it will open the active directory configuration wizard. In my demo I am going to setup new forest. But if you adding this to existing domain you can choose relevant option. (I am going to write separate article to cover how you can upgrade from older version of Active Directory). Select the option to add new forest and type FQDN for the domain. Then click next.

2016AD15

14) In next page you can select the domain and forest functional levels. I am going to set it up with latest. Then type a password for DSRM. Then click next

2016AD16

15) For the DNS options, this going to be the first DNS server in new forest. So no need any modifications. Click next to proceed. 

2016AD17

16) For the NETBIOS name keep the default and click next 

2016AD18

17) Next page is to define the NTDS, SYSVOL and LOG file folders. You can keep default or define different path for these. In demo I will be keeping default. Once changes are done, click next to continue

2016AD19

18) Next page will give option to review the configuration changes. If everything okay you can click next to proceed or otherwise can go back and change the settings. 

2016AD20

19) In next windows it will do prerequisite check. If it’s all good it will enable option to install. Click on install to begin installation process. 

2016AD21

20) Then it will start the installation process. 

2016AD22

21) After the installation system will restart automatically. Once it comes back log in to the server as domain admin.

2016AD23

22) Once log in open the powershell (as administrator) and type dsac.exe and press enter. It will open up the active directory administrative center. There you can start managing the resources. 

2016AD24

2016AD25

23) Also you can use Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode from powershell to confirm domain and forest functional levels

2016AD26

Hope this was helpful and if you have any questions feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Azure Active Directory management experience in preview

Azure Active Directory management experience now in preview. This is very big step as now in one place you can management all your azure active directory related functions. Previously we had to move through few screens to access different AD related functions. For example, if I need to access identity management or Azure AD connect health both functions are in different pages. Navigation was painful sometime. But now it’s all integrated in once console. You also do not need to go to classic portal anymore to access Azure AD. And more importantly monitoring and reporting is nicely integrated and its allows to review the health of your azure AD infrastructure more sufficiently. Idea of this post is to show you these functions available in preview. 

To access the Azure Active Directory management experience preview, log in to azure portal and click on the azure active directory from the left hand options. 

pre1

If it’s not there go to more services and then type azure active directory. It will list the option down and click on the yellow start next to name to add it to the above list. 

pre2

The initial tile contain links to different options and also quick links to the functions such as add users, add groups, access application and quickly check the health of azure AD connect. 

pre3

Other capabilities tile gives links to feature such as PIM and IM. 

pre4

Recommended tab gives you recommendations to make your setup better. Beauty is if you click on each link it will directly bring you to the task to enable or configure it

pre5

pre6

In the top if you click on the notification it will bring you to the page where it lists down more info about preview and quick links to setup your Azure AD infrastructure. 

pre7

pre8

pre9

The right hand navigation link to different section. 

pre10

Users and groups link will bring you to the section where you can manage your users and groups. What I like is it’s also list all the associated functions for the feature such as password reset. 

pre11

By clicking on a user account it will list down its activities, group membership and profile details. Also in same page it has option to reset password or even to delete. 

pre12

Under the activity you can review sign in and audit logs.

pre13

Enterprise application option will bring you to the page to review your application usage under the directory. 

pre21

App Registration option will bring you to manage your app registration

pre14

Azure AD Connect link will give you option to setup the initial sync or to manage already setup sync. Also it gives links to load up the azure AD connect health

pre15

Domain Names option allow you to manage your domain names. You can add domain names, delete names etc. 

pre16

Password reset option gives you option to setup/manage the self-service password reset feature. By the way you need Azure premium subscriptions to use this feature.

pre17

Company branding option – this is really useful feature. There you have options to customize the login pages using company own logo, texts etc. 

pre18

User settings are to manage the user privileges to the azure active directory instance. 

pre19

Last but not least if you still wish to manage azure AD using classic portal you can navigate it to it using classic portal option

pre20

This new feature is really big improvement for the Azure AD management and hope lots of you agree. 

If you have any questions, feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Which azure active directory edition I should buy?

4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da

Azure active directory is responsible for providing identity service for Microsoft online service’s needs. When I talk to people about azure AD one of most common problem they ask is what version I should buy? my existing subscription will work for the features I looking for? The myth is, lot of people still thinks azure subscriptions and prices are complicated, but if you understand what each subscription can do it’s not that hard. I have seen people paying for Azure AD premium version when azure AD free version can give the features they needed for their environment and some people struggling to implement features only available for premium version using their free azure AD instance. In this blog post I am going to list down the features for each azure AD version and hope it will help you to decide the version you need for your setup.

There are 4 Azure AD editions,

1) Free

2) Basic

3) Premium P1

4) Premium P2

Free – if you subscribed to any Microsoft online service such as azure or office 365 you will get the free azure AD version. You do not need to pay for this. But it got limited features which I will explain later in this post.

Basic – Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
 
Premium P1 – Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), identity protection and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.
 
Premium P2 – Designed with advanced protection for all your users and administrators, this new offering includes all the capabilities in Azure AD Premium P1 as well as our new Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. We also help you manage and protect privileged accounts with Azure Active Directory Privileged Identity Management so you can discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.
 
azure ad version 1
azure ad version 2
azure ad version 3
 
You can find more info about the subscriptions from 
 
if you got any question feel free to contact me on rebeladm@live.com

 
Note : Image Source https://f.ch9.ms/thumbnail/4ac52e5b-b3ac-4fbd-bbc7-bd4bae8403da.png
Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Getting Started with Azure AD B2B collaboration

What is Azure AD B2B ?

By now I assume you have idea what is Azure AD and how it works. If you are new to my blog, please search for Azure AD on my blog and you will be able to find articles explaining about it and its capabilities. Azure AD manage identities for the company and it will allow to control access to resources such as applications. Sometime based on business requirements companies have to share their resources with partners, other companies in group etc. in such scenario Azure AD B2B collaboration supports to share resources with another party using their own identities.

Using Azure AD B2B partners can use Azure AD account they create using the invitation process. Then azure admins can control the access to the applications. Once the tasks are completed those accounts easily can remove from the azure AD and all the permissions to the resources will be revoked. The partner company do not need to have any azure subscription and it allow to provide quick access to the resource with minimum changes.  

How it works?

1) Administrator invites the partner users by uploading the user details using CSV file. This file need to create with specific fields and values and more details can find on https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2b-references-csv-file-format/

2) Azure portal sends invite emails to the users which is imported using CSV file

3) Users click on email link and sign in using their work credentials (if they have azure AD account) or sign up as an Azure AD B2B collaboration user

4) User log in and access the shared resources

Let’s see it in action 

To enable azure AD B2B collaboration for an Azure AD instance you need to have global administrator privileges. So before you start make sure you got the relevant permissions. 

As I said previously the user accounts details need to be uploaded via a CSV file. In here I have created a simple CSV file with test account.

b2b1

After that log in to azure portal and load the Azure AD instance you already have.

b2b2

Then go to users and click on Add

b2b3

From the wizard select the “Users in Partner Companies” as the type of the user

b2b4

then brows for the CSV file and import

b2b5

after few minutes the user got email with link

b2b6

once click on the link it will load up a page and click next to continue

b2b7

in next page provide a password and click next

b2b8

it will send code to verify email address and once you put it there click on finish

b2b9

once process finish, we can see the new user under the azure AD users

b2b10

now I have application under my directory and when I go to users I can see the new user we setup. I have assign the permission for the new user for the app.

b2b11

So when login to the azure portal as the new partner user now can see the applications which is assigned for the user.

b2b12

Hope this was helpful and if you have questions feel free to contact me on rebeladm@live.com 

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to assign Reserved IP address to Azure VM

In azure all the IP address assignments are dynamic by default. Which means IP addresses can change in restart. There are 2 methods you can use to assign IP address to a VM in azure. its dynamic and static

Why we need static IP addresses ?

1) Application requirements – sometime applications need to connect with fixed IP address. For example, if it’s a database VM it’s important to have static IP address so application settings always can refer to that. 

2) Security – when VM uses static IP addresses we can create firewall rules easily. So there is more control over traffic flow as well. 

In azure, static IP address (public) is count as a service so there will be addition charge for it. 

In azure there is 2 methods to deploy and manage a VM. 

1) By Using Classic Mode

2) By Using Resources Manager 

Assigning a static IP address (public) is different for these 2 methods. In this blog post I am going to demonstrate how to do it using both modes. 

Assign Static IP Address in classic deployment model

Before we start need to make sure following prerequisites are in place. 

Global Administrator account for the Azure Subscription

Azure PowerShell Module installed in local computer – you can download it from http://aka.ms/webpi-azps

In my demo I got a classic virtual machine running and it’s got dynamic public IP address assigned. In demo I am going to show how we can make it as reserved IP address. 

1) Log in to PC where Azure PowerShell Module installed and open the powershell as administrator

2) Then type Add-AzureAccount and press enter

3) Then it will prompt for the azure credential and login as global administrator

rip2

4) Then type New-AzureReservedIP –ReservedIPName DCM01ReservedIP –Location "East US" -ServiceName DCM01  – in the command DCM01ReservedIP is the name for the reserved IP address and Location define the location of the IP address ( can be US, Europe etc.). 

rip3

5) Now it’s done and when I go to DCM01 VM now its shows the IP address as reserved. 

rip4

6) Also in power shell type Get-AzureReservedIP and it will show the reserved IP details 

rip5
 

Using Resource Manager deployment mode

In the resource manager I have a VM running and the public address by default. I need to change it to static. 

rip6

1) To change click on the VM from the virtual machine container 

2) Then click on the public IP address and DNS name

rip7

3) Then it will load the configuration and to change click on the configuration option

rip8

4) It will then list down the public IP configuration, as can see by default its dynamic to set it to static need to click on static option and click on save. This will make the IP address static.

rip9

rip10

Hope this post was helpful and if you have any question feel free to contact me on rebeladm@live.com 

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

STEP-BY-STEP GUIDE TO AZURE AD PRIVILEGED IDENTITY MANAGEMENT – PART 2

In my previous post on this series I have explain about azure AD privileged identity management including its features and how to get it enabled. If you not read it yet you can find it using this link.

in this post I am going to show you more of its features and capabilities. 

How to manage privileged roles?

The main point of the identity management is that administrators will have the required privileges when they needed. In part 1 of the post billing administrators and service administrator roles were eligible for the Identity management. So it will remove its permanent permissions which is assigned to role. 

So if you still need to make one of the account permanent administrator let’s see how we can do it. 

Log in to the azure portal as global administrator (it should be associated with relevant AD instance)

Open the azure identity management from portal

idm2-1

Then click on managed privileged roles

idm2-2

In next page it will list down the summary of the roles. Let’s assume we need to make one of the billing administrators “permanent”. To do that click on billing administrators

idm2-3

It will list down the users which is eligible for the role and click on the account you need to make permanent. 

idm2-4

Then click on more in next page and click on option make perm

idm2-5

Once completed its shows as permanent

idm2-6

Same way we can add an administrator to the roles. To do it go to roles, if you need to add new role it can do too. Click on roles on the manage privileges roles page

idm2-10roles

Then click on add

idm2-11roles

Then from roles click on the role you going to add

idm2-12roles

Then under the select users, select the user using search and click on done

idm2-13roles

 

How to activate roles?

Now we have the roles but how we can use them with time bound activation (Just in time administration

Go to the role page again like in previous page. In my demo I am going to use service administrator role

Then click on settings

idm2-7

In next window we can see that option to define the time. Also we can enable notifications so email notification will send to admin in event of role activation. Also option to request ticket or incident number. This is important to justify the privileged access. Also can use the multifactor authentication in activation to make sure the request is legitimate. 

idm2-8

idm2-9

Once you satisfied with settings, click on save to apply. 

Then for the testing I logged in as the security administrator to the azure portal. 

idm2-14

Then go to the privileged identity management page

Click on the service administrator 

idm2-15

Then click on the activate button, to activate the role

idm2-16

According to the settings its asking for ticket number for activation. Once put the information click on ok

idm2-17

Perfect, now its saying when it expires and it also shows the that roles been activated

idm2-18

Now I change the login and logged back as global administrator.

Then if go to privileged management page and click on audit history you can see all the events. 

idm2-19

idm2-20

Hope this series add knowledge about azure AD privileged identity management and if you have any questions feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Step-by-Step Guide to Azure AD Privileged Identity Management – Part 1

Privileged Identity Management is boarder topic to discuss with. First thing first do not think it as another feature or product from Microsoft. The way I see it as a lot of methodologies, technologies came together and making a new process. I am saying it because with this concept we need to rethink about how current identities been managed in infrastructure. Administrators, users need to change the way they think about the permissions. 

In any infrastructure we have different type of administrators. It can be domain administrators, local administrators, service administrators. If its hybrid setup it may have cloud administrators too. The question is do you have fully control over these accounts and its permissions? do you aware of their activities using these permissions? how do you know it’s not been compromised already? If I say solution is to revoke these administrator privileges yes it will work but problem is how much additional work to restore this permission when needed? and also how practical it is? it’s also have a social impact too, if you walk down to your users and say that I’m going to revoke your admin privileges what will be their response? 

Privileged access management is not a new topic it’s been in industry for long but problem is still not lot considering about it. Microsoft step up and introduce new products, concepts to bring it forward again as this is definitely needed in current infrastructures to address modern threats towards identities. The good thing about this new tools and technologies, its more automated and the user accounts will have the required permissions whenever they needed. In your infrastructure this can achieve using Microsoft identity manager 2016 but need lot more work with new concepts which I will explain in future posts. Microsoft introduce same concept to the azure cloud as well. In this post we going to look in to this new feature. 

Using azure privileged identity management, we can manage, control and monitor the permissions to the azure resources such as azure AD, office 365, intune and SaaS applications. Identity management will help to do following,

Identify the current azure AD administrators your azure subscriptions have

Just-in-Time administration – This is something I really like. Now you can assign administration permissions on demand for period of time. For example, user A can be office 365 administrator for 11am to 12pm. Once the time limit reach system will revoke the administrator privileges automatically

Reports to view the privileged accounts access history and changes in administrator assignments

Alerts when access to privileged role

Azure AD privileged identity management can manage following organizational roles,

Global Administrator – Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

Billing Administrator – Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Service Administrator – Manages service requests and monitors service health.

User Administrator – Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Password Administrator – Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

Let’s see how to enable azure AD privileged identity management,
Before start make sure you got global administrator privileges to the azure AD directory that you going to enable this feature.
 
1) Log in to the azure portal as global administrator
2) Go to New > Security + Identity > Azure AD privileged identity management 
 
aim1
 
3) Then click on create to start the process
 
aim2
 
4) In first step it will identify the privileged roles exist in current directory. In my demo I have 3 roles. In same page you can view what are these accounts by clicking on each role. After review click on next
 
aim3
 
5) In next window its list which accounts eligible for activate the roles. Select the account you want and click on next
 
aim4
 
6) In next window can review the changes. As per my selection only one account will remain as permanent admin. To complete click on OK
 
aim5
 
7) Once it’s done, you can load the console from the dashboard. 
 
aim6
 
In part 2 of the post I will explain what we can do with it in details. 
If you got any questions feel free to contact me on rebeladm@live.com
 
Reference :  https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-configure/

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Get Started with Azure Security Center

Whenever we talk about cloud, one of the main questions still comes from customers is “what about security?“. Azure cloud built by using SDL (Security Development Lifecycle) from initial planning to product launch. It’s continues uses different measurements, safeguards to protect the infrastructures and customer data. You can find details about azure security on https://www.microsoft.com/en-us/TrustCenter/Security/AzureSecurity

Microsoft releases Azure Security Center to allow you to prevent, detect and respond to the threats against you azure resources with more visibility. Based on your requirements, can use different policies with resources groups.

Azure security center capabilities focused on 3 areas (https://azure.microsoft.com/en-us/documentation/articles/security-center-intro/),

Capabilities

Details

Prevent

·         Monitors the security state of your Azure resources

·         Defines policies for your Azure subscriptions and resource groups based on your company’s security requirements, the types of applications that you use, and the sensitivity of your data

·         Uses policy-driven security recommendations to guide service owners through the process of implementing needed controls

·         Rapidly deploys security services and appliances from Microsoft and partners

 

Detect

·         Automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls

·         Leverages global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds

·         Applies advanced analytics, including machine learning and behavioral analysis

 

Respond

·         Provides prioritized security incidents/alerts

·         Offers insights into the source of the attack and impacted resources

·         Suggests ways to stop the current attack and help prevent future attacks

Azure Security Center currently in Preview but it’s still worth to try and see its capabilities.
Let’s see how we can enable and start using it.

1)    You need to have valid azure subscription and you need to log in as global administrator.
2)    Then go to browse and type security. There you can see security center. Click on there to start.

sec1

3)    Then we can see the main window.

sec2

4)    If it’s red something not right :) to start with lets click on virtual machines.

sec3

5)    As we can see the data collection off. We need data collect from VM to detect the problems. Let’s go ahead and enable data collection.
6)    Click on Policy tile, and then it will load up the policy page. As can see data collection is off.  Click on the policy.

sec4

sec5

7)    Click on “On” and then click on Save

sec6

sec7

8)    After that we can see the recommendations based on collected data and security policy.  We can follow each recommendation and fix the security threats.

sec8

sec15


How to apply custom policy for the different resources?

1)    By default the default prevention policy will be inherited to all the resources. But we can apply custom policy based on the requirement. To start with click on policy tile again, and click on the arrow next to policy to list the resources. As we can see security policy inherited.

sec9

2)    To change, click on the resource to select, and in next tile, for the inherit policy click “unique” and click on “Save

sec10

3)    After save, click on prevention policy

sec11

4)    There you can change the policy settings and click ok to apply the policy settings.

sec12

5)    This new settings are unique for the resource now.

sec13

Enable Email Notifications

You can enable notifications in azure security center so if any issues detected you will get notifications. It’s currently runs with limited features.
Currently it can only enable on default prevention policy.

sec14

Hope this article helps and if you got any question feel free to contact me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter

Azure Rights Management (Azure RMS) – Part 1

Microsoft Right management service help organizations to protect organization’s sensitive data getting unauthorized access. This service been used on-premises active directory infrastructures in years and it’s also available in azure.

If you not familiar with RMS let me explain it in simpler way. Let’s say user A got a document which contain some sensitive data about company stock prices. User A sending it to User B. This we know should be a conversation between user A and B. and how we can verify these data not been to pass to another user? What if someone gets a printed copy of this document? What if the user B edit this and add some false information? Using RMS you can prevent those. RMS can use to encrypt, managed identities and apply authorization policies in to your files and emails. The files you can define to open only by the person who you wished to open it, set it to read-only and also prevent user from printing it.

Using Azure RMS you can integrate the above features with your cloud applications, office 365 to protect the confidential data.

azrms_elements

In order to enable the Azure RMS you need the following prerequisites.

1)    Valid Azure Subscription – You need to have valid azure subscription to start with. If you not have paid version you still can start with a trial.
2)    Azure AD – You must have Azure AD configured to have RMS. I have written articles about how to get Azure AD services enable and you can simply search the blog if you need help with it. Also you can integrate it with your on-premises Ad infrastructure.
3)    RMS Supported Devices – you need to have devices runs with RMS supported OS to use this features. The list is available at https://docs.microsoft.com/en-us/rights-management/get-started/requirements-client-devices
4)    RMS Supported Applications – to use RMS features its need to be used with RMS supported applications. The list is available here https://docs.microsoft.com/en-us/rights-management/get-started/requirements-client-devices

Once you are ready with above first step is to enable the Azure RMS Service.
1)    Log in to the Azure Portal with a privileged account
2)    Go to Brows and then type rms, then it will list the RMS service then click on it.

rms1

3)    It will load the classic portal. In here you can see all the azure Ad instance running and its RMS service status. In my demo I do not have any instance enable with RMS.

rms2

4)    To enable the RMS service, select the AD instance and the click on “Activate” button in the bottom of the page.

rms3

Once it’s activated we have RMS enabled. In next part of the article let’s see how to use its features.

If you have any questions feel free to get back to me on rebeladm@live.com

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter