Tag Archives: Azure Active Directory Domain Services

STEP-BY-STEP GUIDE TO AZURE AD PRIVILEGED IDENTITY MANAGEMENT – PART 2

In my previous post on this series I have explain about azure AD privileged identity management including its features and how to get it enabled. If you not read it yet you can find it using this link.

in this post I am going to show you more of its features and capabilities. 

How to manage privileged roles?

The main point of the identity management is that administrators will have the required privileges when they needed. In part 1 of the post billing administrators and service administrator roles were eligible for the Identity management. So it will remove its permanent permissions which is assigned to role. 

So if you still need to make one of the account permanent administrator let’s see how we can do it. 

Log in to the azure portal as global administrator (it should be associated with relevant AD instance)

Open the azure identity management from portal

idm2-1

Then click on managed privileged roles

idm2-2

In next page it will list down the summary of the roles. Let’s assume we need to make one of the billing administrators “permanent”. To do that click on billing administrators

idm2-3

It will list down the users which is eligible for the role and click on the account you need to make permanent. 

idm2-4

Then click on more in next page and click on option make perm

idm2-5

Once completed its shows as permanent

idm2-6

Same way we can add an administrator to the roles. To do it go to roles, if you need to add new role it can do too. Click on roles on the manage privileges roles page

idm2-10roles

Then click on add

idm2-11roles

Then from roles click on the role you going to add

idm2-12roles

Then under the select users, select the user using search and click on done

idm2-13roles

 

How to activate roles?

Now we have the roles but how we can use them with time bound activation (Just in time administration

Go to the role page again like in previous page. In my demo I am going to use service administrator role

Then click on settings

idm2-7

In next window we can see that option to define the time. Also we can enable notifications so email notification will send to admin in event of role activation. Also option to request ticket or incident number. This is important to justify the privileged access. Also can use the multifactor authentication in activation to make sure the request is legitimate. 

idm2-8

idm2-9

Once you satisfied with settings, click on save to apply. 

Then for the testing I logged in as the security administrator to the azure portal. 

idm2-14

Then go to the privileged identity management page

Click on the service administrator 

idm2-15

Then click on the activate button, to activate the role

idm2-16

According to the settings its asking for ticket number for activation. Once put the information click on ok

idm2-17

Perfect, now its saying when it expires and it also shows the that roles been activated

idm2-18

Now I change the login and logged back as global administrator.

Then if go to privileged management page and click on audit history you can see all the events. 

idm2-19

idm2-20

Hope this series add knowledge about azure AD privileged identity management and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step Guide to enable password synchronization to Azure Active Directory Domain Services (AAD DS)

In my previous post I have explain how to enable azure ad domain services. If you not read it yet you can find it here.

Once the domain service are enabled the next step to sync the credentials to the Azure AD domain services. Then users can use their logins to log in to the managed domain services. This post is to explain how we can do it in cloud-only environment as well as in hybrid setup.

Cloud-Only Setup

If you have cloud only setup the users who is going to use azure ad domain services need to change their passwords. Once user reset the password it generate the credential hashes which is uses by azure ad domain services for Kerberos and NTLM Authentication.

There is 2 ways to do it,

1)    Force password reset – in the console we can reset the password for user. It will generate temporally password for the user. So in next login, user need to provide new password.

To do this, log in to Azure AD instance (which is enabled with Azure AD Domain services) and then click on users tab.

pass1

Then select the user to reset the password and in the bottom click on RESET PASSWORD button

pass2

pass3

2)    Change Passwords from use logins – By login in to the Azure portal, users can reset their passwords. (https://portal.azure.com)

Once user log in to the portal click on the right hand corner where user name displays and then click on “change password

pass4

pass5

Hybrid Setup

If you have on-premises AD and sync it already with Azure AD, we need to sync credential hashes required for NTLM and Kerberos authentication via Azure AD Connect. These are not sync with azure ad by default.

First thing first, if you have Azure AD connect installed in your servers, it need to upgrade with latest version. The latest recommended version is 1.1.130.0 – published on April 12, 2016. You can download it using https://www.microsoft.com/en-us/download/details.aspx?id=47594 , this is important as older version of Azure AD Connect do not have this sync feature.

After upgrade (or new install) make sure the password synchronization is enabled. To do that,

•    Log in to the server which have Azure Ad sync installed (with appropriate permissions).
•    Double click on Azure AD Connect

pass6

•    Then in new window select the option “View current configuration” and click on “Next

pass7

•    In next window check if the password sync is enabled

pass8

•    If not go back to the previous window and select option “Customize Synchronization Options” and click next 

pass9

•    Then under the “Optional Features” enable password hash synchronization.

pass10

With the install if use the express settings this is enabled by default. Also check if the synchronization happening without errors.

To check that go to start > azure ad connect > synchronization services

pass11

pass12

To do a full forceful password sync you can use following PowerShell script

$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

In here
$adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
$aadConnector = "<CASE SENSITIVE AAD CONNECTOR NAME>"

Should replace with the info related to your setup, this can find using “synchronization services” window. Click the “connectors” tab.

pass13

Once it’s edited with relevant info it can execute.

pass14

Hope this helped and if you have any questions about post feel free to contact me on rebeladm@live.com