RebelAdmin.com - The Tech Blog You Need
Browsing Tag: azure
Azure

Step-by-Step Guide: Audit privileged access using Azure PIM

February 14, 2019

Azure AD has nearly 35 different directory roles, each with a different level of privilege. Using Azure PIM access reviews, we can review the access and activities of the members of these privileged roles and adjust their memberships accordingly. Let's see why it is important to review the access of privileged accounts periodically.

• Too many administrators – How many of you are aware of all the administrators (including local admins) of your on-premises AD infrastructure? I got you, didn't I? In an on-premises AD environment there is a handful of privileged user groups, but Azure AD has nearly 35 roles. So, yes, it will be difficult to keep track of the administrators without a proper review.

• Not doing what they are supposed to do – Azure AD roles have predefined levels of privilege. You may assign a higher-privilege role to a member because the privileges available under the existing roles do not match what he/she needs. How do we know they are only doing what they are supposed to do? Using access reviews we can track their activities and make sure they do not misuse the privileges.

• Audit takes time – We can review group memberships and their activities manually, but it takes time. If it is a manual task and it takes time, most probably administrators will not do it regularly. PIM access review is fully automated, so you can schedule it to run according to your requirements.

You need to have a supported subscription to use Azure PIM. It is available under Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5 and Microsoft 365 M5.

Now it is time to look into the implementation. In my demo I am going to create an access review for the Global Administrator role. To do this,

1. Log in to the Azure portal as Global Administrator

2. Go to All Services, search for Azure AD PIM and click on it.

3. If this is your first time using PIM, you need to click on Onboard and complete the process.

4. Then click on Azure AD Roles under Manage
Written by: Dishan M. Francis
Azure, Azure Active Directory

Step-by-Step Guide: How to setup Google federation for Azure AD B2B?

February 3, 2019

In on-premises Active Directory environments, we use “trusts” to establish identity infrastructure collaboration between businesses. In that way, a partner organization can use its own user accounts to authenticate to the trusting organization's resources. When it comes to cloud/hybrid identity, Azure AD B2B allows organizations to establish cross-organization identity connections. Unlike on-premises, it does not require additional infrastructure changes. My previous article about Azure AD B2B explains how we can allow external users to authenticate to a cloud app using their own accounts. You can find it here: http://www.rebeladmin.com/2018/11/cross-organization-collaboration-azure-ad-b2b/ . However, during the external user's sign-up process, it asks them to create a “Microsoft Account” to continue.

If users have Google Accounts, Azure AD B2B can now federate with Google to allow users to authenticate with their own Google accounts instead of Microsoft Accounts. In this demo I am going to demonstrate how we can set up federation with Google.

Prerequisites

• Valid Azure AD B2B Subscription – If the guest users are going to use Azure AD paid services, make sure you have enough licenses allocated. More info about licensing can be found here: https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

• Shared Google Account – During the setup we need to create credentials in Google APIs. To do that we need to use an existing Google account. It is recommended to use a separate Google account for this instead of an existing user account.

To start the configuration,

1. Go to https://console.developers.google.com and log in with the Google account you have selected for the task.

2. In the Dashboard, click on Create to start a new project.

3. Then in the new window, give a unique name to the project and click on Create.

4. Once the project is created, select it from the project drop-down box.

5. Then click on Credentials.

Written by: Dishan M. Francis
Azure

Step-by-Step Guide: How to track shared documents using Azure Information Protection?

January 20, 2019

Over the last month or so I have done a few blog posts which explained Azure Information Protection (AIP)'s capabilities. In those, I mainly talked about how to protect sensitive data in an organization when we know the data type, audience and permissions.

Step-by-Step Guide: Protect confidential data using Azure information protection – http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ 

Step-by-Step Guide: Automatic Data Classification via Azure Information Protection – http://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner – http://www.rebeladmin.com/2018/12/step-step-guide-premise-data-protection-via-azure-information-protection-scanner/

Step-by-Step Guide: How to protect confidential emails using Azure information protection? – http://www.rebeladmin.com/2019/01/step-step-guide-protect-confidential-emails-using-azure-information-protection/ 

When we work with information, sometimes we have to share it with internal/external people and organizations. Usually it is hard to apply strict data protection policies if it is not sensitive data. With document tracking, we can review who accessed a shared document, when and from where. It also allows us to set up notifications so we know when someone accesses it. If the document starts to appear in places where it shouldn't, we can revoke the permissions as well. In this blog post I am going to demonstrate how we can do this.

Prerequisites 

1. We need a supported subscription first. This feature is available under Enterprise Mobility + Security E3 & E5 and Office 365 Enterprise plans. Otherwise it is available as a standalone solution: https://azure.microsoft.com/en-gb/pricing/details/information-protection/

2. We need the Microsoft Azure Information Protection Viewer app https://www.microsoft.com/en-us/download/details.aspx?id=54536&WT.mc_id=rss_alldownloads_all or the Azure Information Protection client https://www.microsoft.com/en-us/download/details.aspx?id=53018 installed on the PC. It allows us to view and protect Office documents using Office apps.

On my demo PC, I have installed the Azure Information Protection client.

Once the agent and subscription are ready,

1. Open the document that you would like to share using an Office app (Word, Excel etc.) and then click on Protect | Custom Permissions

2. It will open a new window; click on Protect with custom permissions. Then under Select permissions, choose the permission level you would like to apply.

Written by: Dishan M. Francis
Azure

Step-by-Step Guide: Protect files with Azure Cloud App Security admin quarantine

January 14, 2019

Azure Cloud App Security is a great service to gain visibility into your cloud apps and their data. It helps to identify security threats and take relevant actions to mitigate them based on policies.

Using file policies in Cloud App Security, we can scan and find sensitive information stored in cloud apps. Once this information is found, we can associate different actions with it, such as sending an alert, applying a classification, changing permissions etc. It also allows moving data found by a file policy into a separate folder with limited access. This is called Admin Quarantine. When this is enabled under a policy,

• The file will be moved to the admin quarantine folder

• The system will delete the original file

• The system will place a tombstone file in the original location. This file includes data which will help to release the file.

Prerequisites 

• In order to use Cloud App Security, we need E5 licenses. More details about licenses are available here: https://www.microsoft.com/en-gb/cloud-platform/enterprise-mobility-security-pricing

• Before starting with policies, we need to get cloud apps connected. You can find more details under https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps . In this demo I am going to use Office 365, and I already have it configured as a connected app.

In this demo I am going to set up a file policy to recognize files with credit card details. If the policy finds a matching file, it will automatically move it to admin quarantine.

Cloud App Security also has a pre-built policy to detect files with credit card details. If you are only looking for credit card details, I recommend using that existing policy. The purpose of this demo is to show how to create a custom file policy with admin quarantine.

To configure,

1) Log in to the Cloud App Security portal at https://portal.cloudappsecurity.com as Global Administrator

2) Then go to Control | Policies

3) To create a new policy, click on Create policy and from the drop-down list select File policy

Written by: Dishan M. Francis
Active Directory

Step-by-Step Guide: Prevent Sensitive Data Leaks using Office 365 Data loss prevention (DLP) Policies

January 4, 2019

In my previous blog post I explained how to protect sensitive email data using Azure Information Protection. Using data classifications and policies, we can prevent users from sharing sensitive information via email. You can read more about it at http://www.rebeladmin.com/2019/01/step-step-guide-protect-confidential-emails-using-azure-information-protection/. Azure Information Protection can do many things to protect sensitive data in an organization. Email protection is just one feature of it. It can even protect data in hybrid environments.

Data loss prevention (DLP) policies are also capable of preventing sensitive data sharing via email. But they only apply to Office 365 services. Also, they don't include classification; they only work with real-time data. Let's see some of the capabilities of DLP policies.

• Support for pre-defined data patterns and custom data patterns – Organizations can use the pre-defined data patterns that come with DLP policies, such as U.S. Financial Data and HIPAA, or create custom patterns to identify different types of data across different locations such as Exchange Online, OneDrive etc.

• Educate users – Using DLP policies we can send notifications to senders on a policy breach. These notifications will include the data types, the reason for the block etc., so next time users can avoid doing it.

• Reporting – A DLP policy can send a detailed email report to administrators on a policy breach.

• Support for Office apps – DLP policies support Office 2016 and later desktop clients.

In today's demo I am going to set up a DLP policy to detect credit card details in emails. Also, if someone tries to send them to an external user via email, the policy should block it. On a policy breach it will send a notification to the sender and a detailed report to the administrator.

1. To start, log in to https://portal.office.com as Global Administrator and open the Admin Center

2. Then go to Admin Centers | Security and Compliance

3. It will open a new window; in there go to Data loss prevention | Policy

4. Then click on Create a policy

Written by: Dishan M. Francis
Azure

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner

December 27, 2018

In my previous blog posts, I explained what Azure Information Protection is and how we can use it to do data classification and protect sensitive data. In those, I was using data stored in corporate OneDrive accounts. But in most cases organizations use on-premises file servers. In this blog post I am going to explain how we can use Azure Information Protection with on-premises file shares.

To do this we are going to use a component called Azure Information Protection Scanner. This comes with the Azure Information Protection add-on that we normally install on user computers.

Pre-requisites 

1) Windows Server 2012 R2 or newer

2) Minimum SQL Server 2012 (Express, Standard or Enterprise)

3) Service account to run the service – Ideally this should be the AD sync account and should have the Log on locally and Log on as a service permissions. If you have a locked-down environment, you can use a local account to run the service and a separate Azure AD account to do the authentication. In my demo I am going to use this method.

4) The Azure Information Protection client installed

5) Classification with automatic protection – More details can be found under http://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Create Service Account

On my demo server I have created a local user called aipsa and assigned it local administrator rights.

File Share

For demo purposes I have created a file share called DataShare and added different types of files to it.

SQL Server 2017 Express

On my demo server I have SQL Server 2017 Express installed. This will be used for the AIP Scanner.

AIP Client Install

We need the full AIP client installed before we start the scanner configuration.

1) Log in to the server as Administrator

2) Download the AIP client from https://www.microsoft.com/en-gb/download/details.aspx?id=53018

3) Run AzInfoProtection.exe as Administrator

4) Accept the terms and conditions on the first screen

5) It will start the installation

Written by: Dishan M. Francis
Azure

Step-by-Step Guide: Automatic Data Classification via Azure Information Protection

December 20, 2018

In my previous blog post I explained how we can use Azure Information Protection to protect sensitive data in an organization. You can access it using http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ . In that post I created labels with permissions and assigned them to documents to protect sensitive data. But in an organization we deal with lots of data, so applying labels manually is not practical. Therefore, AIP offers automatic data classification to overcome this challenge. Using this feature, we can apply conditions to labels. When the conditions are met, it will automatically apply the relevant label to the data.

This feature supports many industry-recognized information types. It also allows us to create our own conditions with information patterns specific to our requirements. Below I list some examples of the predefined information types available in AIP.

• Canada Bank Account Number

• Canada Driver's License Number

• Canada Health Service Number

• Canada Passport Number

• Canada Personal Health Identification Number (PHIN)

• Canada Social Insurance Number

• Chile Identity Card Number

• China Resident Identity Card (PRC) Number

• Credit Card Number

• EU Debit Card Number

• EU Driver's License Number

• EU National Identification Number

• EU Passport Number

• EU Social Security Number or Equivalent ID

• EU Tax Identification Number

• U.K. Driver's License Number

• U.K. Electoral Roll Number

• U.K. National Health Service Number

• U.K. National Insurance Number (NINO)

• U.S. / U.K. Passport Number

• U.S. Bank Account Number

• U.S. Driver's License Number

• U.S. Individual Taxpayer Identification Number (ITIN)

• U.S. Social Security Number (SSN) 

The action following a condition can be either automatic classification or recommended classification. If it is automatic classification, the label will be applied immediately after the conditions are met. If it is recommended classification, the system will recommend the label but will not apply it to the data.

So, let's see it in action.

In my demo environment I have a label set up under AIP called Sales confidential. In my previous blog post I demonstrated how to set up a label, so I am not going to repeat it again. You can read the step-by-step guide about it at http://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/

In my label I have set up my sales manager Megan as the co-owner of the data and sales executive Isaiah as a viewer. I am going to apply this label to any document which has a credit card number in it. My label settings are as follows,

Written by: Dishan M. Francis
Azure

Step-by-Step Guide: Protect confidential data using Azure information protection

December 17, 2018

Data is the new oil. It has created a new currency and opened up new opportunities and new revenue streams. As more and more data is transferred into digital format, it opens up new security concerns about confidential data. How can we make sure corporate confidential data is not being shared?

I have some confidential data saved in OneDrive. It is being shared with my sales team. The majority of team members work from home at least 2-3 days a week. I need to make sure this confidential data is not shared with anyone else. In this demo I am going to show how I fix this issue.

The solution that I am going to use here is Azure Information Protection. This works with labels and permissions. We can label data and associate relevant permissions with it. Permissions define what users can and can't do with the data.

So, let's see this in action. As a first step we need to go ahead and set up labels. To do that,

1. Log in to https://portal.azure.com as Global Administrator

2. Then go to All Services | Azure Information Protection

You need to have a relevant subscription in place to use this feature. More info about it is available at https://azure.microsoft.com/en-gb/pricing/details/information-protection/

3. Then click on Labels | Add a new label

4. On the new page, provide a name and description for the label. Then click on Protect under Set permissions for documents and emails containing this label.

5. Click on Azure (cloud key) and in the new window click on Add permissions.

Written by: Dishan M. Francis
Active Directory, Azure, MICROSOFT

Step-by-Step Guide: How to publish applications to Windows 10 workstations using Microsoft Intune?

November 17, 2018

In my previous post I explained how we can enroll Windows 10 devices into Microsoft Intune. You can access it using http://www.rebeladmin.com/2018/11/step-step-guide-enroll-windows-10-devices-microsoft-intune-using-autopilot/ . In this post I am going to demonstrate how to publish applications to Windows 10 devices via Microsoft Intune (to devices which have been enrolled successfully).

Tip

Before you enroll devices, make sure you have already enabled MDM & MAM auto-enrollment for all users or selected users. Otherwise devices will not auto-enroll with Intune.

These settings are under Azure Active Directory | Mobility (MDM & MAM)

1. Log in to the Azure Portal as Global Administrator

2. Then go to Intune | Devices | All Devices and verify the status of the enrolled devices

3. As the next step, I am going to create a device group. It will help us to publish applications to the target easily. To do that, go back to the Intune home page and click on Groups | New Group

Written by: Dishan M. Francis
Azure, Azure Active Directory

Cross-Organization Collaboration with Azure AD B2B

November 2, 2018

In an on-premises Active Directory environment, we use “trusts” to establish an identity infrastructure connection between businesses. Based on the trust type and access permissions, users from one organization can access resources/services in the other infrastructure using their own domain credentials. Azure AD B2B does the same thing for cloud resources, but in a much easier way. In this demo I am going to demonstrate how easily we can allow users from other organizations to access our cloud resources using Azure AD B2B.

In my demo environment, I have an Azure AD user group called sg-Finance. All the users from the Finance department are members of this group. I have assigned several SaaS applications to them. Company Contoso recently merged with another company. A few privileged users from the new company would like to access some financial data belonging to Contoso. The relevant data is currently available via SaaS applications which are used by sg-Finance group members. In this demo, I am going to invite an external user to be part of the sg-Finance group so they can access the same applications.

1. To start, log in to the Azure Portal https://portal.azure.com as Global Administrator

2. Then go to Azure Active Directory | Groups

3. Then go to the sg-Finance group and then Members.

4. Here, Megan is a member of this group. I log in to http://myapps.microsoft.com as Megan to verify SaaS application access. In this demo I am using Box as the sample app.

5. Now go back to the group page and click on Add members

Written by: Dishan M. Francis