The Protected Users security group was introduced with Windows Server 2012 R2 and continued in Windows Server 2019. This group was developed to provide better protection for high privileged accounts from credential theft attacks. Members of this group have non-configurable protection applied. In order to use the Protected Users group, PDC should be running with a minimum of Windows Server 2012 R2 and the client computers should be running with a minimum of Windows 8.1 or Windows 2012 R2.

If a member of this group logs into Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016 or Windows server 2019, we can expect the following:

• Members of this group cannot use NTLM, digest authentication, or CredSSP for authentication. Plain text passwords are not cached. So, any of the devices using these protocols will fail to authenticate to the domain.

• Kerberos long-term keys not cached. For accounts in this group, the Kerberos protocol verifies authentication at each request (the TGT acquired at log on).

• Sign-in is offline. A cached verifier is not created at sign-in.

For the Protected Users group feature, it is not a must to have a domain or forest functional level run on Windows Server 2012 R2 or higher (Windows Server 2008 is the minimum as Kerberos needs to use AES). The only requirement is to run the PDC emulator FSMO role in the Windows Server 2012 R2 domain controller.

If the AD environment uses Windows Server 2012 R2 or Windows Server 2016 domain functional levels, it provides additional protections with Protected User groups, as:

• No NTLM authentication

• No DES or RC4 encryption in Kerberos pre-authentication

• No delegation using the unconstrained or constrained method

• No Kerberos TGT valid more than 4 hours

To start with, we can review the Protected Users security group using the following command:

Get-ADGroup -Identity "Protected Users"

The following screenshot shows the output for the preceding command:

We can add users to the Protected Users group using ADAC, ADUC MMC, and PowerShell. This group is located in the default Users container in AD.

In here, we are going to add the user account Adam in to the Protected Users group using the following command:

Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember –Members "CN=Adam,CN=Users,DC=rebeladmin,DC=com"

The first part of the command will retrieve the group and the second part will add the user Adam to it.

There are 3 different methods which we can use to integrate on-premises Active Directory with Azure AD. 

• Pass Password hash synchronization

• Federation using Microsoft AD FS or PingFederate

• Pass-through Authentication 

All above methods allow on-premises users to use their existing domain user names and passwords in order to authenticate in to Azure AD integrated services. However, even users can use same user name and passwords, when they access Azure AD integrated services from corporate device (Domain member), they still have to authenticate via sign in page. Azure AD Seamless SSO allow users to access Azure AD integrated services via corporate devices without re-authentication. Azure AD Seamless SSO can use with password hash synchronization and pass-through authentication method. It is not supported to use with federated authentication method (AD FS already capable of provide SSO).

• Azure AD Seamless SSO feature can enable via Azure AD connect. So, it is not required any additional component in environment. 

• This is a free feature. We do not need to pay anything for it.

• Azure AD Seamless SSO works only in domain-joined devices (no need to be Azure AD join)

• If SSO process is fail for any reason, user can still authenticate using user name and password.

• It is supported to work with browser-based web applications and Office 365 clients with app versions 16.0.8730 and above.

• Azure AD Seamless SSO accepts user names as value associated with userPrincipalName attribute or Azure AD connect Alternate ID attribute. 

• Azure AD Seamless SSO uses the securityIdentifier claim in the Kerberos ticket to find the relevant user object in Azure AD.

• Once Azure AD Seamless SSO is enabled, if an application can forward domain_hint (OpenID Connect) or whr (SAML) parameter to identify tenant and login_hint (OpenID Connect) parameter to identify user, we can log in to Azure AD without typing user names. It is also possible if the application uses unique URL and pass the domain info or tenant info. 

• Once user is logged in via SSO, if required user can still sign out and log in as a different user at any time. 

In my previous blog post, I explained how we can manage Azure AD users by using Azure Active Directory PowerShell for Graph module. In there I also shared many examples. You can access it via http://www.rebeladmin.com/2019/05/step-step-guide-manager-users-using-azure-active-directory-powershell-graph-module/

In this blog post I am going to show how we can manage Groups, using same method. 

Azure AD Groups also works similar to on-premises AD groups. It can use to manage permissions in affective manner. In Hybrid environment there will be cloud-only groups as well as synced groups from on-premises AD environment. In this section we are going to look in to group management using Azure Active Directory PowerShell for Graph module. 

Let’s start with listing groups.

We can search for a group using,

Get-AzureADGroup -SearchString "sg"

In above command, SearchString is used to define the search criteria. Above example will list down any group containing “sg” in Display name field. 

In search result, we can see the objectId for the group. Once we know the ObjectId, we can see the details of the group using,

Get-AzureADGroup -ObjectId 93291438-be19-472e-a1d6-9b178b7ac619 | fl

In hybrid environment, there will be security groups which is synced from on-premises Active Directory. We can filter this groups using,

Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | select ObjectId,DisplayName,LastDirSyncTime

In above example, LastDirSyncTime column display the last successful sync time of the group. 

We can filter cloud-only groups using,

Get-AzureADGroup -All $true | where-Object {$_.OnPremisesSecurityIdentifier -eq $null}

In preceding command, we are using attribute OnPremisesSecurityIdentifier to filter the groups. This attribute only has value if it is synced from on-premises AD.  

We can view group memberships by using,

Get-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a

In above command, we are using ObjectId to uniquely identify the group. 

We can add members to group using Add-AzureADGroupMember cmdlet. 

Add-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -RefObjectId a6aeced9-909e-4684-8712-d0f242451338

In preceding command, ObjectId value represent the group and RefObjectId value represent the user. 

We can remove a member from group by using,

Remove-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -MemberId a6aeced9-909e-4684-8712-d0f242451338

In preceding command, ObjectId value represent the group and MemberId value represent the user’s Object Id.

We also can combine Add-AzureADGroupMember cmdlet with Get-AzureADUser cmdlet to add bulk users to a group. 

In below script, I used Get-AzureADUser cmdlet to search users in Marketing Department. Then used Add-AzureADGroupMember to add those users to Sales group as members. 

#######Script to Add Multiple users to Security Group#############

Import-Module AzureAD

Connect-AzureAD

##### Search for users in Marketing Department ##########

Get-AzureADUser -All $true -Filter "Department eq 'Marketing'" | select ObjectId | Out-File -FilePath C:\salesusers.txt

#####Add Users to Sales Group#########

(Get-Content "C:\salesusers.txt" | select-object -skip 3) | ForEach { Add-AzureADGroupMember -ObjectId f9f51d29-e093-4e57-ad79-2fc5ae3517db -RefObjectId $_ }

 In hybrid environment, the security groups are mainly synced from on-premises AD. But there can be requirements for cloud-only groups as well. We can create cloud-only group by using, 

New-AzureADGroup -DisplayName "REBELADMIN Sales Team" -MailEnabled $false -MailNickName "salesteam" -SecurityEnabled $true

Preceding command creates a security group called "REBELADMIN Sales Team". This group is not a mail enabled group. 

We can remove Azure AD group using,

Remove-AzureADGroup -ObjectId 7592b555-343d-4f73-a6f1-2270d7cf014f

In above, Object ID value defines the group. 

Apart from security groups, Azure AD also have predefined administrative roles which can use to assign access permissions to Azure AD and other cloud services. There are more than 35 predefined administrative roles. Each of role have their own set of permissions. More details about this roles can find in https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles 

We can list down all the administrative roles using,

Get-AzureADDirectoryRoleTemplate

By default, only few administrative roles are enabled. We can list these roles using,

Get-AzureADDirectoryRole

We can enable Administrative role using,

Enable-AzureADDirectoryRole -RoleTemplateId e6d1a23a-da11-4be4-9570-befc86d067a7

In above command, RoleTemplateId value represent the Administrative Role.

We can assign administrative role to a user by using,

Add-AzureADDirectoryRoleMember -ObjectId b63c1671-625a-4a80-8bae-6487423909ca -RefObjectId 581c7265-c8cc-493b-9686-771b2f10a77e

In preceding command, ObjectId value represent the Administrative Role. RefObjectId is the object id value of the user. 

We can list down members of Administrative role using,

Get-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06

In above command, ObjectId represent the Administrative role. 

We can remove a member from the role using,

Remove-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06 -MemberId 165ebcb7-f07d-42d2-a52e-90f44e71e4a1

In preceding command, MemberId is equal to user’s object id value. 

This marks the end of this post. I hope this was useful and If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Similar to the on-premises Active Directory, we also can use PowerShell to manage Azure Active Directory. Let's see why we should use PowerShell to manage Azure Active Directory. 

Early bird access to features– Microsoft keeps releasing new features, bug fixes, updates, feature enhancements more frequently to Azure AD services than on-premises Active Directory. Microsoft releases new features to the public in two stages. In the first stage, it will be released as a preview version. It is not recommended to use in production but IT professionals can use it for testing and provide feedback to Microsoft. In this stage, the feature can have many updates and most of the time it will take some time to update GUI accordingly. Some of these changes will not be available on GUI until the general release. But if we are using PowerShell, we do not have to wait. We can have early access to features as soon as it is released. 

Faster Response – Azure Active Directory portal has many different windows, wizards, forms to configure & manage users, groups, roles, and associated features. GUI makes it easy to do things but it takes time. As an example, if you add a user account using the Azure AD portal, you have to go to four sub-windows at least. But PowerShell allows us to do it using in one window and few lines of commands. 

Granular control – Azure AD Portal visualize the data and configuration of the service using different windows. But it may not always show what we want. As an example, let's assume we are looking for a specific value in two user accounts. if we use GUI, we need to go to a few different windows to gather this information. But using PowerShell command or script we will be able to gather the same info in one window. This is really helpful in troubleshooting. 

Microsoft Graph Integration – Microsoft Graph provides a unified programmability model to access a vast amount of data in Microsoft 365, Azure Active Directory, Enterprise Mobility Suite, Windows 10 and so on. As part of it, Azure AD PowerShell for Graph module allows us to retrieve data, update directory configuration, add/update/remove objects and configure features via Microsoft Graph. 

Installation 

Azure Active Directory PowerShell for Graph module comes as two versions. The public preview version is the latest version but it is not recommended to use in production. The installation steps for this version can be found on https://www.powershellgallery.com/packages/AzureADPreview .

General Availability version is the stable and recommended version for production environments. This can be installed in any computer which runs Windows Server 2008 R2 or above with the latest updates. This is also required Microsoft .NET framework 4.5 or above. 

Once prerequisites are in place,

1. Log in to the computer you have selected for Azure Active Directory PowerShell for Graph module
2. Launch PowerShell console as Administrator
3. Run Install-Module -Name AzureAD command. Answer "Yes" if it is required repository update. 

4. After installation, we can verify module install using Get-Module AzureAD

5. After the successful module installation, run Connect-AzureAD to initiate the connection to Azure AD tenant. 

6. Then it will prompt a login window. Use Azure AD global administrator account details to connect. 

Now we have Azure Active Directory PowerShell for Graph module installed. Let's see how we can manage Azure AD hybrid-environment using this module. 

Manage Users

Let's see how we can Manage use accounts using Azure Active Directory PowerShell for Graph module.

We can view user accounts details for a known account using,

Get-AzureADUser -ObjectId AdeleV@M365x562652.OnMicrosoft.com | fl

In the above command, AdeleV@M365x562652.OnMicrosoft.com represents the UPN of the user. 

We also can use user attributes to find user account details. 

Get-AzureADUser -Filter "startswith(GivenName,'Adele')"

Preceding command will filter Azure AD users with Given Name: Adele

We also can filter users based on specific attribute value. 

Get-AzureADUser -Filter "GivenName eq 'Adele'"

Above command will search for the exact user with given name-value Adele. 

In my demo environment, I like to see list of disabled account. I can do it using,

Get-AzureADUser -All $true -Filter 'accountEnabled eq false'

We can modify the output of the filtered data further.  

Get-AzureADUser -All $true -Filter 'accountEnabled eq false' | select DisplayName,UserPrincipalName,Department

Preceding command will display value of DisplayName,UserPrincipalName,Department attributes of filtered accounts. 

In hybrid environment, we can filter accounts which is synced from on-premises AD by using,

Get-AzureADUser -All $true -Filter 'DirSyncEnabled eq true'

In above command, value of DirSyncEnabled attribute defines if it's a cloud only account or synced account. 

We also can check the last sync value for the synced accounts. 

Get-AzureADUser  -All $true -Filter 'DirSyncEnabled eq true' | select DisplayName,UserPrincipalName,LastDirSyncTime

In above command, LastDirSyncTime value defines last sync time of the object. 

We also can export the output to a CSV file using Export-CSV command.

Get-AzureADUser  -All $true -Filter 'DirSyncEnabled eq true' | select DisplayName,UserPrincipalName,LastDirSyncTime | Export-CSV -Path .\syncaccount.csv

ImmutableID value of a user account is used to map Azure AD user object to on-premises user object. It does have a relationship with on-premises user accounts' ObjectGUID . We can use this to identify cloud-only users. If it is a cloud-only user ImmutableID value should be null. 

Get-AzureADUser -All $true | where-Object {$_.ImmutableId -eq $null}

Preceding command return list of all the cloud only accounts. We can export the required attribute values to CSV by using,

Get-AzureADUser -All $true | where-Object {$_.ImmutableId -eq $null} | select DisplayName,UserPrincipalName | Export-CSV -Path .\cloudaccount.csv

Another important thing related to account is "licences". If we are going to use Azure AD premium features, we need to have relevant licences assigned. By default, the user only has Azure AD free version features. 

To view licenses associated with a user account, we can use,

Get-AzureADUserLicenseDetail -ObjectId MeganB@M365x562652.OnMicrosoft.com | fl

Above command will return the licenses associated with user MeganB@M365x562652.OnMicrosoft.com

We also can view the subscribed SKUs using,

Get-AzureADSubscribedSku | fl

Above command list down all the details about licenses which is associated with the tenant. But mostly we only need to know how many licenses been used and how many licenses available. We can do it using,

Get-AzureADSubscribedSku | select SkuPartNumber,ConsumedUnits -ExpandProperty PrepaidUnits

In the preceding example, SkuPartNumber value represent the licence part number. Value of Enabled field represent the number of purchased licences. ConsumedUnits represent the number of used licences. 

Let's go ahead and see how we can assign a new licence to a user. 

In my environment, I have a user who synced from on-premises Azure AD who doesn't have a licence assigned. 

Get-AzureADUserLicenseDetail -ObjectId ADJellison@M365x562652.onmicrosoft.com | fl 

As first step, lets create objects to use in licence assignment process. 

$newlicence = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

$newlicenceadd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

Then we need to find SkuId of the licences. 

I am going to assign ENTERPRISEPREMIUM licence to the user.

$newlicence.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId

Then we need to assign the licences to the object,

$newlicenceadd.AddLicenses = $newlicence

Now we can go ahead and assign the licence to the user,

Set-AzureADUserLicense -ObjectId "ADJellison@M365x562652.onmicrosoft.com" -AssignedLicenses $newlicenceadd

Preceding command assign ENTERPRISEPREMIUM licences to user ADJellison@M365x562652.onmicrosoft.com

We can remove the assigned licences using,

$licenseB = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

$licenseB.RemoveLicenses =  (Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq 'ENTERPRISEPREMIUM'}).SkuId

Set-AzureADUserLicense -ObjectId "ADJellison@M365x562652.onmicrosoft.com" -AssignedLicenses $licenseB

Using above commands, I have created following script to do following,

• Search for users who synced from on-premises AD.
• From those users, select the users who doesn't have Azure AD licences assigned.
• Set UsageLocation value for selected users.
• Assign Azure AD licences to selected users.

#######Script to Assign Licences to Synced Users from On-Permises AD#############

Import-Module AzureAD

Connect-AzureAD

###Filter Synced Users who doesnt have licence assigned#######

$ADusers = Get-AzureADUser -All $true -Filter 'DirSyncEnabled eq true'

$notlicenced = Get-AzureADUser -All $true | Where-Object {$ADusers.AssignedLicenses -ne $null} | select ObjectId | Out-File -FilePath C:\users.txt

#####Set UsageLocation value to sync users#########

(Get-Content "C:\users.txt" | select-object -skip 3) | ForEach { Set-AzureADUser -ObjectId $_ -UsageLocation "US" }

#####Set User Licecnes############

$newlicence = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

$newlicenceadd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

$newlicence.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId

$newlicenceadd.AddLicenses = $newlicence

(Get-Content "C:\users.txt" | select-object -skip 3) | ForEach { Set-AzureADUserLicense -ObjectId $_ -AssignedLicenses $newlicenceadd }

In hybrid environment, users are mainly created through on-premises Active Directory but there are occasions where we need to add cloud only accounts. This is mainly for cloud management tasks. 

We can create a new user by using, 

$Userpassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

$Userpassword.Password = "London@1234"

New-AzureADUser -DisplayName "Andrew Xavier" -PasswordProfile $Userpassword -UserPrincipalName "Andrew.Xavier@M365x562652.onmicrosoft.com" -AccountEnabled $true -MailNickName "AndrewXavier"

In preceding command, -PasswordProfile is used to define the password profile for the new user account. -MailNickName defines value for user's mail nick name. Above example, add a new user account Andrew.Xavier@M365x562652.onmicrosoft.com with password London@1234

We also can create multiple user accounts using CSV files. In below example, I am using a CSV file to create users. 

CSV file contains the following,

UserPrincipalName, DisplayName,MailNickName

DishanM@M365x562652.onmicrosoft.com, Dishan Melroy,DishanMel

JackM@M365x562652.onmicrosoft.com,Jack May,JackMay

RicahrdP@M365x562652.onmicrosoft.com,Richard Parker,RichardPar

Then I can create these new users using,

$Userpassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

$Userpassword.Password = "London@1234"

Import-Csv -Path C:\newuser.csv | foreach {New-AzureADUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -MailNickName $_.MailNickName -PasswordProfile $Userpassword -AccountEnabled $true}

By using above commands, I have created following script to do,

• Create new user accounts using CSV file
• Set UsageLocation for new user accounts
• Assign ENTERPRISEPREMIUM licences to users

########A Script to create new users and assign Azure AD licences#######

Import-Module AzureAD

Connect-AzureAD

###########Create New Users using CSV ###################

$Userpassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

$Userpassword.Password = "London@1234"

Import-Csv -Path C:\newuser.csv | foreach {New-AzureADUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -MailNickName $_.MailNickName -PasswordProfile $Userpassword -UsageLocation "US" -AccountEnabled $true} | select ObjectId | Out-File -FilePath C:\users.txt

###########Assign Licences#################

$newlicence = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

$newlicenceadd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

$newlicence.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId

$newlicenceadd.AddLicenses = $newlicence

(Get-Content "C:\users.txt" | select-object -skip 3) | ForEach { Set-AzureADUserLicense -ObjectId $_ -AssignedLicenses $newlicenceadd }

To remove Azure AD user, we can use

Remove-AzureADUser -ObjectId "JDAllen@M365x562652.onmicrosoft.com"

We can combine it with user search,

Get-AzureADUser -Filter "startswith(DisplayName,'Dishan')" | Remove-AzureADUser

Above command will search for user accounts who has DisplayName starts with "Dishan". If there is any, second part of the command will remove it.

This marks the end of this post. I hope this was useful and If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Azure RMS is the protection technology behind Azure Information Protection (AIP). I have written many articles about Azure RMS & Azure information protection features before but how it really works? what is the technology behind it? 

In high-level, I can explain the Azure RMS data protection process as following, 

• When a user protects data, Azure RMS will encrypt the content of the file and attach an access policy to it. this policy decides what other users can do with the protected data. 

• When other users access the file (after successful Azure AD authentication), Azure RMS will decrypt the file and apply the access policy to it. 

In high-level it sounds simple, but let's go through this process in detail to understand the technology behind it. 

The best way to understand the technology behind the encryption & decryption process is to go through a scenario. Rebeladmin Inc. employee Andrew is sending a document with sensitive data to another employee Selena. He does not want anyone else in the sales team to have it. So, he is going to use AIP to protect the document. This is the first time both users going to use this solution. 

Since this is the first time Andrew and Selena use this AIP, they both need to go through the one-time user environment preparation process. As the first step, Andrew installs the Azure information protection client in his pc. It can be download via https://www.microsoft.com/en-gb/download/details.aspx?id=53018 . 

1. Then he authenticates into AIP using his Azure Active Directory Account. 

2. After successful authentication, the session will be redirected to the AIP tenant. Then it issues a certificate that will use to authenticate into Azure RMS in the future. This certificate will automatically renew after 31 days by the AIP client. Copy of this certificate will also store in Azure. If the user changes the device, Azure RMS will recreate the certificate using the same keys.

Now the user environment preparation process is done. The next step is to protect the word document. 

In my previous blog post about Azure Windows Virtual Desktop (Preview), I have explained what is it and how to publish full desktop using it. You can find it via http://www.rebeladmin.com/2019/04/step-step-guide-azure-windows-virtual-desktop-preview/ . However, in an infrastructure not every user required full desktop access. Some users may only be using certain applications. Azure Windows Virtual Desktop (Preview) also can use to publish an application. In this demo, I am going to show how to publish an application using Azure Windows Virtual Desktop (Preview).

Before we go ahead with the configuration, please make sure you have the following ready. 

Prerequisites

Windows Virtual Desktop Host Pool – Before we publish applications, we need to have a host pool up and running. This is already described on http://www.rebeladmin.com/2019/04/step-step-guide-azure-windows-virtual-desktop-preview/ . Please follow the guide and configure the host pool.

Install Applications – Any application available on the host's start menu can publish as a remote app. Therefore, please make sure you install the required applications in hosts. 

Windows Virtual Desktop PowerShell module – We will be using PowerShell commands to publish the app. Please following https://docs.microsoft.com/en-gb/powershell/windows-virtual-desktop/overview and install the module. 

In my demo environment, I already have a host pool configured as follows. 

I am going to create a new Remote app group and publish the Microsoft Word application which is already installed in the hosts. To do this,

1. Launch PowerShell console as Administrator.

2. Run Import-Module -Name Microsoft.RDInfra.RDPowerShell to import Windows Virtual Desktop PowerShell module

3. Then run Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com and login to Windows Virtual Desktop environment using an account who has TenantCreator role assigned. 

In any identity infrastructure attack, attackers are going after the "privileges". The more privileged account they own, the more damage they can do. There can be privileged accounts in a system that only used once a month to do a privileged task. In any IT system, we used to believe administrators are trustworthy people. Therefore, most of the time we do not really worry about what they are doing with given privileges. what if they misuse the permissions? how we can ensure they only doing what they supposed to do? also if a privileged account got compromised, how we identify genuine activity from a malicious activity? 

Privileged access management in Azure AD & Office 365 provides an answer to all of the aforementioned challenges and protect cloud resource from identity attacks. With this solution, users will not have privileges attached to their accounts all the time. instead, they have to request privileges when they required. Then a workflow attached to it will decide if it should grant or not. Once permissions are granted, users can do the relevant privileged task. The permissions, however, will not be available for the users all the time. It is time-bounded. After the approved time, permissions will be removed automatically. In one of my previous blog post series, I demonstrate how to set this up with Azure AD. You can find it here http://www.rebeladmin.com/2016/07/step-step-guide-azure-ad-privileged-identity-management-part-1/ 

In this blog post, I am going to demonstrate how to do the same with office 365. 

As the first step, we need to create a group to approve the privilege access requests. If you already have an IT admin/management group, you can 

Create Admin Group

1. Log in to Office 365 Admin panel as a global administrator

2. Then go to Groups | Groups

3. Then click on Add a Group

4. In the new group window, select mail-enabled security as the group type. Then provide a name for the group. you also can add a description if you like. At the end click on Add to proceed. 

In order to manage Azure AD, we use Azure Active Directory option in https://portal.azure.com. By default, any user under Azure AD can access this option event they do not have a Directory role. In my demo setup, I have a user called "Emily Braun". She doesn't have any Directory role assigned. 

Then I log in to Azure portal https://portal.azure.com as the user and then go to Azure Active Directory option. It didn't block me accessing it. 

I can go to All users and see user account details. 

I even can see the Groups memberships details. 

Also, can view application assignments. 

As an end user I also can see the Azure AD Connect details. 

Finally, the long wait is over and Microsoft virtual desktop infrastructure (VDI) solution "Windows Virtual Desktop" preview is now available in Azure. If you ever worked with on-premises VDI solutions such as Microsoft RDS or Citrix solution, you may already know how much planning, management involve with it. It is costly as performance & availability of the solution depends on so many things such as networking, hardware resources, skills, connection, etc. But now with a cloud-based solution, we can create a robust, scalable VDI solution with few clicks. 

According to Microsoft we can do following with Windows Virtual Desktop,

• Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability
  
• Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios
  
• Provide Windows 7 virtual desktops with free Extended Security Updates
  
• Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer
  
• Virtualize both desktops and apps
  
• Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience
  

Source: https://docs.microsoft.com/en-gb/azure/virtual-desktop/overview 

Windows Virtual Desktop's Key capabilities are recognized as following,

• Create a full desktop virtualization environment in your Azure subscription without having to run any additional gateway servers.
  
• Publish as many host pools as you need to accommodate your diverse workloads.
  
• Bring your own image for production workloads or tests from the Azure Gallery.
  
• Reduce costs with pooled, multi-session resources. With the new Windows 10 Enterprise multi-session capability exclusive to Windows Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server, you can greatly reduce the number of virtual machines and operating system (OS) overhead while still providing the same resources to your users.
  
• Provide individual ownership through personal (persistent) desktops.
  

Source: https://docs.microsoft.com/en-gb/azure/virtual-desktop/overview 

Windows Virtual Desktop preview setup required following,

1. Azure Active Directory – Windows Desktop Machines must join to the Azure AD in the stranded method. It can't be Azure AD-Join
2. Virtual Desktop only should be Windows 10 Enterprise multi-session or Windows Server 2016/2019
3. OS should have one of the following licenses – Microsoft E3, E5, A3, A5, Business Windows E3, E5, A3, A5 
4. VM should be using subnet which has a connection to the same virtual network as Azure AD. 
5. Azure AD & VM should be in the same region. 

As same as any other VDI solution, user experience has a huge impact from "connectivity". Therefore Microsoft says,

• Round-trip (RTT) latency from the client's network to the Azure region where host pools have been deployed should be less than 150 ms.
• Network traffic may flow outside country borders when VMs that host desktops and apps connect to the management service.
• To optimize network performance, we recommend that the session host's VMs are collocated in the same Azure region as the management service.

There are few new terms related to the Windows Virtual Desktop setup, let's see what are they.

In this blog post, I am going to demonstrate how to set up a desktop application group. before start let's see how is the environment looks like.  

In my demo setup, I have Azure AD Domain Service enabled for tenant rebeladmlive.onmicrosoft.com

This is set up under resource group called AAD and it is using subnet called AAD-vnet 

I also set up a subnet called AAD-VM for session hosts. 

Corporate applications may also hold critical operation data related to the company. By doing regular reviews, we can make sure only the relevant people have access to corporate applications. However, if we just use the native method, it will be mainly based on Enterprise app Sign-ins and audit log data. the only problem with this method is, it is so time-consuming. As it is all manual process, the result may not be that accurate either. But now with Azure AD Access reviews, we can do this by setting up a simple access review job. Here is why it is good rather than a typical audit. 

Automated – It is all automated. You do not need to go through logs and do anything manually. 

Actions – we can also attach predefined action to execute at the end of a successful access review job. If required, we also can manually decide what to do with the findings (approve or deny access)

Schedule – Access reviews jobs can be scheduled to run periodically. It helps to do it more frequently than the manual method.

Recommendation – Access review job itself provides recommendations based on findings. It helps reviewers to decide. 

Delegations – Access reviews job allows delegation. We can assign someone else in the team to decide what to do with the findings. It helps to get more accurate results. 

So, let's go ahead and see how it works. In my demo environment, I have linkedin application assigned to different groups and users. I like to know who has access to it and do permission changes if required.

 1. To start, log in to Azure portal as Global Administrator

2. Then make sure Access reviews onboarding process is completed. More info about this can be found in one of my previous blog posts http://www.rebeladmin.com/2019/02/step-step-guide-review-privileged-accounts-using-azure-pim/

3. To create a new access review job, go to Access Reviews | Controls

4. Then click on + New Access Review