Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for September 2018

Step-by-Step Guide to Azure AD Password-less Authentication (public-preview)

Last Updated on September 30, 2018 by Dishan M. Francis

From early days of computing “password” is used to protect access to services or data. Passwords are breakable so people start using multi-factor authentication to add extra security to authentication process. With multifactor authentication we have to provide additional PIN or secret. However, it still not eliminates the password fact. The modern identity attacks are getting more and more sophisticated. So, we need to think about all possibilities of a breach. 

Microsoft Azure AD is now ready to provide password-less authentication experience to Azure AD connected apps using Microsoft Authenticator mobile app. with authenticator app we can replace password with fingerprint, face recognition, or PIN. This is still in public preview but it is not too soon to try it out. In this demo I am going to demonstrate how to enable password-less authentication with Azure AD.

1. As first step we need to enable public preview for password less authentication. To do that first install the public preview release of the Azure Active Directory V2 PowerShell Module using https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.114

2. Then type Connect-AzureAD and login with global admin account. 

3. Once successfully authenticated, run New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

4. As next step I need to enable MFA for the Azure AD user that I am going to test. To do that, log in to https://portal.azure.com as Global Administrator. 

5. Then go to Azure Active Directory | Users

[Read more…] about Step-by-Step Guide to Azure AD Password-less Authentication (public-preview)

Step-by-Step guide to control data access using Azure cloud app security (based on content type)

Last Updated on September 26, 2018 by Dishan M. Francis

In my recent blog posts, I explained few features of azure cloud app security. In this post also, I am going to explain another feature of it. if you not read my previous posts you still can access it using,

Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app securityhttps://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/

Step-by-Step guide to block data download using Azure Cloud App securityhttps://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In applications, we are using different type of data. Some of these types of data are very sensitive. Credit card numbers, social security numbers, phone numbers are some examples for that. using cloud app security, we can control access to files contains sensitive data. In my demo environment I have salesforce app. it contains some files with credit card information. I do not want anyone to download these files. Let’s see how we can do it using cloud app security.

Before we start, we need to integrate salesforce with cloud app security. I have explain it in details in my previous post https://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/ so I am not going to repeat it in here ?.

1. Once integration is done, go to https://portal.cloudappsecurity.com and login as global administrator

2. Go to Settings | Conditional Access App Control

3. Now we should be able to see salesforce under conditional access app control apps tab.

4. Click on session control to create new session control policy.

5. Then under create policy click on Session policy

[Read more…] about Step-by-Step guide to control data access using Azure cloud app security (based on content type)

Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security

Last Updated on September 26, 2018 by Dishan M. Francis

Let’s assume one of user in your sales team log in to https://myapps.microsoft.com and launch salesforce app successfully from his office in UK. Few minutes later the same user made successful login from Canada. Unless user is using remote connection, it is not impossible. Still someone can’t travel that fast ?. Azure Active Directory capable of detect this type of impossible sign-in activities. However, detection type for this kind of activities is “offline”. Which means reporting latency for these alerts are between 2 to 4 hours

Azure cloud app security also capable of detecting these types of activities but it is real-time as it detects activities based on sessions. It helps administrators to react faster and protect infrastructure from potential breach. In this demo, I am going to demonstrate how to fine tune built in azure cloud app security policy for Impossible travel activity and prevent breach. 

Before we start, first we need to integrate SaaS app with cloud app security. In my previous post I demonstrate how to do that. So please go ahead and read it on https://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In my demo I am using salesforce app. 

1. Once integration is done, log in to https://portal.cloudappsecurity.com as global administrator.

2. Then go to Settings | Conditional access app control

3. There you should be able to see your app under Conditional access app control tab. It should be in healthy connected status. 

4. Then click on Control | Policies

5. Under policies, click on impossible travel policy 

6. This is a built-in policy. as you can see it doesn’t have any actions attached to it. if CAS detect such activity, it will still be reported under CAS dashboards. 

7. In my environment, I like to get an alert if its detect such activity. To do that, click on Send alert as email option under Alerts. Then define email address in text box.  [Read more…] about Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security

Step-by-Step guide to block data download using Azure Cloud App security

Last Updated on September 26, 2018 by Dishan M. Francis

In my last few blog posts I have talked about Azure AD conditional access policies and how we can use it to control access. In a conditional access policy, we define who have access to what applications from where. This is purely control the access to your app. Azure cloud app security allow us to extend these capabilities further into session level. using cloud app security, we can examine each session to the app in real time basis protect information further. Using cloud app security, we can create policies to,

1. Block downloads – Can define policies to block download of sensitive data. 

2. Protect on downloads – instead of blocking download, we can create policies to allow users to download encrypted document after authentication, even though they are login from unmanaged device. 

3. Monitor risky sessions – we can setup policies to monitor session of risky sign in. all the action from those sessions will be logged for further review. 

4. Block access – If needed we can completely block access to apps if it’s from unmanaged device or non-corporate network.

5. Create read-only mode – we can create policies to create read-only mode for apps (for group of users)

More about cloud app security is available at https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security

In this demo, I am going to demonstrate how to integrate an app with cloud app security and then how we can create policies to control download of sensitive data. In this demo I am going to use salesforce application with CAS and block PDF file downloads. To start,

1. Log in to Azure portal https://portal.azure.com as global administrator

2. Click on Azure Active Directory

3. Then click on Enterprise Applications 

4. Search for Salesforce under All applications and click on it. Note – If it is not existing app, you need to go and add app first and configure it for azure ad sso. 

5. Then click on Conditional access  [Read more…] about Step-by-Step guide to block data download using Azure Cloud App security

Step-by-Step guide to setup temporally privilege access using Azure AD Privileged Identity Management

Last Updated on September 26, 2018 by Dishan M. Francis

Just-in-Time Administrations protects high-privileged accounts been compromised. Administrators will have their privileges when they “required”. It minimizes the lateral movements of identity attack. Azure AD PIM allows to create time-based temporally admin accounts. In this demo I am going to demonstrate how to create time-based admin accounts in azure using PIM. If you are new to privilege identity management, I highly recommend to check my previous blog post about it. you can access it using https://www.rebeladmin.com/2016/07/step-step-guide-azure-ad-privileged-identity-management-part-1/ 

In my demo environment I have a user called Isaiah Langer from finance department. At the end of every month this user runs some reports which required admin privileges. I do not want to make this user a permanent global administrator. I like to give these privileges when “required”. Let’s see how we can configure it. 

1. Log in to Azure portal https://portal.azure.com as global admin.

2. Click on More Services from the left-hand panel and search for Azure AD PIM

3. In first window it asks me to verify my MFA before proceed. This is because I do not have MFA setup for my account. Click on verify my identity option. 

4. Then it goes through MFA setup process. Please complete sign up process to continue. 

5. Once process is completed it will load the PIM page again. Click on Consent to proceed. 

6. Then click on Yes to proceed. 

7. After service is initiated, click on Azure AD directory roles.

8. Then click on Sign up to proceed. [Read more…] about Step-by-Step guide to setup temporally privilege access using Azure AD Privileged Identity Management