Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Archives for April 2019

Step-by-Step guide: Privileged access management in office 365

Last Updated on April 14, 2019 by Dishan M. Francis

In any identity infrastructure attack, attackers are going after the "privileges". The more privileged account they own, the more damage they can do. There can be privileged accounts in a system that only used once a month to do a privileged task. In any IT system, we used to believe administrators are trustworthy people. Therefore, most of the time we do not really worry about what they are doing with given privileges. what if they misuse the permissions? how we can ensure they only doing what they supposed to do? also if a privileged account got compromised, how we identify genuine activity from a malicious activity? 

Privileged access management in Azure AD & Office 365 provides an answer to all of the aforementioned challenges and protect cloud resource from identity attacks. With this solution, users will not have privileges attached to their accounts all the time. instead, they have to request privileges when they required. Then a workflow attached to it will decide if it should grant or not. Once permissions are granted, users can do the relevant privileged task. The permissions, however, will not be available for the users all the time. It is time-bounded. After the approved time, permissions will be removed automatically. In one of my previous blog post series, I demonstrate how to set this up with Azure AD. You can find it here https://www.rebeladmin.com/2016/07/step-step-guide-azure-ad-privileged-identity-management-part-1/ 

In this blog post, I am going to demonstrate how to do the same with office 365. 

As the first step, we need to create a group to approve the privilege access requests. If you already have an IT admin/management group, you can 

Create Admin Group

1. Log in to Office 365 Admin panel as a global administrator

2. Then go to Groups | Groups

3. Then click on Add a Group

4. In the new group window, select mail-enabled security as the group type. Then provide a name for the group. you also can add a description if you like. At the end click on Add to proceed. 

[Read more…] about Step-by-Step guide: Privileged access management in office 365

Step-by-Step Guide to Restrict Azure AD Administration portal

Last Updated on April 7, 2019 by Dishan M. Francis

In order to manage Azure AD, we use Azure Active Directory option in https://portal.azure.com. By default, any user under Azure AD can access this option event they do not have a Directory role. In my demo setup, I have a user called "Emily Braun". She doesn't have any Directory role assigned. 

Then I log in to Azure portal https://portal.azure.com as the user and then go to Azure Active Directory option. It didn't block me accessing it. 

I can go to All users and see user account details. 

I even can see the Groups memberships details. 

 

Also, can view application assignments. 

As an end user I also can see the Azure AD Connect details. 

[Read more…] about Step-by-Step Guide to Restrict Azure AD Administration portal