Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure Active Directory Domain Services

Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and efficiency. When a new employee joins the organization or an existing employee change the job role, if they do not have access to relevant services/tools to start their job, it is just a waste of resource. Also when someone leaves the company, their access permission to data/services should revoke and accounts should be disabled. If not it creates a security risk. As we can see it’s quite important to make sure organizations have robust, practical JML processes in place. If the process has a lot of manual tasks and people dependencies it may not deliver the expected results.

Microsoft Entra lifecycle workflows allow an organization to automate JML process and reduce human errors and people dependencies. Workflow is built upon two pillars – Tasks & Execution conditions.

Task – List of actions that run automatically when a workflow is “triggered”
Execution conditions – Defines the trigger scope of a workflow (impacted users, “what” executes the workflow, and when)

There are many benefits of using lifecycle workflows. Such as,

  • Reduce/remove manual tasks of JML process.
  • Centralize identity lifecycle tasks/process management. In one portal we can create and manage workflows.
  • Measure the success of workflows or identify issues in workflows by using workflow history and audit logs.
  • Allows using pre-built templates which cover most common identity management tasks.
  • integrate workflows with logic apps to address more complex scenarios.

In this article, I am going to demonstrate how we can create a “joiner” workflow based on a pre-built template. This includes,

1. Create lifecycle workflow using the “Onboard pre-hire employee” pre-built template to automate onboarding tasks of new employees before their first day.
2. Create a new user in Azure AD
3. Assign Manager to user
4. Validate the completed workflow tasks

Pre-requisites

Before we start, we need to make sure the following prerequisites are in place.

1. Azure AD Premium P2 Licences
2. Global Administrator Account
3. Users with employeeHireDate attribute value – This attribute value will use as a trigger condition for the workflow. At the moment this value cannot be set using UI and can only update using MS Graph. In this blog post, I will show how to set up a new user with this attribute. Also, note that a workflow will not trigger when the employee hire date value is prior to the workflow creation date.
4. Office 365 Licences – If the workflow includes tasks to send email notifications to users, make sure the recipients have a valid mailbox in place (prior to the workflow execution)
Once we have the above prerequisites in place, we can go ahead with the configuration tasks.

Create a life cycle workflow

To create this workflow I am going to use the “Onboard pre-hire employee” pre-built template as the baseline. It comes with one automation task (Generate TAP and Send Email) but I will add an additional automation task to the workflow. The list of tasks are as follows,

1. Enable Account – I like to enable the new user account as part of the workflow.
2. Add user to Group – The new user account will be added to an already existing security group called “New Hire”
3. Generate TAP and Send Email – Generate Temporary Access Pass and send it via email to the new user’s manager. Microsoft encourages organizations to use passwordless authentication as traditional authentication methods are weak in security. Temporary Access Pass is a time-limited passcode that can be used by users to log in to https://aka.ms/mysecurityinfo and onboard authentication methods. This code can be single-use or multi-use. Before using this feature, we need to enable Temporary Access Pass policy. For configuration details please follow https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass . In this demo environment, I already have this policy configured.
4. Send Welcome Email – Send a welcome email to new user

To set up the workflow,

1. Log in to MS Entra portal https://entra.microsoft.com/

2. Go to Identity Governance | Lifecycle workflows

MS entra lifecycle workflow feature

3. Next click on + Create workflow

Create new lifecycle workflow

4. In the new window, we can see the pre-built templates. For this demo, I am selecting “Onboard pre-hire employee

Onboard pre-hire employee pre-built lifecycle workflow template

5. This will open the template settings. Provides a name for the workflow first and then change the event timing settings for onboarding. This workflow will depend on the employeeHireDate attribute value and we can decide how many days we should run the workflow. To keep it simple I am going to use the default value which is 7 days. Once settings are in place, click on Next: Configure scope to continue.

Microsoft Entra lifecycle workflow trigger details

6. In the next window, we can use expressions to define the user scope for the workflow. Here I am going to run this workflow for new users in “Sales” department.

Microsoft Entra lifecycle workflow conndtion

7. In the workflow task window, we can see “Generate TAP and Send Email” task is already in the list. We can add new tasks by clicking + Add tasks

Adding Microsoft Entra lifecycle workflow tasks

8. From the list I have added, Enable Account, Add user to Group, and Send Welcome Email tasks. For the groups, I have selected the already existing security group called “New Hire”. I also change the logical order of the tasks.

Microsoft Entra lifecycle workflow custom task list

9. In the final window, select Schedule workflow to run the workflow every 3 hours. Then review the settings and click on Create.

Microsoft Entra lifecycle workflow configuration review

Active Microsoft Entra lifecycle workflow [Read more…] about Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

In an on-premises Active Directory environment, there can be application or service which required integration with Active Directory. With AD integration, the application can search for AD users, allow login, assign permissions, etc. This integration part is usually done using the Lightweight Directory Access Protocol (LDAP). By default, traffic over LDAP is not encrypted. Due to the vulnerabilities, Microsoft now recommends only to use secure LDAP (LDAPS, LDAP over SSL) connections to Domain Controllers. Azure Active Directory Domain Services (Azure AD DS) also support for secure LDAP connections. Most of the time the LDAP connection to Azure AD DS will be initiated over the public internet. So, it is important to have encryption in place to prevent man-in-the-middle attacks.

In this post, I am going to demonstrate how to enable secure LDAP for Azure AD DS. Before we start make sure you have the following prerequisites in place.

1. Valid Azure Subscription
2. Valid Azure Active Directory Domain Services

Azure Directory Domain Service instance is using default Microsoft domain name rebeladmlive.onmicrosoft.com. So, I have to use a self-sign certificate for it. To generate a self-sign certificate, we can use the following PowerShell commands. This can be run from any PC.

$domainname=”rebeladmlive.onmicrosoft.com”
$certlife=Get-Date
New-SelfSignedCertificate -Subject *.$domainname -NotAfter $certlife.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.$domainname, $domainname

create self sign certificate powershell

In above, replace rebeladmlive.onmicrosoft.com with your Azure Active Directory Domain Service instance name. As we can see, it created a wild card SSL for rebeladmlive.onmicrosoft.com under Computer account.

SSL certificate mmc

We need to export this certificate as .PFX file with private key to,

1. Use it during the secure LDAP setup and upload it to Azure
2. Import it to any other PC which like to initiate secure LDAP connection (The certificate must be imported into Computer Account\Personal\Certificates as well as Trusted Root Certification Authorities\Certificates. This is because the certificate is self-sign cert and it doesn’t have trusted root certificate)

To export certificate,

1. Right-click on the certificate and go to All Tasks | Export

export ssl certificate

2. It will open up the certificate export wizard, click on Next to start the process.

export certificate wizard screen 1

3. In the next window select Yes, export the private key, and click on Next.

export certificate wizard screen 2

4. In the Export file format window, match the following selection, and click on Next.

export certificate wizard screen 3

5. In the next window, define the password for the export file and click on Next.

export certificate wizard screen 4

6. Then, select the file path for the output and click on Next.

export certificate wizard screen 5

7. In the next window, click on Finish to complete the Export process.

export certificate wizard screen 6

Now we have the .PFX file. The next step is to import it again to Trusted Root Certification Authorities\Certificates. This is required as we are using a self-sign certificate for the exercise. [Read more…] about Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

Step-by-Step guide to enable Azure AD authentication for Azure Files

"Azure Files" is a managed, cloud-based file share that can access via SMB protocol. Once you create Azure File share it can be accessed from any ware using Windows, Linux or macOS. It can also map as a shared drive to a system. This can be used as a unified, reliable, simple solution to replace traditional file servers. 

In the on-premises Active Directory environment, we use NTFS permissions to control access to folders and file shares. If we are replacing traditional file shares with Azure Files, we need a way to manage access permissions to it in a similar manner. This is applicable if these folders are accessed via "Windows Virtual Desktop" or "Domain-Joined Azure VM". Azure File now supports Azure Active Directory Domain Services (Azure AD DS) authentication. Now we can create NTFS access control lists (ACLs) for Azure File Shares to control access permissions in a granular level. In this demo, we are going to look into this new feature in detail. 

To test this, we need following,

  • Valid Azure AD Subscription
  • Azure AD Domain Services on the Azure AD tenant – We need Azure AD Domain Services enabled for the Azure AD tenant. 
  • Domain-Joined Azure VM – This need to be added to the Azure AD Domain Services

In my demo setup, I already have a managed domain called rebeladmlive.onmicrosoft.com

I also have a domain-joined VM called SRV01 which I will be using for the testing. 

[Read more…] about Step-by-Step guide to enable Azure AD authentication for Azure Files

Step-by-Step Guide: Azure AD Access Reviews for Applications

Corporate applications may also hold critical operation data related to the company. By doing regular reviews, we can make sure only the relevant people have access to corporate applications. However, if we just use the native method, it will be mainly based on Enterprise app Sign-ins and audit log data. the only problem with this method is, it is so time-consuming. As it is all manual process, the result may not be that accurate either. But now with Azure AD Access reviews, we can do this by setting up a simple access review job. Here is why it is good rather than a typical audit. 

Automated – It is all automated. You do not need to go through logs and do anything manually. 

Actions – we can also attach predefined action to execute at the end of a successful access review job. If required, we also can manually decide what to do with the findings (approve or deny access)

Schedule – Access reviews jobs can be scheduled to run periodically. It helps to do it more frequently than the manual method.

Recommendation – Access review job itself provides recommendations based on findings. It helps reviewers to decide. 

Delegations – Access reviews job allows delegation. We can assign someone else in the team to decide what to do with the findings. It helps to get more accurate results. 

So, let's go ahead and see how it works. In my demo environment, I have linkedin application assigned to different groups and users. I like to know who has access to it and do permission changes if required.

 1. To start, log in to Azure portal as Global Administrator

2. Then make sure Access reviews onboarding process is completed. More info about this can be found in one of my previous blog posts https://www.rebeladmin.com/2019/02/step-step-guide-review-privileged-accounts-using-azure-pim/

3. To create a new access review job, go to Access Reviews | Controls

4. Then click on + New Access Review 

[Read more…] about Step-by-Step Guide: Azure AD Access Reviews for Applications

Step-by-Step Guide: How to setup Google federation for Azure AD B2B?

In on-premises Active Directory environments, we use “trusts” to establish identity infrastructure collaboration between businesses. In that way, partner organization can use their own user accounts to authenticate in to trusted organization resources. When it comes to cloud/hybrid identity, Azure AD B2B allow organizations to establish cross-organization identity connections. Unlike on-premises, it is not required additional infrastructure changes. In my previous article about Azure B2B explains how we can allow external users to authenticate in to cloud app using their own accounts. You can find it here https://www.rebeladmin.com/2018/11/cross-organization-collaboration-azure-ad-b2b/ . However, when external user’s sign up process it is asking to create “Microsoft Account” to continue. 

If users are having Google Accounts, now Azure AD B2B can initiate federation with google to allow users to use their own google accounts to authenticate instead of Microsoft Accounts. In this demo I am going to demonstrate how we can initiate federation with google. 

Prerequisites

Valid Azure AD B2B Subscription – If the guest users are going to use Azure AD paid services, make sure you have enough licenses allocated. More info about licensing can find here https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

Shared Google Account – During the setup we need to create credentials at Google APIs. To do that we need to use existing google account. It is recommended to use separate google account for this instead of existing user account. 

To start the configuration,

1. Go to https://console.developers.google.com and log in with the Google account you have selected for the task. 

2. In Dashboard, Click on Create to start new project. 

3. Then in new window, give unique name to project and click on Create.

4. Once project is created, select it from the project drop down box. 

5. Then click on Credentials

[Read more…] about Step-by-Step Guide: How to setup Google federation for Azure AD B2B?