<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: SUNIL KUMAR</title>
    <description>The latest articles on DEV Community by SUNIL KUMAR (@stharvid).</description>
    <link>https://dev.to/stharvid</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F459492%2F821a55b9-bf25-488d-b31e-3ea3d424ddcf.jpg</url>
      <title>DEV Community: SUNIL KUMAR</title>
      <link>https://dev.to/stharvid</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/stharvid"/>
    <language>en</language>
    <item>
      <title>Azure Security Center</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Mon, 03 May 2021 03:04:11 +0000</pubDate>
      <link>https://dev.to/stharvid/azure-security-center-2h9d</link>
      <guid>https://dev.to/stharvid/azure-security-center-2h9d</guid>
      <description>&lt;p&gt;What is Azure Security Center?&lt;br&gt;
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on-premises.&lt;/p&gt;

&lt;p&gt;Azure Security Center provides:&lt;/p&gt;

&lt;p&gt;· Manage organization security policy and compliance&lt;br&gt;
· Continuous assessments&lt;br&gt;
· Network map&lt;br&gt;
· Optimize and improve security by configuring recommended controls&lt;br&gt;
· Protect against threats&lt;br&gt;
· Integration with Microsoft Defender for Endpoint&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Evaluate Vulnerability Scans &amp;amp; Remediations&lt;/strong&gt;&lt;br&gt;
Recommendations give you suggestions on how to better secure your resources. You implement a recommendation by following the remediation steps provided in the recommendation.&lt;/p&gt;

&lt;p&gt;First, we will go to Azure Security Center&amp;gt; Recommendations and choose the recommendation we want to remediate first.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OXLKFzRf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w9s68sve9lirttvjoa5f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OXLKFzRf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w9s68sve9lirttvjoa5f.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we can simply follow the remediation process.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BL9Cn2wy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/cajtligcwfwnwnt9dixr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BL9Cn2wy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/cajtligcwfwnwnt9dixr.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configure Just in Time VM Access&lt;/strong&gt;&lt;br&gt;
As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports.&lt;/p&gt;

&lt;p&gt;Your legitimate users also use these ports, so it's not practical to keep them closed.&lt;/p&gt;

&lt;p&gt;To solve this dilemma, Azure Security Center offers JIT. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.&lt;/p&gt;

&lt;p&gt;Open the Azure Defender dashboard and from the advanced protection area, select Just-in-time VM access.&lt;/p&gt;

&lt;p&gt;The Just-in-time VM access page opens with your VMs grouped into the following tabs:&lt;/p&gt;

&lt;p&gt;Configured - VMs that have already been configured to support just-in-time VM access. For each VM, the configured tab shows:&lt;br&gt;
the number of approved JIT requests in the last seven days&lt;br&gt;
the last access date and time&lt;br&gt;
the connection details configured&lt;br&gt;
the last user&lt;br&gt;
Not configured - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs.&lt;br&gt;
Unsupported - VMs without JIT enabled and which don't support the feature. &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--V5YoIPP3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/aleal5cyeekc1bc2j188.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--V5YoIPP3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/aleal5cyeekc1bc2j188.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Configure Centralized Policy Management&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Security Center uses Azure role-based access control (Azure RBAC), which provides built-in roles you can assign to Azure users, groups, and services. When users open Security Center, they see only information related to the resources they can access. This means users are assigned the role of owner, contributor, or reader for the resource's subscription. There are also two specific Security Center roles:&lt;/p&gt;

&lt;p&gt;Security reader: Has rights to view Security Center items such as recommendations, alerts, policy, and health. Can't make changes.&lt;br&gt;
Security admin: Has the same view rights as security reader. Can also update the security policy and dismiss alerts. &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8B1Se6Zd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/l8624vn73qnj9fxsj2fn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8B1Se6Zd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/l8624vn73qnj9fxsj2fn.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Adaptive Network Hardening&lt;/strong&gt;&lt;br&gt;
Adaptive network hardening provides recommendations to further harden the NSG rules. It uses a machine-learning algorithm that factors actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Q1K1gS7h--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jwp873f84xllnun0woau.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Q1K1gS7h--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jwp873f84xllnun0woau.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Device Enrolment, Compliance, Configuration policies, Policy sets, and scripts, Device clean up rules</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Fri, 30 Apr 2021 13:17:28 +0000</pubDate>
      <link>https://dev.to/stharvid/device-enrolment-compliance-configuration-policies-policy-sets-and-scripts-device-clean-up-rules-54bl</link>
      <guid>https://dev.to/stharvid/device-enrolment-compliance-configuration-policies-policy-sets-and-scripts-device-clean-up-rules-54bl</guid>
      <description>&lt;p&gt;We can enroll up to 1,000 mobile devices with a single Azure Active Directory account by using a device enrollment manager (DEM) account. DEM is an Intune permission that can be applied to an Azure AD user account and lets the user enroll up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. By design, there's a limit of 150 Device Enrollment Manager (DEM) accounts in Microsoft Intune.&lt;/p&gt;

&lt;p&gt;Why adopt this solution?&lt;br&gt;
Intune lets you manage your workforce's devices and apps and how they access your company data. To use this mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it's issued an MDM certificate. This certificate is used to communicate with the Intune service.&lt;/p&gt;

&lt;p&gt;We need a Microsoft Intune subscription to enroll the device. Now let's enroll a Windows 10 desktop in Azure AD.&lt;/p&gt;

&lt;p&gt;First, we will go to our Windows 10 device&amp;gt; Settings&amp;gt; Accounts&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8qvTpby---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hkut4vl52y82kji9hj9s.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8qvTpby---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hkut4vl52y82kji9hj9s.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we will go to Emails &amp;amp; accounts and will click on add work or school email. &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HUqotCbH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/acxfwnfm13p6ar8fmnen.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HUqotCbH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/acxfwnfm13p6ar8fmnen.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can see our device in Microsoft Endpoint Manager Admin Center by visiting &lt;a href="https://endpoint.microsoft.com/"&gt;https://endpoint.microsoft.com/&lt;/a&gt; &amp;gt; Devices.&lt;/p&gt;

&lt;p&gt;Now let's understand Compliance, Configuration policies, Policy sets, and scripts.&lt;br&gt;
First, let's create a compliance policy. To do that, we will simply go to Microsoft Endpoint Manager Admin Center&amp;gt;Devices&amp;gt;Compliance policies &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--wy8SiwhU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hmzzihjvg1e2gqxja72u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--wy8SiwhU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hmzzihjvg1e2gqxja72u.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
Now let's create a configuration profile.  You can create profiles for different devices and different platforms, including iOS/iPad, Android device administrator, Android Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--E_c4SBMD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/do3jbfp5h5w55k16v4za.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--E_c4SBMD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/do3jbfp5h5w55k16v4za.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps, policies, and other management objects you've created. Creating a policy set enables you to select many different objects at once, and assign them from a single place.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2rb7ha0n--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/atigxzxraycnknn7tls3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2rb7ha0n--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/atigxzxraycnknn7tls3.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With PowerShell scripts, you use the Intune Management Extension to upload your scripts to Intune and then run them on your devices. Also see what's required to use the extension, how to add them to Intune, and other important information.&lt;br&gt;&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ul3QdPnX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a6d59tt6sdybmsobqu3g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ul3QdPnX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a6d59tt6sdybmsobqu3g.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Set your Intune device cleanup rules to delete Intune MDM enrolled devices that appear inactive, stale, or unresponsive. Intune applies cleanup rules immediately and continuously so that your device records remain current.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0jcOhEkc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4s1kceu7hpsl2vv48hyc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0jcOhEkc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4s1kceu7hpsl2vv48hyc.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>azure</category>
      <category>security</category>
    </item>
    <item>
      <title>Apps Protection and Selective Wipe</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Thu, 29 Apr 2021 13:01:29 +0000</pubDate>
      <link>https://dev.to/stharvid/apps-protection-and-selective-wipe-3pf1</link>
      <guid>https://dev.to/stharvid/apps-protection-and-selective-wipe-3pf1</guid>
      <description>&lt;p&gt;App protection policies can apply to apps running on devices that may or may not be managed by Intune. If your organization allows BYOD, this is a must-adopt solution.&lt;/p&gt;

&lt;p&gt;App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune.&lt;/p&gt;

&lt;p&gt;Now let's create and assign an app protection policy. We need to assign an Intune licence to the end user before we can assign an app protection policy to that user. Let's do that first: we will go to Azure AD&amp;gt; Users&amp;gt; (specific user)&amp;gt; Licences and assign Intune licences.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_Zgj6kPp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8cggca1jxaytfxfa7n2y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_Zgj6kPp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8cggca1jxaytfxfa7n2y.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's create an app protection policy. First, we will go to &lt;a href="https://endpoint.microsoft.com/"&gt;https://endpoint.microsoft.com/&lt;/a&gt; &amp;gt; Apps &amp;gt; Policy and click on app protection policy.&lt;/p&gt;

&lt;p&gt;We will create an APP for Windows 10.&lt;br&gt;
  &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sDUmqYLL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f3qczlaiew5y1bmz1dsl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sDUmqYLL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f3qczlaiew5y1bmz1dsl.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
Now we will select an app to protect and will choose settings according to our requirement. &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2GG1iWoP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/umhr4tfe4w40hsz0hw63.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2GG1iWoP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/umhr4tfe4w40hsz0hw63.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
We will select a user group to assign this policy.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8tMtRuSc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zsdg6b1u1ri3755upgaf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8tMtRuSc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zsdg6b1u1ri3755upgaf.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
 Finally, we will click review and create. &lt;/p&gt;

&lt;p&gt;Now let's understand App configuration policies for Microsoft Intune.&lt;br&gt;
App configuration policies can help you eliminate app setup problems by letting you assign configuration settings to a policy that is assigned to end users before they run the app. The settings are then supplied automatically when the app is configured on the end user's device, and end users don't need to take action. The configuration settings are unique for each app. &lt;/p&gt;

&lt;p&gt;Let's create an App configuration policy for Adobe Acrobat Reader. First, we will go to the Microsoft Endpoint Manager admin centre&amp;gt; Apps&amp;gt;configuration policy&amp;gt;Create app configuration policy&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PZkxassP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gobzxj36ao5qzyd3zotw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PZkxassP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gobzxj36ao5qzyd3zotw.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We will go through the required setting and will assign a user group.&lt;/p&gt;

&lt;p&gt;Now let's understand app selective wipe requests.&lt;br&gt;
When a device is lost or stolen, or if the employee leaves your company, you want to make sure company app data is removed from the device. But you might not want to remove personal data on the device, especially if the device is an employee-owned device.&lt;/p&gt;

&lt;p&gt;To create a Wipe request we will go to Microsoft Endpoint Manager admin centre&amp;gt;Apps&amp;gt;App selective wipe&amp;gt; Create wipe request.&lt;/p&gt;

&lt;p&gt;Now in the next step, we will select the user and his devices.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RKWaZ6fq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3een2a0ezqyp7xg88e37.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RKWaZ6fq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3een2a0ezqyp7xg88e37.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can monitor our wipe requests and can take action accordingly.&lt;/p&gt;

&lt;p&gt;Hope you enjoyed reading this. Please follow me on Twitter for certification-related help. &lt;a href="https://twitter.com/stharvid"&gt;https://twitter.com/stharvid&lt;/a&gt;&lt;/p&gt;

</description>
      <category>azure</category>
      <category>security</category>
    </item>
    <item>
      <title>Endpoint Security In Azure</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Thu, 29 Apr 2021 12:14:14 +0000</pubDate>
      <link>https://dev.to/stharvid/endpoint-security-in-azure-51m9</link>
      <guid>https://dev.to/stharvid/endpoint-security-in-azure-51m9</guid>
      <description>&lt;p&gt;The Endpoint security policies are designed to help you focus on the security of your devices and mitigate risk. The available tasks can help you identify at-risk devices, remediate those devices, and restore them to a compliant or more secure state.&lt;/p&gt;

&lt;p&gt;Now, to understand endpoint security, let's first register a device in our Azure AD. To do that, we will create a VM and connect it to our Azure AD.&lt;/p&gt;

&lt;p&gt;Once logged in to our VM, we will go to Settings&amp;gt; Accounts and click on the option to log in with an office or school account.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_opH1hoQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q9tdmdgujkhhsrdi2gaq.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_opH1hoQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q9tdmdgujkhhsrdi2gaq.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
In the next step, we will enter our work credentials, and it will register our device in Azure AD.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MeNJW3Ua--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h227hba9pkfcuxvsc6y1.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MeNJW3Ua--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h227hba9pkfcuxvsc6y1.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can find our device in Azure AD&amp;gt; Devices&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--e1vBx5f6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z8gitfqssigit9hnwb1q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--e1vBx5f6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z8gitfqssigit9hnwb1q.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's manage antivirus in the Microsoft Azure Endpoint Manager admin center.&lt;/p&gt;

&lt;p&gt;Go to &lt;a href="https://endpoint.microsoft.com/"&gt;https://endpoint.microsoft.com/&lt;/a&gt; and now go to Endpoint Security&amp;gt;Antivirus&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ql07RKDp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/98h0os9f6safkaeprniy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ql07RKDp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/98h0os9f6safkaeprniy.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we will create an Antivirus Policy. To do that click on create a new AV policy.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--JJPO28Yx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5m3ir64orql182d2hmrt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--JJPO28Yx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5m3ir64orql182d2hmrt.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
We can closely monitor devices in AV reports and manually look into unhealthy devices.&lt;/p&gt;

&lt;p&gt;Let's now implement a disk encryption policy for Windows 10 and above. We can use BitLocker for encryption.&lt;/p&gt;

&lt;p&gt;BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ne1_yWhH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ocahpy1c54lxeu9iiwxp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ne1_yWhH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ocahpy1c54lxeu9iiwxp.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next, let's talk about Endpoint detection and response. Microsoft Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.&lt;/p&gt;

&lt;p&gt;To create an Endpoint detection and response policy, we can go to the Microsoft endpoint security admin panel and create one from there.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jr1DBGr8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3xjfeg2qmavje9a7116f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jr1DBGr8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3xjfeg2qmavje9a7116f.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When Defender antivirus is in use on your Windows 10 devices, you can use Intune endpoint security policies for Attack surface reduction to manage those settings for your devices.&lt;/p&gt;

&lt;p&gt;Let's create a policy for App and browser isolation. We can do the same using the Microsoft Endpoint Manager admin center.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zyeBZRNS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jhfyhg3aynlmmy4gyjbm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zyeBZRNS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jhfyhg3aynlmmy4gyjbm.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Account protection policies help protect user credentials by using technology such as Windows Hello for Business and Credential Guard.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iAHyvjY_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t6ma5h2k2ke1xvk6b02o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iAHyvjY_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t6ma5h2k2ke1xvk6b02o.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
In a similar way, we can create device compliance policies as well. &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OQCTU_nv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/j3v6y8s4gt8ejy5d282q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OQCTU_nv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/j3v6y8s4gt8ejy5d282q.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;From the Endpoint Analytics dashboard in the Microsoft Endpoint Manager admin center, we can manage devices that are incompatible with our Endpoint security policies.&lt;br&gt;
 &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FlUOjTpa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sglr87n3jcom9qwxmsnv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FlUOjTpa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sglr87n3jcom9qwxmsnv.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Hope you now have an overview of Endpoint security policies. Follow me on Twitter for more: &lt;a href="https://twitter.com/stharvid"&gt;https://twitter.com/stharvid&lt;/a&gt;&lt;/p&gt;

</description>
      <category>azure</category>
      <category>security</category>
    </item>
    <item>
      <title>User Management In Azure AD</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Tue, 27 Apr 2021 12:24:17 +0000</pubDate>
      <link>https://dev.to/stharvid/user-management-in-azure-ad-501a</link>
      <guid>https://dev.to/stharvid/user-management-in-azure-ad-501a</guid>
      <description>&lt;p&gt;Suppose your organization plans to use Azure AD and you are responsible for managing user profiles and user access. In this article, we will have an overview of basic user management tasks such as managing user profiles, assigned roles, licenses, MFA, etc. Now let's go through them one by one.&lt;/p&gt;

&lt;p&gt;Suppose a new person (Ram Mohan) has joined my organization's sales team and I am responsible for adding him to Azure AD and providing relevant access.&lt;/p&gt;

&lt;p&gt;Now let's add him to Azure AD. To do so I will go to Azure AD&amp;gt;Users&amp;gt; and Add New User.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Tcss8hSV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t823f7ar25uou0lxep0s.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Tcss8hSV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t823f7ar25uou0lxep0s.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
Since the user has joined my organization, I will create a user. Alternatively, if someone from outside my organization joins for a short term, I can invite them as well.&lt;/p&gt;

&lt;p&gt;For now, I will fill in basic details only: Name, User Name, Designation, Department, and Manager. I will assign a relevant role later.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1mbaULjG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/98i1m9ukb3bwhtxaz24n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1mbaULjG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/98i1m9ukb3bwhtxaz24n.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's assign the user the Insight Administrator role. To do that, we click on that particular user and then on Role assignment. We then select the Insight Administrator role from the list and, on the next page, select an assignment type. With the Eligible assignment type, the user needs to activate the role from their own end. Once done, we click on Assign.&lt;/p&gt;

&lt;p&gt;Now let's add the user to the sales group-&lt;br&gt;
To do so, we click on the user profile and then go to Groups. Now click on Add memberships and select the relevant group.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FjYp51x3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rurcfaxkkmjy1v06b4tr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FjYp51x3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rurcfaxkkmjy1v06b4tr.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's assign the user a P2 license. To do that, we go to the user profile and click on Licenses.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cMJjq6bN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1dtscb3z25lugua1fvj1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cMJjq6bN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1dtscb3z25lugua1fvj1.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the devices section, we can see all the devices and user login activity. We can detect stale devices and remove access as well.&lt;/p&gt;

&lt;p&gt;Now let's secure Ram Mohan with multi-factor authentication. We will force Ram Mohan to register for MFA and perform MFA according to the organization's policy.&lt;/p&gt;

&lt;p&gt;Now we will enter the user's mobile number and email for MFA, or we can create a policy that requires all or specific users to perform MFA.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--e2cz0Jdx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8kp257rzvto3yu9qp9n6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--e2cz0Jdx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8kp257rzvto3yu9qp9n6.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With this, I am done with the process of adding Ram Mohan to my organization. Let's log in to Ram Mohan's account to see how it works.&lt;br&gt;
When Ram Mohan logs in to his account, he will first be asked to update his password.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WQ6Xecv8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kopjhuywl1r8xl6lvlk4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WQ6Xecv8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kopjhuywl1r8xl6lvlk4.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After that, Ram Mohan will be asked to register for MFA, or he can skip it for 14 days.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--afvJEAML--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/279z7p6eupr4hdafjlvu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--afvJEAML--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/279z7p6eupr4hdafjlvu.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's go to PIM and activate Ram Mohan's role as an Insight Administrator-&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NQNxZBn_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qt4xblmcl2wsbsqroh7s.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NQNxZBn_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qt4xblmcl2wsbsqroh7s.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We just need to click on activate and it will be activated or a report will be sent to the manager based on your PIM policy.&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BuOHNHK0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5pmxiaywxlw199iksdvh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BuOHNHK0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5pmxiaywxlw199iksdvh.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Hopefully, you found this write-up helpful. Please follow for more such content.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>microsoft</category>
      <category>security</category>
      <category>tharvid</category>
    </item>
    <item>
      <title>Azure AD Privileged Identity Management</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Mon, 26 Apr 2021 15:06:42 +0000</pubDate>
      <link>https://dev.to/stharvid/azure-ad-privileged-identity-management-2f0</link>
      <guid>https://dev.to/stharvid/azure-ad-privileged-identity-management-2f0</guid>
      <description>&lt;p&gt;What is PIM?&lt;br&gt;
Privileged Identity Management (PIM) is a service in Azure Active Directory that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. &lt;/p&gt;

&lt;p&gt;Why should you adopt this solution?&lt;br&gt;
You want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or of an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure resources and Azure AD. There is also a need for oversight of what those users are doing with their administrator privileges.&lt;/p&gt;

&lt;p&gt;Now let's deploy PIM-&lt;br&gt;
To deploy PIM, we first need to enable Access management for Azure resources. To enable it, we go to Azure AD &amp;gt; Properties and enable Access management.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--tufBohbC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/aj7c03774wxz8lpt7exc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--tufBohbC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/aj7c03774wxz8lpt7exc.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's assign the Application Administrator role to the user John Duo. To do so, we first find Application Administrator in the roles section.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ThwjNsLc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/btb8rcj2d2oii6cnzbz1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ThwjNsLc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/btb8rcj2d2oii6cnzbz1.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, to add members, we click on Add assignments and select the user.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lNz2q70B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rf0vxheydevwm0lvvz9s.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lNz2q70B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rf0vxheydevwm0lvvz9s.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By default, the assignment type is Eligible, which means we need to activate the assignment whenever it is required.&lt;br&gt;
 &lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MQKRQ2g0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gt03so91zbnmhenboxle.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MQKRQ2g0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gt03so91zbnmhenboxle.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now John Duo needs to go to PIM and click on My roles. There he can see his eligible and active roles.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dPU5fCR7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fi2smwihphd499y1ffrt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dPU5fCR7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fi2smwihphd499y1ffrt.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now the user can see the resources and resource groups he has been given access to.&lt;/p&gt;

&lt;p&gt;Let's understand some functionalities-&lt;br&gt;
Pending requests-&lt;br&gt;
It displays users' pending requests to activate eligible role assignments.&lt;/p&gt;

&lt;p&gt;Approve requests-&lt;br&gt;
Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.&lt;/p&gt;

&lt;p&gt;Review access-&lt;br&gt;
Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.&lt;/p&gt;

&lt;p&gt;Azure AD roles-&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PsCVcg6R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ugdbjpdlp159tgokffbn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PsCVcg6R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ugdbjpdlp159tgokffbn.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here the administrator can see a log and analysis of roles he has assigned to others.&lt;/p&gt;

&lt;p&gt;Hopefully, you got a brief idea about Azure AD PIM. Please hit follow to stay updated about such writeups.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>security</category>
      <category>azuread</category>
    </item>
    <item>
      <title>Azure AD Entitlement Management</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Sat, 24 Apr 2021 12:13:24 +0000</pubDate>
      <link>https://dev.to/stharvid/azure-ad-entitlement-management-49fi</link>
      <guid>https://dev.to/stharvid/azure-ad-entitlement-management-49fi</guid>
      <description>&lt;p&gt;&lt;strong&gt;What is Entitlement Management?&lt;/strong&gt;&lt;br&gt;
Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.&lt;/p&gt;

&lt;p&gt;Why should you adopt this solution?&lt;br&gt;
If you are using Azure AD, employees in your organization need access to various groups, applications, and sites to perform their jobs. Managing this access is challenging, as requirements change - new applications are added or users need additional access rights. This scenario gets more complicated when you collaborate with outside organizations - you may not know who in the other organization needs access to your organization's resources, and they won't know what applications, groups, or sites your organization is using. Azure AD entitlement management can help you more efficiently manage access to groups, applications, and SharePoint Online sites for internal users, and also for users outside your organization who need access to those resources.&lt;/p&gt;

&lt;p&gt;Let's see how you can deploy Azure Active Directory entitlement management-&lt;/p&gt;

&lt;p&gt;First, go to Azure AD&amp;gt;Identity Governance&amp;gt;Access packages&lt;/p&gt;

&lt;p&gt;Now let's explore all these features one by one.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Access packages-&lt;/strong&gt;&lt;br&gt;
Entitlement management introduces to Azure AD the concept of an access package. An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task. Access packages are used to govern access for your internal employees, and also users outside your organization.&lt;/p&gt;

&lt;p&gt;With Entitlement management, you can manage access to Azure AD security groups, Microsoft 365 Groups, and Teams, SaaS applications with SSO, etc.&lt;/p&gt;

&lt;p&gt;Now let's create the first access package-&lt;br&gt;
First, click on create access package and give it a name and description.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KTWyDfeM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z2m5m670msr5fldsjnep.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KTWyDfeM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z2m5m670msr5fldsjnep.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we need to assign the sales group a contributor role. So click on the group and select the sales group. We will assign a member role once it is added.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ptlm808X--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4a990k6rgokxn9gjlctj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ptlm808X--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4a990k6rgokxn9gjlctj.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we will create a policy to specify who can request access. We will select all members in the directory and assign a sales manager who can approve access-&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--aej-nYPW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g3gc1232nophcmbieh0v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--aej-nYPW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g3gc1232nophcmbieh0v.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we can ask the requester a question and can select when the access package will expire.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BbEwEBtt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qas9w92wk8l4613vqc8k.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BbEwEBtt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qas9w92wk8l4613vqc8k.png" alt="image"&gt;&lt;/a&gt;&lt;br&gt;
Remember we selected a catalog "General" while creating Access packages. A catalog is a container of related resources and access packages. Catalogs are used for delegation so that non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--15lTWN9w--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b40y9k0om3l9aw62kjtq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--15lTWN9w--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/b40y9k0om3l9aw62kjtq.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's suppose you want a freelancer to work on your sales campaign and want to assign him access. You can do that by configuring his domain as a connected organization, and we can specify in the policy, while creating the access package, that they can also access resources.&lt;/p&gt;

&lt;p&gt;Now let's add a connected organization. To do that, go to Azure AD &amp;gt; Identity Governance &amp;gt; Connected organizations and hit "Add connected organization".&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6GHUaX9I--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/htgsgllcta5wibiwuenh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6GHUaX9I--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/htgsgllcta5wibiwuenh.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now search for the domain you want to add and click on add.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HxvC32RJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7lbmqj6bmg7554pxo5kc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HxvC32RJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7lbmqj6bmg7554pxo5kc.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can also add internal and external sponsors related to the project. Sponsors are internal or external users already in your directory that are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. Once you have configured sponsors, you can hit Create.&lt;/p&gt;

&lt;p&gt;In the report section, you can get an overview of users and their access packages, as well as an analysis of the resources assigned to users.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HbMbugsQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a8vl2zro7otn3k20kuvg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HbMbugsQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/a8vl2zro7otn3k20kuvg.png" alt="image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Hopefully, you got an idea about Azure AD Entitlement Management. Follow for more such writeups.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Azure AD Multi-Factor Authentication</title>
      <dc:creator>SUNIL KUMAR</dc:creator>
      <pubDate>Thu, 22 Apr 2021 17:33:19 +0000</pubDate>
      <link>https://dev.to/stharvid/azure-ad-multi-factor-authentication-3b2f</link>
      <guid>https://dev.to/stharvid/azure-ad-multi-factor-authentication-3b2f</guid>
      <description>&lt;p&gt;&lt;strong&gt;What is MFA?&lt;/strong&gt;&lt;br&gt;
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How does it work?&lt;/strong&gt;&lt;br&gt;
Azure AD Multi-Factor Authentication secures user sign-in events. We can implement it by various methods, but the best way to deploy MFA is with a conditional access policy. When a user tries to access an Azure AD protected resource, Azure AD tries to verify their identity using something you know, something you have, something you are.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is this solution for you?&lt;/strong&gt;&lt;br&gt;
&lt;em&gt;If your organization is using Azure single sign-on solution and if you are worried about the security of your user accounts then Azure AD MFA is the right solution for you. You can implement risk-based MFA for your users that will ensure the security of your users.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Now let's look at the prerequisites for deploying MFA with Azure AD-&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;We need a working Azure AD tenant with an Azure AD Premium P1 or P2 license enabled. (You can use the trial as well)&lt;/li&gt;
&lt;li&gt;An account with Global administrator privileges.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;How to Deploy MFA in Azure AD?&lt;/strong&gt;&lt;br&gt;
To deploy MFA, we log in to the Azure portal and navigate to Azure AD &amp;gt; Security &amp;gt; Conditional Access.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lSrbECo7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4m9mlc27d8kzmhtq1gkd.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lSrbECo7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4m9mlc27d8kzmhtq1gkd.PNG" alt="MFA"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we will create a new policy to force MFA for the "MFA Test" (&lt;a href="mailto:test@99daysofgcp.tech"&gt;test@99daysofgcp.tech&lt;/a&gt;) user.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MEJqDh9k--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/azxk417ourpj7pkbft92.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MEJqDh9k--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/azxk417ourpj7pkbft92.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here we created a conditional access policy that forces the user to register for and perform Multi-Factor Authentication if the user's sign-in risk is medium or above.&lt;/p&gt;

&lt;p&gt;Now let's configure the various MFA settings-&lt;br&gt;
To configure MFA, navigate to MFA by searching for it in the global search bar, and then click on Configure MFA.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--874ybNqN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m50tzdxf19al6kswcaxg.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--874ybNqN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m50tzdxf19al6kswcaxg.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now if the &lt;a href="mailto:test@99daysofgcp.tech"&gt;test@99daysofgcp.tech&lt;/a&gt; user faces a medium or higher level of risk, the conditional access policy will force the user to register for and perform MFA.&lt;/p&gt;

&lt;p&gt;Let's have a look at the different settings and functionality available inside MFA-&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Account lockout-&lt;/strong&gt;&lt;br&gt;
It temporarily locks accounts in the multi-factor authentication service if there are too many denied authentication attempts in a row. This feature only applies to users who enter a PIN to authenticate.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MQ4zaQvH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bb50wklw4h08r8yvsx1m.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MQ4zaQvH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bb50wklw4h08r8yvsx1m.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Block/unblock users-&lt;/strong&gt;&lt;br&gt;
A blocked user will not receive Multi-Factor Authentication requests. Authentication attempts for that user will be automatically denied. A user will remain blocked for 90 days from the time they are blocked. We can manually unblock a user as well.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--goajWGEo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2cud34392u7y73prxuj2.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--goajWGEo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2cud34392u7y73prxuj2.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fraud Alert-&lt;/strong&gt;&lt;br&gt;
It allows your users to report fraud if they receive a two-step verification request that they didn't initiate.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1fUNoPVL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5ebgxa56l6ebwyqdcens.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1fUNoPVL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5ebgxa56l6ebwyqdcens.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Notification-&lt;/strong&gt;&lt;br&gt;
Email notifications can be configured when users report fraud alerts. These notifications are typically sent to identity administrators, as the user's account credentials are likely compromised.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--SIMOqFkw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x1koc10agm99l0648h08.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--SIMOqFkw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x1koc10agm99l0648h08.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;One-time bypass&lt;/strong&gt;&lt;br&gt;
It allows a user to authenticate without performing two-step verification for a limited time. The bypass goes into effect immediately and expires after the specified number of seconds. This feature only applies to MFA Server deployment.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--L8pFwvK7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/muhmhtp3tlyy4paee33z.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--L8pFwvK7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/muhmhtp3tlyy4paee33z.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Caching rules&lt;/strong&gt;&lt;br&gt;
Set up caching rules so that consecutive authentications don't require two-step verification. This feature only applies to MFA Server deployment.&lt;/p&gt;

&lt;p&gt;Hopefully, you got an idea about how to deploy and configure MFA in Azure AD. Thanks for reading; please hit follow if it helped.&lt;/p&gt;

</description>
      <category>security</category>
      <category>azure</category>
    </item>
  </channel>
</rss>
