{"id":4211,"date":"2020-01-12T15:17:03","date_gmt":"2020-01-12T20:17:03","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4211"},"modified":"2020-01-19T19:09:36","modified_gmt":"2020-01-20T00:09:36","slug":"what-is-azure-active-directory","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4211","title":{"rendered":"What is Azure Active Directory?"},"content":{"rendered":"\n

Many are familiar with Active Directory, the on-premises directory and authentication system that is available with Windows Server, but exactly what is Azure Active Directory<\/a>?<\/em>

Azure Active Directory (Azure AD or AAD) is a multi-tenant cloud directory and authentication <\/a>service.
Azure AD is the directory service that Office 365 (and Azure) leverages for account, groups, and roles.
It is also an Identity Provider (IPD) and supports federation (SAML, etc).
Note: given how rapidly the cloud changes, elements of this post may become out of date soon after the original post date.

Azure AD is highly available and globally deployed.<\/strong><\/p>\n\n\n\n

Azure AD is deployed in over 30 datacenters around the world leveraging Azure Availability Zones where present. This number is growing rapidly as additional Azure Regions are deployed.

For durability, any piece of data written to Azure AD is replicated to at least 4 and up to 13 datacenters depending on your tenant configuration. Within each data center, data is again replicated at least 9 times for durability but also to scale out capacity to serve authentication load. To illustrate\u2014this means that at any point in time, there are at least 36 copies of your directory data available within our service in our smallest region. For durability, writes to Azure AD are not completed until a successful commit to an out of region datacenter.

This approach gives us both durability of the data and massive redundancy\u2014multiple network paths and datacenters can serve any given authorization request, and the system automatically and intelligently retries and routes around failures both inside a datacenter and across datacenters.

To validate this, we regularly exercise fault injection and validate the system\u2019s resiliency to failure of the system components Azure AD is built on. This extends all the way to taking out entire datacenters on a regular basis to confirm the system can tolerate the loss of a datacenter with zero customer impact.

Azure AD is already a massive system running on over 300,000 CPU Cores and able to rely on the massive scalability of the Azure Cloud to dynamically and rapidly scale up to meet any demand. This can include both natural increases in traffic, such as a 9AM peak in authentications in a given region, but also huge surges in new traffic served by our Azure AD B2C which powers some of the world\u2019s largest events and frequently sees rushes of millions of new users.

To support the health checks that gate safe deployment and give our engineering team insight into the health of the systems, Azure AD emits a massive amount of internal telemetry, metrics, and signals used to monitor the health of our systems. At our scale, this is over 11 PetaBytes a week of signals that feed our automated health monitoring systems. <\/p>https:\/\/azure.microsoft.com\/en-us\/blog\/advancing-azure-active-directory-availability\/<\/a><\/cite><\/blockquote>\n\n\n\n

Azure Active Directory is Not Cloud AD<\/strong>
Azure Active Directory is not Active Directory hosted in the cloud.
There is no standard AD authentication methods such as NTLM or Kerberos; no LDAP; and no group policy (GPO), so Azure AD won’t work for traditional on-prem applications.

There are cloud hosted Active Directory environments that can be used to manage cloud workloads in Microsoft Azure (Azure Active Directory Domain Services<\/a>), Amazon AWS (Amazon Managed Microsoft AD<\/a>), and Google Cloud (Managed Service for Microsoft Active Directory (AD)<\/a>). These are all hosted Microsoft Active Directory environments which have 2 Domain Controllers (or more) and the tenant admins do not receive Domain Admin rights to the hosted AD environment; only delegated access is provided which often includes the ability to create\/manage resources in a specific OU and specific GPOs.

Note: I don’t have room to include a comparison of these services here, but may write a future post if there’s interest (I did some research comparing Microsoft Azure vs Amazon AWS hosted AD service offerings in 2017).<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Primary Management Tools<\/strong>
The tool that most AD administrators are familiar with is Active Directory Users and Computers aka ADUC (MMC tool). <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Azure Active Directory administrators will primarily use the web console at https:\/\/portal.azure.com to administer the environment.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Admins that manage Active Directory on-prem and now Azure AD\/Office 365 will be using the on-prem MMC tools as well as the web admin portals (and various URLs associated with them).
There are PowerShell cmdlets available for managing Azure AD (similar to on-prem), though cloud features often move faster than the PowerShell tools are released, which means that using the cloud admin portal should still be used, even when using PowerShell.<\/p>\n\n\n\n

Interfacing with Azure Active Directory<\/strong>
Since Azure AD doesn’t have LDAP, interfacing with AAD involves connecting via the Graph API (or PowerShell modules). I like PowerShell, so I use the PowerShell modules (or Portal websites) for management and reporting.

There are 2 primary PowerShell modules for interfacing with Azure AD: MSOnline <\/a>and AzureAD<\/a>. These can be installed through the PowerShell install feature:
Install-Module -Name MSOnline -Force <\/em>
Install-Module -Name AzureAD -Force
<\/em>
The AzureAD module may eventually replace the MSOnline PowerShell module, but there are features available in MSOnline that haven’t been ported to the Azure AD module (yet). <\/p>\n\n\n\n\n\n\n\n

Azure AD PowerShell Modules & Cmdlets Comparison<\/strong>
(module & cmdlet data as of January 2020)<\/em><\/p>\n\n\n\n

Category<\/td>MSOnline<\/td>AzureAD<\/td><\/tr>
Administrative Unit<\/td>Get-MsolAdministrativeUnit<\/a><\/td>    <\/td><\/tr>
Administrative Unit<\/td>Get-MsolAdministrativeUnitMember<\/a><\/td>    <\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplication<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationExtensionProperty<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationKeyCredential<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationLogo<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationOwner<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationPasswordCredential<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationProxyApplication<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationProxyApplicationConnectorGroup<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationProxyConnector<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationProxyConnectorGroup<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationProxyConnectorGroupMember<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationProxyConnectorMemberOf<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADApplicationServiceEndpoint<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADMSApplication                                     <\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADMSApplicationExtensionProperty                    <\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADMSApplicationOwner<\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADDeletedApplication<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADServiceAppRoleAssignedTo<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADServiceAppRoleAssignment<\/a><\/td><\/tr>
Application<\/td>    <\/td>Get-AzureADGroupAppRoleAssignment<\/a><\/td><\/tr>
Authentication<\/td>    <\/td>Get-AzureADMSIdentityProvider<\/a><\/td><\/tr>
Authentication<\/td>    <\/td>Get-AzureADMSLifecyclePolicyGroup<\/a><\/td><\/tr>
Authentication<\/td>    <\/td>Get-AzureADOAuth2PermissionGrant<\/a><\/td><\/tr>
Contact<\/td>Get-MsolContact<\/a><\/td>Get-AzureADContact<\/a><\/td><\/tr>
Contact<\/td>    <\/td>Get-AzureADContactDirectReport<\/a><\/td><\/tr>
Contact<\/td>    <\/td>Get-AzureADContactManager<\/a><\/td><\/tr>
Contact<\/td>    <\/td>Get-AzureADContactMembership<\/a><\/td><\/tr>
Contact<\/td>    <\/td>Get-AzureADContactThumbnailPhoto<\/a><\/td><\/tr>
Contract<\/td>    <\/td>Get-AzureADContract<\/a><\/td><\/tr>
Device<\/td>Get-MsolDevice<\/a><\/td>Get-AzureADDevice<\/a><\/td><\/tr>
Device<\/td>Get-MsolDeviceRegistrationServicePolicy<\/a><\/td>    <\/td><\/tr>
Device<\/td>    <\/td>Get-AzureADDeviceConfiguration<\/a><\/td><\/tr>
Device<\/td>    <\/td>Get-AzureADDeviceRegisteredOwner<\/a><\/td><\/tr>
Device<\/td>    <\/td>Get-AzureADDeviceRegisteredUser<\/a><\/td><\/tr>
DirSync<\/td>Get-MsolDirSyncConfiguration<\/a><\/td>    <\/td><\/tr>
DirSync<\/td>Get-MsolDirSyncFeatures<\/a><\/td>    <\/td><\/tr>
DirSync<\/td>Get-MsolDirSyncProvisioningError<\/a><\/td>    <\/td><\/tr>
DirSync<\/td>Get-MsolHasObjectsWithDirSyncProvisioningErrors<\/a><\/td>    <\/td><\/tr>
Domain<\/td>Get-MsolDomain<\/a><\/td>Get-AzureADDomain<\/a><\/td><\/tr>
Domain<\/td>Get-MsolDomainVerificationDns<\/a><\/td>Get-AzureADDomainVerificationDnsRecord<\/a><\/td><\/tr>
Domain<\/td>Get-MsolDomainFederationSettings<\/a><\/td>    <\/td><\/tr>
Domain<\/td>    <\/td>Get-AzureADDomainNameReference<\/a><\/td><\/tr>
Domain<\/td>    <\/td>Get-AzureADDomainServiceConfigurationRecord<\/a><\/td><\/tr>
Federation<\/td>Get-MsolFederationProperty<\/a><\/td>    <\/td><\/tr>
Group<\/td>Get-MsolGroup<\/a><\/td>Get-AzureADGroup<\/a><\/td><\/tr>
Group<\/td>Get-MsolGroup<\/a><\/td>Get-AzureADMSGroup<\/a><\/td><\/tr>
Group<\/td>Get-MsolGroupMember<\/a><\/td>Get-AzureADGroupMember<\/a><\/td><\/tr>
Group<\/td>    <\/td>Get-AzureADGroupOwner<\/a><\/td><\/tr>
Group<\/td>    <\/td>Get-AzureADMSGroupLifecyclePolicy<\/a><\/td><\/tr>
Group<\/td>    <\/td>Get-AzureADMSDeletedGroup<\/a><\/td><\/tr>
License Subscription<\/td>Get-MsolSubscription<\/a><\/td>Get-AzureADSubscribedSku<\/a><\/td><\/tr>
Object<\/td>    <\/td>Get-AzureADMSDeletedDirectoryObject<\/a><\/td><\/tr>
Object<\/td>    <\/td>Get-AzureADObjectByObjectId<\/a><\/td><\/tr>
Partner<\/td>Get-MsolPartnerContract<\/a><\/td>    <\/td><\/tr>
Partner<\/td>Get-MsolPartnerInformation<\/a><\/td>    <\/td><\/tr>
Password<\/td>Get-MsolPasswordPolicy<\/a><\/td>    <\/td><\/tr>
Role Group<\/td>Get-MsolRole<\/a><\/td>Get-AzureADDirectoryRole<\/a><\/td><\/tr>
Role Group<\/td>Get-MsolRoleMember<\/a><\/td>Get-AzureADDirectoryRoleMember<\/a><\/td><\/tr>
Role Group<\/td>Get-MsolScopedRoleMember<\/a><\/td>    <\/td><\/tr>
Role Group<\/td>    <\/td>Get-AzureADDirectoryRoleTemplate<\/a><\/td><\/tr>
Service Principal<\/td>Get-MsolServicePrincipal<\/a><\/td>Get-AzureADServicePrincipal<\/a><\/td><\/tr>
Service Principal<\/td>Get-MsolServicePrincipalCredential<\/a><\/td>Get-AzureADServicePrincipalKeyCredential<\/a><\/td><\/tr>
Service Principal<\/td>    <\/td>Get-AzureADServicePrincipalCreatedObject<\/a><\/td><\/tr>
Service Principal<\/td>    <\/td>Get-AzureADServicePrincipalMembership<\/a><\/td><\/tr>
Service Principal<\/td>    <\/td>Get-AzureADServicePrincipalOAuth2PermissionGrant<\/a><\/td><\/tr>
Service Principal<\/td>    <\/td>Get-AzureADServicePrincipalOwnedObject<\/a><\/td><\/tr>
Service Principal<\/td>    <\/td>Get-AzureADServicePrincipalOwner<\/a><\/td><\/tr>
Service Principal<\/td>    <\/td>Get-AzureADServicePrincipalPasswordCredential<\/a><\/td><\/tr>
Session<\/td>    <\/td>Get-AzureADCurrentSessionInfo<\/a><\/td><\/tr>
Tenant<\/td>Get-MsolCompanyAllowedDataLocation<\/a><\/td>    <\/td><\/tr>
Tenant<\/td>Get-MsolCompanyInformation<\/a><\/td>    <\/td><\/tr>
Tenant<\/td>    <\/td>Get-AzureADTenantDetail<\/a><\/td><\/tr>
Tenant<\/td>    <\/td>Get-AzureADTrustedCertificateAuthority<\/a><\/td><\/tr>
Tenant<\/td>    <\/td>Get-CrossCloudVerificationCode<\/a><\/td><\/tr>
User<\/td>Get-MsolUser<\/a><\/td>Get-AzureADUser<\/a><\/td><\/tr>
User<\/td>Get-MsolUserByStrongAuthentication<\/a><\/td>Get-AzureADUserAppRoleAssignment<\/a><\/td><\/tr>
User<\/td>Get-MsolUserRole<\/a><\/td>Get-AzureADUserCreatedObject<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserDirectReport<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserExtension<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADExtensionProperty<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserLicenseDetail<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserManager<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserMembership<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserOAuth2PermissionGrant<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserOwnedDevice<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserOwnedObject<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserRegisteredDevice<\/a><\/td><\/tr>
User<\/td>    <\/td>Get-AzureADUserThumbnailPhoto<\/a><\/td><\/tr>
User<\/td>Get-MsolAccountSku<\/a><\/td>    <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In the table above, I categorize the cmdlets across the two Azure AD PowerShell module and attempt to link the ones that provide the same or similar capability. I am planning to post more on these cmdlets in the future.<\/p>\n\n\n\n

Unfortunately, it isn’t a simple matter to single sign-on (SSO) to these modules. A credential can be captured in PowerShell and reused across modules, but only if MFA isn’t enforced (which reduces account security).

The Microsoft Cloud environment originally only supported username and password authentication. This “legacy authentication” doesn’t include Multi-Factor Authentication (“MFA”)<\/a>, so for security reasons, legacy authentication should be disabled (via Security Defaults<\/a>, Conditional Access<\/a>, etc).
The Azure Active Directory Authentication Library provides “modern authentication” which fully supports MFA (and passwordless<\/a>!).<\/p>\n\n\n\n

ADAL according to Microsoft:<\/a> <\/span>
The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD), and obtain tokens for securing API calls. ADAL makes authentication easier for developers through features such as:<\/em><\/p>\n\n\n\n