How to manage user identity in a hybrid cloud and premises-based IT structure
Identity, Identity, Identity.
I love Active Directory. I know that sounds a bit daft, but I do. I always used to joke that I loved it so much I would be one of those people who got paid loads for being highly skilled in a now forgotten technology, like the Lotus Notes developer of the noughties… except of course lots of others loved it too, so that was never going to happen. Many got by without understanding it from the bottom up, Microsoft have cleverly transitioned admins across to Entra ID over the past decade or so, and many of them can still work in a hybrid configuration for years to come.
By the time Active Directory is removed from many environments, after years of a three-way relationship, the expression “three’s a crowd” will be in the back of your mind, and the older, clunkier, less dynamic and less fun identity provider, the LDAP-based Active Directory, will be cast aside without much of a second glance.
In all seriousness though, as we all know, the working world has become very different in the past few years, greatly expedited by COVID-19. BC (Before-Covid) staff members would make their way into the office, sit down at their desks with a coffee obtained en route and not worry about IT security. That was dealt with by admins, right? Everything in the office was safe, there was something called a proxy server, and there were occasional references to a perimeter network. It sounded like security was in place.
The PC (Post-Covid) staff are different. They often work in a hybrid manner, have become intolerant of the commute, and have replaced the Monday and Friday Starbucks (on a bad week!) with a carefully curated home-ground bean coffee, enjoyed alongside the early morning birdsong in the garden.
That network perimeter is not giving adequate protection anymore. Our hybrid users often have the ability to access potentially thousands of applications and resources with their Entra ID accounts, without the knowledge of the IT department. Our cloud-only users certainly do. What is the network perimeter doing for them? They are sitting on their BYOD tablet in the summer house that Covid built (and in some cases paid for!), simply using their WiFi and a web browser to carry out their day job: accessing Microsoft 365, looking for other new web-based tools to enhance their role or perhaps make it easier, and finding they can “Sign up” for a trial of so many apps with their “Work or School” accounts. What can the perimeter network do about that? Not a lot.
What must we as Admins do now? Focus on the security of these Identities. Identity, Identity, Identity. It is the new perimeter network.
Entra ID has many capabilities to help us do this. Entra Multi-factor authentication is the first and most obvious one. It is free, easy to configure, and requires the user to supply a code from a text message or confirmation from the Authenticator app.
This is followed closely by Conditional Access, which only allows your PC staff to gain access to resources or carry out specific actions if they comply with the settings in a conditional access policy. Is their device compliant? Check. Is their device running Windows? Check. Are they in the UK? Check. Ok then, yes, they can gain access to their resource.
How do we know what has been happening? The sign-in logs are phenomenal. Located in a single place and easily filtered, they tell us about every sign-in that has taken place: who, what, where and when. Even better? Should our subscription allow for it (it is a Microsoft Entra ID P2 feature), we can use Identity Protection.
Microsoft take the information from these sign-in logs and analyse it to identify “Risky Sign-ins”. That is, where a sign-in comes from an anonymous browser or a known malicious IP address, or results from impossible travel (if a sign-in came from London at 0800, then surely the same account cannot sign in an hour later in Beijing?).
These sign-ins can be blocked, or extra information requested at sign-in. Microsoft Threat Intelligence (MSTIC) trawls the dark web for information about leaked credentials (among many other things!) and if any are found, the account will be classified as a “Risky User” and can be blocked or simply forced to reset the password.
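To make the two mechanisms above concrete, here is an added example (not Microsoft's code and not from this post) that applies the three Conditional Access checks described earlier (compliant device, Windows, in the UK, then MFA) to a handful of sign-in records, and runs an impossible-travel rule of the kind Identity Protection uses over the same records. The record layout, the coordinates, the 1000 km/h speed threshold and the 100 km minimum distance are all assumptions made for illustration; the sign-in records are constructed, not real log data.

```python
"""Constructed example: evaluate a Conditional Access style policy and flag
impossible travel over a small set of sign-in records. Not Microsoft code; the
record layout and thresholds are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime          # UTC
    city: str
    country: str            # ISO 3166-1 alpha-2, e.g. "GB"
    lat: float
    lon: float
    os: str
    device_compliant: bool
    mfa_satisfied: bool


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    SignIn("alice", _utc("2024-03-04 08:00"), "London", "GB", 51.5074, -0.1278, "Windows", True, True),
    SignIn("alice", _utc("2024-03-04 09:00"), "Beijing", "CN", 39.9042, 116.4074, "Windows", True, True),
    SignIn("bob", _utc("2024-03-04 08:00"), "London", "GB", 51.5074, -0.1278, "Windows", True, True),
    SignIn("bob", _utc("2024-03-04 10:00"), "Manchester", "GB", 53.4808, -2.2426, "Windows", True, True),
    SignIn("carol", _utc("2024-03-04 08:30"), "London", "GB", 51.5074, -0.1278, "macOS", True, False),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def evaluate_policy(signin, allowed_countries=frozenset({"GB"}), allowed_os=frozenset({"Windows"})):
    """Apply the checks from the post (compliant device, Windows, in the UK)
    and then require MFA. Returns ("grant", []) or ("block", [reasons])."""
    reasons = []
    if not signin.device_compliant:
        reasons.append("device not compliant")
    if signin.os not in allowed_os:
        reasons.append(f"os {signin.os} not allowed")
    if signin.country not in allowed_countries:
        reasons.append(f"location {signin.country} not allowed")
    if not signin.mfa_satisfied:
        reasons.append("mfa not satisfied")
    return ("grant" if not reasons else "block", reasons)


def impossible_travel(signins, max_speed_kmh=1000.0, min_distance_km=100.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh.
    Pairs closer than min_distance_km are ignored so that IP geolocation jitter
    within one city does not fire the rule; a zero time gap over a large
    distance is treated as infinite speed and flagged."""
    flagged = []
    by_user = {}
    for s in sorted(signins, key=lambda s: (s.user, s.time)):
        by_user.setdefault(s.user, []).append(s)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_distance_km:
                continue
            hours = (cur.time - prev.time).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours
            if speed > max_speed_kmh:
                flagged.append((user, prev.city, cur.city, round(km), round(hours, 2)))
    return flagged


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s.user, s.city, evaluate_policy(s))
    for f in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", f)
```

Run as a script it prints a grant/block decision with reasons for each record, then the single flagged pair (alice, London to Beijing, roughly 8,100 km in one hour). Bob's London-to-Manchester hop is about 260 km over two hours and passes, and Carol is blocked for both the operating system and the missing MFA, which shows why the reasons are returned as a list rather than a single string.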
There are many other worthy features in Entra ID that I am sure will be the subject of another identity blog in the future, but in reading this back to myself, it does sound as if I have moved on and found a younger, more exciting model. But no. There are different types of love of course, and this new one only exists because of the old. In a hybrid configuration, our trusty steed Active Directory is the functioning part. The workhorse. Our Entra ID is simply a copy, a hanger-on, that for many facilitates the move to the cloud without the machinations of configuring a federated trust relationship so we can achieve single sign-on to cloud resources.
Microsoft have recently released an Applied Skills certification (these certifications are available at no cost for a limited time) for Active Directory. The Applied Skills certifications are new credentials for verifying in-demand technical skills.
It is a recognition by Microsoft that identity, whether it is on or off premises, is still a key part of any IT infrastructure.
Prepare for Microsoft certification with our instructor-led course Managing Identity with Active Directory in Windows Server 2022