The benefits of using Azure Active Directory are numerous. Sharon will outline some of the best use-case scenarios that leverage this tool, including multifactor authentication, device management, and advanced reporting.
- [Instructor] Azure Active Directory provides multifactor authentication, which adds another layer of security above a username and password. Multifactor authentication forces a user to provide another layer of identity control. They have to provide another credential. Typically we only require one method of authentication for our users, typically a password. This is something you know. When we use multifactor authentication, we are also requiring the user to provide another way to identify themselves, such as something they have.
This could be a trusted device such as a smartphone or a key fob. This could also be something that they are, such as a fingerprint for biometrics. With Azure Active Directory, you can set up multifactor authentication for all users, users outside the corporate network, accounts where anomalous activity has been detected, or a combination of any of these. The most common multifactor scenarios are requiring something that you know, such as a password, in conjunction with something you have, such as a text verification on a smartphone.
A great example of multifactor authentication within Azure is detecting logins from locations that are physically impossible to reach within a certain time frame. For example, we have a user who logs in, let's say from Los Angeles. No problem, they're in, everything is good. 20 minutes later that same user logs in from Tokyo. Using this method, the second login attempt would be forced to provide a secondary means of authentication.

Company branding is also handled through Azure Active Directory.
Having consistent branding maintains the look and feel for the company and for the users. The branding options within Azure Active Directory include adding a logo, some illustrations, some sign-in page text, for example, you may have a help line that says, please sign in using your corporate credentials. Additional languages can also be set up within the branding pages as well. The customizations that you provide within the branding section of Azure Active Directory are also applied to the User Access portal.
Azure Active Directory has a rich reporting feature in the back end. There are several types of reports that you can pull. These reports include security, activity, and audit reports. The security reports contain information about irregular sign-in activity, going back to the example of maybe somebody signed in from L.A. and then 20 minutes later from Tokyo, about password resets, and sign-ins from IPs with suspicious activity. Anomalous activity reports include reporting on uncharacteristic login behaviors, including sign-ins from unknown sources or multiple sign-in failures.
These activity reports could indicate login attempts using brute force, or multiple users signing in with a single account. And finally, activity logs. These logs record the actions taken by a specific account. For example, a log may report that on a specific date and time, a specific user deleted an application. These reports also provide information about password resets and self-service group activity.

And finally, device management in Azure Active Directory. One of the advancements in Windows 10 was the ability to authenticate to Azure Active Directory.
Again, this is only in Windows 10. Once authenticated, the user has access to all of their Cloud-enabled services without having to log in again. Windows 10 also enables users to domain join without IT intervention. If the user is connecting a company-owned device, a device that you provided to that user, the user authenticates to Azure instead of the traditional domain controller. If the user is bringing their own device, they can still configure their personal device to access work applications and resources by adding their work account to the device.
Registered devices can easily be blocked or deleted, preventing that device from accessing the company data. For example, a new employee brings his own phone to work and IT allows him to access the corporate Cloud resources using that phone. Our employee then misplaces his phone and to protect the company data, we block his phone from accessing the corporate resources. It is then determined that his phone is lost. So now we can delete the device associated with that user, ensuring that device can never access our company data.
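The "Los Angeles, then Tokyo 20 minutes later" scenario the instructor describes is an impossible-travel check: compare each user's consecutive sign-ins, work out how fast they would have had to move between the two geolocations, and flag pairs that exceed any feasible speed. The following Python is an added illustration of that logic and is not code from the course or from Azure AD Identity Protection, whose own model and thresholds are not documented on this page. The sign-in records, the city coordinates and the 1000 km/h cut-off are all constructed assumptions for the example.

```python
"""Impossible-travel detection over constructed sign-in records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
# Assumed policy value: faster than a commercial flight between two successful
# sign-ins is treated as travel that cannot physically have happened.
MAX_FEASIBLE_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class ImpossibleTravel:
    user: str
    first: SignIn
    second: SignIn
    distance_km: float
    speed_kmh: float  # float("inf") when both sign-ins carry the same timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events: Iterable[SignIn],
                           max_kmh: float = MAX_FEASIBLE_KMH) -> List[ImpossibleTravel]:
    """Return every consecutive sign-in pair (per user) whose implied speed exceeds max_kmh."""
    by_user: Dict[str, List[SignIn]] = {}
    for event in events:
        by_user.setdefault(event.user, []).append(event)

    hits: List[ImpossibleTravel] = []
    for user, user_events in by_user.items():
        # Logs are not guaranteed to arrive in order, so sort before pairing.
        user_events.sort(key=lambda e: e.when)
        for prev, cur in zip(user_events, user_events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < 1.0:
                continue  # same place; IP geolocation jitter is not travel
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Identical timestamps with different locations: infinite speed, never feasible.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append(ImpossibleTravel(user, prev, cur, dist, speed))
    return hits


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample: alice reproduces the LA-then-Tokyo case from the text;
# bob's LA-to-San-Francisco trip over three hours is ordinary travel.
SAMPLE_SIGNINS = [
    SignIn("alice", _utc("2024-01-15T09:00:00"), "Los Angeles", 34.0522, -118.2437),
    SignIn("alice", _utc("2024-01-15T09:20:00"), "Tokyo", 35.6762, 139.6503),
    SignIn("bob", _utc("2024-01-15T12:00:00"), "San Francisco", 37.7749, -122.4194),
    SignIn("bob", _utc("2024-01-15T09:00:00"), "Los Angeles", 34.0522, -118.2437),
]

if __name__ == "__main__":
    for hit in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{hit.user}: {hit.first.city} -> {hit.second.city}, "
              f"{hit.distance_km:.0f} km at {hit.speed_kmh:.0f} km/h (step-up MFA)")
```

A real pipeline would feed this from the Azure AD sign-in log rather than a hard-coded list, and a flagged pair is the point at which a Conditional Access policy would demand the second factor; the threshold is deliberately generous so that a VPN exit node in a neighbouring city does not trigger it.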