Knowing what's happening in Active Directory has always been critical. That was increasingly true as more and more applications inside your network came to rely on AD for identity, authentication and authorization.
But now Active Directory is connected to and/or even itself exists in the cloud. Anyone using an Azure service or Office 365 is already using Azure Active Directory whether they realize it or not. Most of us do realize it and therefore we have connected our on-premise AD with Azure AD using synchronization (think Azure AD Connect and before that dirsync) and in some cases with Federation (think ADFS, et al).
Is Azure AD simply a projection of on-premise Active Directory, and therefore not in need of monitoring? Not so fast. Azure AD isn't simply a read-only projection of your on-premise AD. User accounts and groups can be created directly in Azure AD with no relationship to on-premise AD objects. There are situations where you must do that, and of course non-compliant admins or intruders will certainly do that for a variety of reasons. Whether intentional or not, you need to know when objects are created or changed directly in Azure AD that don't correspond to on-premise AD objects.
Azure AD may or may not be an extension of your on-premise AD. But the same security risks and compliance requirements apply to Azure AD as to on-premise AD. You have to monitor both, and you need to be able to correlate changes so that you can separate the events which are just duplicates resulting from synchronization from those that aren't.
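To make that correlation concrete, here is an added Python example (not from the webinar or from Netwrix) that sorts constructed Azure AD "Add user" audit entries into three buckets: duplicates of an on-premise creation that synchronization produced, cloud-only creations that need an alert, and sync-initiated creations with no visible on-premise source, which indicate an audit gap. The event field names, the `Sync_` actor prefix, the 45-minute matching window and the rule that the UPN prefix equals the sAMAccountName are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed: Azure AD Connect syncs every 30 minutes, so allow 45 minutes of slack.
SYNC_WINDOW = timedelta(minutes=45)
SYNC_ACTOR_PREFIX = "Sync_"  # assumed naming of the AD Connect service account

# Constructed on-prem events in the shape of Security Log event 4720 (user created).
ONPREM_EVENTS = [
    {"time": "2023-05-01T10:00:00", "event_id": 4720, "sam": "jdoe", "actor": "CORP\\hr-admin"},
    {"time": "2023-05-01T10:05:00", "event_id": 4720, "sam": "asmith", "actor": "CORP\\hr-admin"},
]

# Constructed Azure AD audit entries; field names are assumptions, not the Graph schema.
AAD_EVENTS = [
    {"time": "2023-05-01T10:20:00", "activity": "Add user", "upn": "jdoe@contoso.example", "initiated_by": "Sync_SRV01"},
    {"time": "2023-05-01T10:25:00", "activity": "Add user", "upn": "asmith@contoso.example", "initiated_by": "Sync_SRV01"},
    {"time": "2023-05-01T11:00:00", "activity": "Add user", "upn": "svc-backup@contoso.example", "initiated_by": "admin@contoso.example"},
    {"time": "2023-05-01T14:00:00", "activity": "Add user", "upn": "jdoe2@contoso.example", "initiated_by": "Sync_SRV01"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(aad_events, onprem_events, window=SYNC_WINDOW):
    """Return (upn, verdict, reason) per Azure AD creation.

    synced              : an on-prem 4720 for the same account preceded it within the window; suppress as a duplicate
    cloud-only          : no on-prem origin and a human/app actor; alert, the object exists only in Azure AD
    sync-without-source : the sync account created it but no on-prem 4720 was seen; investigate the audit gap
    """
    creations = {e["sam"].lower(): _ts(e["time"]) for e in onprem_events if e["event_id"] == 4720}
    verdicts = []
    for e in aad_events:
        if e["activity"] != "Add user":
            continue
        sam = e["upn"].split("@")[0].lower()  # assumption: UPN prefix == sAMAccountName
        origin = creations.get(sam)
        if origin is not None and timedelta(0) <= _ts(e["time"]) - origin <= window:
            verdicts.append((e["upn"], "synced", f"on-prem 4720 at {origin.isoformat()}"))
        elif e["initiated_by"].startswith(SYNC_ACTOR_PREFIX):
            verdicts.append((e["upn"], "sync-without-source", f"sync actor {e['initiated_by']} but no 4720 seen"))
        else:
            verdicts.append((e["upn"], "cloud-only", f"created directly by {e['initiated_by']}"))
    return verdicts


if __name__ == "__main__":
    for upn, verdict, reason in correlate(AAD_EVENTS, ONPREM_EVENTS):
        print(f"{verdict:20} {upn:30} {reason}")
```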
Furthermore, there's a host of security settings that apply to Azure AD that have no meaning to on-prem AD. We need to know when those things change. For instance, when a new trusted partner is added with delegated admin authority to your Azure AD domain. Would you know?
Beyond that, what about logon and authentication? Bad guys can attack both on-premise AD and Azure AD. Both provide logon monitoring, but in very different ways and formats. You need to monitor both. Is that still true if you use federation? Doesn't everything go through ADFS or a third-party federation server? It can, but that doesn't mean every access does. You can still attack resources directly, and that's again where monitoring comes in.
In this webinar I'll compare and contrast monitoring changes and authentication in on-premise AD and Azure AD. Beyond that, I'll dive into all the issues raised above in terms of how to go about monitoring both types of AD in common hybrid environments. The native source of audit data in on-premise AD is of course the Windows Security Log, but in Azure AD it's a very different story. I'll show you how it works.
Netwrix is our sponsor for this real training for free ™ webinar and they will briefly show you how Netwrix provides visibility into changes and access events in both Active Directory and Azure Active Directory. Better yet, they’ll demonstrate how they put both sources of information on a single pane of glass and address the issues mentioned above.
Please join us for this interesting, technical and practical security event.