Anyone using Office 365, Dynamics Online or Azure resources is using Azure AD whether they realize it or not. The standard model for integrating Azure AD with on-prem AD is to synchronize users and groups from on-prem to the cloud with Azure AD Connect. Optionally, you can add federation for single sign-on, or password hash synchronization with password writeback so that password changes flow in both directions.
Once synchronization with Azure AD Connect is set up and working we tend to forget about it. In fact, many organizations treat Azure AD as simply a replicated projection of their on-prem Active Directory. But security is never that simple. Treating Azure AD as an afterthought leads to one or both of the following:
- Compliance findings, as auditors become increasingly aware of hybrid risk scenarios
- Unauthorized changes originating in Azure AD going undetected, in some cases exposing on-prem resources to risk
Just because you connect Azure AD to your on-prem AD doesn't mean you can forget about it. Azure AD is not a read-only projection of the on-prem AD you are likely already monitoring carefully. Yes, in-scope changes to your local AD synchronize up to Azure, but nothing prevents a user with sufficient permissions at the directory level or higher from creating additional user accounts, changing permissions or tampering with group membership directly in the cloud.
There are at least two broad categories of changes that can occur in Azure AD:
- On-prem originating changes, synchronized up to the cloud by Azure AD Connect
- Cloud originating changes, made directly in Azure AD. These can affect users and groups inside the synchronization scope as well as cloud-only users and groups.
And remember that Azure allows consumer Microsoft accounts like bob@hotmail.com to be granted privileged access to resources, subscriptions and directories.
I wish it were simply a matter of reviewing an Azure AD change report. But remember that all changes to in-scope users and groups in your on-prem AD are synchronized up to Azure as well, so how do you distinguish those changes (which should already be subject to monitoring in your on-prem AD) from changes originating inside Azure AD itself?
In this webinar I will show you how changes flow from on-prem AD to Azure AD and how cloud originating changes are made.
Then we will look at how both types of changes are reported in Azure AD and how to distinguish them from each other.
But there's an additional risk we haven't discussed. In today's highly integrated hybrid environments, some very interesting and unforeseen interdependencies arise. What about unauthorized changes in Azure that replicate back to your on-prem network?
Consider the hybrid AD case. Azure AD Connect password writeback makes password synchronization two-way: a user can change or reset their password on-prem at their workstation or up in the Office 365 cloud, and the new password synchronizes back the other way.
That is good for the user, but it means that unauthorized password resets originating in the cloud don't just expose cloud-based information and resources; they also expose on-prem resources, because the reset password is written back to the on-prem account. And with increasing federation to other cloud-based applications and services, the repercussions can be wider still.
So, while it's no surprise that you need to monitor everything, the added wrinkle with hybrid AD is that you need to correlate changes between on-prem and Azure so that you can zero in on the changes that really matter.
In this real training for free ™ webinar I'll show you how changes executed by Azure AD Connect and originating from on-prem AD look in the Azure AD audit log, and we'll compare those audit records to changes made directly in Azure AD. Then we'll come back to on-prem AD and show you how, when looking at your domain controller security logs, to distinguish password resets and changes occurring locally from those originating in the cloud.
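To make the two distinctions concrete (sync-originated versus cloud-originated records in the Azure AD audit log, and local versus written-back password events on a domain controller), here is an added Python example. It is not code from the webinar or from Change Auditor. It assumes the default Azure AD Connect account names, `Sync_<server>_<id>@<tenant>.onmicrosoft.com` as the cloud-side sync identity and `MSOL_<hex>` as the on-prem AD DS connector account, uses the Microsoft Graph directoryAudit field names, and assumes the on-prem sAMAccountName equals the UPN prefix. All log records below are constructed, not captured from a real tenant.

```python
"""Classify Azure AD audit records and DC password events by origin, then
correlate cloud-originating resets with the writeback seen on-prem.
Added example; account-name patterns are Azure AD Connect defaults
(assumption: adjust if your connector accounts were renamed)."""
import json
import re
from datetime import datetime, timedelta

# Assumed default identities used by Azure AD Connect.
CLOUD_SYNC_ACCOUNT = re.compile(r"^Sync_[^@]+@[^@]+\.onmicrosoft\.com$", re.I)
ONPREM_CONNECTOR_ACCOUNT = re.compile(r"^MSOL_[0-9a-f]+$", re.I)

# Constructed sample: three Azure AD audit records in Graph directoryAudit shape.
AAD_AUDIT_JSON = """
[{"activityDateTime":"2024-05-01T10:00:05Z","activityDisplayName":"Reset user password",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.onmicrosoft.com"}},
  "targetResources":[{"userPrincipalName":"bob@contoso.com"}]},
 {"activityDateTime":"2024-05-01T10:02:00Z","activityDisplayName":"Update user",
  "initiatedBy":{"user":{"userPrincipalName":"Sync_SRV01_1a2b3c4d5e6f@contoso.onmicrosoft.com"}},
  "targetResources":[{"userPrincipalName":"alice@contoso.com"}]},
 {"activityDateTime":"2024-05-01T10:03:00Z","activityDisplayName":"Add member to group",
  "initiatedBy":{"user":{"userPrincipalName":"bob_hotmail.com#EXT#@contoso.onmicrosoft.com"}},
  "targetResources":[{"displayName":"Finance Admins"}]}]
"""

# Constructed sample: EventData fields of three DC Security events.
# 4723 = user changed own password, 4724 = password reset by another account.
DC_EVENTS = [
    {"TimeCreated": "2024-05-01T10:00:20Z", "EventID": 4724,
     "SubjectUserName": "MSOL_1a2b3c4d5e6f", "TargetUserName": "bob"},
    {"TimeCreated": "2024-05-01T10:01:00Z", "EventID": 4723,
     "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"TimeCreated": "2024-05-01T10:04:00Z", "EventID": 4724,
     "SubjectUserName": "helpdesk1", "TargetUserName": "carol"},
]


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_aad_entries() -> list:
    return json.loads(AAD_AUDIT_JSON)


def classify_aad_entry(entry: dict) -> str:
    """Records written by the sync account mirror on-prem changes you already
    audit locally; anything else was initiated in the cloud."""
    user = (entry.get("initiatedBy") or {}).get("user") or {}
    upn = user.get("userPrincipalName") or ""
    return "onprem-origin" if CLOUD_SYNC_ACCOUNT.match(upn) else "cloud-origin"


def classify_dc_event(ev: dict) -> str:
    """A 4724 whose Subject is the connector account is password writeback
    from the cloud; a 4724 from anyone else is a local admin reset."""
    if ev["EventID"] == 4723:
        return "local-change"
    if ev["EventID"] == 4724:
        if ONPREM_CONNECTOR_ACCOUNT.match(ev["SubjectUserName"]):
            return "cloud-origin-writeback"
        return "local-reset"
    return "other"


def correlate(aad_entries, dc_events, window=timedelta(minutes=5)):
    """Pair each cloud-originating reset in the Azure AD audit log with the
    writeback 4724 for the same account within `window`.
    Assumption: sAMAccountName == UPN prefix (common, not guaranteed)."""
    pairs = []
    for entry in aad_entries:
        if entry["activityDisplayName"] != "Reset user password":
            continue
        if classify_aad_entry(entry) != "cloud-origin":
            continue
        sam = entry["targetResources"][0].get("userPrincipalName", "").split("@")[0].lower()
        t0 = parse_time(entry["activityDateTime"])
        for ev in dc_events:
            if classify_dc_event(ev) != "cloud-origin-writeback":
                continue
            if ev["TargetUserName"].lower() != sam:
                continue
            lag = parse_time(ev["TimeCreated"]) - t0
            if timedelta(0) <= lag <= window:
                pairs.append({"account": sam,
                              "cloud_actor": entry["initiatedBy"]["user"]["userPrincipalName"],
                              "lag_seconds": int(lag.total_seconds())})
    return pairs


if __name__ == "__main__":
    entries = load_aad_entries()
    for e in entries:
        print(f"AAD {e['activityDateTime']} {classify_aad_entry(e):13} {e['activityDisplayName']}")
    for ev in DC_EVENTS:
        print(f"DC  {ev['TimeCreated']} {classify_dc_event(ev):22} "
              f"{ev['EventID']} {ev['SubjectUserName']} -> {ev['TargetUserName']}")
    for p in correlate(entries, DC_EVENTS):
        print(f"cloud-originating reset of {p['account']} by {p['cloud_actor']}, "
              f"written back on-prem after {p['lag_seconds']}s")
```

The filter in `classify_aad_entry` is the part that answers the question above: records initiated by the sync account are the on-prem changes already covered by your DC monitoring, so excluding them leaves only what was done in the cloud. On the DC side, the Subject of event 4724 is what separates a helpdesk reset from a writeback, which is why the connector account's name is worth treating as a watched identity in your SIEM.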
Quest Software is our sponsor for this webinar and Bryan Patton will briefly show you how Change Auditor monitors both on-prem AD and Azure and helps you correlate these changes and surface what doesn't look right.
Please join me for this real-training for free ™ event.