Azure Active Directory security operations guide
Microsoft has a successful and proven approach to Zero Trust security using Defense in Depth principles that use identity as a control plane. Organizations continue to embrace a hybrid workload world for scale, cost savings, and security. Azure Active Directory (Azure AD) plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measurement of defensive security success.
Increasingly, organizations must embrace a mixture of on-premises and cloud applications, which users access with both on–premises and cloud-only accounts. Managing users, applications, and devices both on-premises and in the cloud poses challenging scenarios.
Azure Active Directory creates a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:
As you audit your current security operations or establish security operations for your Azure environment, we recommend you:
- Read specific portions of the Microsoft security guidance to establish a baseline of knowledge about securing your cloud-based or hybrid Azure environment.
- Audit your account and password strategy and authentication methods to help deter the most common attack vectors.
- Create a strategy for continuous monitoring and alerting on activities that might indicate a security threat.
The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.
This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments and fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. The rest of the guidance presents monitoring and alerting strategies in the following areas:
User accounts. Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.
Privileged accounts. Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks. Tasks include Azure AD role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.
Privileged Identity Management (PIM). Guidance specific to using PIM to manage, control, and monitor access to resources.
Applications. Guidance specific to accounts used to provide authentication for applications.
Devices. Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.
Infrastructure. Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.
Important reference content
Microsoft has many products and services that enable you to customize your IT environment to fit your needs. We recommend that you review the following guidance for your operating environment:
Windows operating systems
Cloud-based Azure environments
Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
The log files you use for investigation and monitoring are:
Microsoft Sentinel - Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.
Sigma rules - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.
Azure Monitor - Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
Azure Event Hubs integrated with a SIEM. Azure AD logs can be integrated to other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. For more information, see Stream Azure Active Directory logs to an Azure event hub.
Microsoft Defender for Cloud Apps - Enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps.
Securing workload identities with Identity Protection Preview - Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.
Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the Conditional Access insights and reporting workbook to examine the effects of one or more Conditional Access policies on your sign-ins and the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user. For more information, see Conditional Access insights and reporting.
The remainder of this article describes what to monitor and alert on. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.
Identity Protection generates three key reports that you can use to help with your investigation:
Risky users contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.
Risky sign-ins contains information surrounding the circumstance of a sign-in that might indicate suspicious circumstances. For more information on investigating information from this report, see How To: Investigate risk.
Risk detections contains information on risk signals detected by Azure AD Identity Protection that informs sign-in and user risk. For more information, see the Azure AD security operations guide for user accounts.
For more information, see What is Identity Protection.
Data sources for domain controller monitoring
For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity. This approach enables the best detection and automation capabilities. Follow the guidance from these resources:
- Microsoft Defender for Identity architecture
- Connect Microsoft Defender for Identity to Active Directory quickstart
If you don't plan to use Microsoft Defender for Identity, monitor your domain controllers by one of these approaches:
- Event log messages. See Monitoring Active Directory for Signs of Compromise.
- PowerShell cmdlets. See Troubleshooting Domain Controller Deployment.
Components of hybrid authentication
As part of an Azure hybrid environment, the following items should be baselined and included in your monitoring and alerting strategy.
PTA Agent - The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See Azure AD Pass-through Authentication agent: Version release history for information on verifying your agent version and next steps.
AD FS/WAP - Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see Best practices for securing Active Directory Federation Services.
Azure AD Connect Health Agent - The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see Azure AD Connect Health agent installation.
Azure AD Connect Sync Engine - The on-premises component, also called the sync engine. For information on the feature, see Azure AD Connect sync service features.
Password Protection DC agent - Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see Enforce on-premises Azure AD Password Protection for Active Directory Domain Services.
Password Filter DLL - The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. For information on using the DLL, see Enforce on-premises Azure AD Password Protection for Active Directory Domain Services.
Password writeback Agent - Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see How does self-service password reset writeback work in Azure Active Directory.
Azure AD Application Proxy Connector - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see Understand Azure ADF Application Proxy connectors.
Components of cloud-based authentication
As part of an Azure cloud-based environment, the following items should be baselined and included in your monitoring and alerting strategy.
Azure AD Application Proxy - This cloud service provides secure remote access to on-premises web applications. For more information, see Remote access to on-premises applications through Azure AD Application Proxy.
Azure AD Connect - Services used for an Azure AD Connect solution. For more information, see What is Azure AD Connect.
Azure AD Connect Health - Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see Azure AD Connect Health.
Azure AD multifactor authentication - Multifactor authentication requires a user to provide more than one form of proof for authentication. This approach can provide a proactive first step to securing your environment. For more information, see Azure AD multi-factor authentication.
Dynamic groups - Dynamic configuration of security group membership for Azure AD Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see Dynamic groups and Azure Active Directory B2B collaboration.
Conditional Access - Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see What is Conditional Access.
Identity Protection - A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see What is Identity Protection.
Group-based licensing - Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.
Provisioning Service - Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see How Application Provisioning works in Azure Active Directory.
Graph API - The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see Overview of Microsoft Graph.
Domain Service - Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see What is Azure Active Directory Domain Services.
Azure Resource Manager - Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see What is Azure Resource Manager.
Managed identity - Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. For more information, see What are managed identities for Azure resources.
Privileged Identity Management - PIM is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. For more information, see What is Azure AD Privileged Identity Management.
Access reviews - Azure AD access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed regularly to make sure only the right people have continued access. For more information, see What are Azure AD access reviews.
Entitlement management - Azure AD entitlement management is an identity governance feature. Organizations can manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see What is Azure AD entitlement management.
Activity logs - The Activity log is an Azure platform log that provides insight into subscription-level events. This log includes such information as when a resource is modified or when a virtual machine is started. For more information, see Azure Activity log.
Self-service password reset service - Azure AD self-service password reset (SSPR) gives users the ability to change or reset their password. The administrator or help desk isn't required. For more information, see How it works: Azure AD self-service password reset.
Device services - Device identity management is the foundation for device-based Conditional Access. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see What is a device identity.
Self-service group management - You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure AD. The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features aren't available for mail-enabled security groups or distribution lists. For more information, see Set up self-service group management in Azure Active Directory.
Risk detections - Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.
See these security operations guide articles:
Submit and view feedback for