Securing PaaS – Creating and securing Azure Active Directory accounts

Synopsis: In this exercise, attendees will learn how to create Azure Active Directory (Azure AD) groups and users and then secure them using multi-factor authentication.

NOTE: If you are using a corporate Azure instance and do not have access to Active Directory, you will not be able to complete this exercise, and should skip to Exercise 3.

Task 1: Create Azure Active Directory groups

In this task, you will create security groups in Azure AD to be used in exercises later in this hands-on lab.

  1. Open your Azure Portal (https://portal.azure.com).
  2. Select Azure Active Directory.
    The Azure Active Directory option displays in the Azure Portal.
  3. Select Groups, then select All groups.
    In the Azure Active Directory blade, under MANAGE, Groups is selected, and All groups is selected on the right.
  4. Select +New group.
    On the All groups blade top menu, New group is selected.
  5. On the Group blade, enter the following:
    a. Group type: Select Security

    b. Group name: Enter Key Vault Mgmt Admins

    c. Group description: Enter Key Vault Mgmt Admins

    d. Membership type: select Assigned
    The Group blade displays with the previously defined settings entered into the appropriate fields.

  6. Select Create and close the dialog window if it does not close.
  7. Select +New group again.
  8. On the Group blade, enter the following:
    a. Group type: Select Security

    b. Group name: Enter Key Vault Key Admins

    c. Group description: Enter Key Vault Key Admins

    d. Membership type: select Assigned
    The Group blade displays with the previously defined settings entered into the appropriate fields.

  9. Select Create and close the dialog window if it does not close.

Task 2: Create Azure Active Directory accounts

In this task, you will create multiple Azure AD user accounts that will be used within the exercises in this hands-on lab to demonstrate the various levels of permissions and access control with Azure resources.

  1. Determine your Active Directory domain name.
    a. Select Azure Active Directory.

    b. Select Custom domain names.

    c. Record the *.microsoftonline.com domain name; you will use it later.

  2. Select Users, then select All users.
    In the Azure Active Directory blade, under MANAGE, Users is selected, and All users is selected on the right.
  3. Select +New user.
  4. On the User blade, enter the following:
    a. Name: enter Key Vault Admin

    b. User name: enter KeyVaultAdmin@<yourdomain>.microsoftonline.com

    • NOTE: Use the domain you recorded earlier.

    c. Select Groups.

    d. Select Key Vault Mgmt Admins, then select Select.

    e. Select Create.

  5. Select +New user again.
  6. On the User blade, enter the following:
    a. Name: enter Key Vault Auditor

    b. User name: enter KeyVaultAuditor@<yourdomain>.microsoftonline.com

    • NOTE: Use the domain you recorded earlier.

    c. Select Groups.

    d. Select Key Vault Mgmt Admins, then select Select.

    e. Select Create.

  7. Select +New user again. On the User blade, enter the following:
    a. Name: enter Key Vault Developer

    b. User name: enter KeyVaultDeveloper@<yourdomain>.microsoftonline.com

    NOTE: Use the domain you recorded earlier.

    c. NOTE: No groups will be assigned to this user.

    d. Select Create.
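The same groups, users and memberships from Tasks 1 and 2 can be created repeatably from a script. This is an added example using the Microsoft Graph PowerShell SDK, not part of the original lab; it assumes the Microsoft.Graph module is installed and that you replace the $Domain placeholder with the domain you recorded in Task 2, step 1.

```powershell
# Added example (not from the lab): scripted equivalent of Tasks 1 and 2.
# $Domain is a placeholder for the tenant domain recorded in Task 2, step 1.
$Domain = 'REPLACE-WITH-YOUR-TENANT-DOMAIN'

# Least privilege: request only the delegated scopes this script needs.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.ReadWrite.All'

function New-LabSecurityGroup {
    param([string]$Name)
    # Assigned-membership security group, mirroring the Task 1 portal settings.
    New-MgGroup -DisplayName $Name -Description $Name -MailNickname ($Name -replace '\s', '') `
        -MailEnabled:$false -SecurityEnabled
}

function New-LabUser {
    param([string]$DisplayName, [string]$Alias)
    # Random one-time password that is never printed; the user must change it at first sign-in.
    $tmp = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    New-MgUser -DisplayName $DisplayName -UserPrincipalName "$Alias@$Domain" -MailNickname $Alias `
        -AccountEnabled -PasswordProfile @{ Password = $tmp; ForceChangePasswordNextSignIn = $true }
}

# Task 1: the two security groups (Key Vault Key Admins is used in later exercises).
$mgmtAdmins = New-LabSecurityGroup 'Key Vault Mgmt Admins'
$keyAdmins  = New-LabSecurityGroup 'Key Vault Key Admins'

# Task 2: the three lab accounts.
$admin     = New-LabUser 'Key Vault Admin'     'KeyVaultAdmin'
$auditor   = New-LabUser 'Key Vault Auditor'   'KeyVaultAuditor'
$developer = New-LabUser 'Key Vault Developer' 'KeyVaultDeveloper'

# Admin and Auditor join Key Vault Mgmt Admins; the Developer deliberately stays ungrouped.
New-MgGroupMember -GroupId $mgmtAdmins.Id -DirectoryObjectId $admin.Id
New-MgGroupMember -GroupId $mgmtAdmins.Id -DirectoryObjectId $auditor.Id

# Verification: confirm each account holds exactly the memberships the lab intends.
foreach ($u in $admin, $auditor, $developer) {
    $groups = Get-MgUserMemberOf -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    '{0}: {1}' -f $u.UserPrincipalName, $(if ($groups) { $groups -join ', ' } else { '(no groups)' })
}
```

The final loop is the check worth keeping: an unexpected membership on the Developer account, or a missing one on the Admin, shows up before any Key Vault access policy is built on top of these groups in later exercises.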

Task 3: Enable Azure Identity Protection features

In this task, you will enable multi-factor authentication on the Key Vault Admin account you created in the previous task to demonstrate the Identity Protection features of Azure.

  1. Select your Active Directory.
  2. Select MFA Server.
    Under Security, MFA Server is selected.
  3. Select Get Free Premium Trial.
  4. Select the AZURE AD PREMIUM P2 option, then select Free trial.
    The Azure AD Premium P2 tile is selected, and Free trial is highlighted.
  5. Select Activate.
  6. Select Users, then select All users.
    In the Azure Active Directory blade, under MANAGE, Users is selected, and All users is selected on the right.
  7. Select Multi-Factor Authentication.
    The Multi-Factor Authentication option is selected.
  8. Check the check box for the Key Vault Admin user.
    The check box for Key Vault Admin is selected.
  9. Select Enable.
    Under quick steps, the Enable link is selected.
  10. In the dialog, select enable multi-factor auth.
    The enable multi-factor auth button is selected in the dialog box.
  11. In the dialog, select close.
  12. Attempt to sign in as the KeyVaultAdmin user.
  13. In the Azure portal, select Azure Active Directory.
    a. Select Users, All Users, and select the Key Vault Admin user from the list.

    b. On the Key Vault Admin user blade, select Reset Password.
    On the Key Vault Admin user blade, Reset password is highlighted.

    c. On the Reset password blade, select Reset password.
    On the Reset password blade, the Reset password button is highlighted.

    d. Copy the Temporary password for use in the next step.
    On the Reset password blade, a message that the password has been reset is displayed, and the Temporary password is selected and highlighted.

  14. Open an InPrivate or Incognito browser window, navigate to http://login.microsoftonline.com and enter the username and password for the KeyVaultAdmin account.
  15. You will be prompted to set up additional security; select Set it up now.
    On the portal page, the Set it up now button is selected.
  16. Select Mobile app in the dropdown.
    Under Step 1, How should we contact you, Mobile app is selected.
  17. Select Use verification code.
    Under Additional security verification, Use verification code is selected.
  18. Select Set up.
  19. Depending on your mobile device, download the Microsoft Authenticator application from the respective app store.
  20. Scan the image on the page to add the credentials to your authenticator app.
    In the Configure mobile app section, instructions are to scan the QR code.
  21. Select Next; the page will validate that you added the account.
    The Validation page displays.
  22. Select Next, then enter the validation code from the mobile app.
    The Step 2, Enter the verification code section displays.
  23. Select Verify.
  24. On the Additional security verification, select your country, and enter your mobile phone number, then select Next.
    On the Additional security verification screen, the country is selected, and a mobile phone number is entered into the Step 3 textbox. The Next button is highlighted.
  25. On the next screen, copy the password provided, and select Done.
    On the Additional security verification screen, Step 4, the app password is displayed, and Done is highlighted.
  26. Enter the Authenticator app code on the next screen and select Verify.
    On the Microsoft login dialog, an Authenticator app code is entered, and Verify is selected.
  27. If prompted, on the Update your password page, update your password.
    NOTE: The Current password will be the value you copied after resetting the password in Azure AD.
  28. Select Sign in.
  29. If prompted, close the Welcome to Microsoft Azure dialog.

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise systems in the cloud. He is also Microsoft Azure certified. Eng Soon has strong technical and analytical skills. As a developer, besides development tasks, he is also involved in project management, consulting, and marketing. He has a passion for technology and for sharing what he learns with others to help them learn faster and be more productive. He has also spoken at many nationwide technical events, such as conferences, meetups and workshops. He is currently looking for opportunities in cyber security, including cloud security and application security.
