Integrating Azure AD with Microsoft 365
Behind M365 lies a directory which holds user accounts, groups, and other security objects. That was known as Azure Active Directory for many years, even though it had very little in common with Active Directory on-premises.Azure AD was renamed to Entra ID in July 2023. In this article, we’ll look at Entra ID and how you interact with it for M365.
Entra, Priva and Purview
Before we dive into Entra ID, let’s look at the new portal where you’ll be accessing it, entra.microsoft.com.
All identity-related services are housed here, whereas all Information governance-related features are in compliance.microsoft.com, called the Purview portal, and it’s got a section with all the privacy-related features called Priva.
Apart from Entra ID, the Entra portal also houses Entra Permissions Management, which inventories and right sizes of administrative permissions across Azure, AWS, and GCP (IaaS and PaaS) – not related to Microsoft 365 permissions.
There’s also a Verified ID that will help in the future with new hires and managing external identities, as well as Global Secure access.
Meet Entra ID & Hybrid Identity
AD uses Kerberos and Group Policy, has a hierarchical structure, and is based on LDAP, none of which are cloud-friendly.
Entra ID operates over HTTPS, can be accessed from a REST API, and supports modern authentication protocols such as Security Assertion Markup Language (SAML), WS-Federation, and OpenID Connect for authentication and OAuth for authorization. It also supports federation, so you can connect it to other authentication systems.
There are three types of authentications supported in Entra ID:
- Cloud-based
- Directory synchronization
- Single Sign On (SSO) with AD FS
The first one is appropriate when you don’t have AD on-premises (or want to retire it) and create accounts in the cloud only. It’s definitely the simplest to configure.
The other two require linking your on-premises AD to your Entra ID tenant through the free AAD Connect tool.
Before we dive into Entra ID, let’s look at the new portal where you’ll be accessing it, entra.microsoft.com.
All identity-related services are housed here, whereas all Information governance-related features are in compliance.microsoft.com, called the Purview portal, and it’s got a section with all the privacy-related features called Priva.
Apart from Entra ID, the Entra portal also houses Entra Permissions Management, which inventories and right sizes of administrative permissions across Azure, AWS, and GCP (IaaS and PaaS) – not related to Microsoft 365 permissions.
There’s also a Verified ID that will help in the future with new hires and managing external identities, as well as Global Secure access.
AAD Connect – Your Umbilical Cord
AAD Connect (will presumably be renamed to Entra ID Connect) has had several predecessors over the years with different names – if you find an installation using DirSync or AAD Sync make sure to upgrade to AAD Connect as those tools are no longer supported. AAD Connect supports connecting multiple on-premises directories to AAD.
There was also version 1 generation of AAD Connect which is deprecated, you should be using version 2, which updates itself automatically. You can install the tool directly on a DC or on a member server.
There’s no true active / active HA option but you can set up a second installation of AAD Connect on a separate server in Staging mode and do a manual failover if the primary server is going to be offline for some time.
AAD Connect will synchronize user and group accounts in OUs you select (or the entire directory – not recommended) to Entra ID. You then assign licenses to those user accounts, and they can start using cloud services.
Note that this also means that on-premises is always the place to create new accounts and update, disable, or delete existing ones.
There are a few choices in how you handle passwords in AD. The simplest one is to use Password Hash Synchronization.
This gives your users SSO (even though technically it’s “same sign in” as the two user accounts are in two different directories). Another benefit of this method is that Microsoft can alert you when they find credentials on the web / dark web with accounts from your tenant where the passwords match.
If you’re adamant that your user’s passwords can’t be stored in the cloud (not even a hash of a hash), Pass-through authentication (PTA) is another option.
You set up agents on several (minimum 3, maximum 40) Windows Server 2012 R2+ servers (no inbound ports required) and when a user signs in at www.office.com for instance, Entra ID will verify that the correct password is supplied by communicating with your AD on-premises through the PTA agents.
Both PTA and Password hash sync optionally let you enable Seamless Single Sign On (Seamless SSO), where the user logs on to AD, and when they access www.office.com, they’re automatically logged in.
Both PTA and Password hash sync optionally let you enable Seamless Single Sign On (Seamless SSO), where the user logs on to AD, and when they access www.office.com, they’re automatically logged in.
A companion is AAD Connect Cloud Sync, which is configured from the cloud and only relies on lightweight agents on-premises, this also means you have High Availability built-in, as long as you deploy multiple agents.
Cloud Sync has slowly been gaining feature parity with AAD Connect and the main features missing today are support for device objects, the ability to sync from non-AD LDAP directories, PTA support, some filtering options and large groups with over 250,000 members.
The blocker for many though will that there’s no support for Exchange hybrid writeback. I expect Cloud Sync to eventually replace AAD Connect. The traditional way of not storing password hashes in the cloud is to use AD Federation Services (ADFS).
This is much more complex and requires several servers to be set up on-premises (or as VMs in Azure) but does offer more flexibility. If your organization has already deployed AD FS for other purposes, setting up federation with O365 is not a huge project but my (and Microsoft’s) recommendation is to stick with PTA or Password Hash Sync.
Given the SolarWinds supply chain breach and subsequent intrusion into various organizations using ADFS, along with Microsoft’s recommendation over the last few years to migrate from ADFS to Azure AD, if you have ADFS deployed, it’s time to make the move to Azure AD.
Azure MFA
One of the best things that Entra ID unlocks is the easy setup of Multi-Factor Authentication (MFA) for users.
Passwords are one of the weakest links in today’s IT landscape and the majority of the breaches we see are due to someone’s credentials being compromised. One solution to this problem is using MFA (sometimes known as 2FA or two-step authentication), where authentication requires not only a username and password but also a device or a biometric gesture to be present.
This drastically reduces (by 99%, according to Microsoft) the success of credential attacks.
MFA can call your phone, send a text message with a code, or send a notification / require a code from the free Microsoft Authenticator app. Unless absolutely required, do not use phone calls or SMS; they’re more insecure than the app options.
As a baseline, all your privileged accounts (Global / Exchange / SharePoint / Compliance administrators, etc.) MUST use MFA. This is free at all tiers of O365 and is simple to set up and the user experience is relatively seamless if you install the app on your smartphone.
If you’re an IT decision maker, expect to receive pushback from your administrators on this point but to maintain an acceptable security posture, this step is non-negotiable – all administrators HAVE TO use MFA.
As an aside, I’ve been using Azure MFA for my own business tenant and all my client’s tenants that I administer for many years now without issues.
You must however plan for times when Azure MFA is unavailable and this includes creating one (preferably two) Global Admin cloud accounts that are exempt from MFA and any CA policies.
These accounts should have very long and complex passwords that are only available to high-ranking administrators and should have monitoring enabled so that alerts go off if they’re ever used.
These broken glass / emergency access accounts should only be used to recover user access; for instance, if Entra ID MFA is down, you might turn off MFA requirements for the duration of the outage to enable users to log in and be productive.
Enabling MFA for your end users requires some planning and end user training. The level of tech familiarity your users have and whether they’re normally working from corporate offices influences how to implement MFA.
Administrators always get MFA for free; if you’re on the Business SKUs, MFA it’s built-in, but both lack the advanced features that Entra ID Premium P1 (M365 E3) or Entra ID Premium P2 (M365 E5) offer.
These include One-time bypass, Trusted IPs/Named locations; which lets you define corporate office IP address ranges where users will not be prompted for MFA. Note that all MFA levels let you (if you allow this feature) remember MFA on a trusted device for a set number of days (7-60).
If a user has logged on to a device and successfully performed MFA, they won’t be prompted on that device for the time period, and if the device is lost or stolen, either the user or you can “un-trust” these devices easily.
Starting in May 2023, Microsoft enabled number matching for all Microsoft Authenticator approvals, so instead of just pressing Approve or Reject, you must enter a two-digit code shown on your computer screen.
The app will also show you the geographical location from where the MFA request comes. Both features are designed to combat MFA fatigue attacks, where the attacker repeatedly tries to login, generating so many requests on your phone that some users simply press Approve to make it stop.
Microsoft now enables Security Defaults for all new tenants, and you can enable it manually for your existing tenants.
This will enforce MFA for all users and administrators using the Microsoft Authenticator app only, block legacy authentication, and control access to the Azure AD portal.
While these security enforcements are a good starting point for a small business with limited requirements, I advise caution for more complex organizations, as there’s no way to exclude break glass accounts or service accounts from MFA or ways to handle users who don’t have / can’t access the authenticator app on the phone.
Publishing Applications
One of the most powerful features of Entra ID is the ability to publish applications (third-party and on-premises) to your end users.
Take a corporate Twitter account, for instance, where several users have the username and password to send tweets on behalf of the company.
Not only will you need to reset the password as soon as someone leaves the company (you want them to refrain from tweeting as your organization after they’ve been fired) but you have little control over who else that password is shared with.
If you publish Twitter through Entra ID and create an AD group to put users in that should have access, you add a user account to that group, they’ll automatically have single-sign-on access to Twitter in the My Apps portal without ever knowing the password, and once they leave the company and their account is disabled, they can’t access it any longer.
For some of the 2400+ applications supported out of the box, you can even configure automatic provisioning so that when you add a user to the AD Salesforce group, an account is automatically created for them in Salesforce – again without them even knowing the password.
A popular option is using the AWS Single Sign-On app to integrate AAD and AWS.
Premium Features
Entra ID Premium P1 doesn’t just unlock more MFA features, it also allows you to ban commonly used passwords in your on-premises AD (including a custom word list), enable users to reset their own passwords when they have forgotten them, integrate MFA with Conditional Access and let users register for both MFA and self-service password reset (SSPR) in the same experience.
The P2 level adds the full experience of Entra Identity Protection where you get reports and can block authentications based on the risk level of the user account and the sign in or even trigger an “extra” MFA prompt based on the risk profile of the authentication attempt.
P2 also offers Privileged Identity Management (PIM) where you convert all administrative accounts to eligible accounts and users have to request elevation when they need to perform administrative tasks (known as “Just in Time administration”).
Instead of assigning administrative roles in Entra ID to individual user accounts you can now use groups to grant admin access.
The groups need to have a specific attribute set (isAssignableToRole) to true and static (rather than dynamic – automatically assigning user accounts to a group based on an attribute like “department” in the directory) user account membership.
Where AD has a hierarchical structure, relying on Organizational Units (OUs) to structure your user, machine and group accounts based on department, geography, or other approach, Entra ID is a flat structure.
Administrative Units (AUs) is a feature that aims to change this, using AUs you can structure user and group accounts and then delegate administrative permissions to a single AU or AUs. The AU admins need Entra ID Premium licensing.
Note that unlike OUs where an account can only be in a single OU, a group or user account can be a member of multiple AUs (up to 30).
If you have a large environment and Premium P2 licenses, consider using entitlement management, a way to group application, group membership (including Teams) and site access into a single access package.
These are useful for internal users (“you are the new person in Marketing – here’s your package that gives you all the access you need”) and can also be used to grant access to external users.
For partner organizations that you work with frequently you can even set it up so that their users can apply for packages, self-service style. Entitlement management can also get IT out of the role of assigning permissions by delegating package assignment to business users.
Conditional Access Policies
Both P1 and P2 unlocks another powerful feature in Entra ID, Conditional Access (CA).
This lets you build policies around application access (both cloud an on-premises applications) based on the user account and what groups they’re a member of, which application they’re accessing, the state of their device, their location, the sign-in risk and which type of client application they’re accessing it from.
These “if this – then do that” rules greatly enhance the security of your data by managing risk factors affecting identity and access in M365. Making it even easier to set up good CA policies are templates (in preview at the time of writing) covering Secure Foundation, Zero Trust, Remote work, Protecting administrators, and Emerging threats.
To make sure you don’t create a policy by mistake that locks out the CEO five minutes before his board presentation, the option to deploy CA policies in Report-only mode lets you evaluate the impact the policies will have without actually enforcing them.
There’s an API for accessing CA policies. This makes it possible to backup (using PowerShell for example) your CA policies, restore them, monitor changes, and treat them as code rather than manually manage them in the portal.
You could also test policies in a test tenant before exporting them from there and importing them in your production tenant after they pass validation.
Managing the Account Lifecycle
Once you implement AAD Connect, make sure you update your process documentation to consider the full lifecycle of user accounts, such as making sure they’re given the right licenses, are added to the right groups, and when the time comes to disable the account, the right steps are followed.
To make sure that users (and guests) don’t accumulate access that they no longer need, use Access Reviews (Premium P2), which now lets you review all guest accounts in one operation rather than on a per Team/M365 Group basis.
For a smaller O365 or M365 tenant, chances are you’ll never even need to go to the full Azure AD portal, and instead, you’ll do your user management in the M365 portal. However, it is a good idea, to explore the “full” Entra portal over at https://entra.microsoft.com.
If you’re keen to try out upcoming features in Entra ID, use the Preview hub to learn about and turn on public preview features.
To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:
- 365 Total Protection
- 365 Total Backup
- 365 Permission Manager
- 365 Total Protection Compliance & Awareness
- 365 Total Protection Enterprise Backup
To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.
Conclusion
In conclusion, the transition from Azure Active Directory to Entra ID in Microsoft 365 marks a significant shift towards modern authentication and enhanced security. Entra ID offers robust features such as multi-factor authentication, application publishing, and conditional access policies, making it a pivotal component of M365’s identity management framework.
FAQ
Yes, Office 365 & Microsoft 365 includes Entra ID, formerly Azure Active Directory (Azure AD). Entra ID is the identity and access management service used by Microsoft 365 for user authentication and authorization.
A Microsoft 365 group in Azure AD is a security group with an associated email address and shared resources. It simplifies collaboration by granting members access to shared applications, data, and conversations.
Azure AD offers both free and premium plans. The free plan provides essential identity and access management features, while premium plans offer additional capabilities such as Conditional Access policies, advanced security features and self-service identity management.