Azure AD Identity Protection basics

Azure AD Identity protection is available with Azure AD P2 and provides risk detection and policy enforcement for sign ins and users. It can also be incorporated with Conditional Access policies to provide even more flexibility. This video shows you the basics of Azure AD Identity Protection as well as showing you an example of a login process that generates creates risk.

You can find the video here – https://www.youtube.com/watch?v=8AQQrSCrLMI

and more information here – What is Identity Protection?

Azure AD access reviews basics

Azure AD reviews are a capability provided with Azure AD P2 licenses that allow you to automate the discovery and access control of user account in Azure AD groups and roles. This video give you a walk through of the basics of creating and using access reviews to ensure your environment remains secure.

You can find the video here – https://www.youtube.com/watch?v=UxlVuSNBBzE

You can learn about Azure AD access review here:

What are Azure AD access reviews?

Escalating to multiple roles using Privileged Identity Management

Privileged Identity Management or PIM, is great way to ensure that users are not given standing administrative access. Instead, with PIM, these rights can be requested, approved and removed in an automated and audited way.

In the scenario where a user may need administrative rights to multiple services at the same time, say Exchange Online administration and SharePoint Online administration together, you can achieve this by using the capability in Azure AD to assign multiple roles to an Azure AD group. You then have users go through the PIM process to become members of that group. When they do, they automatically get access to the roles that are part of that group. Once PIM deactivated them, they are removed from that group and lose those permissions.

This video take you through that process.

https://www.youtube.com/watch?v=mAA1KjxjAuQ

remember, to achieve this you’ll need to have an Azure AD P2 assigned and that currently this feature is in preview.

For more information consult the following documentation from Microsoft:

Management capabilities for Privileged Access groups


Privileged Identity Management basics

In this video I provide a walk through of the basics of Azure Privileged Identity Management or PIM for short. PIM allows users to escalate their rights and roles on demand as well as having that escalation controlled and audited. PIM requires a subscription to Azure AD P2.

PIM is an excellent way to minimise standing administrator privileges and ensure they are only given greater permissions when they require and request them.

You can find the video here:

https://www.youtube.com/watch?v=JiVcCLY1jh0

See the following link for more details on PIM from Microsoft:

What is Azure AD Privileged Identity Management?

Automated user tenant access control

image

If you ever used an on premises Active Directory (AD) you may be aware of the setting, shown above, that allows you to set users login times. This was typically done to prevent users logging in after hours, say from 9pm to 6am.

Unfortunately, with Azure AD there is no direct equivalent setting but we can create something similar quickly and easily using Power Automate.

image

The first step in this process is to create a new Azure AD security group that will contain the users who will be prevented from accessing the tenant. You can also create this security group in the Microsoft 365 portal but it is better to do it in Azure as you’ll need to get the ObjectID for this group as highlighted above. There is also no need to actually put any users into this group as they’ll be added dynamically by Power Automate.

image

To prevent access to the tenant you’ll need to create a Conditional Access policy as shown above. This will require you to have a license for Azure AD Premium P1 or P2 for each user. Microsoft 365 Business Premium already includes Azure AD P1, so if that is already in the environment you need nothing additional.

Give this new Conditional Access policy a name and set it to include just the Azure AD security group created previously. It is also best practice to exclude at least one administration account to prevent you from being ‘locked out’ of your tenant. Ensure that All cloud apps is selected and that Block access is configured, as shown above. Finally, turn this Conditional Access policy On.

With no members in this Azure AD Security group, no one will be restricted from accessing the tenant.

image

Next, create a List in SharePoint that contains a list of users you want to be blocked. You can achieve this by adding the Person field to the list in question. This will basically allow you to enter users who are in your tenant by doing a lookup from Azure AD.

image

Create a new Flow and use the Recurrence action to trigger it as shown above. Select an appropriate time once a day when users will be prevented from accessing the tenant, say 9pm.

image

Add the Get items action as shown above next. Configure this action to retrieve from the list of users from the SharePoint list just created.

image

Then use the Apply to each action to loop through all the users returned by this Get items as shown above.

image

Inside the Apply to each action use the Get user profile (V2) action as shown, with the users email address, which is effectively their Azure AD identity.

image

Also inside the Apply to each action add the Add user to group action as shown above. Populate this action with the ObjectID of the Azure AD security group obtained at the start and the Id from the Get user profile (V2) action.

image

Now test the Flow manually to ensure it works correctly.

image

Once the Flow completes, the users in the list in SharePoint should now appear in the Azure AD security group as shown above.

image

Now when a user on that list attempts to login, because they are part of a security group that is part of a blocking Conditional access policy, they will no longer have access to the tenant.

image

To allow access again for users simply create another scheduled Flow executing at say 6am that uses the Get group members action and then a Remove Member from group action inside an Apply to each action as shown above. In essence, this removes all users from the Azure AD security group that is part of the blocking Conditional Access policy, resulting in those users no longer being blocked from accessing the tenant.

image

Run this Flow manually and ensure it completes,

image

and you should find that Azure AD security group to be empty, as shown above.

image

The users in the list who were previously blocked,  should now be able to access the tenant as normal. Left to its own devices, users in the SharePoint list will have their access blocked from 9pm to 6am each day now.

This automation is very quick and easy to set up. It can solve the challenge of ‘forcing’ users to take a break from work after hours, rather than being ‘on’, aiding their mental health and making them more productive when they do work. It could be used to improve security but allowing account to only operate during ‘business hours’ and limiting attacks after hours, which is when many attacks happen.

This process could be extended and enhanced to provide more granular options to suit any need as well as alerting. However, hopefully, it demonstrates how easy it is to solve business challenges thanks to the Power Platform and the integration of Microsoft 365. Remember, the only extra you need is Azure AD Premium P1 to enforce Conditional Access, something already part of Microsoft 365 Business Premium.