Take a Look Inside Microsoft’s Sleeping Giant
Part 3 of 4
In part 2, we reviewed many of the high-level features available in Azure Active Directory. At this point, we’d like to drill in on some of the critical features that you can take advantage of. With all of the different bundles that are available, it’s easy to get lost among the offerings.
Advanced Single Sign-on
As IT professionals, we’ve been dreaming for years about a world where users have one password. The irony here is that users want the same thing. Single sign-on is attempting to deliver on that promise. Behind single sign-on from many providers is a somewhat complicated technology called Security Assertion Markup Language, or SAML, which we briefly touched upon in Part 1. Many of the larger cloud services, like Salesforce, offer SAML as an authentication mechanism. Delving into how SAML works is a much deeper topic, but it’s recommended that when evaluating any cloud service you ask the provider whether their application supports SAML.
Self Service Password Reset
The other dream of IT pros is a world where users who need their password reset can help themselves. Microsoft has figured this one out, but you need to make sure your Azure AD synchronization is turned on and supports password reset. The requirement is that you have two-way password sync between your on-premises Active Directory and Azure Active Directory. Many Azure AD deployments are turned on for syncing user information, but password sync can be a missed step. There is a security implication here, and it’s best to talk through the risks before turning it on.
Conditional Based Access
From a security standpoint, this is one of the most useful features. Conditional based access is a fairly simple concept: it reviews information about the user, for example where they are logging in from, and takes different steps based on that information. For instance, if a user is logging in from your main office, the login is fairly normal, but if the user is logging in from a foreign country, they are prompted for a second factor like an SMS code. Microsoft can take this one step further and analyze the risk with AI to decide how strict the login process should be.
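To make the decision flow concrete, here is an added example (not from the article and not Azure AD’s own policy engine) that evaluates sample sign-ins the way the paragraph describes: a trusted office network gets a normal login, a sign-in from another country gets a second-factor prompt, and a risk score escalates the outcome. The office IP range, country codes and risk levels are constructed placeholder values.

```python
# Added illustrative evaluator for location- and risk-based access decisions.
# Not Azure AD's policy engine; all networks, countries and risk levels are
# constructed sample values for demonstration only.
import ipaddress
from dataclasses import dataclass

# Constructed: the office network counts as a trusted ("named") location.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HOME_COUNTRY = "US"

@dataclass
class SignIn:
    user: str
    source_ip: str
    country: str
    risk: str  # "none", "low", "medium" or "high" (constructed risk levels)

def from_trusted_location(signin: SignIn) -> bool:
    """True when the sign-in originates inside a trusted office network."""
    addr = ipaddress.ip_address(signin.source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def decide(signin: SignIn) -> str:
    """Return the control to apply: 'allow', 'mfa' or 'block'.
    Most restrictive rule wins: high risk -> block; medium risk or a sign-in
    from outside the home country -> MFA; trusted office, no risk -> allow."""
    if signin.risk == "high":
        return "block"
    if signin.risk == "medium" or signin.country != HOME_COUNTRY:
        return "mfa"
    if from_trusted_location(signin):
        return "allow"
    # Inside the home country but off the office network: still ask for MFA.
    return "mfa"

# Constructed sample sign-ins that exercise each branch of the policy.
SAMPLE_SIGNINS = [
    SignIn("alice", "203.0.113.25", "US", "none"),    # office -> allow
    SignIn("alice", "198.51.100.7", "US", "none"),    # home country, remote -> mfa
    SignIn("alice", "198.51.100.7", "DE", "none"),    # foreign country -> mfa
    SignIn("alice", "203.0.113.25", "US", "medium"),  # office but risky -> mfa
    SignIn("alice", "198.51.100.7", "DE", "high"),    # high risk -> block
]

def evaluate_all(signins=SAMPLE_SIGNINS) -> dict:
    """Map each sign-in (user, ip, country, risk) to its access decision."""
    return {(s.user, s.source_ip, s.country, s.risk): decide(s) for s in signins}
```

Adding a rule here (for example, blocking unknown device types) is a matter of inserting another check in `decide` ahead of the less restrictive ones, which is also how to reason about precedence when several real policies overlap.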