Identity within the Azure Cloud #5 Securing User objects in the Cloud

Author by Steve Lazzara

Now that we have covered what is meant by Identity in the Azure Cloud as well as what is meant by the Cloud and the roles within them, it is time to look at the user’s themselves.  The primary identity source in Azure is the Azure Active Directory (IDaaS) which is a simple flat file database of objects with various attributes.  This IDaaS is also referred to as an Azure Tenant and provides the authentication base for the rest of the Cloud services and resources for at least one organization.   

blogimage1-(1).png

Populating this database can be done by either creating the objects directly in it (Cloud Users or Cloud Groups) or through synchronization to another directory source (Synchronized Users or Synchronized Groups). 

If creating objects directly in Azure AD, the entire object exists in the cloud itself.  There is no correlating account or object that will exist on any on-premise application or environment.  In addition, all management of these objects will need to occur using native tools in the cloud itself (like MS Graph API) or through third party tools that have elevated privileges within Azure AD.  In order to use a cloud-based object for any administrative role, it is important to ensure that it has a working email address and other attributes needed for multi-factor authentication.

The other method for creating objects in Azure AD would be to import them in from a secondary source. 

If using a non-Active Directory source, then the best way is through a third-party tool which will use MS Graph API’s to create these objects as Cloud Objects.  After which the same requirements for the objects exist as if they were created manually in Azure AD. 

If the source is an on-premise Active Directory source regardless if it is to be federated or not, is through the Azure Active Directory Connect tool. 

blogimage2.png

In both cases (Directory and password Synchronization and Federation) the owner of the objects is maintained as the on-premise Active Directory environment.  Which means that the only way to gain access to an identity, is to gather it from the on-premise source.  Of the two methods of directory and password synchronization (Pass-through authentication and password hash synchronization), at no point is there a direct exposure of an object’s password in the cloud. 

Therefore, by coupling the on-premise ownership and control of the user identity, along with trusted networks to manage where access can occur from, as well as conditional access requirements for un-trusted networks as well as for any privileged access, identities within the Azure Cloud are relatively secured.

Tags in this Article