AAD (Azure Active Directory) is an identity and access management service: it allows users and applications to access resources like VMs, storage accounts or the M365 suite. All resources are maintained inside a Tenant which represent a company (like a domain for on-prem context).
Tenancy structure and elements
Inside a tenant there is a root management group which is not enabled by default, under this group you can have child management groups, the following is the hierarchy for groups inside a tenant:
AAD Tenant
Root Management Group (not enabled by default)
Child Management Group (enabled only if RMG is enabled)
Subscription
Resource Group
Resource
There are more than 200 types of resources in Azure but these are the most common ones
Applications: serverless web application, API hosting
Service Principal: an "identity" used to represent an application to access other resources Applications in AAD can be granted further access to other resources in the tenant using the a service principal, an entity that is automatically created along with the application. Since single-factor authentication is the only authentication method supported for service principals, they represent a high-value target for threat actors.
Key Vaults: vault that stores secrets / certs / API keys ...
Automation Accounts: equivalent of a service account that runs code to perform tasks inside a subscription
See AlsoPowerShell & Intune, Automate your Work - Part 1: Retrieve Win32 AppsM-AZ040 | Automating Administration with PowerShell (AZ-040) | Training Course | Microsoft.Dhruv Chovatiya on LinkedIn: ➡️Useful Terraform commands along with brief explanations:- 1. terraform…Integrate VMware Pinniped with Microsoft Entra ID for federated authentication on Kubernetes clusters.Storage Accounts: accounts used to access cloud storage services
Virtual Machines: cloud-hosted endpoints
SQL Database: cloud-hosted SQL databases
Managed Identity: an identity representing a single resource or a group of resources to facilitate authentication These are a type of service principal but they represent resources instead of applications and they allow access to those resources without the need for credentials; managed identities can either be user-assigned or system-assigned
AAD roles vs RBAC roles
AAD roles (like Global Admin, User Admin ...) manage access to actions such as editing users or VMs while RBAC (Azure Role-Based Access) roles (like Owner, Contributor, Reader ...) manage access to Azure resources like VMs and storage accounts. AAD roles relate to the actual AD tenant itself (Global Admin of the tenant) while RBAC roles are more specific to the subscription, resource groups or management group.
Azure Users & Groups
user principal name = email address of the user object ID = identifier of the user in Azure
Groups are a way to manage users in bulk; users can be added to groups in two ways:
Assigned manually by the administrator or group owner
Dynamically placed in a group based on parameters / characteristics / attributes of the user itself
Hybrid Azure Environments
These are environments that configure ADFS (Active Directory Federation Services) and AAD.
A hybrid environment can be set up with three different types of authentication methods
AAD password hash synchronization (PHS): on-prem users use the same username and password to access AAD (this is the most common method)
Azure pass-through authentication (PTA): password validation is performed through an agent hosted on a on-prem server which validates the user's credentials, the password validation doesn't happen in the cloud but in the on-prem AD environment. This allows organizations to enforce on-prem security / password policies
Federation: the entire authentication process occurs on-prem
Single Sign-on
This authentication mechanism is compatible with PHS and PTA; it allows users to sign directly into AAD without needing to type in their passwords, this is done by using PTRs (Primary Refresh Tokens).
Log Sources
Main Log Sources
Unified Audit Logs: collection of all logs pertaining M365
Azure Audit Logs: tracks changes in AAD at a subscription level
Azure Sign in Logs: tracks sign-in events in AAD
Azure Activity Logs: tracks activities and actions take at a subscription level
Message Tracing Logs: tracks the flow of emails within an organization
Secondary Log Sources
AAD Provisioning Logs: tracks identities and actions taken on various systems
Azure Resource Logs: tracks operations performed within a resource, not enabled by default
Diagnostic Logs: allow to export logs and metrics of a resource
Security Reports: tracks suspicious activities
The following is a table representing the values default values for log retention
Primary Refresh Tokens - PRTs
This kind of tokens are made of two components:
Access token
Refresh token
They allow authentication across all applications, the tokens are stored as a JWT and they are issued with MFA which means that a valid PRT allows to bypass MFA for a user.
PRTs begin with the string eyJ and can be fully decoded since they are JSON Web Tokens, if we actually decode one we'll be able to see that it's made of 3 main fields
Refresh token
is_primary: a boolean flag that tells us whether the token is primary or notrequest_nonce
