Today's complex enterprise environments involve multiple identity structures, especially for cloud resource management. This session covers the management and governance of Azure Active Directory tenants, cloud and federated identities, and the authorizations and roles on Azure subscriptions and resources.
Multi-Tenant Identity and Azure Resource Governance - Identity Days 2019
Slide 1
24 October 2019 - PARIS
Identity Days 2019
Multi-Tenant Governance with Azure Active Directory
Marius Zaharia
Slide 2
Marius Zaharia
Azure Cloud Tech Lead, Société Générale
Azure MVP and Advisor
AZUG FR – Azure User Group France
@lecampusazure
www.linkedin.com/in/mzaharia
DISCLAIMER: the opinions below are my own, not my employer's.
Slide 3
AGENDA
• Intro
• Challenges at scale
• Azure Active Directory: single vs multiple tenants
• Multi-tenancy management
  • Directories
  • Azure resources
• Conclusion
Slide 4
Beginning is good.
Welcome to Azure!
1 subscription.
Welcome to Office 365!
1-5 Office licences.
1 Azure Active Directory.
Individuals, SMBs
Slide 5
Moving further...
Welcome back to Azure!
10 subscriptions.
Welcome back to Office 365!
100 Office licences.
1 Azure Active Directory.
Larger businesses…
Slide 6
Moving beyond...
GO Azure!
100+ subscriptions.
GO Office!
10000+ Office licences.
Azure Active Directory: how many?
Much larger businesses…
Slide 7
Challenges at Scale
Slide 8
Challenges at scale
• Azure
  • Many users and groups
  • Many, many Azure resources…
  • …spread across subscriptions
  • Accounts / CSP / EA
  • Access rights management
• Office 365
  • Many users and groups
  • More Office apps
  • More complex licensing plans
• Microsoft 365
• Dynamics 365
• Other cloud services
Slide 9
Challenges at scale
What a large enterprise may look like (from an IT perspective):
[Organisation diagram: Corp IT alongside business units BU#1, BU#2 … BU#n, each with its own BU IT, several µBU entities and many P nodes]
Slide 10
Challenges at scale
Choosing multiple Azure subscriptions?
• A subscription is more easily isolated than a resource group
• RBAC
• Billing
• Can be assigned completely to an app or project
• Allows autonomy for the team
But:
• The agreement becomes more complex: departments, accounts, subscriptions
• Subscriptions are created/disabled more often
• Global security governance becomes more difficult
Slide 11
Challenges at scale
That's not all.
• Large companies may have a complicated structure
• A single central governance may affect agility and reactivity
• Some BUs want to move faster than others
So: BUs create separate Azure AD tenants
• A BU will be the owner of an Azure AD tenant
• A BU will have 1(+) account in the Enterprise Agreement
• It will be responsible for the billing and security of its own Azure subscriptions
GREAT!
Slide 12
Challenges at scale
But:
• Security compliance and best practices must be audited and enforced across BUs
• Some BUs are not necessarily involved in managing subscriptions
So a transversal IT team may need to audit or manage:
• Azure accounts and subscriptions across tenants
• Azure AD tenant configuration
• Other cloud-related assets
Slide 13
Azure Active Directory: Single vs Multiple Tenants
Slide 14
Azure AD: single vs multi-tenant
• An Azure AD tenant allows us to manage:
  • Users and groups
  • Service principals / applications
  • Access rights to Azure resources
  • Access rights to Office
  • Access to SaaS applications
[Diagram: Users and Groups and Service Principals in the tenant, granting access to Azure subscriptions, Office 365 and SaaS applications]
Slide 15
Azure AD: single vs multi-tenant
• Multi-tenant: Azure AD B2B Collaboration
[Diagram: Users and Groups and Service Principals granting access to Azure subscriptions, Office 365 and SaaS applications, across tenants via B2B Collaboration]
Slide 16
A (new) tenant in your place
• A user (not an admin!) can create an Azure AD tenant in about 2 minutes
• They become Global Admin of the new tenant
• The original user is mapped as an external AD user in the new tenant
• If they own an Azure subscription, they can transfer the management of that subscription to the new tenant
Slide 17
Access a specific tenant
• From the portal
• From the command line:
  Login-AzAccount -Tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  Login-AzAccount -Tenant mydomain.onmicrosoft.com
  Login-AzAccount -Tenant mydomain.net
  az login -t xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  …
• From libraries / APIs
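The slide lists the commands for signing in to one tenant. What a governance team wants right after that is an inventory: which tenants can this account reach, and which subscriptions live in each, so that a subscription moved into a self-created tenant (the scenario on slide 16) stands out. The script below is an added example, not part of the deck; it uses Connect-AzAccount (Login-AzAccount on the slide is an alias of it) and Get-AzTenant / Get-AzSubscription from the Az modules. The tenant ids and labels in $KnownTenants are placeholders for your own directories.

```powershell
# Added example (not from the deck): cross-tenant inventory for the signed-in account.
# Tenant ids and labels below are placeholders for your own directories.
$KnownTenants = @{
    '00000000-0000-0000-0000-000000000001' = 'corp'   # placeholder id
    '00000000-0000-0000-0000-000000000002' = 'bu1'    # placeholder id
}

function Get-TenantSubscriptionInventory {
    param([hashtable] $Known = $KnownTenants)

    # Login-AzAccount on the slide is an alias of Connect-AzAccount. Without -Tenant
    # it signs in to the account's home tenant.
    if (-not (Get-AzContext)) { $null = Connect-AzAccount -ErrorAction Stop }

    # Get-AzTenant lists every tenant the account is a member or guest of.
    foreach ($tenant in Get-AzTenant) {
        $label = if ($Known.ContainsKey($tenant.Id)) { $Known[$tenant.Id] } else { 'UNKNOWN' }

        # Subscriptions are bound to one tenant; a subscription someone moved into a
        # self-created tenant (slide 16) surfaces here under an UNKNOWN tenant.
        # Tenants enforcing MFA / Conditional Access may need a prior
        # Connect-AzAccount -Tenant <id> before this call succeeds.
        $subs = @(Get-AzSubscription -TenantId $tenant.Id -ErrorAction SilentlyContinue)

        if ($subs.Count -eq 0) {
            [pscustomobject]@{
                Tenant = $label; TenantId = $tenant.Id
                Subscription = '(none visible)'; SubscriptionId = $null; State = $null
            }
            continue
        }
        foreach ($sub in $subs) {
            [pscustomobject]@{
                Tenant = $label; TenantId = $tenant.Id
                Subscription = $sub.Name; SubscriptionId = $sub.Id; State = $sub.State
            }
        }
    }
}

# Unknown tenants first, so a directory created outside the governance process is
# visible at a glance.
Get-TenantSubscriptionInventory |
    Sort-Object @{ Expression = { $_.Tenant -ne 'UNKNOWN' } }, Tenant, Subscription |
    Format-Table -AutoSize
```

Run it from the identity of the person or group that owns subscriptions; a row labelled UNKNOWN is exactly the "new tenant in your place" case from slide 16 and deserves a follow-up with the subscription owner.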
Slide 18
Multi-tenancy management
Slide 19
Multi-tenancy management
Multi-tenancy management means…
• Managing multiple Azure AD tenants
and/or
• Managing (Azure) resources "spread" over multiple Azure AD tenants
Slide 20
Responsibilities cross-tenant
Slide 21
Managing multiple AAD tenants
Slide 22
Managing multiple AAD tenants
• Requires having configured, in the "remote" tenant, either:
  1. A dedicated AAD user
  2. A guest (invited) user (B2B Collaboration)
Slide 23
Securing invited identities
1. Whitelist invitation domains
2. Add users without invitation:
   New-AzureADMSInvitation -InvitedUserEmailAddress "user@example.com" `
       -InviteRedirectUrl "https://example.com" `
       -SendInvitationMessage $false `
       -InvitedUserType "Member"
• Go directly to https://portal.azure.com/*yourtenantid* and accept the terms
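The two points on the slide (restrict invitations to trusted domains, add the users you manage without an invitation mail) fit together in one script. What follows is an added example, not the deck's code: it writes the tenant's B2B management policy with an allowed-domain list using the AzureADPreview cmdlets (New-AzureADPolicy / Set-AzureADPolicy with -Type B2BManagementPolicy), refuses to add an external user whose domain is not on that list, and audits guests already present in the tenant against the same list. The domains and the address are constructed placeholders.

```powershell
# Added example (not from the deck). Requires the AzureADPreview module and a
# signed-in Connect-AzureAD session with rights to manage policies and users.
Import-Module AzureADPreview

$AllowedDomains = @('bu1.example.com', 'bu2.example.com')   # constructed placeholders

function Set-InvitationDomainAllowlist {
    param([string[]] $Domains)
    # Policy document shape used by the B2B collaboration restrictions feature.
    $definition = @{
        B2BManagementPolicy = @{
            InvitationsAllowedAndBlockedDomainsPolicy = @{ AllowedDomains = $Domains }
        }
    } | ConvertTo-Json -Depth 5 -Compress

    # A tenant holds at most one B2BManagementPolicy: update it if present, else create it.
    $existing = Get-AzureADPolicy | Where-Object Type -eq 'B2BManagementPolicy'
    if ($existing) {
        Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
    } else {
        New-AzureADPolicy -DisplayName 'B2BManagementPolicy' -Type 'B2BManagementPolicy' `
            -Definition @($definition) -IsOrganizationDefault $true
    }
}

function Add-TrustedExternalUser {
    param([string] $Email, [string[]] $Domains, [string] $InvitedUserType = 'Guest')
    $domain = ($Email -split '@')[-1].ToLowerInvariant()
    if ($Domains -notcontains $domain) {
        throw "$domain is not a trusted domain; refusing to add $Email"
    }
    # Same call as on the slide: no invitation mail; the user signs in at
    # https://portal.azure.com/<tenant id> and accepts the terms.
    New-AzureADMSInvitation -InvitedUserEmailAddress $Email `
        -InviteRedirectUrl 'https://portal.azure.com' `
        -SendInvitationMessage $false `
        -InvitedUserType $InvitedUserType
}

function Get-GuestsOutsideAllowlist {
    param([string[]] $Domains)
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
        # Guest UPNs look like user_domain.com#EXT#@tenant.onmicrosoft.com; the Mail
        # property keeps the original address, so derive the home domain from it.
        $domain = if ($_.Mail) { ($_.Mail -split '@')[-1].ToLowerInvariant() } else { 'unknown' }
        if ($Domains -notcontains $domain) {
            [pscustomobject]@{
                DisplayName = $_.DisplayName; Mail = $_.Mail
                Domain = $domain; ObjectId = $_.ObjectId
            }
        }
    }
}

Set-InvitationDomainAllowlist -Domains $AllowedDomains
Add-TrustedExternalUser -Email 'admin.bu1@bu1.example.com' -Domains $AllowedDomains -InvitedUserType 'Member'
# Guests invited before the policy existed are not removed by it; list them for review.
Get-GuestsOutsideAllowlist -Domains $AllowedDomains | Format-Table -AutoSize
```

The policy only governs new invitations, which is why the audit function is there: guests that predate the allowlist stay in the tenant until someone reviews them.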
Slide 24
What about SPNs?
• Fact: service principals cannot be invited as users in other tenants
• Enterprise application => multi-tenant
• App registration (service principal): single-tenant
https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
Slide 25
SaaS applications as multi-tenant
• A SaaS application registered in Azure AD can be configured to work (accept sign-ins) with/from multiple tenants
• Configure Authentication / Supported account types / Accounts in any organizational directory
• The App ID URI must be globally unique
Slide 26
Securing "only" our tenants
Limit the perimeter to only the set of trusted tenants, by domain
• From inside: the "Only My Tenant" feature
• From outside: direct AAD federation with AD FS or a third-party STS provider
https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
Slide 27
Managing Azure over multiple AAD tenants
Slide 28
Managing Azure over multiple AAD tenants
• Manage Azure over multiple AAD tenants via:
  • The "classical" way: see the previous section
  • The new way: Azure Lighthouse
Slide 29
Azure Lighthouse
Single control plane to view and manage Azure across all customers
Slide 30
Capabilities
• Azure delegated resource management
• Works for users and service principals
• Azure portal experience
• Azure Resource Manager templates
• Managed Services offers in Azure Marketplace
• Azure managed applications
Slide 31
Onboarding a Customer
• Through Azure Marketplace
  • Perfect for MS partners and service providers
  • Not suitable for internal use in companies
• Or through Delegated Resource Management
  • The customer deploys an ARM template into their Azure subscription(s)
Slide 32
Delegated RM - Setup
• Define the roles and permissions to be used on the customer's assets
  • Built-in RBAC roles only, as of today
• What you need for the setup
  • Tenants
    • Service provider's tenant ID (yours)
    • Customer's tenant ID
  • Group / user(s)
  • Azure subscription(s)
  • (Azure) role definitions
Slide 33
Delegated RM - Setup
• Create an ARM template and pass it to the customer. Parameters:
  • mspOfferName
  • mspOfferDescription
  • managedByTenantId
  • authorizations
    • Group ID & display name
    • Role ID – get it by PowerShell/CLI: Get-AzRoleDefinition -Name "Reader"
• The customer deploys the ARM template on their subscription(s)
  • One deployment per subscription: New-AzDeployment
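Slides 32 and 33 describe the setup as two halves: the service provider assembles the template and its parameters (offer name, managedByTenantId, authorizations built from a group and built-in role ids), and the customer deploys it once per subscription. The script below is an added example, not the deck's code, that carries both halves through in PowerShell: it resolves the group and role ids with Get-AzADGroup and Get-AzRoleDefinition (the lookup the slide shows), refuses custom roles and Owner (Lighthouse delegates built-in roles only, and Owner cannot be delegated), writes the subscription-level template with its Microsoft.ManagedServices registrationDefinitions and registrationAssignments resources, and wraps the customer-side New-AzDeployment in a loop over subscriptions. Tenant ids, the group name, the offer text, paths and region are placeholders.

```powershell
# Added example (not the deck's code). Service-provider side first, customer side last.
# Ids, names, paths and region below are placeholders.
$ProviderTenantId = '00000000-0000-0000-0000-0000000000aa'   # managedByTenantId: your tenant (placeholder)
$OfferName        = 'Corp IT cross-tenant audit'
$OfferDescription = 'Read-only audit of BU subscriptions by Corp IT'
$GroupName        = 'sg-corp-it-azure-readers'                 # group in the provider tenant (placeholder)
$RoleNames        = @('Reader', 'Security Reader')             # least privilege: read-only built-in roles

function New-LighthouseAuthorization {
    param([string] $GroupName, [string[]] $RoleNames)
    # The principal must exist in the provider tenant; run this with a context in that tenant.
    $group = Get-AzADGroup -DisplayName $GroupName -ErrorAction Stop
    foreach ($role in $RoleNames) {
        $def = Get-AzRoleDefinition -Name $role -ErrorAction Stop      # same lookup as on the slide
        if ($def.IsCustom)         { throw "'$role' is a custom role; Lighthouse delegates built-in roles only" }
        if ($def.Name -eq 'Owner') { throw 'Owner cannot be delegated through Lighthouse' }
        @{ principalId = $group.Id; principalIdDisplayName = $group.DisplayName; roleDefinitionId = $def.Id }
    }
}

# Subscription-level template: a registration definition (who, with which roles) and the
# assignment that binds it to the subscription it is deployed into. Single-quoted
# here-string so the [..] ARM expressions are passed through untouched.
$Template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName":        { "type": "string" },
    "mspOfferDescription": { "type": "string" },
    "managedByTenantId":   { "type": "string" },
    "authorizations":      { "type": "array" }
  },
  "variables": { "mspRegistrationName": "[guid(parameters('mspOfferName'))]" },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspRegistrationName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('mspRegistrationName'))]"
      }
    }
  ]
}
'@

$Parameters = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        mspOfferName        = @{ value = $OfferName }
        mspOfferDescription = @{ value = $OfferDescription }
        managedByTenantId   = @{ value = $ProviderTenantId }
        authorizations      = @{ value = @(New-LighthouseAuthorization -GroupName $GroupName -RoleNames $RoleNames) }
    }
}
Set-Content -Path .\delegation.json            -Value $Template
Set-Content -Path .\delegation.parameters.json -Value ($Parameters | ConvertTo-Json -Depth 6)

# Customer side: an Owner of each subscription runs this in the customer tenant,
# one subscription-level deployment per subscription (slide 33).
function Invoke-LighthouseOnboarding {
    param([string] $CustomerTenantId, [string[]] $SubscriptionIds, [string] $Location = 'westeurope')
    foreach ($subId in $SubscriptionIds) {
        $null = Connect-AzAccount -Tenant $CustomerTenantId -Subscription $subId -ErrorAction Stop
        New-AzDeployment -Name "lighthouse-$($subId.Substring(0, 8))" -Location $Location `
            -TemplateFile .\delegation.json -TemplateParameterFile .\delegation.parameters.json -ErrorAction Stop
    }
}
# Invoke-LighthouseOnboarding -CustomerTenantId '<customer tenant id>' -SubscriptionIds @('<subscription id>')
```

The two files are the only thing that crosses the organisational boundary, which is why the role check sits on the provider side: the customer reviews a template whose authorizations already honour the minimum-privilege principle from the conclusion slide.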
Slide 34
Lighthouse in Use
• Customer view
• Service provider view
Slide 35
DEMO
Delegated Deployment and Management with Azure Lighthouse
Slide 36
Cross-Tenant Security with Azure Lighthouse
• Azure Security Center!
  • Cross-tenant visibility on Azure resources
  • Cross-tenant security posture management
  • Cross-tenant threat detection and protection
• Azure Policy!
  • Can create definitions and apply/assign them
  • Enforcement with deployIfNotExists
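The Azure Policy point on the slide is the one with moving parts: a deployIfNotExists assignment needs a managed identity, that identity needs the roles the policy definition lists, and existing resources are only fixed by a remediation task. The script below is an added example, not the deck's code, that does those steps for a set of delegated subscriptions from the service-provider sign-in, using Get-AzPolicyDefinition, New-AzPolicyAssignment, New-AzRoleAssignment and Start-AzPolicyRemediation. The subscription ids and the policy display name are placeholders; the display name must match an existing built-in deployIfNotExists policy.

```powershell
# Added example (not the deck's code): assign a built-in deployIfNotExists policy to
# delegated subscriptions from the provider tenant and trigger remediation.
# Subscription ids and the policy display name are placeholders to replace.
$TargetSubscriptions = @('00000000-0000-0000-0000-0000000000b1', '00000000-0000-0000-0000-0000000000b2')
$PolicyDisplayName   = '<display name of a built-in deployIfNotExists policy>'   # placeholder
$Location            = 'westeurope'   # region that hosts the assignment's managed identity

function Set-DinePolicyAcrossSubscriptions {
    param([string[]] $SubscriptionIds, [string] $PolicyDisplayName, [string] $Location)

    $definition = Get-AzPolicyDefinition -Builtin |
        Where-Object { $_.Properties.DisplayName -eq $PolicyDisplayName }
    if (-not $definition) { throw "Built-in policy '$PolicyDisplayName' not found" }
    if ($definition.Properties.PolicyRule.then.effect -ne 'deployIfNotExists') {
        throw "Policy '$PolicyDisplayName' does not use the deployIfNotExists effect"
    }
    # Roles the policy's managed identity needs in order to run the remediation deployment.
    $roleIds = @($definition.Properties.PolicyRule.then.details.roleDefinitionIds)

    foreach ($subId in $SubscriptionIds) {
        $scope = "/subscriptions/$subId"
        # After Lighthouse onboarding the delegated subscriptions are selectable from
        # the provider's own session, no sign-in to the customer tenant needed.
        $null = Set-AzContext -Subscription $subId -ErrorAction Stop

        # -AssignIdentity creates the system-assigned identity the DINE effect deploys with
        # (newer Az.Resources versions spell this -IdentityType SystemAssigned).
        $assignment = New-AzPolicyAssignment -Name 'corp-dine' -DisplayName "Corp IT: $PolicyDisplayName" `
            -Scope $scope -PolicyDefinition $definition -AssignIdentity -Location $Location -ErrorAction Stop

        # Grant the identity the roles listed in the definition. Through Lighthouse this
        # step only works if the delegated principal holds User Access Administrator
        # restricted to creating role assignments for those roles.
        foreach ($roleId in $roleIds) {
            $null = New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
                -RoleDefinitionId ($roleId -split '/')[-1] -Scope $scope -ErrorAction Stop
        }

        # New resources are handled on creation; existing non-compliant ones need a remediation task.
        $null = Start-AzPolicyRemediation -Name "remediate-$($subId.Substring(0, 8))" `
            -PolicyAssignmentId $assignment.PolicyAssignmentId -Scope $scope -ErrorAction Stop

        [pscustomobject]@{ Subscription = $subId; Assignment = $assignment.PolicyAssignmentId; RolesGranted = $roleIds.Count }
    }
}

Set-DinePolicyAcrossSubscriptions -SubscriptionIds $TargetSubscriptions `
    -PolicyDisplayName $PolicyDisplayName -Location $Location | Format-Table -AutoSize
```

The role-assignment step is where cross-tenant enforcement differs from the single-tenant case: the Reader-only delegation built on slide 33 is enough for Security Center visibility, but not for this, so the authorizations must be widened deliberately for the principal that runs policy enforcement.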
Slide 37
(Current) Azure Lighthouse Limitations
• Specific set of supported services
• Azure Databricks: blocking
• Resource-specific URIs (e.g. blob.core.windows.net) not supported
• Built-in RBAC roles only
• Many evolutions and features planned
Slide 39
Conclusion
• Govern Azure resources: with Azure Lighthouse
  • Great solution for simplifying onboarding & experience
  • For partners & SPs, but also for large enterprises
• Govern AAD tenants:
  • Users
    • With dedicated users in the target tenant, with strong governance rules
    • With restricted invitations (by domain)
  • Service principals
    • "Multi-tenant enterprise application"
• ALL: minimum privilege principle
Azure Security Center cross-tenant capabilities (detail of slide 36)
Cross-tenant visibility
• Monitor compliance to security policies and ensure security coverage across all tenants' resources
• Continuous regulatory compliance monitoring across multiple customers in a single view
• Monitor, triage, and prioritize actionable security recommendations with secure score calculation
Cross-tenant security posture management
• Manage security policies
• Take action on resources that are out of compliance with actionable security recommendations
• Collect and store security-related data
Cross-tenant threat detection and protection
• Detect threats across tenants' resources
• Apply advanced threat protection controls such as just-in-time (JIT) VM access
• Harden network security group configuration with Adaptive Network Hardening
• Ensure servers are running only the applications and processes they should be with adaptive application controls
• Monitor changes to important files and registry entries with File Integrity Monitoring (FIM)
https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience