Today's complex enterprise environments involve multiple identity structures, especially where cloud resources are managed. This session covers the management and governance of Azure Active Directory tenants, cloud and federated identities, and the authorizations and roles granted on Azure subscriptions and resources.
3. • Intro
• Challenges at scale
• Azure Active Directory. Single vs Multiple-Tenants
• Multi-tenancy management
• Directories
• Azure resources
• Conclusion
Agenda
4. Marius Zaharia
Azure Cloud Tech Lead, Société Générale
Azure MVP and Advisor
Community manager of AZUG FR community
@lecampusazure
www.linkedin.com/in/mzaharia
DISCLAIMER: Below are my own opinions, not my employer's.
6. Beginning is good.
Welcome to Azure!
• 1 subscription.
Welcome to Office 365!
• 1-5 Office licences.
1 Azure Active Directory.
Individuals, SMBs
7. Moving further...
Welcome back to Azure!
• 10 subscriptions.
Welcome back to Office 365!
• 100 Office licences.
1 Azure Active Directory.
Larger businesses…
8. Moving beyond...
GO Azure!
• 100+ subscriptions.
GO Office!
• 10000+ Office licences.
?Azure Active Directory?
To MUCH larger businesses -
10. Challenges at scale
Azure
• Many users and groups
• Many, many Azure resources
• …spread in subscriptions
• Accounts / CSP / EA
• Access rights management
Office 365
• Many users and groups
• More Office apps
• More complex licensing plans
Microsoft 365
Dynamics 365
Other Cloud services
11. • What a large enterprise may look like (from an IT perspective):
Challenges at scale
[Diagram: Corp IT next to BU#1, BU#2 … BU#n, each with its own BU IT, its micro-BUs (µBU) and its projects (P)]
12. Challenges at scale
Choosing multiple Azure subscriptions?
• Subscription more easily isolated than a resource group
• RBAC
• Billing
• Can be assigned completely to an app or project
• Allow autonomy for the team
But:
• Agreement becomes more complex: Depts, Accounts, Subs
• Create/disable subscriptions more often
• Global security governance becomes more difficult
13. Challenges at scale
That’s not all.
• Large companies may have a complicated structure
• Single central governance may affect agility and reactivity
• Some BUs want to move faster than others
So: BUs create separate Azure AD Tenants
• A BU will be owner of an Azure AD tenant
• A BU will have 1(+) account in the Enterprise Agreement
• It will be responsible for the billing and the security of its own Azure subscriptions.
GREAT!
14. Challenges at scale
But:
• Security compliance and best practices must be audited and enforced across BUs
• Some BUs are not necessarily involved in managing subscriptions
So a transversal IT team may need to audit or manage:
• Azure accounts and subscriptions across tenants
• Azure AD tenants configuration
• Other cloud related assets
16. • An Azure AD tenant allows us to manage
• Users and groups
• Service principals / applications
• Access rights to Azure resources
• Access rights to Office
• Access to SaaS applications
Azure AD: single vs multi-tenant
[Diagram: one tenant with Users and Groups and Service Principals, consumed by Azure subscriptions, Office 365 and SaaS applications]
17. • Multi-tenant: Azure AD B2B Collaboration
Azure AD: single vs multi-tenant
[Diagram: several tenants, each with Users and Groups, Service Principals, Azure subscriptions, Office 365 and SaaS applications, linked by B2B collaboration]
18. • A user (not an admin!) can create an Azure AD tenant in 2 minutes
• He will be Global Admin of the new tenant
• The original user is mapped as an external AD user in the new tenant
• If he is Owner of an Azure subscription, he can transfer the management of that subscription to the new tenant (tenant sprawl you may not even know about)
A (new) tenant in your place
19. • From the portal
• From the command line
• Login-AzAccount -Tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
• Login-AzAccount -Tenant mydomain.onmicrosoft.com
• Login-AzAccount -Tenant mydomain.net
• az login -t xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
• …
• From Libs / API
Access a specific tenant
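The per-tenant login above is the building block of a cross-tenant audit. The script below is an added example (not from the original deck): it enumerates every tenant the signed-in account can reach, re-authenticates in each one, and inventories the privileged role assignments (Owner, Contributor, User Access Administrator) at or above each subscription. It assumes the Az PowerShell module and an account that is a member or guest in each tenant; the privileged-role list is a choice made for the example.

```powershell
# Added example: cross-tenant inventory of privileged role assignments.
# Assumes the Az module and an account present (member or guest) in each tenant.
Connect-AzAccount | Out-Null
$me = (Get-AzContext).Account.Id

# Roles a transversal security team usually wants to see first (example choice).
$privileged = @('Owner', 'Contributor', 'User Access Administrator')

$report = foreach ($tenant in Get-AzTenant) {
    # Re-authenticate in the target tenant; -Tenant accepts the GUID or a domain name.
    $ctx = Connect-AzAccount -Tenant $tenant.Id -AccountId $me -ErrorAction SilentlyContinue
    if (-not $ctx) {
        [pscustomobject]@{ Tenant = $tenant.Id; Subscription = '(login failed)';
                           Principal = $null; Type = $null; Role = $null; Scope = $null }
        continue
    }
    foreach ($sub in Get-AzSubscription -TenantId $tenant.Id) {
        Set-AzContext -Subscription $sub.Id -Tenant $tenant.Id | Out-Null
        # -Scope returns assignments made at the subscription and inherited from
        # management groups above it; we keep only the privileged roles.
        Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" |
            Where-Object { $_.RoleDefinitionName -in $privileged } |
            ForEach-Object {
                [pscustomobject]@{
                    Tenant       = $tenant.Id
                    Subscription = $sub.Name
                    Principal    = $_.DisplayName
                    Type         = $_.ObjectType      # User, Group, ServicePrincipal
                    Role         = $_.RoleDefinitionName
                    Scope        = $_.Scope
                }
            }
    }
}

$report | Sort-Object Tenant, Subscription, Role | Format-Table -AutoSize

# Findings worth a ticket: individual users (not groups) holding Owner anywhere.
$report | Where-Object { $_.Type -eq 'User' -and $_.Role -eq 'Owner' }
```

Each `Connect-AzAccount -Tenant` call may prompt again, because the remote tenant's Conditional Access and MFA policies apply to the guest sign-in; that is the expected cost of the "dedicated or guest user per tenant" model and one reason the Lighthouse approach later in the deck avoids re-authentication.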
24. Requires having configured, in the « remote » tenant, either:
1. Dedicated AAD user
2. Guest (invited) user (B2B Collaboration)
Managing multiple AAD tenants
25. 1. Whitelist invitation domains
2. Add users without invitation
New-AzureADMSInvitation -InvitedUserEmailAddress "user@example.com" `
-InviteRedirectUrl "https://example.com" `
-SendInvitationMessage $false `
-InvitedUserType "Member"
• Go directly to https://portal.azure.com/*yourtenantid* and accept terms
Securing invited identities
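The two controls on this slide fit together: the tenant-wide allow-list decides which domains may be invited at all, and the silent invitation adds a user from one of those domains without an e-mail round trip. The script below is an added example (not from the original deck) that sets the allow-list with the AzureAD module's `B2BManagementPolicy` (the same setting as the portal's external collaboration allow/deny list) and then wraps `New-AzureADMSInvitation` in a check that refuses any address outside the list. The domain names are placeholders chosen for the example.

```powershell
# Added example: restrict B2B invitations to an allow-list, then invite silently.
# Assumes the AzureAD PowerShell module and a Global Administrator session.
Connect-AzureAD | Out-Null

# Placeholder partner domains for the example.
$allowedDomains = @('partner-bu.example', 'corp.example')

# Definition shape used by the B2BManagementPolicy allow/deny list.
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = $allowedDomains
            BlockedDomains = @()
        }
    }
} | ConvertTo-Json -Depth 5 -Compress

# A tenant holds at most one B2BManagementPolicy: update it if present, else create it.
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -DisplayName 'B2BManagementPolicy' -Type 'B2BManagementPolicy' `
        -Definition @($definition) -IsOrganizationDefault $true | Out-Null
}

function Invoke-GuardedInvitation {
    # Invite a user from an allow-listed domain without sending the invitation mail.
    param(
        [Parameter(Mandatory)] [string] $Email,
        [string] $RedirectUrl = 'https://portal.azure.com'
    )
    $domain = ($Email -split '@')[-1].ToLowerInvariant()
    if ($domain -notin $allowedDomains) {
        throw "Refusing to invite $Email : domain '$domain' is not allow-listed"
    }
    # Silent invitation: the user opens https://portal.azure.com/<tenant id> and accepts the terms.
    New-AzureADMSInvitation -InvitedUserEmailAddress $Email `
        -InviteRedirectUrl $RedirectUrl `
        -SendInvitationMessage $false `
        -InvitedUserType 'Guest'
}

Invoke-GuardedInvitation -Email 'auditor@partner-bu.example'
```

The client-side domain check is a convenience for scripts; the tenant-side policy is the actual control, since it also blocks invitations sent from the portal or by other administrators. The example invites as `Guest`, the default; the slide's `Member` type gives the invited identity member-level directory read rights, so use it only where the deck's "dedicated user" model is intended.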
26. • Fact: Service Principals cannot be invited as users in other tenants
• App registration (application object): lives in one home tenant, but can be declared multi-tenant
• Enterprise Application (service principal): one per tenant that uses the app, so a multi-tenant app gets its own service principal in each consuming tenant
• https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
What about SPNs ?
27. Limit the perimeter to only the set of trusted tenants, by domains
• From inside: « Only My Tenant » feature
• From outside: direct AAD federation with AD FS or a third-party STS provider
• https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
Securing « only » our tenants
28. • A SaaS application registered in Azure AD can be configured to work (accept sign-ins) with/from multiple tenants
• Configure Authentication / Supported account types / Accounts in any organizational directory
• App ID URI must be globally unique
SaaS applications as multi-tenant
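Slides 26 and 28 describe the same pattern from two angles: a single application object in the home tenant, declared multi-tenant, and one service principal per consuming tenant. The script below is an added example (not from the original deck) that walks the three steps for an automation identity: register the multi-tenant app at home, provision its service principal and a least-privilege role in a remote tenant, then sign in there as the service principal. It assumes the Graph-based Az.Resources module (`-SignInAudience`, `SecretText`); the tenant names, display name, identifier URI and subscription ID are placeholders.

```powershell
# Added example: one multi-tenant app registration, one service principal per remote tenant.
# Placeholders: home.example, bu1.example, xtenant-audit, $targetSubscription.

# --- Step 1: home tenant, register the app as multi-tenant ---
Connect-AzAccount -Tenant 'home.example' | Out-Null
$homeTenantId = (Get-AzContext).Tenant.Id
$app = New-AzADApplication -DisplayName 'xtenant-audit' `
    -SignInAudience 'AzureADMultipleOrgs' `
    -IdentifierUris "api://$homeTenantId/xtenant-audit"   # App ID URI must be globally unique
# Short-lived client secret; keep it in a Key Vault, never in the script.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)

# --- Step 2: each remote tenant, run by an administrator of that tenant ---
Connect-AzAccount -Tenant 'bu1.example' | Out-Null
$targetSubscription = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
# Creating the service principal for a foreign app ID is the "enterprise application"
# in this tenant; it is what admin consent does behind the scenes.
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $app.AppId }
# Least privilege: Reader on one subscription, not Contributor tenant-wide.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$targetSubscription" | Out-Null

# --- Step 3: the automation authenticates to the remote tenant as the SP ---
$secret = ConvertTo-SecureString $cred.SecretText -AsPlainText -Force
$spCred = [pscredential]::new($app.AppId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $spCred -Tenant 'bu1.example' | Out-Null
Get-AzSubscription   # shows only what the Reader assignment exposes
```

Because the application object stays in the home tenant, rotating the secret or deleting the registration revokes access in every consuming tenant at once; the remote tenants keep control of what the service principal may do through their own role assignments.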
32. • Azure delegated resource management
• Works for users and service principals
• Azure portal experience
• Azure Resource Manager templates
• Managed Services offers in Azure Marketplace
• Azure managed applications
Capabilities
33. • Through Azure MarketPlace
• Perfect for MS Partners and Service Providers
• Not suitable for internal use in companies
• Or through Delegated Resource Management
• Customer deploys an ARM template into his Azure subscription(s)
Onboarding Customer
34. • Define roles and permissions to be used on Customer’s assets
• Built-in RBAC roles only, as of today
• What you need for setup
• Tenants
• Service provider's tenant ID (yours)
• Customer's tenant ID
• Group / User(s)
• Azure Subscription(s)
• (Azure) Role Definitions
Delegated RM - Setup
35. • Create ARM Template – and pass it to the Customer
• mspOfferName
• mspOfferDescription
• managedByTenantId
• authorizations
• Group ID & display name
• Role ID
Get it by PS/CLI: Get-AzRoleDefinition -Name "Reader"
• Customer deploys the ARM Template on his subscription(s)
• One deployment per subscription
• New-AzDeployment
Delegated RM - Setup
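The four slides above (setup inputs, template parameters, per-subscription deployment) are one procedure. The script below is an added example (not from the original deck) that carries it end to end: the service provider gathers the group and role IDs, writes the ARM template and its parameter file, and the customer deploys them once per subscription with `New-AzDeployment`. The template body follows the `Microsoft.ManagedServices` registration definition and assignment resource shapes; the offer name, group name, tenant domains and subscription IDs are placeholders.

```powershell
# Added example: build and deploy the Azure Lighthouse onboarding template.
# Placeholders: provider.example, customer.example, LH-Customer-Readers, subscription IDs.

# ----- Service provider side (your tenant): gather the inputs -----
Connect-AzAccount -Tenant 'provider.example' | Out-Null
$managedByTenantId = (Get-AzContext).Tenant.Id
$group  = Get-AzADGroup -DisplayName 'LH-Customer-Readers'   # group that will be delegated
$reader = Get-AzRoleDefinition -Name 'Reader'                 # as on the slide; .Id is the role GUID

$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName":        { "type": "string" },
    "mspOfferDescription": { "type": "string" },
    "managedByTenantId":   { "type": "string" },
    "authorizations":      { "type": "array" }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName":   "[guid(parameters('mspOfferName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      }
    }
  ]
}
'@
Set-Content -Path .\lighthouse.json -Value $template

# Parameter file: one authorization = (principal, display name, role definition GUID).
$parameters = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        mspOfferName        = @{ value = 'Corp IT security audit' }
        mspOfferDescription = @{ value = 'Read-only cross-tenant audit by Corp IT' }
        managedByTenantId   = @{ value = $managedByTenantId }
        authorizations      = @{ value = @(
            @{ principalId = $group.Id; principalIdDisplayName = $group.DisplayName; roleDefinitionId = $reader.Id }
        ) }
    }
}
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path .\lighthouse.parameters.json

# ----- Customer side (their tenant, Owner on each subscription): one deployment per subscription -----
Connect-AzAccount -Tenant 'customer.example' | Out-Null
foreach ($subId in @('11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222')) {
    Set-AzContext -Subscription $subId | Out-Null
    New-AzDeployment -Name 'lighthouse-onboarding' -Location 'westeurope' `
        -TemplateFile .\lighthouse.json -TemplateParameterFile .\lighthouse.parameters.json
}

# Verify what this subscription has delegated (Az.ManagedServices module).
Get-AzManagedServicesAssignment
```

Delegating to a group rather than to individual users keeps the customer's template stable: the provider changes who can act by changing group membership, and the customer never has to redeploy. Keep the authorizations to the narrowest built-in role that does the job, since the customer cannot further restrict what the provider's principals do inside the delegated scope.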
38. Azure Security Center!
• Cross-tenant visibility on Azure resources
• Cross-tenant security posture management
• Cross-tenant threat detection and protection
Azure Policy!
• Can create definitions and apply/assign them
• Enforcement w/ deployIfNotExists
Cross Tenant Security w/ Az Lighthouse
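Once subscriptions are delegated, the provider works on them from its own tenant without the per-tenant logins of slide 19. The script below is an added example (not from the original deck) that, from the provider tenant, picks out the delegated subscriptions and summarises their Azure Policy compliance and open Security Center recommendations in one table. It assumes the Az.PolicyInsights and Az.Security modules, a delegated role that can read them, and that a delegated subscription is listed with its owning customer tenant in `TenantId` (the filter relies on that assumption); the tenant name is a placeholder.

```powershell
# Added example: cross-tenant posture summary over Lighthouse-delegated subscriptions.
# Assumes Az.PolicyInsights and Az.Security; provider.example is a placeholder.
Connect-AzAccount -Tenant 'provider.example' | Out-Null
$homeTenant = (Get-AzContext).Tenant.Id

# Assumption: delegated subscriptions report their owning (customer) tenant in TenantId,
# so anything whose TenantId differs from the home tenant was delegated to us.
$delegated = Get-AzSubscription | Where-Object { $_.TenantId -ne $homeTenant }

$posture = foreach ($sub in $delegated) {
    # No re-authentication: the delegation grants access from the home tenant context.
    Set-AzContext -Subscription $sub.Id | Out-Null
    $summary = Get-AzPolicyStateSummary -SubscriptionId $sub.Id
    $tasks   = @(Get-AzSecurityTask -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        CustomerTenant        = $sub.TenantId
        Subscription          = $sub.Name
        NonCompliantResources = $summary.Results.NonCompliantResources
        NonCompliantPolicies  = $summary.Results.NonCompliantPolicies
        OpenSecurityTasks     = $tasks.Count
    }
}

$posture | Sort-Object NonCompliantResources -Descending | Format-Table -AutoSize
```

The same loop is where a provider would assign Azure Policy definitions on each delegated scope; a `deployIfNotExists` effect needs a managed identity in the customer subscription, so the delegated role must include the rights that remediation requires, which is worth settling before the customer deploys the onboarding template.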
39. • Specific set of supported services
• Azure Databricks: blocked / not supported
• Resource-specific URIs (ex. blob.core.windows.net) not supported
• Built-in RBAC roles only
• Many evolutions and features planned to come
(Current) Az Lighthouse Limitations
41. • Govern Azure resources : w/ Azure Lighthouse
Great solution for simplifying onboarding & experience
• For Partners & SPs, but also for large enterprises
• Govern AAD tenants:
• Users
• With dedicated users in target tenant w/ strong governance rules
• With restricted invitations (by domain)
• Service Principals
• « Multi-tenant enterprise application »
• ALL: least-privilege principle
Conclusion
Cross-tenant visibility
• Monitor compliance with security policies and ensure security coverage across all tenants' resources
• Continuous regulatory compliance monitoring across multiple customers in a single view
• Monitor, triage, and prioritize actionable security recommendations with secure score calculation
Cross-tenant security posture management
• Manage security policies
• Take action on resources that are out of compliance with actionable security recommendations
• Collect and store security-related data
Cross-tenant threat detection and protection
• Detect threats across tenants' resources
• Apply advanced threat protection controls such as just-in-time (JIT) VM access
• Harden network security group configuration with Adaptive Network Hardening
• Ensure servers are running only the applications and processes they should be with adaptive application controls
• Monitor changes to important files and registry entries with File Integrity Monitoring (FIM)
https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience