Azure (AD) recommendations with some explanations

This post is about recommendations, so let me start with my own red-alert recommendation for everyone.

You still have 83 days, give or take, to migrate from ADAL to MSAL.

Read more from Microsoft Learn.

In the past months I covered topics on Recommendations from Microsoft 365 Defender and Defender for Cloud.

And in my SC-200 study guide

Well, this time it is about Azure AD recommendations. The feature is a version of Azure Advisor recommendations tailored to Azure AD only. First let's see what Azure Advisor is.

Azure Advisor

You can access the Advisor from https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview

And with one of these built-in roles on a subscription, resource group or resource (role name, description, role definition ID):

  • Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. ID: b24988ac-6180-42a0-ab88-20f7382dd24c
  • Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
  • Reader: View all resources, but does not allow you to make any changes. ID: acdd72a7-3385-48ef-bd42-f606fba81ae7

The Advisor score page gives you a holistic view of your environment.

Advisor provides recommendations on the following:

Application Gateway, App Services, availability sets, Azure Cache, Azure Data Factory, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Azure ExpressRoute, Azure Cosmos DB, Azure public IP addresses, Azure Synapse Analytics, SQL servers, storage accounts, Traffic Manager profiles, and virtual machines.

Note that security recommendations from Microsoft Defender for Cloud, which may cover additional resource types, are also surfaced in Azure Advisor.

If you drill into the Security category, you can see the affected resources and, guess what, these recommendations are driven by the same Azure Policy assessments that Defender for Cloud uses, so again everything is connected.

Now we have an overview of Azure Advisor, let’s see the Azure AD part.

What are AAD recommendations?

The Azure AD recommendations feature is a version of Azure Advisor tailored to Azure AD; it helps you follow best practices for your tenant. Like Advisor, it examines your configuration and usage data and recommends changes that improve the efficiency, performance, reliability and security of your environment.

And you need one of these Azure AD roles. The first three give read-only access to the recommendations; the others can also update them (for example postpone or dismiss):

  • Reports Reader (read-only): Can read sign-in and audit reports.
  • Security Reader (read-only): Can read security information and reports in Azure AD and Office 365.
  • Global Reader (read-only): Can read everything that a Global Administrator can, but not update anything.
  • Cloud Application Administrator (read and update): Can create and manage all aspects of app registrations and enterprise apps except App Proxy.
  • Application Administrator (read and update): Can create and manage all aspects of app registrations and enterprise apps.
  • Security Operator (read and update): Creates and manages security events.
  • Security Administrator (read and update): Can read security information and reports and manage configuration in Azure AD and Office 365.

Here is a list of all the available recommendations. Note that the required license differs per recommendation: the ones about application and service principal credentials need Azure AD Premium P2, the rest are available with any license.

  • Convert per-user MFA to Conditional Access MFA: impacts users; all licenses; generally available.
  • Migrate applications from AD FS to Azure AD: impacts applications; all licenses; generally available.
  • Migrate to Microsoft Authenticator: impacts users; all licenses; preview.
  • Minimize MFA prompts from known devices: impacts users; all licenses; generally available.
  • Remove unused applications: impacts applications; Azure AD Premium P2; preview.
  • Remove unused credentials from applications: impacts applications; Azure AD Premium P2; preview.
  • Renew expiring application credentials: impacts applications; Azure AD Premium P2; preview.
  • Renew expiring service principal credentials: impacts applications; Azure AD Premium P2; preview.

How can you access them?

In the Microsoft Entra admin center at https://entra.microsoft.com/#view/Microsoft_AAD_IAM, or in the Azure portal if you prefer it: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview

There are three priority levels:

  • High: Must do. Not acting will result in severe security implications or potential downtime.
  • Medium: Should do. No severe risk if action isn’t taken.
  • Low: Might do. No security risks or health concerns if action isn’t taken.

In the portal, the list of impacted resources is capped at 50 per recommendation. To get all of them, and all recommendations, use Microsoft Graph calls.

Before the queries work you have to consent to the permission.

You can choose only Read (DirectoryRecommendations.Read.All) or Read and write (DirectoryRecommendations.ReadWrite.All).

If you wonder about the consent type and why it says Principal, let me explain.

There are two consent types. They indicate whether the authorization is granted for the client application to act on behalf of all users or only of a specific user:

  • AllPrincipals indicates authorization to act on behalf of all users.
  • Principal indicates authorization to act on behalf of a specific user.

When you consent, you will be asked whether you want to consent on behalf of the whole organization.

  • Consent on behalf of all users can only be granted by an administrator.
  • Non-admin users may be allowed to consent on behalf of themselves, for some delegated permissions, depending on the tenant's user consent settings.

And here is how user consent and admin consent differ.
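As an added example (not code from the original post), here is how to check what consent actually exists in your tenant for the Microsoft Graph PowerShell app once you have connected: each oauth2PermissionGrant carries the consentType described above, so you can see at a glance whether the recommendations permission was granted for one user or for everyone. The appId 14d82eec-204b-4c2f-b7e8-296a70dab67e is the well-known Microsoft Graph Command Line Tools application; the Directory.Read.All scope used to sign in is an assumption about what your own account is allowed to consent to.

```powershell
# Added example, not from the original post: list the delegated permission grants that exist
# for the Microsoft Graph PowerShell app and show whether each one is a per-user (Principal)
# or tenant-wide (AllPrincipals) consent.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

# Well-known appId of "Microsoft Graph Command Line Tools" (the Graph PowerShell SDK app).
$graphPsAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'

# Resolve the service principal that represents this app in the tenant.
$sp = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$graphPsAppId'"
if (-not $sp.value) { throw "Graph PowerShell has never been consented to in this tenant." }
$spId = $sp.value[0].id

# oauth2PermissionGrants are the delegated consents; consentType is Principal or AllPrincipals.
$grants = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?`$filter=clientId eq '$spId'"

foreach ($g in $grants.value) {
    $who = if ($g.consentType -eq 'AllPrincipals') { 'every user (admin consent)' } else { "one user: $($g.principalId)" }
    "{0,-13} -> {1}" -f $g.consentType, $who
    "              scopes: $($g.scope.Trim())"
    # The thing to watch for: a tenant-wide grant that includes write access to recommendations.
    if ($g.consentType -eq 'AllPrincipals' -and $g.scope -match 'DirectoryRecommendations\.ReadWrite\.All') {
        "              WARNING: any user who can sign in to Graph PowerShell can change recommendation state."
    }
}
```

If you only need to read recommendations, grant DirectoryRecommendations.Read.All; a tenant-wide ReadWrite grant lets every user who signs in to Graph PowerShell postpone or dismiss recommendations without holding one of the update-capable roles listed above being checked at consent time.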

And when the permissions are right, you get a response with the recommendation type, the display name and the action steps to take to remediate it.

You can also use the Microsoft Graph PowerShell cmdlets for the job.
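As an added example (not code from the original post), this is the Graph call done from Microsoft Graph PowerShell, with paging so you get every impacted resource instead of the 50 the portal shows. The endpoints are the beta `/directory/recommendations` collection and its `impactedResources` relationship; the `Get-GraphPages` helper is my own, and the priority values high, medium and low are the ones the API returns.

```powershell
# Added example, not from the original post: pull every Azure AD recommendation and all of its
# impacted resources through Microsoft Graph (beta), following @odata.nextLink so nothing is cut
# off at the portal's 50-resource limit.
Connect-MgGraph -Scopes "DirectoryRecommendations.Read.All" -NoWelcome

function Get-GraphPages {
    # Collects every page of a Graph collection; Graph returns one page at a time and
    # points to the rest with @odata.nextLink.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$recs = Get-GraphPages -Uri 'https://graph.microsoft.com/beta/directory/recommendations'

# Only open items, highest priority first (priority values are high / medium / low).
$rank   = @{ high = 0; medium = 1; low = 2 }
$active = $recs | Where-Object { $_.status -eq 'active' } | Sort-Object { $rank[$_.priority] }

foreach ($r in $active) {
    "[{0}] {1}  (type: {2}, last checked: {3})" -f $r.priority.ToUpper(), $r.displayName, $r.recommendationType, $r.lastCheckedDateTime
    # actionSteps are the remediation steps shown in the portal.
    foreach ($step in ($r.actionSteps | Sort-Object { $_.stepNumber })) {
        "    step $($step.stepNumber): $($step.text)"
    }
    # The portal stops at 50; this walks the whole collection.
    $impacted = Get-GraphPages -Uri "https://graph.microsoft.com/beta/directory/recommendations/$($r.id)/impactedResources"
    "    impacted resources: $($impacted.Count)"
    foreach ($res in $impacted) {
        "      - $($res.displayName) [$($res.resourceType)] status=$($res.status) added=$($res.addedDateTime)"
    }
}
```

Pipe the impacted-resource lines to `Export-Csv` if you want to hand the list of affected applications or users to the team that owns them.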

How to take actions?

You can set the state of a recommendation, for example mark it as completed or dismiss it.

And you can also postpone it if you choose to do so.
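The same state changes can be scripted. As an added example (not code from the original post), this postpones a recommendation for 30 days through the Graph beta actions and then reads it back to confirm. The action names postpone, dismiss, complete and reactivate and the body property postponeUntilDateTime are the beta API's; selecting the recommendation by its portal display name is my own choice, and the 30-day window is an assumption.

```powershell
# Added example, not from the original post: change the state of a recommendation through the
# Graph beta actions (postpone / dismiss / complete / reactivate) instead of clicking in the portal.
Connect-MgGraph -Scopes "DirectoryRecommendations.ReadWrite.All" -NoWelcome

$base = 'https://graph.microsoft.com/beta/directory/recommendations'

# Pick the recommendation by the display name shown in the portal (here the AD FS migration one).
$all    = (Invoke-MgGraphRequest -Method GET -Uri $base).value
$target = $all | Where-Object { $_.displayName -eq 'Migrate applications from AD FS to Azure AD' }
if (-not $target) { throw 'Recommendation not found in this tenant.' }
$id = $target.id

function Set-RecommendationState {
    # $Action is one of the Graph actions: postpone, dismiss, complete, reactivate.
    # postpone needs postponeUntilDateTime and dismiss needs dismissReason in the body.
    param(
        [Parameter(Mandatory)][string]$RecommendationId,
        [Parameter(Mandatory)][ValidateSet('postpone','dismiss','complete','reactivate')][string]$Action,
        [hashtable]$Body = @{}
    )
    Invoke-MgGraphRequest -Method POST -Uri "$base/$RecommendationId/$Action" -Body $Body | Out-Null
}

# Postpone for 30 days (assumed window); the date must be UTC in ISO 8601 format.
$until = (Get-Date).ToUniversalTime().AddDays(30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Set-RecommendationState -RecommendationId $id -Action postpone -Body @{ postponeUntilDateTime = $until }

# Read it back rather than trusting the call succeeded silently.
$after = Invoke-MgGraphRequest -Method GET -Uri "$base/$id"
"Status is now '$($after.status)', postponed until $($after.postponeUntilDateTime)"

# To dismiss instead, a reason is required, which is what ends up in the audit trail:
# Set-RecommendationState -RecommendationId $id -Action dismiss -Body @{ dismissReason = 'Accepted risk, tracked in ticket' }
```

Postponing only moves the date; the recommendation comes back as active when the date passes, so put the re-check in the same calendar entry as the migration work.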

Closure

Currently there is a way to see the recommendations for Azure AD, but no way to create remediation tasks and assign them to the responsible admins or developers.

That could be the next step, just like in Microsoft 365 Defender, where you can assign an action to someone.

That was Azure AD recommendations! Have a nice one!

Author: Harri Jaakkonen
