This post is on recommendations, so here is my personal red alert type recommendation for all.
You still have 83 days, give or take to establish a migration from ADAL to MSAL.
Read more from Learn.
In the past months I covered topics on Recommendations from Microsoft 365 Defender and Defender for Cloud.
And in my SC-200 study guide.
Well, this time it will be about Azure AD based recommendations. The feature is customized from Azure Advisor recommendations and only for AAD. First let’s see what Azure Advisor is.
You can access the Advisor from https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview
You need one of these roles on a subscription, resource group, or resource:

| Role | Description | Role definition ID |
|---|---|---|
| Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c |
| Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
| Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
The Advisor score page shows you a holistic view of your environment.
Advisor provides recommendations on the following:
Application Gateway, App Services, availability sets, Azure Cache, Azure Data Factory, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Azure ExpressRoute, Azure Cosmos DB, Azure public IP addresses, Azure Synapse Analytics, SQL servers, storage accounts, Traffic Manager profiles, and virtual machines.
Note that recommendations from Microsoft Defender for Cloud, which can cover other resource kinds, are also included in Azure Advisor.
If we drill deeper into the security aspect, you can see the different resources you have, and these findings are based on the Azure policies you already have in place; once again, everything is connected.
Now that we have an overview of Azure Advisor, let's look at the Azure AD part.
What are AAD recommendations?
The Azure AD recommendations tool is a version of Azure Advisor that is tailored to Azure AD and assists you in adhering to best practices to maximize your Azure installations. In order to make recommendations for solutions that can help you increase the efficiency, performance, dependability, and security of your Azure resources, Azure Advisor examines your resource setup and consumption data.
To read the recommendations, you need one of these roles:

| Azure AD role | Description |
|---|---|
| Reports Reader | Can read sign-in and audit reports. |
| Security Reader | Can read security information and reports in Azure AD and Office 365. |
| Global Reader | Can read everything that a Global Administrator can, but not update anything. |
| Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. |
| Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. |
| Security Operator | Creates and manages security events. |
| Security Administrator | Can read security information and reports and manage configuration in Azure AD and Office 365. |
To update recommendations as well as read them, you need one of these roles:

| Azure AD role | Access type |
|---|---|
| Cloud Application Administrator | Update and read |
| Application Administrator | Update and read |
| Security Operator | Update and read |
| Security Administrator | Update and read |
Here is a list of all the available recommendations; note that separate recommendations are available for P1 and P2 licenses.

| Recommendation | Impacted resources | Required license | Availability |
|---|---|---|---|
| Convert per-user MFA to Conditional Access MFA | Users | All licenses | Generally available |
| Migrate applications from AD FS to Azure AD | Applications | All licenses | Generally available |
| Migrate to Microsoft Authenticator | Users | All licenses | Preview |
| Minimize MFA prompts from known devices | Users | All licenses | Generally available |
| Remove unused applications | Applications | Azure AD Premium P2 | Preview |
| Remove unused credentials from applications | Applications | Azure AD Premium P2 | Preview |
| Renew expiring application credentials | Applications | Azure AD Premium P2 | Preview |
| Renew expiring service principal credentials | Applications | Azure AD Premium P2 | Preview |
How can you access them?
Use https://entra.microsoft.com/#view/Microsoft_AAD_IAM, or the Azure portal if you prefer it: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview
There are three priority levels:
- High: Must do. Not acting will result in severe security implications or potential downtime.
- Medium: Should do. No severe risk if action isn’t taken.
- Low: Might do. No security risks or health concerns if action isn’t taken.
In the portal, the list of impacted resources is limited to a maximum of 50 resources. To get all of them for a recommendation, you can use Graph calls.
You also need to consent to permissions for the queries.
You can choose either Read only, or Read and write.
If you are wondering about the Consent type and why it says Principal, let me explain.
There are two consent types; they indicate whether the authorization is granted for the client application to impersonate all users or only a specific user.
- AllPrincipals indicates authorization to impersonate all users.
- Principal indicates authorization to impersonate a specific user.
When you consent, it asks whether you want to consent for the whole organization.
- Consent on behalf of all users can be granted by an administrator.
- Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions.
Note how user consent and admin consent differ.
Once the permissions are right, you get a response with the recommendation type, display name, and the steps to take to remediate it.
You can also use the Microsoft Graph PowerShell cmdlets for the job:
Get-MgDirectoryRecommendation -ExpandProperty "impactedResources"
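As an added example (not code from the original post or from Microsoft), here is a small Python triage of the Graph response the call above returns. It parses a constructed `directory/recommendations?$expand=impactedResources` payload, whose field names follow the Graph recommendation schema but whose values are made up, groups the still-active items by priority, and flags any whose impacted-resource list is longer than the 50 the portal shows.

```python
"""Triage Azure AD recommendations from a Graph response.

Added example, not from the original post: parses a constructed
GET /directory/recommendations?$expand=impactedResources response (field
names follow the Graph schema, values are made up) and groups active
items by priority, flagging lists longer than the 50 the portal shows.
"""
import json
from collections import defaultdict

PORTAL_LIMIT = 50   # the portal lists at most 50 impacted resources
LABELS = {"high": "Must do", "medium": "Should do", "low": "Might do"}

# Constructed sample response, trimmed to the fields used below.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "rec-1", "displayName": "Migrate applications from ADAL to MSAL",
     "priority": "high", "status": "active",
     "actionSteps": [{"stepNumber": 1, "text": "Find apps still using ADAL"}],
     "impactedResources": [{"id": f"app-{i}", "resourceType": "application",
                            "status": "active"} for i in range(60)]},
    {"id": "rec-2", "displayName": "Renew expiring application credentials",
     "priority": "medium", "status": "active",
     "actionSteps": [{"stepNumber": 2, "text": "Remove the old secret"},
                     {"stepNumber": 1, "text": "Add a new secret"}],
     "impactedResources": [{"id": "app-x", "resourceType": "application",
                            "status": "active"}]},
    {"id": "rec-3", "displayName": "Migrate to Microsoft Authenticator",
     "priority": "low", "status": "completed", "actionSteps": [],
     "impactedResources": []},
]})


def parse_recommendations(raw):
    """Return the recommendation objects of a Graph collection response."""
    return json.loads(raw).get("value", [])


def triage(recs):
    """Group active recommendations by priority, one summary dict each."""
    buckets = defaultdict(list)
    for rec in recs:
        if rec.get("status") != "active":   # skip completed/dismissed/postponed
            continue
        impacted = rec.get("impactedResources", [])
        steps = sorted(rec.get("actionSteps", []), key=lambda s: s["stepNumber"])
        buckets[rec["priority"]].append({
            "name": rec["displayName"], "label": LABELS.get(rec["priority"], "?"),
            "impacted": len(impacted), "portal_truncated": len(impacted) > PORTAL_LIMIT,
            "first_step": steps[0]["text"] if steps else ""})
    return dict(buckets)
```

Feed it the JSON you get back from Graph (for example the output of the cmdlet above converted with `ConvertTo-Json -Depth 5`) and start from the "high" bucket.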
How do you take action?
You can choose the state of the recommendation.
So you can also postpone it if you choose to.
Currently there is a way to see the recommendations for Azure AD, but no way to create remediation tasks and assign them to the responsible admins or developers.
This could be the next step for these recommendations: just like in Microsoft 365 Defender, you would be able to assign the action to someone.
That was Azure AD recommendations! Have a nice one!