Hybrid identity and how to protect your users?

Hybrid identity is a trendy way to distribute your identity across cloud services.

Identity has always been an important part in user interactions with services. It’s your unique identifier in the directory that you belong to.

This theme also continues with network devices: they have MAC addresses for identification purposes.

Web pages have names, not IP addresses, because it would be really annoying to log in with only an IP address and not the name; nobody would remember any of them.

When I was a child, I remembered all my friends' numbers, although I never called them; I always went running. Now I hardly remember my own number.

What I said in the beginning was not the whole story, because you and all other objects have a unique identifier underneath your username or your workstation name. These are called GUIDs or SIDs.

And so, the story continues for the usernames and devices also.

Users and devices have SIDs and GUIDs, and guess what? You still have these in the cloud, as Azure AD is also based on these objects.

Identity always has a Source of Authority, and in this example it is Active Directory. You will synchronize your identity and the attributes that belong to it through Azure AD Connect and the Azure Cloud Sync agent.

Your attributes can be manipulated in the process if needed: you can add, modify, or even remove them. It really depends on your organization’s regulations and what you want to do with the identity, such as what rights or licenses to assign and what group to put the user in.

There are multiple options for this scenario, but the real power comes from the cloud and the intelligence it provides.

Dynamic Groups

You can use dynamic user security groups to assign users based on the extension attributes that flow from Active Directory. With dynamic groups you can assign policies to a user, or assign them rights or licenses.

You can also create a dynamic Microsoft 365 user group. Because a Microsoft 365 group is a mail-enabled group, it will have an email address that can be used inside the group.

You can also implement a default sensitivity label for the group members to protect data.

Because a Microsoft 365 group is also a SharePoint site and can be a Teams channel, there is also a SharePoint site associated with this group.

By default, it does not have a Teams channel, but one is easily created from the Admin center.

Policies for groups

You can define policies for groups. With these policies you can block words from group names.

Or force the groups to be named with certain names.

Enterprise applications

You can assign a dynamic group to an Enterprise Application, which allows seamless single sign-on to the services that your company provides. You can also add Conditional Access policies for these groups and their members.

Conditional Access

You can add dynamic groups to Conditional Access policies. These give you a way to prevent people from accessing your services from geographic locations where you do not have offices, to enforce Terms of Use for NDA (non-disclosure agreement) purposes, or even to force Multi-Factor Authentication.
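
The setup described under Dynamic Groups and Conditional Access, as an added example that is not from the original post. It assumes the Microsoft Graph PowerShell module is installed; the group name, the `extensionAttribute1` value, the country code and the policy names are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell module; every name, attribute value and country is constructed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Dynamic security group: membership follows an extension attribute that
# flows from on-premises Active Directory through the sync.
$group = New-MgGroup -DisplayName 'DYN-Finance-Users' `
    -MailEnabled:$false -MailNickname 'dyn-finance-users' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' -MembershipRuleProcessingState 'On' `
    -MembershipRule '(user.extensionAttribute1 -eq "Finance") and (user.accountEnabled -eq true)'

# Named location listing the countries where the organization has offices.
$offices = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Office countries'
    countriesAndRegions               = @('FI')
    includeUnknownCountriesAndRegions = $false
}

# Conditions shared by both policies: the dynamic group, all cloud apps.
$users = @{ includeGroups = @($group.Id) }
$apps  = @{ includeApplications = @('All') }

# Policy 1: block the group's sign-ins from outside the office countries.
$blockOutsideOffices = @{
    displayName   = 'Finance - block outside office countries'
    state         = 'enabledForReportingButNotEnforced'  # report-only first
    conditions    = @{
        users        = $users
        applications = $apps
        locations    = @{ includeLocations = @('All'); excludeLocations = @($offices.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for every sign-in by the group's members.
$requireMfa = @{
    displayName   = 'Finance - require MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{ users = $users; applications = $apps }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in $blockOutsideOffices, $requireMfa) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Both policies start in report-only state so their effect shows up in the sign-in logs before anything is enforced. Keep an emergency access account out of the targeted group before switching `state` to `enabled`.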

Access Reviews

Dynamic groups also have Access Reviews. An access review means that someone in your organization takes care of the expiration or renewal of group memberships. This is a fantastic way to keep the group in order.

Multi-Factor authentication

MFA is two-factor authentication for user logins to any service that uses Azure AD identities for sign-in. It helps prevent up to 99.9% of breaches of user accounts.

Or go Passwordless

MFA provides more security for identity, but usability suffers. Microsoft has introduced passwordless authentication. It will allow users to verify their login with Microsoft Authenticator instead of a password or to use FIDO2 keys on their device to verify their identity.

Verifiable Credentials – In Public preview

Verifiable credentials give the organization a way to find user evidence not only with a username and a password, but also with identifier that.

This method uses Decentralized Identity: the user can provide evidence such as a driving license, passport, or school certificate to prove they really are who they claim to be.

Organization segments

Organizations are divided into three layers.

Basic protected organizations, organizations with higher policies for security, and highly protected and regulated customers.

Data segments

Data is also divided into three major segments.

Data that is protected with basic protection features in Azure AD.

Organizational data, where organizations protect their sensitive data by classifying it and upholding the data sensitivity.

And then there are highly protected organizations, which have government regulations to keep the data for an extended period and encrypt the data with their own keys.

Organizations at all levels should have their own policies in place, and your organization should follow the regulations and run assessments to discover the identity and data governance model that upholds your organization's policies.

Microsoft Secure Score is an excellent place to start.

Secure Score homepage.

And for the compliance score, there is Compliance Manager.

Compliance Manager - dashboard.


Author: Harri Jaakkonen
