Azure Identity Protection and securing management with Just In Time (JIT)
In this article we will learn about the Azure AD Identity Protection policies and how to secure management ports with Just In Time (JIT) access.
Identity Protection policies
Azure Active Directory Identity Protection includes three default policies that administrators can choose to enable. These policies offer limited customization but are applicable to most organizations, and all of them allow excluding users such as your emergency access or break-glass administrator accounts.
Azure MFA registration policy
Organizations may use Identity Protection to help them roll out Azure Multi-Factor Authentication (MFA) through a Conditional Access policy that requires registration at sign-in. Enabling this policy is a good way to ensure that new users in your organization register for MFA on their first day. Multi-factor authentication is also one of the self-remediation methods for risk events within Identity Protection.
Sign-in risk policy
Identity Protection analyzes signals from each sign-in, both in real time and offline, and calculates a risk score based on the probability that the sign-in was not performed by the user. Administrators can use this risk score to enforce organizational requirements: they can choose to block access, allow access, or allow access but require multi-factor authentication. If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event, which prevents unnecessary noise for administrators.
User risk policy
Identity Protection can evaluate a user’s behavior and base a risk decision on it. User risk is the calculated probability that an identity has been compromised. Administrators can use this risk score to enforce organizational requirements: they can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset. If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event, which prevents unnecessary noise for administrators.
Securing your management ports with just-in-time access
Using Azure Security Center’s just-in-time (JIT) virtual machine (VM) access feature, you can lock down inbound traffic to your Azure Virtual Machines. This reduces exposure to attacks while still providing easy access when you need to connect to a VM.
In this section you’ll learn how to:
- Firstly, enable JIT on your VMs. You can enable JIT with your own custom options for one or more VMs using Security Center, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters from Azure virtual machines. Once enabled, JIT locks down inbound traffic to your Azure VMs by creating a rule in your network security group.
- Secondly, request access to a VM that has JIT enabled. The aim of JIT is to ensure that even though your inbound traffic is locked down, Security Center still provides easy access for connecting to VMs when needed. You can request access to a JIT-enabled VM from Security Center, Azure virtual machines, PowerShell, or the REST API.
- Lastly, audit the activity. To ensure that VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.
Enabling JIT VM access
You can enable JIT VM access with your own custom options for one or more VMs using Security Center or programmatically, or enable JIT with default, hard-coded parameters from Azure Virtual machines. The available options are:
- Azure Security Center
- Azure virtual machines
- PowerShell
- REST API
Requesting access to a JIT-enabled VM
You can request access to a JIT-enabled VM from the Azure portal (in Security Center or Azure Virtual machines) or programmatically. The available options are:
- Azure Security Center
- Azure virtual machines
- PowerShell
- REST API
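The enable and request steps above carried out with the Az.Security PowerShell cmdlets, as an added example that is not part of the original article or of Microsoft's documentation. The subscription ID, resource group, VM name, location and admin source IP are placeholders; the policy restricts the allowed source prefix to one address instead of the default "any", and the access request opens a single port for one hour.

```powershell
# Added example: enable JIT on one VM, request a short access window, then
# read back the open requests. Requires the Az.Security module and a signed-in
# session (Install-Module Az.Security; Connect-AzAccount).

$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-jit-demo"                             # placeholder
$VmName         = "vm-mgmt-01"                              # placeholder
$Location       = "westeurope"                              # placeholder
$AdminSourceIp  = "203.0.113.10"                            # placeholder (TEST-NET-3)

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Enable JIT: declare which management ports may be opened on request,
#    from which source prefix, and for how long at most (ISO 8601 duration).
#    Security Center then adds the deny rules for these ports to the VM's NSG.
$JitPolicy = @{
    id    = $VmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @($AdminSourceIp); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @($AdminSourceIp); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($JitPolicy)

# 2. Request access: open only SSH, only from the admin's address, and only
#    until endTimeUtc (one hour from now, well under the 3-hour maximum).
$EndTimeUtc    = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$AccessRequest = @{
    id    = $VmId
    ports = @(
        @{ number = 22; endTimeUtc = $EndTimeUtc; allowedSourceAddressPrefix = @($AdminSourceIp) }
    )
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($AccessRequest)

# 3. Verify: list the requests currently recorded on the policy so you can
#    confirm exactly which port, source and expiry are open right now.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default").Requests
```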
Auditing JIT access activity in Security Center
You can gain insights into VM activities using log search. To view the logs:
- Firstly, from Just-in-time VM access, select the Configured tab.
- Secondly, for the VM that you want to audit, open the ellipsis menu at the end of the row.
- After that, select Activity Log from the menu.
- The activity log then provides a filtered view of previous operations for that VM, along with time, date, and subscription.
- Lastly, to download the log information, select Download as CSV.
Reference: Microsoft Documentation, Documentation 2