Getting the best out of Azure AD


I spent some time with a customer yesterday who had a particular requirement around securing access to Office 365. After a quick discussion it emerged they had paid for Azure AD Premium (via EMS licensing) but weren't using key features that would help address their requirement. After 10 mins of walking through Azure AD features we looked at Conditional Access and discussed what policy to deploy to meet their requirement. This got me thinking... what "no brainer" Azure AD features would I recommend customers deploy\use straight away?

This is my top 5 list. (Some features only require a single Azure AD Premium license, some require all users to be licensed and some require a small number of licenses.)

1. Enable Azure AD Privileged Identity Management (PIM) - You only need Azure AD P2 licenses assigned to administrators to use this. PIM adds a change control\approval process to the use of Azure AD\Azure admin accounts to provide "Just in Time" access. It achieves this by converting the type of your Azure AD admin roles from "permanent" to "eligible". This allows your organisation to approve (or deny) requests for administration rights for "eligible" administrators as and when they are needed. It is a very important tool to further protect the most important accounts in Azure AD. PIM controls the who, when and for how long; you still need to control the what. The principles of "least privilege" still apply and regular reviews of administrators' access need to be performed. Azure\Office 365\Azure AD have extensive RBAC models but it is easy to create custom roles to ensure that the bare minimum is granted to an administrator. PIM and "Access Reviews" help you determine what administration roles have access to and when the access has been used, and you should perform regular reviews of what administration rights an individual should have.

2. Configure Azure AD Conditional Access - This functionality is included with Azure AD Premium and licensed on a per-user basis (if you have EMS licensing then you are likely covered for those users). Conditional Access gives you the ability to allow\deny access, or potentially step up authentication, based on the following parameters. (In my customer's scenario we were able to set up a policy and apply it to test users within minutes.)

  • Group membership - Allow users to access a resource if they are a member of a group.
  • Location - Allow or Deny users based on the location from which they are trying to access resources (IP\Country based).
  • Device Platform - Allow or Deny users to access a resource based on the OS of the device they are trying to access from.
  • Device State - The ability to enable\disable a device and include the state of the device in the authorisation decision, e.g. require that users accessing Exchange from a browser on an unknown device perform MFA.
  • Sign-in and user risk - Advanced protection to determine the risk of the access request, e.g. a user is attempting to log on from the USA and had previously logged on from the UK 5 mins earlier (available with Azure Identity Protection - P2).

3. Enable Azure MFA - Having MFA enabled is obviously a good idea. If you have Azure AD Premium for your users then you are able to enable them for MFA and use Conditional Access to determine when it should be invoked, e.g. the user is on an unknown device, or based on location, risk level etc. In particular I would recommend the following as a minimum.

  • MFA for administrators is a must have. If you don't have Azure AD Premium for your users but do have Office 365 E3 licensing then you do have MFA licences for Azure administrators.
  • Enroll your users in MFA (MFA Registration Policy provided with Azure AD Identity Protection - P2) even if you don't plan to enforce MFA yet. The reason is that if you need to react to an event then MFA is a great tool to step up security, and having users already enrolled means that you can do this quickly.

4. Enable Azure Connect Health - AADConnect is an integral part of an organisation's identity management. Azure AD is the identity platform for Azure, Office 365 and potentially lots of your 3rd party SaaS applications. The health of these services is very important, and when it comes to identity it's important that users are provisioned, de-provisioned and able to log on in a secure and reliable fashion. Azure Connect Health monitors your AADConnect and AD FS services and reports errors to you. Accessing the Sync Error Report doesn't require an Azure AD Premium license but you do need AAD Premium licenses for the Azure Connect Health agents you deploy. It's a great tool to provide visibility of a key part of your identity management infrastructure.

5. Use Azure AD Reporting - Reporting comes with all editions of Azure AD and it's a valuable feature to gain insight into what is happening with Azure AD users and a place to review the Security\Auditing that is provided with the service. The level of security reporting depends on the licensing you have. It's broken down into 3 types:

  • With Azure Active Directory Free and Basic editions, you already get a list of users flagged for risk and risky sign-ins.
  • Azure Active Directory Premium 1 edition extends this model by also enabling you to examine some of the underlying risk events that have been detected for each report.
  • Azure Active Directory Premium 2 edition provides you with the most detailed information about the underlying risk events and it also enables you to configure security policies that automatically respond to configured risk levels.
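
The "MFA for administrators is a must have" minimum from items 2 and 3 can be checked against an export of your Conditional Access policies. The following is an added example, not part of the original post or any Microsoft tooling: the field names follow the Microsoft Graph conditionalAccessPolicy JSON shape, while the role identifiers and the three policies are constructed placeholders.

```python
# Added example: audit exported Conditional Access policies for admin MFA coverage.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# role IDs and policies below are constructed placeholders, not real tenant data.
ADMIN_ROLES = {"role-global-admin", "role-exchange-admin", "role-security-admin"}

def _policy(name, state, roles, controls, operator="OR"):
    """Build a constructed policy in the Graph JSON shape."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeRoles": roles, "excludeRoles": []},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [  # constructed sample input
    _policy("Global admins - require MFA", "enabled", ["role-global-admin"], ["mfa"]),
    _policy("Exchange admins - MFA or compliant device", "enabled",
            ["role-exchange-admin"], ["mfa", "compliantDevice"]),
    _policy("Security admins - MFA pilot", "enabledForReportingButNotEnforced",
            ["role-security-admin"], ["mfa"]),
]

def enforces_mfa(policy):
    """True only if the policy is enforced and MFA cannot be swapped for another control."""
    if policy.get("state") != "enabled":  # report-only and disabled policies do not enforce
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR, any other listed control satisfies the policy instead of MFA.
    return "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])

def covers_all_apps(policy):
    """True if the policy applies to every cloud app with no exclusions."""
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", []) and not apps.get("excludeApplications")

def uncovered_admin_roles(policies, admin_roles):
    """Return admin roles with no enforced, all-apps, MFA-required policy.
    User/group exclusions and location or platform conditions are not evaluated here."""
    covered = set()
    for p in policies:
        if not (enforces_mfa(p) and covers_all_apps(p)):
            continue
        users = p.get("conditions", {}).get("users", {})
        included = set(users.get("includeRoles", []))
        if "All" in users.get("includeUsers", []):  # an all-users policy covers every role
            included |= set(admin_roles)
        covered |= included - set(users.get("excludeRoles", []))
    return set(admin_roles) - covered

if __name__ == "__main__":
    print(sorted(uncovered_admin_roles(SAMPLE_POLICIES, ADMIN_ROLES)))
```

A role reported here is either covered only by a report-only policy or by one where another grant control can stand in for MFA; both leave the administrator able to sign in without a second factor.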

Hope this helps and if you have Azure AD Premium licensing then make use of these great features, it's good stuff 🙂

MD (@Dudders1)


Comments (2)

  1. Are you sure about that:
    This feature doesn’t require an Azure AD Premium license and its a great tool to provide visibility of a key part of your identity management infrastructure.

    Q: How many licenses do I need to monitor my infrastructure?

    Please read and confirm.


    1. Hi Carlos, apologies for the confusion. You don’t need an AAD Premium license to view the Sync error report (see here) but you are correct on the licensing of the agent. Have amended and thanks for bringing it to my attention.
