Microsoft Previews Delegated App Management for Azure Active Directory -- Redmondmag.com

Microsoft Previews Delegated App Management for Azure Active Directory

By Kurt Mackie
06/15/2018

Microsoft issued a few Azure Active Directory previews this month, adding role-based access control (RBAC) improvements and the ability to block so-called "legacy" or older authentication approaches.

On the RBAC side, Azure AD now has "delegated app management roles," available at the preview stage," which lets IT departments assign a lesser role to personnel than a Global Administrator for managing enterprise applications, according to a Wednesday Microsoft announcement. Instead, IT personnel can be assigned to an Application Administrator role or a Cloud Application Administrator role. The assignments get made using the Azure AD Portal or Azure AD Privileged Identity Management.

Here are Microsoft's descriptions of those two app management roles:

Application Administrator: This role provides the ability to manage all applications in the directory, including registrations, SSO [single sign-on] settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access
Cloud Application Administrator: This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access)

It's also possible to assign "ownership" of individual enterprise applications to specific IT personnel with the new preview. There's a new Enterprise Application Owner role for the purpose, which can be assigned using the Azure AD Portal.

An Enterprise Application Owner can "manage 'owned' enterprise applications, including SSO settings, user and group assignments, and adding additional owners," Microsoft explained. The ability to manage Application Proxy settings or conditional access isn't available to Enterprise Application Owners.

There's also a new Application Developer role, which gets assigned through the Azure AD Portal or Azure AD Privileged Identity Management. Microsoft explained that all users can "create application registrations" by default, unless the default setting is set to "No." In such cases, the Application Developer then has the power to create application registrations.

Blocking Legacy Authentications
Azure AD Conditional Access now has support, at the preview stage, for blocking legacy authentications, Microsoft announced, in a June 7 announcement.

The problem with these older authentication methods is that they don't have "support for interactive sign-in," Microsoft explained. The interactive sign-in capability is needed for schemes like multifactor authentication, where a secondary identity check gets imposed on top of a password before granting access to end users. Older Office clients (such as Office 2010) and clients that use "mail protocols such as IMAP/SMTP/POP" are considered to be using legacy authentications.

The reason to block legacy authentications is because they are targeted for attack, according to Alex Simons, director of program management for the Microsoft Identity Division.

"Attackers strongly prefer these protocols -- in fact, nearly 100% of password spray attacks use legacy authentication protocols," he said, in the announcement.

A password spray attack is an attack method for finding weak links in an organization by trying commonly used passwords (such as "password").

Password Protection for Windows Server AD
Microsoft this week announced a preview of Azure Active Directory Password Protection. It adds protections in the Azure AD Portal against setting weak passwords. It's for organizations using Azure AD and Windows Server AD on premises.

Azure Active Directory Password Protection checks for weak or leaked passwords, and it works across "all password set and reset operations," the announcement explained. It also has support for a PowerShell cmdlet that can be run to assess password quality.

Azure Active Directory Password Protection works with Windows Server versions all of the way back to Windows Server 2012. It can be downloaded at this page.

In other Azure AD news, Aaron Guilmette, a senior consultant at Microsoft, has updated his Azure AD Connect Network and Name Resolution Prerequisites Test tool. It's used to test local server connectivity to Office 365 before using Azure AD Connect. Azure AD Connect is Microsoft's wizard-like tool for setting up Azure AD connections. He's also built an Azure AD Connect Advance Permissions tool.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.