Microsoft Previews Delegated App Management for Azure Active Directory

Microsoft issued a few Azure Active Directory previews this month, adding role-based access control (RBAC) improvements and the ability to block so-called "legacy" or older authentication approaches.

On the RBAC side, Azure AD now has "delegated app management roles," available at the preview stage, which let IT departments assign personnel a lesser role than Global Administrator for managing enterprise applications, according to a Wednesday Microsoft announcement. Instead, IT personnel can be assigned to an Application Administrator role or a Cloud Application Administrator role. The assignments get made using the Azure AD Portal or Azure AD Privileged Identity Management.

Here are Microsoft's descriptions of those two app management roles:

  • Application Administrator: This role provides the ability to manage all applications in the directory, including registrations, SSO [single sign-on] settings, user and group assignments and licensing, Application Proxy settings, and consent. It does not grant the ability to manage conditional access
  • Cloud Application Administrator: This role grants all the abilities of the Application Administrator, except it does not grant access to Application Proxy settings (no on-premises access)

It's also possible to assign "ownership" of individual enterprise applications to specific IT personnel with the new preview. There's a new Enterprise Application Owner role for the purpose, which can be assigned using the Azure AD Portal.

An Enterprise Application Owner can "manage 'owned' enterprise applications, including SSO settings, user and group assignments, and adding additional owners," Microsoft explained. The ability to manage Application Proxy settings or conditional access isn't available to Enterprise Application Owners.

There's also a new Application Developer role, which gets assigned through the Azure AD Portal or Azure AD Privileged Identity Management. Microsoft explained that all users can "create application registrations" by default, unless the default setting is set to "No." In such cases, the Application Developer then has the power to create application registrations.

Blocking Legacy Authentications
Azure AD Conditional Access now has support, at the preview stage, for blocking legacy authentications, Microsoft said in a June 7 announcement.

The problem with these older authentication methods is that they don't have "support for interactive sign-in," Microsoft explained. The interactive sign-in capability is needed for schemes like multifactor authentication, where a secondary identity check gets imposed on top of a password before granting access to end users. Older Office clients (such as Office 2010) and clients that use "mail protocols such as IMAP/SMTP/POP" are considered to be using legacy authentications.

The reason to block legacy authentications is that they are targeted for attack, according to Alex Simons, director of program management for the Microsoft Identity Division.

"Attackers strongly prefer these protocols -- in fact, nearly 100% of password spray attacks use legacy authentication protocols," he said, in the announcement.

A password spray attack is a method for finding weak links in an organization by trying commonly used passwords (such as "password").

Password Protection for Windows Server AD
Microsoft this week announced a preview of Azure Active Directory Password Protection. It adds protections in the Azure AD Portal against setting weak passwords. It's for organizations using Azure AD and Windows Server AD on premises.

Azure Active Directory Password Protection checks for weak or leaked passwords, and it works across "all password set and reset operations," the announcement explained. It also has support for a PowerShell cmdlet that can be run to assess password quality.

Azure Active Directory Password Protection works with Windows Server versions all the way back to Windows Server 2012. It can be downloaded at this page.

In other Azure AD news, Aaron Guilmette, a senior consultant at Microsoft, has updated his Azure AD Connect Network and Name Resolution Prerequisites Test tool. It's used to test local server connectivity to Office 365 before using Azure AD Connect. Azure AD Connect is Microsoft's wizard-like tool for setting up Azure AD connections. He's also built an Azure AD Connect Advance Permissions tool.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

