Keeping your Azure AD clean and healthy
In my previous post, we saw how easy it is to set up an Azure AD tenant; you can do it in literally less than a minute. But managing your tenant is an ongoing task. If you have a cloud-only environment, that might seem obvious, but even if you have a hybrid deployment, you need to be able to manage all your cloud-only user accounts, groups and attributes that do not exist in your on-prem AD. In either case, many of the tasks are the same as with Active Directory management. For instance, you need to be able to provision, re-provision and deprovision Azure AD accounts, as well as regularly look for inactive accounts so you can clean them up before they can be misused. You also need to be able to reset users’ passwords, and add, modify and remove specific attributes from Azure AD users.
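The inactive-account sweep mentioned above is the one routine check that is easy to script once you have a user export in hand. The following is an added example, not code from the original post and not a Quest product: it reads user records in the shape Microsoft Graph returns for a user's `signInActivity` (the `lastSignInDateTime` property), but every record below is constructed sample data, and the 90-day threshold is an assumed policy value.

```python
"""Flag inactive Azure AD accounts from an exported user list.

Added example. The record shape mirrors Microsoft Graph's user object with
signInActivity expanded, but all records here are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumption: timestamps are ISO 8601 UTC, as Graph emits them).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:15:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-02T17:40:00Z"}},
    {"userPrincipalName": "svc-legacy@contoso.example", "accountEnabled": True,
     "signInActivity": None},  # never signed in since sign-in tracking started
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-01-15T09:00:00Z"}},
]


def parse_graph_time(stamp):
    """Parse a Graph-style UTC timestamp ('...Z') into a timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_inactive_accounts(users, now, max_idle_days=90):
    """Return enabled accounts with no sign-in within max_idle_days of `now`.

    `now` may be an aware datetime or a Graph-style timestamp string.
    Accounts that have never signed in are reported with days_idle=None rather
    than silently dropped: they are the classic forgotten service or test
    account. Disabled accounts are skipped because they are already deprovisioned.
    """
    if isinstance(now, str):
        now = parse_graph_time(now)
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in users:
        if not user.get("accountEnabled", False):
            continue
        activity = user.get("signInActivity") or {}
        last = activity.get("lastSignInDateTime")
        if last is None:
            findings.append({"upn": user["userPrincipalName"], "days_idle": None})
            continue
        last_dt = parse_graph_time(last)
        if last_dt < cutoff:
            findings.append({"upn": user["userPrincipalName"],
                             "days_idle": (now - last_dt).days})
    # Never-signed-in accounts first, then longest idle first.
    return sorted(findings,
                  key=lambda f: (f["days_idle"] is not None, -(f["days_idle"] or 0)))


if __name__ == "__main__":
    for finding in find_inactive_accounts(SAMPLE_USERS, now="2024-06-01T00:00:00Z"):
        print(finding)
```

Run against a real export, the list this returns is the review queue: disable first, delete after the retention window, and treat the never-signed-in entries as the highest priority because nobody is watching them.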
Microsoft provides several tools to help you manage users and groups in Azure AD, including the Azure Active Directory Admin Console, which is available in the Azure Portal. However, you’ll have to manage your cloud resources separately from your on-prem resources, juggling different tools. There are no universal searches or alerts on object changes, which makes tasks more time consuming and increases the risk of failing to spot critical modifications in time to prevent a breach or other security incident.
Quest Active Administrator for Azure Active Directory overcomes the limitations of the native tools. IT administrators can manage hybrid environments from a single console, instead of having to constantly switch between different tools and try to make sense of multiple sets of data. You can perform universal searches for users, groups and objects from anywhere within the console. The solution even alerts you in real time when critical users, groups or other objects are modified so you can respond quickly to any inappropriate changes that might put your organization at risk. Plus, Active Administrator for Azure Active Directory is also ideal for cloud-based Active Directory service providers because it enables them to manage multi-tenant AD environments from a single console.
Like Active Directory, Azure AD offers security groups to simplify the job of managing users and permissions. Azure AD security groups grant access to resources such as Office 365 services, SharePoint sites and SaaS applications.
Microsoft also offers Office 365 groups, which are more complex. The group itself is nothing more than an Azure AD object that contains members. But when a group is created, the Office 365 service spins up resources in the associated Office 365 workloads, and members of the group automatically have permissions to access those resources. In particular, each Office 365 group has a shared mailbox and calendar. By default, anyone in the organization can create an Office 365 group. Plus, Office 365 groups are created automatically by various applications, such as Microsoft Teams, Yammer, SharePoint Online and Planner.
Unfortunately, there are few native management options, so Office 365 groups can quickly spiral out of control. For example, using native tools, there are two ways that administrators can review what Office 365 groups exist and who their members are — manual review through the admin portals or PowerShell scripts. Both of them involve substantial manual work, so they don’t scale to meet the needs of any but the smallest organizations. As a result, many organizations quickly end up with group sprawl. Sprawl leads to confusion and loss of productivity — for instance, your global address list (GAL) can grow so large that it’s hard for users to find the recipients they need. Even more important, group sprawl also increases security risks because you lose accountability; Office 365 groups give both insiders and outsiders access to critical corporate resources, but no one knows what groups there are or who has a legitimate need to be in each of them.
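Whichever of the two native routes you take to enumerate groups, the review itself comes down to a handful of questions per group: who owns it, is it still used, and who from outside the organization is in it. The following is an added example, not code from the original post and not Quest On Demand Group Management: it runs those checks over an exported group list in the shape of Microsoft Graph's group object (`groupTypes` contains `"Unified"` for an Office 365 group, members carry `userType`), with the assumption that owners and members were expanded into the export. All records are constructed sample data.

```python
"""Group hygiene report over an exported list of Azure AD groups.

Added example. Record shape follows Microsoft Graph's group object, but every
group, owner and member below is constructed sample data.
"""

SAMPLE_GROUPS = [
    {"id": "g-1", "displayName": "Finance Planning", "groupTypes": ["Unified"],
     "owners": ["alice@contoso.example"],
     "members": [{"upn": "alice@contoso.example", "userType": "Member"},
                 {"upn": "bob@contoso.example", "userType": "Member"}]},
    {"id": "g-2", "displayName": "Project Phoenix", "groupTypes": ["Unified"],
     "owners": [],  # orphaned: the creator left and nobody took over
     "members": [{"upn": "carol@contoso.example", "userType": "Member"},
                 {"upn": "vendor_ext#EXT#@contoso.example", "userType": "Guest"}]},
    {"id": "g-3", "displayName": "Test Team 2019", "groupTypes": ["Unified"],
     "owners": ["dan@contoso.example"], "members": []},
    {"id": "g-4", "displayName": "SG-Helpdesk", "groupTypes": [],  # plain security group
     "owners": [], "members": [{"upn": "erin@contoso.example", "userType": "Member"}]},
]


def is_office365_group(group):
    """Office 365 (Microsoft 365) groups are flagged by the 'Unified' group type."""
    return "Unified" in group.get("groupTypes", [])


def group_hygiene_report(groups):
    """Return (group id, check code, detail) findings for Office 365 groups.

    Checks: no_owner (no one accountable for membership), empty (likely
    abandoned, a candidate for expiration) and guest_members (outsiders with
    access to the group's mailbox, files and sites).
    """
    findings = []
    for group in groups:
        if not is_office365_group(group):
            continue  # security groups are reviewed under a separate process
        gid = group["id"]
        if not group.get("owners"):
            findings.append((gid, "no_owner", group["displayName"]))
        members = group.get("members", [])
        if not members:
            findings.append((gid, "empty", group["displayName"]))
        guests = [m["upn"] for m in members if m.get("userType") == "Guest"]
        if guests:
            findings.append((gid, "guest_members", ", ".join(guests)))
    return findings


if __name__ == "__main__":
    for gid, check, detail in group_hygiene_report(SAMPLE_GROUPS):
        print(f"{gid}\t{check}\t{detail}")
```

The guest check is the one that matters most for the accountability problem described above: an ownerless group with guest members is exactly the case where an outsider has access and nobody in the organization can say whether that is still legitimate.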
Quest On Demand Group Management is a simple and secure SaaS solution that enables you to manage Azure AD and Office 365 groups effectively. From a single console, you get full visibility into all the groups being created, modified and deleted, so you know exactly what’s out there. Moreover, it offers robust group creation policies that control the naming and expiration of groups, as well as automated attestation for regular validation of group membership. There’s even a self-service portal where users can review the group membership and request access to resources with friendly naming conventions.
Backup and recovery
Azure AD management also involves backup and recovery. User accounts and attributes that are synced by Azure AD Connect are covered by your on-prem backup and recovery solution. But as we’ve seen, you’ll also have cloud-only accounts, attributes and groups — if any of them are accidentally or deliberately deleted or modified, your on-prem solution won’t do you a lick of good.
What about native tools? Well, there is the Azure AD Recycle Bin. However, it was never intended to be an enterprise backup and recovery solution. For one thing, it keeps deleted objects for a maximum of 30 days, and once they’re gone, they’re gone forever. In addition, certain objects, including Azure AD groups and group membership, are not moved to the Recycle Bin when they are deleted. Moreover, even items that would normally go in the Recycle Bin can be hard-deleted, which means they never go into the Recycle Bin and therefore can’t be recovered from it.
Even if you’re lucky and none of these gotchas apply, you might still not be able to figure out exactly what you need to restore, since there is no Azure AD change log or comparison report to help you determine which Azure AD objects have been changed or deleted. Plus, there is no way to restore specific attributes that have been modified in a user object, no way to restore multiple users and attributes at one time without using PowerShell, and no way to restore objects across tenants.
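The missing piece the paragraph above describes, a comparison between what the tenant looked like and what it looks like now, is something you can produce yourself if you export cloud-only objects on a schedule. The following is an added example, not code from the original post and not Quest On Demand Recovery: it assumes two JSON exports of users keyed by object id (the immutable Graph `id`), finds deleted, added and modified objects, and builds the attribute-level body you would send to restore only the changed attributes of one object. Both snapshots are constructed sample data.

```python
"""Difference report between two snapshots of Azure AD user objects.

Added example. Assumes each snapshot is a dict of object id -> attributes
exported from the tenant (for instance via Microsoft Graph); both snapshots
below are constructed.
"""
import json

TRACKED_ATTRIBUTES = ("userPrincipalName", "displayName", "jobTitle",
                      "department", "accountEnabled", "proxyAddresses")

# Constructed snapshot taken yesterday.
SNAPSHOT_BEFORE = json.loads("""{
  "1111-aaaa": {"userPrincipalName": "alice@contoso.example", "displayName": "Alice Adams",
                "jobTitle": "Analyst", "department": "Finance", "accountEnabled": true,
                "proxyAddresses": ["SMTP:alice@contoso.example"]},
  "2222-bbbb": {"userPrincipalName": "bob@contoso.example", "displayName": "Bob Brown",
                "jobTitle": "Engineer", "department": "IT", "accountEnabled": true,
                "proxyAddresses": ["SMTP:bob@contoso.example"]},
  "3333-cccc": {"userPrincipalName": "carol@contoso.example", "displayName": "Carol Chen",
                "jobTitle": "Manager", "department": "Sales", "accountEnabled": true,
                "proxyAddresses": ["SMTP:carol@contoso.example"]}
}""")

# Constructed snapshot taken today: Bob's department and mail addresses changed,
# Carol was deleted, and Dan was added.
SNAPSHOT_AFTER = json.loads("""{
  "1111-aaaa": {"userPrincipalName": "alice@contoso.example", "displayName": "Alice Adams",
                "jobTitle": "Analyst", "department": "Finance", "accountEnabled": true,
                "proxyAddresses": ["SMTP:alice@contoso.example"]},
  "2222-bbbb": {"userPrincipalName": "bob@contoso.example", "displayName": "Bob Brown",
                "jobTitle": "Engineer", "department": "Security", "accountEnabled": true,
                "proxyAddresses": ["SMTP:bob@contoso.example", "smtp:bob.brown@contoso.example"]},
  "4444-dddd": {"userPrincipalName": "dan@contoso.example", "displayName": "Dan Diaz",
                "jobTitle": "Intern", "department": "IT", "accountEnabled": true,
                "proxyAddresses": ["SMTP:dan@contoso.example"]}
}""")


def diff_snapshots(before, after, tracked=TRACKED_ATTRIBUTES):
    """Compare two snapshots keyed by object id.

    Returns {'deleted': [ids], 'added': [ids], 'modified': {id: {attr: (old, new)}}}.
    Objects are matched on id, not on userPrincipalName, so a renamed account
    shows up as a modification rather than as a delete plus an add.
    """
    report = {"deleted": sorted(before.keys() - after.keys()),
              "added": sorted(after.keys() - before.keys()),
              "modified": {}}
    for oid in before.keys() & after.keys():
        changes = {}
        for attr in tracked:
            old, new = before[oid].get(attr), after[oid].get(attr)
            if old != new:
                changes[attr] = (old, new)
        if changes:
            report["modified"][oid] = changes
    return report


def rollback_body(before, oid, attrs):
    """Build the attribute patch that restores only `attrs` of one object from `before`.

    This is the granular roll-back: other attributes that legitimately changed
    since the snapshot are left alone. The result is the JSON body shape used to
    update a user's properties (assumption: sent as a PATCH to the user object).
    """
    return {attr: before[oid][attr] for attr in attrs}


if __name__ == "__main__":
    report = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(json.dumps(report, indent=2))
    # Undo only Bob's department change, keeping his new alias.
    print(rollback_body(SNAPSHOT_BEFORE, "2222-bbbb", ["department"]))
```

Keeping the snapshots for longer than the Recycle Bin's 30 days is what makes this useful: a deleted object that has already aged out of the Recycle Bin still has its full attribute set in the last snapshot that contained it.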
In my post on AD management in the “What is Active Directory?” series, I explained how Recovery Manager for Active Directory delivers reliable, automated backup and recovery for your on-premises AD environment. You didn’t think we’d forget about Azure AD, did you? No way. Our On Demand Recovery solution integrates with Recovery Manager to deliver a complete backup and recovery solution for hybrid environments: Recovery Manager covers the on-premises objects, including anything you sync to the cloud with Azure AD Connect, while On Demand Recovery covers the rest.
Even better, you can manage backup and recovery across your environment from a single dashboard: You can view both hybrid and cloud-only objects, run difference reports to determine exactly what changes or deletions occurred, restore objects and granularly roll back specific attributes in a given object. You can even recover multiple users, groups and group memberships in bulk without even one line of PowerShell scripting. Plus, you can choose the backup retention period that meets your security and compliance needs, instead of being constrained by Azure AD’s native limitations.
That’s it for Azure AD management! But be sure to read the next three blog posts in this “What is Azure AD?” series:
- Part 3: Azure AD security (coming soon)
- Part 4: Azure AD migration (coming soon)
- Part 5: Azure AD reporting (coming soon)