
RebelAdmin.com
The Tech Blog You Need. Hello, my name is Dishan. I'm a Technology Consultant at Frontier Technology Limited. I'm a dedicated and enthusiastic information technology expert who enjoys professional recognition and accreditation from several respected institutions. I have been maintaining this blog for the last 7 years, and it already includes more than 400 articles. These are mainly about Microsoft..
Last Updated on December 7, 2022 by Dishan M. Francis
In my previous blog post, I explained how we can automate the JML (Joiners/Movers/Leavers) process by using Microsoft Entra lifecycle workflows. You can access it at https://www.rebeladmin.com/2022/11/step-by-step-guide-automate-jmljoiners-movers-leavers-process-with-microsoft-entra-lifecycle-workflows/#more-6030 . In that article, I used the employeeHireDate Azure AD attribute value to trigger the workflow. At the moment this value cannot be set using the UI and can only be updated using MS Graph. After reading the article, a few readers came back to m ...
Last Updated on November 7, 2022 by Dishan M. Francis
The JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and efficiency. When a new employee joins the organization or an existing employee changes job role, if they do not have access to the relevant services/tools to start their job, it is just a waste of resources. Also, when someone leaves the company, their access permissions to data/services should be revoked and their accounts should be disabled. If not, it creates a security risk. As we can see, it's quite important to make sure organizations have robust, practical ...
Last Updated on July 3, 2022 by Dishan M. Francis
MDI sensor installation is Part 05 of the Microsoft Defender for Identity blog series. So far we have learned the following about MDI:
Part 01 – MDI Overview
Part 02 – Create Directory Service Account
Part 03 – Collect Windows Events
Part 04 – Network Requirements
In this blog post, I am going to demonstrate how to enable an MDI instance and then install the first MDI sensor in the environment. Before we go into the deployment, we need to make sure we have the following in place:
Prerequisites
1) Global Administrator or Security Administrator ac ...
Last Updated on June 16, 2022 by Dishan M. Francis
This is Part 04 of the Microsoft Defender for Identity blog series, and so far in this series we have learned about the following:
Part 01 – MDI Overview
Part 02 – Create Directory Service Account
Part 03 – Collect Windows Events
This is the last blog post covering MDI prerequisites. The rest of the blog posts in the series will cover the operational side of MDI.
Microsoft Defender for Identity sensors are responsible for collecting data from devices in the network and then reporting back to the Microsoft Defender for Identity cloud service ...
Last Updated on June 8, 2022 by Dishan M. Francis
Azure Bastion is a PaaS service that provides seamless RDP/SSH connectivity to virtual machines via the Azure portal. When we use Azure Bastion, virtual machines do not require a public IP address to connect, even if the VM is in a different VNET (same or different subscription). As long as the Azure Bastion subnet can reach the remote network (via VNET peering, VPN), we can use the Azure Bastion service to connect. Azure Bastion now supports IP-based connectivity to on-premises, Azure, and non-Azure virtual machines. It means as long as Azure Bastion can ...
Last Updated on May 31, 2022 by Dishan M. Francis
This is Part 03 of the Microsoft Defender for Identity blog series, and so far in this series we have learned about:
Part 01 – MDI Overview
Part 02 – Create Directory Service Account
Similar to Part 02, in this blog post I am going to talk about another MDI prerequisite. MDI collects information from Windows Event logs to enrich the content of findings. Domain controllers do not collect these specific events by default, and we need to enable Advanced Audit Policy settings using a group policy to enable the relevant event collection.
MDI is i ...
Last Updated on May 23, 2022 by Dishan M. Francis
In Part 01 of the Microsoft Defender for Identity blog series, I explained Microsoft Defender for Identity and its benefits. I also talked about the prerequisites. In that list, I mentioned that we require a Directory Service Account (DSA) to connect to the Active Directory forest.
There are two types of DSAs we can use for this task.
1) Regular Active Directory user account
2) Group Managed Service Account (gMSA)
Of the above, the regular user account is the easiest to set up, but it requires managing the password manually. Even though this accou ...
Last Updated on May 16, 2022 by Dishan M. Francis
In an organization, users require access to many different groups, applications, and sites to do their day-to-day tasks. Sometimes there can be external organizations that also require access to these various resources. As access requirements change frequently, it is quite challenging for IT administrators to manage access. As a solution to this problem, we can use Azure AD access packages to govern access for internal users as well as external users. Each access package can contain applications and permissions required to perform specif ...
Last Updated on January 24, 2022 by Dishan M. Francis
In my previous blog post, I explained how we can collect custom attribute values by using Azure AD user flows. We had custom attributes set up in Azure AD, and when a guest user accesses an application for the first time, the values for these custom attributes are collected by using user flows. The Azure AD entitlement management feature handles identity governance by allowing organizations to manage the identity and access life cycle with the help of access packages, workflows, and reviews. In one of my previous blog posts, I have talked abou ...
Last Updated on January 9, 2022 by Dishan M. Francis
Attributes can describe an object more precisely. Active Directory object types have predefined attributes which can be used to store values and query them later when required. The Active Directory schema also accepts custom attributes. Based on business requirements, organizations will sometimes have to introduce custom attributes to object classes. On most occasions, this is related to application integration requirements with Active Directory. If it's a hybrid environment, it may also require syncing these custom attribute values with Azure AD. In ...