Best way to synch AD with IBM Tivoli access manager - azure-active-directory

We have an AD in MS AZURE cloud and IBM Access Manager in our in house datacenter.
I like to know what is the best way to synch users between these 2 system?
But that I mean, user will be added to AD in cloud. at the same time I want the same user to be added in Tivoli Access Manager. I am looking for the best approach
Thanks

Microsoft Azure Active Directory Adapter is an interface between a managed resource and the IBM® Security Identity server. The Microsoft Azure Active Directory (Azure Active Directory Adapter) uses the Tivoli® Directory Integrator functions to facilitate communication between the IBM Security Identity server and Microsoft Azure Active Directory (Azure Active Directory).
Adapters can be installed on the managed resource. The IBM Security Identity server manages access to the resource by using the security system. Adapters function as trusted virtual administrators on the target operating system. The adapter creates, suspends, restores user accounts, and other functions that administrators run manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity server.
The adapter automates several administrative and management tasks.
You can use the adapter to automate the following tasks:
Create, modify, suspend, restore, change password, and delete a user.
Create, modify, and delete group.
Reconcile user and user attributes.
Reconcile group and group attributes.
Reference - IBM Security Identity Manager: Microsoft Azure Active Directory Adapter Installation and Configuration Guide

Related

Azure Active Directory Integrated Authentication with SQL

I'm quite new to the Azure AD. So I will be grateful for any hint.
I need to enable members of a given domain (of a given Active Directory) to log in to Azure SQL Server using Azure Active Directory - Integrated Authentication.
So far I've logged into Windows and connected it to Azure Acticve Directory in Windows Setting.
Looking through the documentation, I understand that I need to select one of the authentication methods proposed by Microsoft within Azure Active Directory. The easiest seems to be Password hash synchronization. So I would like to pick this one (But if others are simpliest I am open to change that choice)
What is the easiest way to synchronise this? Can I avoid having to create a Windows Server VM and install Azure AD Connect there?
The current configuration of AD Connect on Azure Portal looks as follows:
To mention it again, the only service I care about is logging in via Azure Active Directory
I apologise if the whole question has been wrongly structured, but it is simply based on what I have found on the forums and in the documentation.
Thanks in advance for any tips
[for example: https://youtu.be/PyeAC85Gm7w?t=565, https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#using-an-azure-ad-identity-to-connect-using-ssms-or-ssdt, https://techcommunity.microsoft.com/t5/azure-sql-blog/azure-ad-pass-through-and-password-hash-authentication-support/ba-p/1269735]
You don't need Azure AD Connect or password hash sync unless you have an on-premise Windows Server AD that you want to sync to Azure AD. Should note that AD is not the same as Azure AD. You don't need Windows Server AD with Azure SQL, just Azure AD. To grant a certain security group access to the server, you can run CREATE USER [group-name-here] FROM EXTERNAL PROVIDER; in the Azure SQL DB. Then you can use standard SQL stuff to grant that "user" access to the DB/tables.
Users should then use Azure Active Directory - Universal with MFA as the authentication method in SQL Server Management Studio.

Identity authentication over smb for Azure file share

I have mounted an azure file share on an azure VM using access keys ,the VM is not doman joined with the azure active directory instance.Please let me know if below scenario's will work out:-
If i apply acl's on the folders and sub folders will the acl's be
enforced in the mounted drive on the VM?
Will AZURE RBAC apply if someone tries to upload a file from the VM?
Note:- The Azure VM is on a VNET which has access to azure active directory.
Any information/answer/suggestion on the above questions would be greatly appreciated.
ACLs can exist for domain or non-domain accounts. Having a machine that is not domain joined, can obviously not set domain ACLs. So in that case local-server ACLs is all you can hope to get.
If another server mounts the share, and there is not another local user account + SID mapping, then there is no way these ACLs have any meaning on the second machine. But they will be enforced.
So that one will work albeit questionable in terms of usefulness.
RBAC is really a management plane construct. Meant to govern who can manage which Azure resource --> not access which data planes. Now in the case of AD / AAD DS support for Azure file shares, the team has decided to "stretch" the meaning of RBAC to govern share-level ACLs via Kerberos (where normal RBAC is OAuth only!)
Enough of the backend: What this basically means, is that there can be no support for local server accounts.
THese accounts only exist on a local server, not in AAD and certainly not DIRSYNC'ed from on-prem AD into AAD. So that means RBAC cannot work for local accounts, only for domain accounts.
I'm unclear what your scenario is.
A user coming into the server with some sort of local user credential?
Then creating/copying a file into a mounted Azure file share to that VM? --> That can work because there is no RBAC and since this is all happening through that single server that has that local user account, ACLs for these local accounts work natively.
A user coming into the server with a domain cred? --> will not work as the server isn't domain joined.
A user coming in with a local-server account and then using the Azure file share not via SMB mount but by going to the Azur file share directly: Cannot work because it's not a domain account and non-dimain accounts cannot work against Azure file shares. You'd use the srtorage access key to mount the file share to the VM, then you have access and leave auth. to the server with the set of local accounts.
Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:
Select or create an Azure AD tenant.
You can use a new or existing tenant for Azure AD authentication over SMB. The tenant and the file share that you want to access must be associated with the same subscription.
To create a new Azure AD tenant, you can Add an Azure AD tenant and an Azure AD subscription. If you have an existing Azure AD tenant but want to create a new tenant for use with Azure file shares, see Create an Azure Active Directory tenant.
Enable Azure AD Domain Services on the Azure AD tenant.
To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant. If you aren't the administrator of the Azure AD tenant, contact the administrator and follow the step-by-step guidance to Enable Azure Active Directory Domain Services using the Azure portal.
It typically takes about 15 minutes for an Azure AD DS deployment to complete. Verify that the health status of Azure AD DS shows Running, with password hash synchronization enabled, before proceeding to the next step.
Domain-join an Azure VM with Azure AD DS.
To access a file share by using Azure AD credentials from a VM, your VM must be domain-joined to Azure AD DS. For more information about how to domain-join a VM, see Join a Windows Server virtual machine to a managed domain.
Note:Azure AD DS authentication over SMB with Azure file shares is supported only on Azure VMs running on OS versions above Windows 7 or Windows Server 2008 R2.
Select or create an Azure file share.
Select a new or existing file share that's associated with the same subscription as your Azure AD tenant. For information about creating a new file share, see Create a file share in Azure Files. For optimal performance, we recommend that your file share be in the same region as the VM from which you plan to access the share.
Verify Azure Files connectivity by mounting Azure file shares using your storage account key.
To verify that your VM and file share are properly configured, try mounting the file share using your storage account key. For more information, see Mount an Azure file share and access the share in Windows.

Limit sql azure access from an azure web app

How can I limit the permissions of an Azure SQL database when accessed from an Azure web app?
Details - I am working with an Azure SQL database and creating an ASP.NET Core web app. In the web app I have put a connection string that points to the Azure SQL database. The connection string includes the server admin username and password of the Azure SQL server. The web app successfully communicates with the database and can read and write data. Now, as a safety precaution, I would like to prevent the web app from ever deleting a database table (whether this be due to a mistake in the code, or a malicious SQL injection performed on the web app). How can I set permissions on the Azure SQL database to disallow table deletions from the web app?
I have heard of Azure Active Directory; I have never used it but I gather that it is an approach to manage identities and permissions of database users. Is there something similar to manage the permission of a web app rather than a user. Or is it possible to treat the web app as a user and assign user permissions/roles to it? If so, what would be the correct approach to implement this?
(Also, while we are on the subject, aside from preventing table deletions are there some other CRUD operations that you would recommend preventing from a security perspective as a best practice?)
As Dbro said, we suggest you create a new login and user to limit the permissions of an Azure SQL database when accessed from an Azure web app.
Replace the app connection string with the new Non-administrator username and password.
And we all know, no matter which way we access or connect to the Azure SQL database, we must through the SQL account, Server administrator or new Non-administrator.
Different Azure SQL account has different permission on database operation CURD.
Fore more details, please reference Azure document Controlling and granting database access to SQL Database and SQL Data Warehouse.
When a new user you created, you can decided which database permissions to grant for the user. Please see: GRANT Database Permissions (Transact-SQL)
For security, Azure also provides the Azure Key Vault for you. To see: Always Encrypted: Protect sensitive data and store encryption keys in Azure Key Vault:
Summary:
Always Encrypted is a new data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use. Always Encrypted ensures that sensitive data never appears as plaintext inside the database system. After you configure data encryption, only client applications or app servers that have access to the keys can access plaintext data.
Hope this helps.
Is there something similar to manage the permission of a web app rather than a user.
Yes. It's called Managed Identities. Azure will provision an identity in your Azure Active Directory, and ensure that only code running in your Application can generate tokens for that identity. This gives you the ability to authenticate and connect to SQL Server (and other Azure Resources) without having a username/password or a client secret in your code or configuration.
See:
Azure AD managed identities for Azure resources
Managed identities for Azure resources provides Azure services with an
automatically managed identity in Azure Active Directory (Azure AD).
You can use this identity to authenticate to any service that supports
Azure AD authentication without having any credentials in your code.
Learn how to create and manage managed identities for Azure resources
with our quickstarts and tutorials.
And: Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
are there some other CRUD operations that you would recommend preventing from a security perspective as a best practice
You should create a database role that has the minimal permissions required to run the application, and add your application user(s) to that role. The permissions needed will, of course, depend on what your application does, but the role might look something like this:
create role ApplicationUser
grant select,insert,update,delete,execute on schema::dbo to ApplicationUser
deny delete on AuditLog to ApplicationUser
(In SQL Server a DENY overrides any GRANTs and so you can grant permissions at the schema-level, and selectively DENY permissions at the object level)

Sync Office 365 (AAD) with NEW on premise Active Directory

My small company (about 100 users) is currently using Office 365. There have previously not been any domain controller. I am building an on premise domain controller and want to sync it with Azure Active Directory (Office 365). I used the sync service, with a small subset of users to no avail.
My main question: Can you sync FROM an Azure Active Directory to a new on premise Active Directory? My understanding is that it's the opposite - the on premise Active Directory is the "master" if you will. Is there a way to set it up the opposite? As in, Office 365 being the "master" or "seed" for an on premise?
At present, the Azure AD connect support the Password writeback, Group writeback and Device writeback.
You can refer the options features of Azure AD Connect from here.
At this point in time, synchronizing users FROM Azure AD to on-premises AD is NOT possible.
As Fei Xue pointed out, there are certain things (such as user passwords, groups and devices) that can be synchronized back to on-prem AD, but not users.
Depending on what you are trying to achieve, Azure Active Directory DS might be worth exploring as it allows you to create a VNet in Azure which has a AD-like support (LDAP, Active Directory domain join, NTLM, and Kerberos authentication).
More info on Azure AD DS: https://azure.microsoft.com/en-us/services/active-directory-ds/

CDH Security using Kerberos and Microsoft Active Directory

I'm trying to secure my CDH cluster using Kerberos but I want to use the user info that I have in my Microsoft Active Directory.
Is there a way to use MS AD as Kerberos user lookup source?
Yes, MS AD is actually an umbrella set of technologies working together to provide enterprise directory services. The big four, as I call them, are Kerberos, LDAP, DNS and Group Policy. Each MS AD domain controller runs a Kerberos KDC, which is a database of user, service, and computer principals.

Resources