Microsoft Brings Identity Protection Service to Azure Active Directory

Microsoft continues to enhance its cloud Active Directory platform to give customers incentives to migrate their directories from on-premises AD to the cloud.  The latest service to be added to Azure AD is a new Identity Protection service.

Azure AD Identity Protection is now available in preview.  It uses machine learning to look for anomalies, intrusions and compromised accounts in order to detect cyber attacks proactively.

At Microsoft, we enjoy a unique advantage here because we run many of the world’s largest cloud services, including Outlook.com, Xbox Live, Office 365 and Azure and they generate an incredible amount of data. And we put this data to good use! Every day our ML system processes >10 terabytes of data, including information on over 14B logins from nearly 1B users. These login signals are combined with data feeds from Microsoft’s Digital Crimes Unit and Microsoft Security Response Center, phishing attack data from Outlook.com and Exchange Online as well as information we acquire from partnering with law enforcement, academia, security researchers, and industry partners around the world.

Azure AD Identity Protection notifies admins of detected attack attempts, risky sign-ins and configuration vulnerabilities.


Azure SQL Now Supports Azure AD Authentication in Preview

Microsoft has just released a new feature for Azure SQL that allows you to manage your users’ access via Azure Active Directory.  Previously, authentication was limited to SQL authentication.

This provides an enterprise class method for managing users and providing them access to your Azure SQL database.

[Diagram: Azure AD authentication to Azure SQL]

The details for setting this up can be found here.


Microsoft is Consolidating Microsoft Account and Azure AD Authentication Models

In the current Microsoft cloud world, there are two core identity management systems: 1) the Microsoft account and 2) the Azure AD account.  As a user, you are continually asked to choose whether you are a business user or a personal user, and then you log in using one of these two paths.

For developers building applications against these identity stores, there are two separate APIs to contend with to authenticate the user, enforcing the same forking of the authentication workflow and making it more complex to build applications.

Microsoft has announced that they are working on a consolidated authentication flow that will provide a single user experience and a single API for developers.  The App Model v2.0 is now in preview.


Instead of forcing the user to tell us what type of account they are using, the API will figure it out under the covers and authenticate using either account type in a single flow.  In addition, the API for authenticating either Microsoft personal accounts or Azure AD accounts will be the same, making it easier for developers to build external applications that use these accounts as identities.


Admin Security Reviews Come to Azure AD Premium in Preview

Admin accounts expose enterprise organizations to significant risk because they have access to potentially hundreds of services, accounts and settings that, if compromised, could wreak havoc on the organization’s overall security.  As part of an overall enterprise security program, validating these accounts to ensure they are still active and being used by the right people keeps the threat to these accounts to a minimum.

Microsoft has now introduced a new “Security review” process as part of Azure AD Premium (which is itself part of the Microsoft Enterprise Mobility Suite bundle) that allows the security administrator to validate administrator accounts through the following process:

  • Security administrator picks a privileged role, such as Global Administrator, where they believe administrators might still be holding that role who no longer need it.
  • Azure AD sends each user in that role a notification, and they respond in the Azure portal whether or not they still need that role.
  • The security administrator reviews the results to decide who to remove from the role.

The security review process is in addition to the existing features of the Privileged Identity Management service, which gives global administrators the ability to:

  • Discover and monitor privileged roles. The Azure AD PIM Dashboard gives you visibility into and tracking of users with privileged roles.
  • Automatically restrict the time that users have these privileged permissions through on-demand “just in time (JIT)” activation of permissions for pre-configured time windows.
  • Monitor and track privileged operations for audit purposes or security incident forensics.


Pushing Data into Power BI Preview Using the New REST API – Part 1

Microsoft has just published a new REST API for Power BI Preview that allows you to push data into cloud-based datasets sitting in their cloud environment.  Over the weekend, I put together some test code to explore the possibilities of the new API.  (You can find the sample code here on GitHub.)  The REST API is still quite limited in its abilities but supports a key scenario for the new Power BI Preview service: pushing data into Power BI Preview in real time.

Getting Started

In order to access the Power BI Preview REST API, you will need to authenticate your application and your user identity through Azure Active Directory.  The way you do this is to set up an Azure AD tenant and create a profile for your application under Configuration.


The client id is a key supplied by Azure that you include when you pass in credentials from your application.  The Redirect URI is the page for logging into Azure AD: for a console app this should be https://login.live.com/oauth20_desktop.srf, and for a web application it should be the page you create to receive the token that Azure AD generates when you authenticate.  The page needs to be registered here and needs to match what is passed in along with the authentication request.

You also need to grant permissions to the Power BI Service in order to use the REST API to push data.

Now that this is configured you can start building an application.

Scenario #1: Building a Basic Console Application

My first attempt was to build a basic console application that created a test dataset and pushed in some data.  In building this application, I also built a PowerBIDataTransferService class that manages the various interactions with the REST API.  I can use the same class with the second scenario below.

The Power BI Preview API is entirely JSON and HTTP based: you send in commands with JSON data as part of your HTTP call, and Power BI Preview responds with an HTTP response, typically with JSON data included in the response.

Logging into Power BI REST API

The first step is to log in.  The login method looks like this:

```csharp
public void Login()
{
    // Create a new AuthenticationContext, passing an Authority.
    AuthenticationContext authContext = new AuthenticationContext(authority);

    // Get an Azure Active Directory token by calling AcquireToken.
    if (!string.IsNullOrEmpty(Username))
    {
        // Username and password supplied directly: the app itself sends the credentials to Azure AD.
        UserCredential user = new UserCredential(Username, Password);
        token = authContext.AcquireToken(resourceUri, clientID, user).AccessToken;
    }
    else
    {
        // No credentials supplied: ADAL prompts the user to log in via the registered redirect URI.
        token = authContext.AcquireToken(resourceUri, clientID, new Uri(redirectURI)).AccessToken;
    }
}
```

The class supports two different scenarios: 1) you use Microsoft’s login URI for console apps, and when you run the app it will prompt you to log in, or 2) you supply a username and password directly.  In the second scenario your application handles the user’s password itself, so it must be stored and passed securely.  In either scenario, the key thing you get back is a token from Azure AD that you pass into each of your REST API Preview calls; anyone holding that bearer token can call the API as you, so treat it as a secret.

Creating a Dataset

The next step is to create a dataset.  A dataset is a collection of tables, and tables have columns that can be one of the following types: int64, bool, DateTime, string and double.  Creating a dataset involves structuring JSON data to represent this schema.  What I did was to use this web site to model C# classes that could be easily serialized to the required JSON.  I then used JSON.NET to serialize the dataset schema to JSON and send it off to Power BI Preview.

For sending basic DatasetRequests and HTTPRequests, I borrowed some code from Microsoft’s sample code; you can find the original code here.

Using this approach, our CreateDataset method is quite simple:

```csharp
/// <summary>
/// Creates a dataset based on a DatasetSchema.
/// </summary>
/// <param name="Schema">Dataset Schema represents the definition of dataset including dataset name, tables and columns for each table.</param>
/// <returns>Created dataset as .NET object.</returns>
public Dataset CreateDataset(DatasetSchema Schema)
{
    // Create a POST web request against the datasets URI, carrying the Azure AD bearer token.
    HttpWebRequest request = DatasetRequest(datasetsURI, "POST", token);
    PostRequest(request, JsonConvert.SerializeObject(Schema));

    // Look the newly created dataset up by name and return it.
    return FindDataset(Schema.name);
}
```

When you create the dataset in Power BI Preview successfully, you will see an empty dataset in Power BI Preview with your table structure.  In my test console application, I created a table with a test int, test date, test bool, test double and test string column.

NOTE: There doesn’t yet seem to be a REST API method for deleting a dataset.  There also don’t seem to be methods for altering the dataset schema yet.

Adding Rows

Once you have a dataset created, you can now add rows to the table.  I created a simple test that pushed a row with a random int every 5 seconds.

```csharp
public static void AddRows(Object myObject, EventArgs myEventArgs)
{
    Random random = new Random();
    double randomDouble = random.NextDouble() * 5;
    int randomInt = random.Next(1, 5);

    // One row per timer tick; each public property of TestRow maps onto a column of testTable.
    ArrayList rows = new ArrayList();
    rows.Add(new TestRow()
    {
        TestColumnBool = true,
        TestColumnDateTime = DateTime.Now,
        TestColumnDouble = randomDouble,
        TestColumnInt = randomInt,
        TestColumnString = "test"
    });
    PowerBI.AddRow(dataset, "testTable", rows);
}
```

Again, in this case I have encapsulated the raw JSON by allowing you to use a basic value object defined in C# that is then translated into JSON dynamically when the request is sent.  The translation works by inspecting the object and translating its public properties into the appropriate JSON values.
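The two pieces described above, the schema modelled as C# classes and serialized with JSON.NET, and the reflection-based translation of row objects into JSON, as one added example. This is not the post’s own code or Microsoft’s sample code: the class, property and column names are constructed for illustration, the dataType strings follow the five types the post lists and must be checked against the service’s documented values, and the request URIs named in the comments are the ones used by the current public API, not necessarily the preview URIs the post used. It assumes Newtonsoft.Json is referenced.

```csharp
// Added example (not from the original post): builds the create-dataset body and the
// add-rows body for the Power BI REST API from plain C# objects.
using System;
using System.Collections.Generic;
using System.Reflection;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Schema model: property names are lower-case so they serialize to the JSON keys as-is.
public class Column { public string name { get; set; } public string dataType { get; set; } }
public class Table { public string name { get; set; } public List<Column> columns { get; set; } = new List<Column>(); }
public class DatasetSchema { public string name { get; set; } public List<Table> tables { get; set; } = new List<Table>(); }

// Constructed row type: one property per column.
public class TestRow
{
    public int TestColumnInt { get; set; }
    public DateTime TestColumnDateTime { get; set; }
    public bool TestColumnBool { get; set; }
    public double TestColumnDouble { get; set; }
    public string TestColumnString { get; set; }
}

public static class PowerBIJson
{
    // Map CLR property types onto the column types the post lists. The exact dataType
    // strings are an assumption here and must match the service documentation.
    static readonly Dictionary<Type, string> TypeMap = new Dictionary<Type, string>
    {
        { typeof(int), "Int64" }, { typeof(long), "Int64" }, { typeof(bool), "bool" },
        { typeof(DateTime), "DateTime" }, { typeof(string), "string" }, { typeof(double), "double" },
    };

    // Derive a table definition from a row class by reflecting over its public properties,
    // rejecting any property whose type the service does not support rather than sending it.
    public static Table TableFromType<T>(string tableName)
    {
        var table = new Table { name = tableName };
        foreach (PropertyInfo p in typeof(T).GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (!TypeMap.TryGetValue(p.PropertyType, out string dataType))
                throw new NotSupportedException($"{p.Name}: {p.PropertyType.Name} is not a supported column type");
            table.columns.Add(new Column { name = p.Name, dataType = dataType });
        }
        return table;
    }

    // Body for POST {datasetsURI}: the schema serialized directly by JSON.NET.
    public static string SchemaJson(DatasetSchema schema) =>
        JsonConvert.SerializeObject(schema, Formatting.Indented);

    // Body for POST {datasetsURI}/{datasetId}/tables/{tableName}/rows: {"rows":[...]}.
    // Only public properties are emitted; DateTime values are written as ISO 8601 strings.
    public static string RowsJson<T>(IEnumerable<T> rows)
    {
        var rowArray = new JArray();
        foreach (T row in rows)
        {
            var obj = new JObject();
            foreach (PropertyInfo p in typeof(T).GetProperties(BindingFlags.Public | BindingFlags.Instance))
            {
                object value = p.GetValue(row);
                obj[p.Name] = value == null ? JValue.CreateNull()
                            : value is DateTime dt ? new JValue(dt.ToString("o"))
                            : JToken.FromObject(value);
            }
            rowArray.Add(obj);
        }
        return new JObject { ["rows"] = rowArray }.ToString(Formatting.None);
    }
}

public static class Demo
{
    public static void Main()
    {
        var schema = new DatasetSchema { name = "TestDataset" };
        schema.tables.Add(PowerBIJson.TableFromType<TestRow>("testTable"));
        Console.WriteLine(PowerBIJson.SchemaJson(schema));

        var rows = new List<TestRow>
        {
            new TestRow { TestColumnInt = 3, TestColumnDateTime = DateTime.UtcNow,
                          TestColumnBool = true, TestColumnDouble = 1.5, TestColumnString = "test" }
        };
        Console.WriteLine(PowerBIJson.RowsJson(rows));
    }
}
```

Both strings are sent as the body of an HTTP POST with the Azure AD token in an `Authorization: Bearer` header, exactly as the DatasetRequest and PostRequest helpers in the post do. Deriving the table definition from the row class keeps the schema and the rows in step, and failing on an unsupported property type at build time is cheaper than an opaque HTTP error from the service.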

Testing It Out

If you succeed in sending the right REST API calls, you will see a new dataset created and the table being populated with rows.  The cool thing about the new Power BI Preview is that the dashboards are updated in real time, so if you have created a graph you will see it being updated as data is added.  Here is an example of the data I added from my test application.



Check Out New Azure AD Connect: Simplified Tool for Hybrid Directory

Microsoft has supported hybrid directory architectures for years, but it has always been somewhat complicated to set up and required multiple tools and services.  We just implemented Office 365 in a hybrid architecture, and the most complicated aspects are the integration of directory services, especially when including Exchange and Lync on top of Active Directory services.

Given that Microsoft controls most of these technologies, it shouldn’t really be as complicated as it is; this is primarily for legacy reasons and because of the evolution of all these various federation scenarios.

Microsoft has released a new tool in preview (i.e. it is not yet supported for production) called Azure AD Connect that centralizes and simplifies the hybrid directory scenario of connecting your on-premises AD with Azure AD.  It’s available for download here.

This tool will replace DirSync, Azure AD Connect and Azure AD Sync as a single centralized tool.
