Azure Active Directory Protection Improves Windows with New Roles


Microsoft has today announced 16 new lower-privileged roles in Azure Active Directory (Azure AD), made available early to help administrators improve security by reducing the number of Global Administrators and by extending granular delegation across Azure and Microsoft 365.

“Do not mandate that you be a global administrator when you conduct your everyday management activities in Azure Active Directory (Azure AD),” says the Microsoft 365 team in today’s blog post.

“We launched 16 new roles in Azure AD to help you reduce the number of global administrators through the delegation of management tasks and the allocation of less-privileged roles.”

Figure: the built-in Azure AD roles currently shown in the Azure portal.

Microsoft recommends that as few people as possible are granted the Global Administrator role, because anyone holding it can read and change every administrative setting in an Azure AD organization, which is an exposure for the business.

If more than five users hold the Global Administrator role in an organization, roles that more closely match each user's needs should be identified; the Azure AD roles list can be filtered by role category to find a suitable subset of less-privileged roles to assign instead.
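As an added example (not from the article or from Microsoft), the following Microsoft Graph PowerShell snippet lists the current Global Administrator members, warns when the recommended maximum of five is exceeded, and prints the built-in role templates so a narrower role can be picked. It assumes the Microsoft.Graph module is installed and the signed-in account has read access to directory roles.

```powershell
# Added example: audit Global Administrator assignments against the
# five-member guidance quoted in the article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" | Out-Null

$MaxGlobalAdmins = 5   # threshold from Microsoft's guidance

# Global Administrator is always an activated role, so Get-MgDirectoryRole returns it.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Members come back as generic directory objects; the useful fields sit in AdditionalProperties.
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Id          = $m.Id
        Type        = ($m.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        DisplayName = $m.AdditionalProperties['displayName']
        Upn         = $m.AdditionalProperties['userPrincipalName']
    }
}
$report | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt $MaxGlobalAdmins) {
    $msg = "{0} Global Administrators found; Microsoft recommends no more than {1}. " +
           "Review each assignment and move day-to-day tasks to a lower-privileged role."
    Write-Warning ($msg -f $count, $MaxGlobalAdmins)
}

# List every built-in role template (including the newly added ones) to pick a narrower fit.
Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -ne 'Global Administrator' |
    Sort-Object DisplayName |
    Select-Object DisplayName, Description |
    Format-Table -Wrap
```

Service principals and groups can also hold the role, which is why the report records the object type rather than assuming every member is a user.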

“To facilitate this, our strategy is to provide built-in roles in 90 percent of your scenarios and to provide you with the ability to create custom roles for your specific business requirements,” says Alex Simons, Corporate Vice President, Microsoft Identity Group.

The list of new roles includes a Global Reader role, introduced across Microsoft 365, which grants read access to all settings and operational data for use in planning, auditing and investigation tasks.

Microsoft has also added two new roles for managing authentication methods and passwords with granular permissions: Authentication administrator and Privileged authentication administrator.

These roles are available across all subscriptions and are marked with green flags in the Azure portal, as shown above.

Below is the complete list of the new built-in Azure AD roles and their permissions:

Authentication administrator: View, set, and reset authentication method information and passwords for any non-admin user.
Azure DevOps administrator: Manage Azure DevOps organization policy and settings.
B2C user flow administrator: Create and manage all aspects of user flows.
B2C user flow attribute administrator: Create and manage the attribute schema available to all user flows.
B2C IEF Keyset administrator: Manage secrets for federation and encryption in the Identity Experience Framework.
B2C IEF Policy administrator: Create and manage trust framework policies in the Identity Experience Framework.
Compliance data administrator: Create and manage compliance data and alerts.
External Identity Provider administrator: Configure identity providers for use in direct federation.
Global reader: View everything a Global administrator can view without the ability to edit or change.
Kaizala administrator: Manage settings for Microsoft Kaizala.
Message center privacy reader: Read Message center posts, data privacy messages, groups, domains and subscriptions.
Password administrator: Reset passwords for non-administrators and Password administrators.
Privileged authentication administrator: View, set, and reset authentication method information for any user (admin or non-admin).
Security operator: Create and manage security events.
Search administrator: Create and manage all aspects of Microsoft Search settings.
Search editor: Create and manage editorial content such as bookmarks, Q&As, locations and floor plans.

Further changes to Azure AD security

In August, Microsoft also announced a 100% improvement in the effectiveness of its Azure AD identity detection algorithms, while the false-positive rate decreased by approximately 30 percent.

“These enhancements together have increased our ability to detect fraudulent signups by more than 100%,” Simons said at the time.

“We have reduced our false positive rate by 30%, a more streamlined subscription experience for legitimate users and fewer surveys for your security operators.”

In April, Redmond also made the Azure AD Password Protection feature generally available; it lets you block compromised and commonly used passwords, significantly reducing the risk of password spray attacks.

To configure it, sign in to the Azure portal with a Global Administrator account, open Azure Active Directory, then the Authentication methods blade, where the Password protection settings are shown.

Azure AD now also supports FIDO2 security keys for passwordless authentication, and accepts passwords of up to 256 characters, matching on-premises Windows Server Active Directory.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.