Azure Identity And Access Management Part 6 – Azure Active Directory – Manage Device Identity 1 – Overview

Hello Everybody,
Hope you all are doing good!!!
First of all, thank you all for your comments and suggestions on my last article, Learn Basics Of Azure Networking In 60 Hours.
In our last Azure AD series article we discussed Bulk Update of Azure AD User Profile Using PowerShell. We have different articles which covered Azure AD Groups and Users. Today, in this article, we will continue our Azure IAM series by discussing one more important and crucial topic: Azure AD Device Identity.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Part 1 – Azure Active Directory – Overview
Part 2 – Azure Active Directory – Enterprise Users
Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
Part 4 – Azure Active Directory – Create Azure AD Extension Attribute Using Power-Shell
Part 5 – Azure Active Directory – Bulk Update of Azure AD User Profile Using PowerShell
Next Article : Part 7 – Azure Active Directory – Manage Device Identity 2 – Azure AD Joined
Azure Device Management :
- Simplifies the process of bringing devices into Azure AD and managing them
- Provides users with easy access to their organization’s cloud-based resources.
- Supports Single Sign-On (SSO)
The goal of Azure AD Device Management is to manage users’ personal devices in Azure AD and allow our users to take advantage of Bring Your Own Device (BYOD). In these scenarios, our users can bring their own devices and access our organization’s cloud applications, such as the Azure portal and Office 365, which are protected by Azure Active Directory.
Device Identity In Azure AD :
When we register/add a user’s device in Azure AD, it creates a reference object for that particular device in Azure Active Directory. This is known as the Device Identity. Using this device identity, Azure AD gets to know which device a user is signing in from, so that it can take appropriate decisions (e.g. Conditional Access decisions) on whether to allow the user or not. It provides benefits from the following two aspects.
- As a User – we will be able to configure Single Sign-On (SSO).
- As an Administrator – we have a device identity, which we can manage: enable it, disable it, or completely delete it.
There are options available in Azure AD to configure device settings. As shown in the following figure, an admin can configure the device settings for users. In the following figure, I have configured it so that users cannot enroll a device by registering it, but can enroll by joining the device.
Maximum Devices Per User :
In Azure Active Directory, one user can register/add a maximum of 50 devices, because the default configuration of the maximum number of devices per user is set to 50, as shown in the following figure.

The user will get the following error when the limit is reached: ” The maximum number of devices that can be joined to the workplace by the user has been reached.”
The Workaround :
We have the following two options to overcome the above issue.
- Delete devices for the User
- Increase the Maximum Number of devices per user as shown in the above figure.
Device Based Conditional Access :
As we know, we can register/add different types of devices in Azure AD. Device Based Conditional Access in Azure Active Directory (Azure AD) controls access based on the device. When a device enrolls, the Azure AD registration process starts, and device information is updated in Azure AD. One key piece of information is the device compliance status. This compliance status is used by Conditional Access policies to block or allow access.
Provisioning Device In Azure AD :
Getting devices into Azure AD can be done in a self-service manner or through a controlled provisioning process by administrators. To get a device into Azure AD, we have multiple options (the following information is copied from the Microsoft documentation):
- Azure AD registered
  - Devices that are Azure AD registered are typically personally owned or mobile devices, and are signed in with a personal Microsoft account or another local account.
  - Windows 10
  - iOS
  - Android
  - MacOS
- Azure AD joined
  - Devices that are Azure AD joined are owned by an organization, and are signed in with an Azure AD account belonging to that organization. They exist only in the cloud.
  - Windows 10
  - Windows Server 2019 (Server Core is not supported)
- Hybrid Azure AD joined
  - Devices that are hybrid Azure AD joined are owned by an organization, and are signed in with an Azure AD account belonging to that organization. They exist in the cloud and on-premises.
  - Windows 7, 8.1, or 10
  - Windows Server 2008 or newer
Note : The Maximum number of devices and Require Multi-Factor Auth to join devices settings do not apply to hybrid Azure AD joined devices.
Security Of Enrolled Device :
The security of enrolled devices is one of the major concerns. It is handled in the following manner.
- Azure AD registered devices use an account managed by the end user; this account is either a Microsoft account or another locally managed credential, secured with a password, PIN, pattern, etc.
- Azure AD joined or hybrid Azure AD joined devices use an organizational account in Azure AD, secured with a password or Windows Hello for Business.
Manage Stale Devices :
A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for a specific time-frame. Devices get lost, stolen or broken, or their OS gets reinstalled, and the device record in Azure AD stays behind. In these cases, as an IT administrator, I would like to disable/remove those stale devices to minimize the extra overhead of maintaining them.
Activity Timestamp
Since a stale device is defined as a registered device that hasn’t been used to access any cloud apps for a specific time-frame, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp, or the activity timestamp. In our cleanup policy we can consider the value of this property and decide whether the device should be listed as a stale device or not. We have the following two options to retrieve the value of the activity timestamp.
- The Activity column on the devices page in the Azure portal.
- Using the Get-MsolDevice cmdlet.
Clean-Up Stale Devices
To efficiently clean up stale devices in our environment, we should define a related policy. This policy helps us ensure that we capture all considerations related to stale devices. As discussed, the policy will consider the activity timestamp property during the process. To delete/update a device in Azure AD, we need an account that has one of the following roles assigned.
- Global Administrator
- Cloud Device Administrator
- Intune Service Administrator
NOTE : As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.
NOTE : Don’t delete system-managed devices. These are generally devices such as Autopilot.
NOTE : If a device is under the control of Intune or any other MDM solution, we should retire the device in the management system before disabling or deleting it.

NOTE : Deleting an Azure AD device does not remove the registration on the client. It only prevents access to resources that use the device as an identity (e.g. Conditional Access). We need to follow additional steps to remove it from the client.
We can clean up stale devices in the Azure portal, but it is more efficient to handle this process using a PowerShell script. Following are the steps to clean up efficiently.
- Connect to Azure Active Directory using the Connect-MsolService cmdlet
- Get the list of devices
- Disable the device using the Disable-MsolDevice cmdlet.
- Wait for the grace period of however many days you choose before deleting the device.
- Remove the device using the Remove-MsolDevice cmdlet.
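The five steps above put together as one script, added here as an example and not taken from the original post or from Microsoft. It uses the MSOnline cmdlets the article names; the stale threshold, grace period, audit CSV path and `-ReportOnly` switch are my own assumptions, and hybrid Azure AD joined devices are left out because their records are driven from on-premises AD.

```powershell
# Added example: disable-first, delete-later cleanup of stale Azure AD devices.
# Assumed policy values: 90 days without sign-in => disable, 30 more days => delete.
param(
    [int]$StaleDays = 90,
    [int]$GraceDays = 30,
    [string]$AuditCsv = ".\stale-devices-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$ReportOnly          # list the planned actions without changing anything
)

# Step 1: sign in with an account holding Cloud Device Administrator (or a higher role).
Connect-MsolService

$now           = Get-Date
$disableBefore = $now.AddDays(-$StaleDays)
$deleteBefore  = $now.AddDays(-($StaleDays + $GraceDays))

# Step 2: get the candidate devices by activity timestamp.
# System-managed (Autopilot) devices stay out because -IncludeSystemManagedDevices is not passed.
# Hybrid Azure AD joined devices report DeviceTrustType 'Domain Joined' and are skipped here.
$candidates = Get-MsolDevice -All -LogonTimeBefore $disableBefore |
    Where-Object { $_.ApproximateLastLogonTimestamp -and $_.DeviceTrustType -ne 'Domain Joined' }

$actions = foreach ($d in $candidates) {
    # Still enabled => disable now; already disabled and past the grace period => remove.
    $action = if ($d.Enabled) { 'Disable' }
              elseif ($d.ApproximateLastLogonTimestamp -lt $deleteBefore) { 'Remove' }
              else { 'WaitGrace' }
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        DeviceId    = $d.DeviceId
        TrustType   = $d.DeviceTrustType
        LastLogon   = $d.ApproximateLastLogonTimestamp
        Enabled     = $d.Enabled
        Action      = $action
    }
}

# Write the audit record before touching anything, so every change can be traced later.
$actions | Export-Csv -Path $AuditCsv -NoTypeInformation
$actions | Format-Table -AutoSize

if ($ReportOnly) { return }

# Steps 3 to 5: disable, then remove only devices that have already sat disabled through the grace period.
foreach ($a in $actions) {
    switch ($a.Action) {
        'Disable' { Disable-MsolDevice -DeviceId $a.DeviceId -Force }
        'Remove'  { Remove-MsolDevice  -DeviceId $a.DeviceId -Force }
    }
}
```

Run it with `-ReportOnly` first and review the CSV; a device that was only disabled on one run is removed on a later run once its timestamp is also older than the stale threshold plus the grace period.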
License Requirements :
Last but not least, the topic of licensing for the Azure AD Device service. An Azure AD Premium P1 license is required to consume the Azure AD Device Identity service.
I hope this article gives you some basic knowledge about Azure AD Device Identity. In the next article we will come with a new topic for our series on Azure AD Devices.
As I am exploring Azure Active Directory, please let me know if I missed anything important. In my next article we will continue with one more feature of Azure Active Directory.
Next Article : Part 7 – Azure Active Directory – Manage Device Identity 2 – Azure AD Joined
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .
Very useful article… Thanks for sharing!