Azure AD - Devices Test

A device identity is an object in Azure Active Directory (Azure AD). This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions.

There are three ways to get a device identity:

  • Azure AD registration: The goal of Azure AD registered - also known as Workplace joined - devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s resources using a personal device. Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10 or newer device. These devices have an Azure AD account for access to organizational resources. Access to resources in the organization can be limited based on that Azure AD account and Conditional Access policies applied to the device identity.

  • Azure AD join: Any organization can deploy Azure AD joined devices no matter the size or industry. Azure AD join works even in hybrid environments, enabling access to both cloud and on-premises apps and resources. Azure AD joined devices are signed in to using an organizational Azure AD account. Access to resources can be controlled based on Azure AD account and Conditional Access policies applied to the device.

  • Hybrid Azure AD join: Hybrid Azure AD join is seen as an interim step on the road to Azure AD join. Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Azure Active Directory (Azure AD) by implementing hybrid Azure AD joined devices. These devices are joined to your on-premises Active Directory and registered with Azure Active Directory.

Each year, more and more cloud consumers are opting to access their cloud resources on the go, using whatever mobile device they prefer. Owing to this demand, enterprises are compelled to allow their employees to access cloud-based organizational artefacts from personal devices. As a result, enterprises now have to manage a plethora of devices with varying configurations and complexities. One of the key challenges of device management in such environments is 'stale devices': devices that have not been actively used for longer than a configured duration. Besides adding to an administrator's management overhead, stale devices also interfere with the general lifecycle policies for devices in a cloud organization. It is therefore good practice to identify such devices and remove or deregister them.

Where a large number of device identities are managed, the cumbersome responsibility of tracking the usage of devices over time and identifying the stale ones falls on the administrator. The Azure AD - Devices test seeks to ease the burden of administrators in this regard!

This test periodically monitors the status of the devices registered in an Azure AD tenant, and promptly alerts administrators to stale devices. Detailed diagnostics reveal which devices are stale, saving administrators the time and trouble of identifying them by hand. Additionally, you can use this test to track the registration and removal/deletion of devices.

Target of the Test: A Microsoft Azure Active Directory

Agent deploying the test: A remote agent

Output of the test: One set of results for the Azure AD tenant being monitored

Configurable parameters for the test (each parameter is followed by its description):

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Tenant ID

Specify the Directory ID (tenant ID) of the Azure AD tenant to be monitored. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API

Client ID, Client Password, and Confirm Password

To connect to Azure AD, the eG agent authenticates to Microsoft Graph as an Azure AD application: it presents the application's Application (client) ID and client secret value to Azure AD and receives an access token in return, which it then uses for its Graph API calls. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box. Note that the client secret is a credential for your tenant: grant the application only the read permissions the monitoring requires, keep the secret value out of shared documents and tickets, and remember that Azure AD client secrets carry an expiry date, so the secret must be renewed in Azure AD and updated here before it expires, or the test will lose access.

Proxy Host and Proxy Port

In some environments, all communication with the Azure cloud must be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy.

Proxy Username, Proxy Password and Confirm Password

If the proxy server requires authentication, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then confirm the password by retyping it in the Confirm Password text box.

Stale Days Limit

By default, this parameter is set to 90 days. This means that, by default, the test will count as stale every device that has not been used to access resources for 90 days or more. The Number of stale devices measure will report the count of such devices only. If required, you can override the value of this parameter by specifying a different duration (in days) here.

Recent Days Limit

By default, this parameter is set to 30 days. This means that, by default, the test will consider any device-related management activity that took place in the last 30 days, as 'recent' activity. Accordingly, the test will report the count of devices that were registered in the last 30 days and the count of devices that were deleted in the last 30 days as the values of the Number of recent devices registered and the Number of devices removed recently measures, respectively. If you want, you can redefine what is 'recent' by changing the value of this parameter.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test (each measurement is followed by its description, unit, and interpretation):

Number of devices registered

Indicates the total number of devices that are registered with Azure AD.

Number

 

Number of devices enabled

Indicates the number of devices that are currently enabled.

Number

 

Number of stale devices

Indicates the number of devices that are currently stale.

Number

A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for the duration configured against the Stale Days Limit parameter of this test, or longer. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:

  • Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.

  • An increased number of devices creates unnecessary device writebacks, increasing the time taken by Azure AD Connect syncs.

  • As general hygiene and to meet compliance requirements, you may want to maintain a clean set of devices.

Stale devices in Azure AD can interfere with the general lifecycle policies for devices in your organization.

Ideally, therefore, the value of this measure should be 0. A non-zero value implies that one or more devices are stale. You can use the detailed diagnosis of this measure to know which devices are stale. To reduce management effort and to avert compliance issues, you may want to consider cleaning up stale devices. To clean up stale devices efficiently, you should define a related policy; this policy helps you ensure that you capture all considerations related to stale devices (for example, disabling a device before deleting it, and excluding devices that are expected to be offline for long periods).

Number of recent devices registered

Indicates the number of devices that were registered recently - i.e., within the period configured against the Recent Days Limit parameter.

Number

 

Number of devices removed recently

Indicates the number of registered devices that were removed recently - i.e., within the period configured against the Recent Days Limit parameter.

Number

 

You can use the detailed diagnosis of the Number of stale devices measure to know which are the stale devices, who owns them, which user uses them, whether/not they are enabled, and when they were registered.
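The following Python is an added example (not eG Enterprise code, and not a description of how the eG agent is implemented) that reproduces the accounting described under the Stale Days Limit and Recent Days Limit parameters and the stale-device breakdown described under the Number of stale devices measure. The device records are constructed inline and merely shaped like the items Microsoft Graph returns from GET /devices (accountEnabled, registrationDateTime, approximateLastSignInDateTime, displayName) and from GET /directory/deletedItems/microsoft.graph.device (deletedDateTime); nothing is fetched from a tenant. One assumption to note: Graph reports approximateLastSignInDateTime as null for a device that has never signed in, and the example falls back to the registration time so such devices still age out; whether the eG test treats null sign-in times the same way is not stated on this page.

```python
"""Stale/recent device accounting over Microsoft Graph-shaped device records.

Added example, not eG Enterprise code. The records below are CONSTRUCTED:
their shape mirrors the Graph device resource and the deletedItems
resource, but the names, IDs and timestamps are made up.
"""
from datetime import datetime, timedelta, timezone

STALE_DAYS_LIMIT = 90    # eG "Stale Days Limit" default
RECENT_DAYS_LIMIT = 30   # eG "Recent Days Limit" default

# "Now" is pinned so the example is deterministic when run later.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample of GET /devices items.
DEVICES = [
    {"id": "d1", "displayName": "LAPTOP-ALICE", "accountEnabled": True,
     "registrationDateTime": "2023-01-15T08:00:00Z",
     "approximateLastSignInDateTime": "2024-05-28T09:12:00Z"},  # active
    {"id": "d2", "displayName": "LAPTOP-BOB", "accountEnabled": True,
     "registrationDateTime": "2023-02-01T08:00:00Z",
     "approximateLastSignInDateTime": "2024-01-10T17:45:00Z"},  # idle > 90 days: stale
    {"id": "d3", "displayName": "PHONE-CAROL", "accountEnabled": False,
     "registrationDateTime": "2022-11-20T08:00:00Z",
     "approximateLastSignInDateTime": None},  # never signed in: aged by registration
    {"id": "d4", "displayName": "LAPTOP-DAVE", "accountEnabled": True,
     "registrationDateTime": "2024-05-20T08:00:00Z",
     "approximateLastSignInDateTime": None},  # new, no sign-in yet: not stale
]

# Constructed sample of GET /directory/deletedItems/microsoft.graph.device items.
DELETED_DEVICES = [
    {"id": "d9", "displayName": "OLD-KIOSK", "deletedDateTime": "2024-05-15T12:00:00Z"},
    {"id": "d8", "displayName": "OLD-TABLET", "deletedDateTime": "2024-02-01T12:00:00Z"},
]


def parse_ts(value):
    """Parse a Graph ISO-8601 UTC timestamp; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(device):
    """Best-effort last-use time. Falls back to the registration time when
    approximateLastSignInDateTime is null (assumption: see lead-in)."""
    signed_in = parse_ts(device.get("approximateLastSignInDateTime"))
    return signed_in or parse_ts(device["registrationDateTime"])


def is_stale(device, now=NOW, limit_days=STALE_DAYS_LIMIT):
    """Stale = idle for the limit or longer ("for 90 days or more")."""
    return now - last_activity(device) >= timedelta(days=limit_days)


def is_recent(ts_str, now=NOW, limit_days=RECENT_DAYS_LIMIT):
    """Recent = the event happened within the last limit_days days."""
    return now - parse_ts(ts_str) <= timedelta(days=limit_days)


def compute_measures(devices, deleted, now=NOW,
                     stale_days=STALE_DAYS_LIMIT, recent_days=RECENT_DAYS_LIMIT):
    """Return the five counts this test reports, keyed by measure name."""
    return {
        "Number of devices registered": len(devices),
        "Number of devices enabled": sum(1 for d in devices if d["accountEnabled"]),
        "Number of stale devices": sum(1 for d in devices if is_stale(d, now, stale_days)),
        "Number of recent devices registered": sum(
            1 for d in devices if is_recent(d["registrationDateTime"], now, recent_days)),
        "Number of devices removed recently": sum(
            1 for d in deleted if is_recent(d["deletedDateTime"], now, recent_days)),
    }


def stale_device_report(devices, now=NOW, stale_days=STALE_DAYS_LIMIT):
    """Detailed-diagnosis style rows: which devices are stale, whether they are
    enabled, when they were registered, and how long they have been idle."""
    rows = [
        {"displayName": d["displayName"],
         "accountEnabled": d["accountEnabled"],
         "registered": d["registrationDateTime"],
         "idle_days": (now - last_activity(d)).days}
        for d in devices if is_stale(d, now, stale_days)
    ]
    return sorted(rows, key=lambda r: r["idle_days"], reverse=True)


if __name__ == "__main__":
    for name, value in compute_measures(DEVICES, DELETED_DEVICES).items():
        print(f"{name}: {value}")
    for row in stale_device_report(DEVICES):
        print(row)
```

The report lists the disabled but never-used PHONE-CAROL ahead of LAPTOP-BOB because it has been idle longer; a cleanup policy of the kind recommended above would typically disable a stale device first (as CAROL's already is) and delete it only after a further grace period.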