Azure AD - Groups Test

Microsoft Azure AD Groups are collections of users and other principals who share access to resources in Microsoft services or in your app. Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises apps, and your resources.

Azure AD helps you give access to your organization's resources by providing access rights to a single user or to an entire Azure AD group. Using groups lets the resource owner (or Azure AD directory owner), assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one.

To ease management, administrators must regularly 'declutter' their AD organization - i.e., identify and remove inactive/unwanted groups, empty groups, duplicate groups, or incorrectly configured groups. For 'active' groups too, administrators should know who their members are: if group members are chosen carelessly, malicious users may gain access to critical apps/resources and wreak havoc. Administrators should therefore periodically review group membership and make changes where required. Besides group members, administrators should also pay attention to group owners. It is recommended that every group has at least one owner. Sometimes, however, when users are deleted directly from Azure Active Directory, a few groups may suddenly become 'orphaned' - i.e., left without any owners. It is good administrative practice to identify such groups quickly and assign an owner to them. Using the Azure AD - Groups Test, administrators can achieve all of the above!

This test periodically audits AD groups and:

  • Promptly pinpoints inactive groups

  • Reports the count and names of users in each group, thereby helping administrators spot empty groups or groups configured with the wrong members;

  • Reveals the number and names of owners per group, so that orphaned groups can be rapidly identified

Target of the Test: A Microsoft Azure Active Directory

Agent deploying the test: A remote agent

Output of the test: One set of results for each Azure Active Directory Group

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Tenant ID

Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API

Client ID, Client Password, and Confirm Password

To connect to Azure AD, the eG agent needs credentials with which to obtain an access token: an Application ID and its client secret value. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

Proxy Host and Proxy Port

In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy.

Proxy Username, Proxy Password and Confirm Password

If the proxy server requires authentication, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box.

Show Member Assigned DD


Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test:
Measurement Description Measurement Unit Interpretation

Status

Indicates the current status of this AD group.


The values reported by this measure and its numeric equivalents are mentioned in the table below:

Numeric Value Measure Value
0 Inactive
1 Active

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the current status of an Azure AD group. The graph of this measure however, represents the same using the numeric equivalents only.

The detailed diagnosis of this measure, if enabled, reveals the complete group configuration, including group type, its creation date, the group mail ID, the options enabled for the group, and more.

Group type

Indicates the type of this AD group.


The values reported by this measure and its numeric equivalents are mentioned in the table below:

Numeric Value Measure Value
1 Office 365 group
2 Mail enabled security
3 Security enabled
4 Distribution group

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the group type. The graph of this measure however, represents the same using the numeric equivalents only.

Is dynamic membership enabled?

Indicates whether or not dynamic membership is enabled for this group.


In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users. When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You cannot manually add or remove a member of a dynamic group.

The values reported by this measure and its numeric equivalents are mentioned in the table below:

Numeric Value Measure Value
0 False
1 True

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether or not dynamic membership is enabled for a group. The graph of this measure however, represents the same using the numeric equivalents only.

Members assigned in group

Indicates the number of members assigned to this group.

Number

If this measure reports the value 0, it means that the group is empty. Empty groups are good candidates for deletion.

For non-empty groups, use the detailed diagnosis of this measure, if enabled, to know the name, ID, and type of each member of the group.

Group memberships

Indicates the number of groups and administrative units of which this group is a direct member.

Number

Use the detailed diagnosis of this measure to know which groups/administrative units include this group as a direct member.

Owners assigned in group

Indicates the number of owners assigned to this group.

Number

If this measure reports the value 0 for any group, it means that the group is an orphaned group.

A non-zero value for this measure, on the other hand, implies that one or more owners exist for that group. In this case, you can use the detailed diagnosis of this measure to know who the owners are. The name, ID, and title of each owner are reported as part of detailed diagnostics.
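The Group type, Is dynamic membership enabled?, Members assigned in group and Owners assigned in group measures above are all derived from fields that the Microsoft Graph API returns for a group object. The script below is an added example (not eG Enterprise code) that reproduces those derivations offline: it maps the Graph flags groupTypes, mailEnabled and securityEnabled to the four group types and their numeric equivalents, detects dynamic membership, and flags empty and orphaned groups. The group records, names and IDs are constructed sample data; the members and owners lists are embedded in each record here, whereas a real caller would fetch them from the /groups/{id}/members and /groups/{id}/owners endpoints.

```python
"""Audit Microsoft Graph group objects for the conditions this test reports.

Added example, not eG Enterprise code. Input is a constructed list of
Graph API group records. The 'members' and 'owners' lists are embedded
here for an offline run; a real caller fetches them from the
/groups/{id}/members and /groups/{id}/owners endpoints.
"""
from dataclasses import dataclass

# Numeric equivalents used by the page's "Group type" measure.
GROUP_TYPE_CODES = {
    "Office 365 group": 1,
    "Mail enabled security": 2,
    "Security enabled": 3,
    "Distribution group": 4,
}


def classify_group_type(group: dict) -> str:
    """Map Graph's groupTypes / mailEnabled / securityEnabled flags to a type name."""
    group_types = group.get("groupTypes", [])
    mail = bool(group.get("mailEnabled"))
    sec = bool(group.get("securityEnabled"))
    if "Unified" in group_types:          # Microsoft 365 (Office 365) group
        return "Office 365 group"
    if mail and sec:
        return "Mail enabled security"
    if sec:
        return "Security enabled"
    if mail:
        return "Distribution group"
    raise ValueError(f"unexpected flag combination on {group.get('displayName')!r}")


def is_dynamic(group: dict) -> bool:
    """Dynamic membership is signalled by 'DynamicMembership' in groupTypes."""
    return "DynamicMembership" in group.get("groupTypes", [])


@dataclass
class GroupFinding:
    name: str
    group_type: str
    type_code: int
    dynamic: bool
    member_count: int
    owner_count: int

    @property
    def empty(self) -> bool:        # candidate for deletion
        return self.member_count == 0

    @property
    def orphaned(self) -> bool:     # needs an owner assigned
        return self.owner_count == 0


def audit_groups(groups: list) -> list:
    """Produce one GroupFinding per group, mirroring one result set per group."""
    findings = []
    for g in groups:
        gtype = classify_group_type(g)
        findings.append(GroupFinding(
            name=g["displayName"],
            group_type=gtype,
            type_code=GROUP_TYPE_CODES[gtype],
            dynamic=is_dynamic(g),
            member_count=len(g.get("members", [])),
            owner_count=len(g.get("owners", [])),
        ))
    return findings


def groups_needing_attention(findings: list) -> dict:
    """Names of empty and orphaned groups, the two cases the page calls out."""
    return {
        "empty": [f.name for f in findings if f.empty],
        "orphaned": [f.name for f in findings if f.orphaned],
    }


# Constructed sample data; IDs, names and the membership rule are placeholders.
SAMPLE_GROUPS = [
    {"id": "placeholder-id-1", "displayName": "Finance Team",
     "groupTypes": ["Unified"], "mailEnabled": True, "securityEnabled": False,
     "members": [{"displayName": "Alice"}], "owners": [{"displayName": "Alice"}]},
    {"id": "placeholder-id-2", "displayName": "VPN Users",       # empty group
     "groupTypes": [], "mailEnabled": False, "securityEnabled": True,
     "members": [], "owners": [{"displayName": "Bob"}]},
    {"id": "placeholder-id-3", "displayName": "All Staff DL",    # orphaned group
     "groupTypes": [], "mailEnabled": True, "securityEnabled": False,
     "members": [{"displayName": "Carol"}, {"displayName": "Dave"}], "owners": []},
    {"id": "placeholder-id-4", "displayName": "Guests (dynamic)",
     "groupTypes": ["DynamicMembership"], "mailEnabled": False, "securityEnabled": True,
     "membershipRule": '(user.userType -eq "Guest")',
     "members": [{"displayName": "Erin"}], "owners": [{"displayName": "Frank"}]},
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f.name}: type={f.group_type} ({f.type_code}) dynamic={f.dynamic} "
              f"members={f.member_count} owners={f.owner_count}")
    print(groups_needing_attention(audit_groups(SAMPLE_GROUPS)))
```

Running the script lists each group with its type code, dynamic flag and member/owner counts, then reports VPN Users as empty and All Staff DL as orphaned, which are exactly the two groups the Members assigned and Owners assigned measures would report as 0.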