Azure AD - Users Test

Users are members of the Azure AD organization who are allowed access to apps/resources either directly or via AD groups. Since Azure AD resides on the cloud, tenants are vulnerable to ransomware attacks, password spraying, brute force attacks, etc. As an administrator, it is important for you to know which user accounts may pose a security threat. For instance, administrators should be able to determine which users are actively accessing the resources and which users are not. It is prudent to remove the inactive users to pre-empt the risk of attacks.

Like inactive/disabled users, unlicensed users should also be promptly captured. Since such users are not 'authorized' or licensed to access any Azure service, you may want to think about why you need these user accounts in Azure AD. It would be wise to remove unlicensed user accounts that are unlikely to be licensed in the near future.

From a security standpoint once again, administrators must know which user accounts are allowed to set 'weak' passwords and subject them to additional scrutiny. It is recommended that you encourage users to set 'strong' passwords, instead of 'weak' ones.

Users who have not signed in since their accounts were created in Azure AD should also be pulled up, as such 'stale' accounts are a security vulnerability and are often prone to misuse.

In the real world, an Azure AD organization may support hundreds of users with varying access rights. It will therefore take hours, even days, for an administrator to manually audit user accounts and capture pain points like the ones highlighted above. For quick and prompt identification of problematic user accounts, administrators can periodically run the Azure AD - Users Test.

This test monitors the user accounts managed by Azure AD, and reports the following:

  • The count and names of inactive/disabled users;

  • The number and names of users who are allowed to set weak passwords;

  • The count and details of unlicensed users;

  • How many users have not signed in since account creation, and who are they

These insights draw administrator attention to user accounts that may potentially become a security hole. Even if they do not pose any security risks, administrators may still want to identify the user accounts mentioned above, so they can remove them in an effort to declutter the AD organization.

Target of the Test: A Microsoft Azure Active Directory

Agent deploying the test: A remote agent

Output of the test: One set of results for the Azure Active Directory tenant being monitored

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Tenant ID

Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API

Client ID, Client Password, and Confirm Password

To connect to Azure AD, the eG agent requires an Access token in the form of an Application ID and the client secret value. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

Proxy Host and Proxy Port

In some environments, all communication with the Azure cloud be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy, by default.

Proxy Username, Proxy Password and Confirm Password

If the proxy server requires authentication, then, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test:
Measurement Description Measurement Unit Interpretation

Total users

Indicates the total number of users managed by Azure AD.

Number

Use the detailed diagnosis of this measure to know which users are managed by Azure AD.

Active users

Indicates the number of enabled users / users who can actively access Azure resources.

Number

Use the detailed diagnosis of this measure to know who the active/enabled users are.

Inactive users

Indicates the number of disabled/inactive users on Azure AD.

Number

Use the detailed diagnosis of this measure to know which users are inactive.

Users who have been inactive for a long time can be removed.

 

Registered users

Indicates the number of users who are registered with Azure AD.

Number

Use the detailed diagnosis of this measure to know which user s are registered.

Guest users

Indicates the number of guest users on Azure AD.

Number

You can invite anyone to collaborate with your organization by adding them to your directory as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users can sign in with their own work, school, or social identities.

To prevent the misuse of guest user credentials, you may want to periodically check the count and names of guest users. To know who the guest users are, use the detailed diagnosis of this measure.

Other users

Indicates the number of users on Azure AD who cannot be classified as active / inactive / registered / guest users.

Number

Use the detailed diagnosis of this measure to know who the 'other' users are.

Weak password allowed users

Indicates the number of users who are allowed to use weak passwords.

Number

Use the detailed diagnosis of this measure to know which users are allowed to use weak passwords. You may want to urge such users to set strong passwords instead, to address the security risk that this may pose.

Password not expired users

Indicates the number of users who are configured with passwords that will never expire.

Number

Use the detailed diagnosis of this measure to know which users are configured with passwords that will never expire.

Cloud only users

Indicates the number of users whose identities are maintained only in the cloud.

Number

In the case of Cloud-only identity model, a user account only exists in the Azure AD tenant for your Microsoft 365 subscription. The Azure AD tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account.

To know which users' identities are authenticated by Azure AD, use the detailed diagnosis of this measure.

On-premises users

Indicates the number of users whose identities are maintained by on-premises Active Directory Domain Services (AD DS).

Number

In the case of the Hybrid identity model, a user account exists in an on-premises AD DS and a copy is also in the Azure AD tenant for your Microsoft 365 subscription. The identities that exist in an on-premises Active Directory are synchronized to Azure AD using a directory sync tool called Azure AD Connect.

Use the detailed diagnoss of this measure to know who the synched / on-premises users are.

Licensed users

Indicates the number of licensed users in Azure AD.

Number

Use the detailed diagnosis of this measure to know who the licensed users are, and what are their service plans.

Unlicensed users

Indicates the number of unlicensed users in Azure AD.

Number

Use the detailed diagnosis of this measure to know who the unlicensed users are.

Membered users

Indicates the number of users who are direct members of one/more groups and directory roles.

Number

Use the detailed diagnosis of this measure to know who are the membered users.

Not membered users

Indicates the number of users who are not direct members of any group or directory role.

Number

Use the detailed diagnosis of this measure to know who are not member users.

Use the detailed diagnosis of the Total users measure to know which users are managed by Azure AD.

Figure 1 : The detailed diagnosis of the Total users measure

Use the detailed diagnosis of the Active users measure to know who the active/enabled users are.

Figure 2 : The detailed diagnosis of the Active users measure

Use the detailed diagnosis of the Inactive users measure to know which users are inactive.

Figure 3 : The detailed diagnosis of the Inactive users measure

Use the detailed diagnosis of the Registered users measure to know which user s are registered.

Figure 4 : The detailed diagnosis of the Registered users measure

Use the detailed diagnosis of the Password not expired measure to know which users are configured with passwords that will never expire.

Figure 5 : The detailed diagnosis of the Password not expired measure

To know which users' identities are authenticated by Azure AD, use the detailed diagnosis of the Cloud-only users measure.

Figure 6 : The detailed diagnosis of the Cloud-only users

Use the detailed diagnoss of the On-premises users measure to know who the synched / on-premises users are.

Figure 7 : The detailed diagnosis of the On-premises users measure

Use the detailed diagnosis of the Licensed users measure to know who the licensed users are, and what are their service plans.

Figure 8 : The detailed diagnosis of the Licensed users measure

Use the detailed diagnosis of the Unlicensed users measure to know who the unlicensed users are.

Figure 9 : The detailed diagnosis of the Unlicensed users measure

Use the detailed diagnosis of the Membered users measure to know who are the membered users.

Figure 10 : The detailed diagnosis of the Membered users measure

Use the detailed diagnosis of the Not membered users measure to know who are not member users.

Figure 11 : The detailed diagnosis of the Not membered users measure