Azure AD - Users Test
Users are members of the Azure AD organization who are allowed access to apps/resources either directly or via AD groups. Since Azure AD resides on the cloud, tenants are vulnerable to ransomware attacks, password spraying, brute force attacks, etc. As an administrator, it is important for you to know which user accounts may pose a security threat. For instance, administrators should be able to determine which users are actively accessing the resources and which users are not. It is prudent to remove the inactive users to pre-empt the risk of attacks.
Like inactive/disabled users, unlicensed users should also be promptly captured. Since such users are not 'authorized' or licensed to access any Azure service, you may want to think about why you need these user accounts in Azure AD. It would be wise to remove unlicensed user accounts that are unlikely to be licensed in the near future.
Again from a security standpoint, administrators must know which user accounts are allowed to set 'weak' passwords and subject them to additional scrutiny. It is recommended that you encourage users to set 'strong' passwords instead of 'weak' ones.
Users who have not signed in since their accounts were created in Azure AD should also be pulled up, as such 'stale' accounts are a security vulnerability and are often prone to misuse.
In the real world, an Azure AD organization may support hundreds of users with varying access rights. It will therefore take hours, even days, for an administrator to manually audit user accounts and capture pain points like the ones highlighted above. For quick and prompt identification of problematic user accounts, administrators can periodically run the Azure AD - Users Test.
This test monitors the user accounts managed by Azure AD, and reports the following:
- The count and names of inactive/disabled users;
- The number and names of users who are allowed to set weak passwords;
- The count and details of unlicensed users;
- How many users have not signed in since account creation, and who they are.
These insights draw administrator attention to user accounts that may potentially become a security hole. Even if they do not pose any security risks, administrators may still want to identify the user accounts mentioned above, so they can remove them in an effort to declutter the AD organization.
Target of the Test: A Microsoft Azure Active Directory
Agent deploying the test: A remote agent
Output of the test: One set of results for the Azure Active Directory tenant being monitored
Parameters | Description |
---|---|
Test Period | How often should the test be executed. |
Host | The host for which the test is to be configured. |
Tenant ID | Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. |
Client ID, Client Password, and Confirm Password | To connect to Azure AD, the eG agent requires an access token, which it obtains using an Application ID and the client secret value. If a Microsoft Azure Subscription component is already monitored in your environment, then you would have already created an Application for monitoring purposes. You can provide the Application ID and Client Secret value of that application here. However, if no such application pre-exists, you will have to create one for monitoring Azure AD. To know how to create such an application and determine its Application ID and Client Secret, refer to Configuring the eG Agent to Monitor Microsoft Azure Active Directory Using Microsoft Graph API. Specify the Application ID of the Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box. |
Proxy Host and Proxy Port | In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy. |
Proxy Username, Proxy Password and Confirm Password | If the proxy server requires authentication, then specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box. |
Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled: |
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
Total users | Indicates the total number of users managed by Azure AD. | Number | Use the detailed diagnosis of this measure to know which users are managed by Azure AD. |
Active users | Indicates the number of enabled users, i.e. users who can actively access Azure resources. | Number | Use the detailed diagnosis of this measure to know who the active/enabled users are. |
Inactive users | Indicates the number of disabled/inactive users on Azure AD. | Number | Use the detailed diagnosis of this measure to know which users are inactive. Users who have been inactive for a long time can be removed. |
Registered users | Indicates the number of users who are registered with Azure AD. | Number | Use the detailed diagnosis of this measure to know which users are registered. |
Guest users | Indicates the number of guest users on Azure AD. | Number | You can invite anyone to collaborate with your organization by adding them to your directory as a guest user. Then you can either send an invitation email that contains a redemption link or send a direct link to an app you want to share. Guest users can sign in with their own work, school, or social identities. To prevent the misuse of guest user credentials, you may want to periodically check the count and names of guest users. To know who the guest users are, use the detailed diagnosis of this measure. |
Other users | Indicates the number of users on Azure AD who cannot be classified as active / inactive / registered / guest users. | Number | Use the detailed diagnosis of this measure to know who the 'other' users are. |
Weak password allowed users | Indicates the number of users who are allowed to use weak passwords. | Number | Use the detailed diagnosis of this measure to know which users are allowed to use weak passwords. You may want to urge such users to set strong passwords instead, to address the security risk that this may pose. |
Password not expired users | Indicates the number of users who are configured with passwords that will never expire. | Number | Use the detailed diagnosis of this measure to know which users are configured with passwords that will never expire. |
Cloud only users | Indicates the number of users whose identities are maintained only in the cloud. | Number | In the cloud-only identity model, a user account exists only in the Azure AD tenant for your Microsoft 365 subscription. The Azure AD tenant for your Microsoft 365 subscription performs the authentication with the cloud identity account. To know which users' identities are authenticated by Azure AD, use the detailed diagnosis of this measure. |
On-premises users | Indicates the number of users whose identities are maintained by on-premises Active Directory Domain Services (AD DS). | Number | In the hybrid identity model, a user account exists in an on-premises AD DS and a copy also exists in the Azure AD tenant for your Microsoft 365 subscription. The identities that exist in an on-premises Active Directory are synchronized to Azure AD using a directory sync tool called "Azure AD Connect". Use the detailed diagnosis of this measure to know who the synched / on-premises users are. |
Licensed users | Indicates the number of licensed users in Azure AD. | Number | Use the detailed diagnosis of this measure to know who the licensed users are and what their service plans are. |
Unlicensed users | Indicates the number of unlicensed users in Azure AD. | Number | Use the detailed diagnosis of this measure to know who the unlicensed users are. |
Membered users | Indicates the number of users who are direct members of one or more groups and directory roles. | Number | Use the detailed diagnosis of this measure to know who the membered users are. |
Not membered users | Indicates the number of users who are not direct members of any group or directory role. | Number | Use the detailed diagnosis of this measure to know who the non-member users are. |
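The categories this test reports (the list near the top of the page and the measures in the table above) correspond to properties that Microsoft Graph returns for each user object: `accountEnabled` (active/inactive), `userType` (guest), `passwordPolicies` (weak password allowed, password never expires), `assignedLicenses` (licensed/unlicensed), `onPremisesSyncEnabled` (on-premises/cloud-only) and `signInActivity.lastSignInDateTime` (never signed in). The following is an added example written for this page, not eG Enterprise code or a description of how the eG agent works internally. It classifies a constructed set of user records shaped like the response of `GET https://graph.microsoft.com/v1.0/users` (the SKU ids and UPNs are placeholders), so it runs offline; in a live tenant the records would come from that endpoint, and the membered/not-membered split would need an additional `memberOf` query per user, which this example does not make. Reading `signInActivity` also requires a Graph permission (AuditLog.Read.All) and tenant licensing beyond what the basic user listing needs, so the example treats a missing `signInActivity` the same as a null last sign-in.

```python
"""Classify Microsoft Graph user objects into the categories of the Azure AD - Users Test.

Added example (not eG Enterprise code). Runs offline on constructed records
shaped like GET /v1.0/users with
$select=userPrincipalName,accountEnabled,userType,passwordPolicies,
        assignedLicenses,onPremisesSyncEnabled,createdDateTime,signInActivity
"""
from collections import defaultdict

# Constructed sample records; "placeholder-sku-1" and the contoso.example UPNs are not real.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True, "userType": "Member",
     "passwordPolicies": None, "assignedLicenses": [{"skuId": "placeholder-sku-1"}],
     "onPremisesSyncEnabled": True, "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:30:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": False, "userType": "Member",
     "passwordPolicies": "DisablePasswordExpiration", "assignedLicenses": [],
     "onPremisesSyncEnabled": None, "createdDateTime": "2022-03-03T12:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2022-04-01T10:00:00Z"}},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.example", "accountEnabled": True,
     "userType": "Guest", "passwordPolicies": None, "assignedLicenses": [],
     "onPremisesSyncEnabled": None, "createdDateTime": "2024-02-20T15:00:00Z",
     "signInActivity": {"lastSignInDateTime": None}},   # invited, never redeemed
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True, "userType": "Member",
     "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword",
     "assignedLicenses": [{"skuId": "placeholder-sku-1"}],
     "onPremisesSyncEnabled": None, "createdDateTime": "2024-01-05T09:00:00Z",
     "signInActivity": None},                           # property absent/null in the response
]


def password_policies(user):
    """passwordPolicies is a comma-separated string (or null); normalise it to a set of flags."""
    raw = user.get("passwordPolicies") or ""
    return {p.strip() for p in raw.split(",") if p.strip()}


def never_signed_in(user):
    """True when Graph reports no last sign-in at all (signInActivity missing, null, or empty)."""
    activity = user.get("signInActivity") or {}
    return not activity.get("lastSignInDateTime")


def classify(users):
    """Return {category: [UPN, ...]} for the measures that map directly onto user properties."""
    buckets = defaultdict(list)
    for u in users:
        upn = u["userPrincipalName"]
        buckets["total"].append(upn)
        buckets["active" if u.get("accountEnabled") else "inactive"].append(upn)
        if u.get("userType") == "Guest":
            buckets["guest"].append(upn)
        policies = password_policies(u)
        if "DisableStrongPassword" in policies:
            buckets["weak_password_allowed"].append(upn)
        if "DisablePasswordExpiration" in policies:
            buckets["password_never_expires"].append(upn)
        buckets["licensed" if u.get("assignedLicenses") else "unlicensed"].append(upn)
        # onPremisesSyncEnabled is true for accounts synced from AD DS and null otherwise.
        buckets["on_premises" if u.get("onPremisesSyncEnabled") else "cloud_only"].append(upn)
        if never_signed_in(u):
            buckets["never_signed_in"].append(upn)
    return dict(buckets)


def counts(users):
    """Per-category counts, i.e. the numeric measures the test would report."""
    return {k: len(v) for k, v in classify(users).items()}


def risk_report(users):
    """One line per category the page singles out for clean-up, naming the accounts in it."""
    c = classify(users)
    risky = ("inactive", "unlicensed", "weak_password_allowed", "never_signed_in")
    return [f"{k}: {', '.join(c.get(k, [])) or '-'}" for k in risky]


if __name__ == "__main__":
    for name, value in sorted(counts(SAMPLE_USERS).items()):
        print(f"{name:24s}{value}")
    print("\n".join(risk_report(SAMPLE_USERS)))
```

On the sample data the report lists bob as inactive, bob and carol as unlicensed, dave as allowed a weak password, and carol and dave as never having signed in; `password_policies` is kept separate because Graph returns the two flags as one comma-separated string, which is easy to mishandle with a plain equality test.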
Use the detailed diagnosis of the Total users measure to know which users are managed by Azure AD.
Figure 1 : The detailed diagnosis of the Total users measure
Use the detailed diagnosis of the Active users measure to know who the active/enabled users are.
Figure 2 : The detailed diagnosis of the Active users measure
Use the detailed diagnosis of the Inactive users measure to know which users are inactive.
Figure 3 : The detailed diagnosis of the Inactive users measure
Use the detailed diagnosis of the Registered users measure to know which users are registered.
Figure 4 : The detailed diagnosis of the Registered users measure
Use the detailed diagnosis of the Password not expired measure to know which users are configured with passwords that will never expire.
Figure 5 : The detailed diagnosis of the Password not expired measure
To know which users' identities are authenticated by Azure AD, use the detailed diagnosis of the Cloud-only users measure.
Figure 6 : The detailed diagnosis of the Cloud-only users measure
Use the detailed diagnosis of the On-premises users measure to know who the synched / on-premises users are.
Figure 7 : The detailed diagnosis of the On-premises users measure
Use the detailed diagnosis of the Licensed users measure to know who the licensed users are and what their service plans are.
Figure 8 : The detailed diagnosis of the Licensed users measure
Use the detailed diagnosis of the Unlicensed users measure to know who the unlicensed users are.
Figure 9 : The detailed diagnosis of the Unlicensed users measure
Use the detailed diagnosis of the Membered users measure to know who the membered users are.
Figure 10 : The detailed diagnosis of the Membered users measure
Use the detailed diagnosis of the Not membered users measure to know who the non-member users are.
Figure 11 : The detailed diagnosis of the Not membered users measure