Take control of your Active Directory to get the most from your Office 365 environment - Resources
As Office 365® adoption grows, Active Directory® management and security have never been more critical. Many businesses synchronize their Active Directory (AD) with Azure® AD, creating a hybrid AD environment in which on-premises AD provides authentication and authorization services. That means that if AD isn't properly secured, Office 365 won't be either. To reduce risk and cost, and to ensure a secure, compliant and available environment, you will need to optimise your Active Directory. Take control of your hybrid AD infrastructure to ensure you get the most from Office 365's inherent benefits. Find out how you can:
• Improve your security posture both on premises and in the cloud
• Ensure a successful AD migration, consolidation or restructuring project
• Guarantee business continuity and quick recovery from any AD and Azure AD disaster
• Increase productivity with AD automation and provisioning
• Achieve and maintain continuous compliance with regulations
eBook Contents:
p4 - 24 Whitepaper: Top 10 security events to monitor in Azure AD and Office 365
p25 - 29 Whitepaper: Maintaining Business Momentum in the Face of Forced Change
p30 - 41 Whitepaper: Conquer your Active Directory migration
p42 - 52 Whitepaper: AD Account Lifecycle Management
p53 - 60 TechBrief: Testing Your Active Directory Disaster Recovery Plan
p61 - 63 TechBrief: Next-Gen Privileged Access Management Solutions
p64 - 66 Case Study: Government healthcare agency ensures security and compliance
p67 - 69 Case Study: Identity-based education at Edmonton Catholic School District
p70 - 73 Case Study: Manufacturer ensures fast and reliable AD backup and recovery
p74 - 76 Case Study: Effective learning becomes possible with streamlined IT
About Quest
Quest provides software solutions for the rapidly-changing world of enterprise IT. We help simplify the challenges caused by data explosion, cloud expansion, hybrid data centres, security threats and regulatory requirements. We're a global provider to 130,000 companies across 100 countries, including 95% of the Fortune 500 and 90% of the Global 1000. Since 1987, we've built a portfolio of solutions which now includes database management, data protection, identity and access management, Microsoft platform management and unified endpoint management. With Quest, organizations spend less time on IT administration and more time on business innovation. For more information, visit www.quest.com.
About One Identity
One Identity, a Quest Software business, lets organizations implement an identity-centric security strategy, whether on-prem, in the cloud or in a hybrid environment. With our uniquely broad and integrated portfolio of identity management offerings including account management, identity governance and administration and privileged access management, organizations are empowered to reach their full potential where security is achieved by placing identities at the core of the program, enabling proper access across all user types, systems and data. Learn more at OneIdentity.com.
TOP 10 SECURITY EVENTS TO MONITOR IN AZURE AD AND OFFICE 365 See the shortcomings of native auditing tools and overcome them
Is your organization really more secure now that you're running applications in the cloud? More efficient, probably. But more secure? Users can still perform high-risk actions in the cloud, and account credentials can still be compromised. Microsoft has warned admins for years that tens of millions of AD accounts are the target of cyberattack each day.1 Besides, 34 percent of data breaches involve someone already inside the network.2 Unfortunately, native Office 365 and Azure AD auditing tools leave a lot to be desired when it comes to auditing changes to roles, groups, applications, sharing and mailboxes. Their search capabilities are limited and they retain audit events in logs for only a limited time.
This eBook highlights ten security events that administrators track closely to keep their Azure AD and Office 365 environment secure. It explores the audit information they can find using native tools and consoles, and identifies the pitfalls they are most likely to encounter when pulling audit reports natively. Finally, it offers a look at a solution that can help them overcome some of these native auditing limitations.
1 Fontana, John, "Active Directory czar rallies industry for better security, identity," ZDNet, June 2015, https://www.zdnet.com/article/active-directory-czar-rallies-industry-for-better-security-identity/
2 "2019 Data Breach Investigations Report," Verizon, May 2019, https://enterprise.verizon.com/resources/reports/dbir/2019/summary-of-findings/
How does auditing work in Azure and Office 365?
Managing and securing a cloud environment starts with being able to follow a user's login and logout events. To obtain this information on premises, system administrators trying to track users must examine multiple logs on every Windows domain controller and correlate audit events across the logs of multiple servers. In the cloud, administrators must correlate in a similar manner across two logs in Azure AD: the Audit Log, containing all change events, and the Sign-in Log, containing all authentication events (see Figure 1). They access the logs through either the Azure Portal or PowerShell.
As for Office 365, each application (Exchange Online, SharePoint Online, OneDrive for Business, etc.) writes to what will become the Office 365 Unified Audit Log, containing all administrator- and user-level events. The Unified Audit Log also includes events from the Azure AD Audit Log and Sign-in Log.
Figure 1: Unified Audit Log (for Office 365 audit log search). Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams and other Microsoft apps, together with the Azure AD sign-in log and audit log, all feed the Unified audit log.
Administrators know where the logs are, and they know what kinds of data are stored in those logs. But pulling out that data and using it to manage and secure their environment is another matter.
THE AUDITING GAPS OF NATIVE TOOLS
Auditing in Azure and Office 365 has a number of limitations.
• For organizations with hybrid environments, it is not possible to search audit activity across on-premises and cloud workloads in a single view.
• Similarly, the audit policies for on-premises workloads must be configured separately from those for cloud workloads. Also, there is no way to monitor audit policies in case they change or are disabled by other administrators.
• There can be a delay of 24 hours or more in processing some of the entries to the audit logs and adding them to the Unified Audit Log.
• Logs in Azure are retained for periods of time that vary, based on workload and subscription type. That can be a limiting factor when IT investigates incidents, and it may be too uncertain for some regulatory requirements. In practice it means the events have to be exported on a schedule to a SIEM or another store of your own before the retention window closes, or they will not be there when an investigation needs them.
• Events are formatted differently depending on the type of event and whether it occurred on premises or in the cloud. With no normalized format, the logs visible through native consoles are difficult to interpret.
• It is possible to access the audit events for Azure and Office 365 through PowerShell (for the Unified Audit Log, the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell). Additionally, both Azure and Office 365 provide a web portal for accessing audit events. But the portal displays only 15 events at a time, and the processing delay means that not all relevant audit events are necessarily there at once.
1. Changes — To important roles
In on-premises infrastructure, multiple groups within AD, such as Domain Admins, Account Operators and Server Operators, are considered important because of the advanced rights they bestow. In the cloud, that applies to roles in the Azure AD tenant as well. The problem is that, over time, users such as administrators, operators, managers and helpdesk technicians gradually acquire many more rights than they should have. Therefore, careful management includes the ability to report and alert on changes taking place within those groups and roles.
FINDING ROLES IN THE AZURE AUDIT LOG
In the cloud, the first step is to identify important roles in the Azure portal. In the Audit logs section under Azure Active Directory, a search on the Core Directory service and the RoleManagement category returns all of the changes to roles in the tenant, as shown in Figure 2. Unfortunately, that does not allow direct searches for only the roles deemed important. Administrators must examine each audit event individually to know which role was modified. Another option is to export and analyze the results as a Microsoft Excel spreadsheet. That requires a subscription not only to Office 365 but also to Azure.
Figure 2: Searching on roles in Azure portal
FINDING ROLES IN THE UNIFIED AUDIT LOG
The information can also be gathered from a search of the Unified Audit Log through the Office 365 Security & Compliance Center. (These searches run against the logs of Azure AD, plus the logs of all Office 365 tools, as described above. They may take longer than searches against the Azure Audit Log alone.) Searches return all individual activities related to role administration in a given date range (see Figure 3), which is an advantage over searching the Azure Audit Log. Here, however, the entire audit detail is in one embedded JSON, so identifying the modified role means looking through all of the detail. It is possible to export the data to a tool like Excel, but as shown in the AuditData column in Figure 4, the JSON makes it difficult to filter for the modified roles.
Figure 3: Unified Audit Log search
Figure 4: Search results viewed in Microsoft Excel
2. Changes — To groups
Groups in AD have long been the key to granting access to resources. That remains true in the cloud, with some complications.
• Azure AD allows more types of groups. For example, users can create groups through apps like Outlook and Teams.
• Office 365 groups, such as those created through Teams, generate other Azure resources to support the application.3
• Azure AD B2B makes it easy to create groups for collaboration with customers and vendors. But it brings the risk of a user granting unintended access to a third party.
3 For more information, see the eBook, "Frequently Asked Questions: Office 365 Groups," https://www.quest.com/whitepaper/frequently-asked-questions-office-365-groups8134485/
FINDING GROUPS IN THE AZURE AUDIT LOG
As with role changes, the Azure portal is the logical first step in keeping track of groups. In the Audit logs section under Azure Active Directory, a search on the Core Directory service and the GroupManagement category returns all of the changes to groups in the tenant (top of Figure 4). Again, however, that does not allow direct searches for only the groups deemed important. Furthermore, the modified group is not initially displayed, so administrators must examine the details of the audit event on the Modified Properties tab (bottom of Figure 4) to find the modified group. Another option is to export and analyze the results as a Microsoft Excel spreadsheet, which requires subscriptions not only to Office 365 but also to Azure.
Figure 4: Searching on groups in Azure portal
FINDING GROUPS IN THE UNIFIED AUDIT LOG
As with role changes, information on group changes can also be gathered in the Office 365 Security & Compliance Center (see Figure 3) from an audit log search on all Azure AD group administration activities. A search on Added member to group and Removed member from group (see Figure 5) yields the changes in membership. But that procedure still does not allow direct searches on only the desired groups; it is necessary to search for changes to all groups, then examine the data. And, again, the entire audit detail is in one embedded JSON, so identifying the modified group means looking through all of the detail. It is possible to export the data to a tool like Excel, but the JSON makes it difficult to filter for the modified groups.
Figure 5: Modified properties in Unified Audit Log
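The filtering step that sections 1 and 2 describe as awkward in Excel is a few lines once the AuditData JSON is parsed. The script below is an added example, not code from the eBook or from Quest: it reads the CSV that the audit log search exports (one row per event, the full record in the AuditData column), pulls the target name out of the ModifiedProperties entry named Role.DisplayName or Group.DisplayName, and keeps only events that touch a watch list. The sample rows are constructed to approximate that export format (the field names follow the Azure AD audit record schema; the tenant, users and timestamps are made up), and the two watch lists are assumptions a tenant would replace with its own.

```python
"""Pick out changes to watched roles and groups from an Office 365 audit log export."""
from __future__ import annotations

import csv
import io
import json

# Constructed export (not real tenant data). The last row is an unrelated change
# and must be ignored. Quotes inside the AuditData column are doubled, as CSV requires.
SAMPLE_EXPORT = r'''CreationDate,UserIds,Operations,AuditData
2024-03-01T10:02:11Z,admin@contoso.example,Add member to role.,"{""Operation"":""Add member to role."",""UserId"":""admin@contoso.example"",""ObjectId"":""helpdesk@contoso.example"",""ModifiedProperties"":[{""Name"":""Role.DisplayName"",""NewValue"":""\""Global Administrator\"""",""OldValue"":""""}]}"
2024-03-01T10:05:42Z,admin@contoso.example,Add member to role.,"{""Operation"":""Add member to role."",""UserId"":""admin@contoso.example"",""ObjectId"":""reader@contoso.example"",""ModifiedProperties"":[{""Name"":""Role.DisplayName"",""NewValue"":""Directory Readers"",""OldValue"":""""}]}"
2024-03-01T11:17:03Z,jdoe@contoso.example,Add member to group.,"{""Operation"":""Add member to group."",""UserId"":""jdoe@contoso.example"",""ObjectId"":""bob_partner.example#EXT#@contoso.example"",""ModifiedProperties"":[{""Name"":""Group.DisplayName"",""NewValue"":""Finance - Confidential"",""OldValue"":""""}]}"
2024-03-01T11:30:00Z,jdoe@contoso.example,Update user.,"{""Operation"":""Update user."",""UserId"":""jdoe@contoso.example"",""ObjectId"":""jdoe@contoso.example"",""ModifiedProperties"":[{""Name"":""DisplayName"",""NewValue"":""Jane Doe"",""OldValue"":""J. Doe""}]}"
'''

# Assumption: each tenant keeps its own watch lists; these are illustrative only.
WATCHED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}
WATCHED_GROUPS = {"Finance - Confidential", "Domain Admins"}


def modified_target(record: dict) -> tuple[str, str] | None:
    """Return ("role" | "group", display name) for a role/group change, else None."""
    for prop in record.get("ModifiedProperties", []):
        name = prop.get("Name", "")
        if name in ("Role.DisplayName", "Group.DisplayName"):
            # Azure AD often JSON-encodes NewValue a second time ("\"Global Administrator\""),
            # so strip one layer of surrounding quotes before comparing.
            value = str(prop.get("NewValue", "")).strip().strip('"')
            return name.split(".", 1)[0].lower(), value
    return None


def watched_changes(export_csv: str) -> list[dict]:
    """Parse an export and keep only the events that touch a watched role or group."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        record = json.loads(row["AuditData"])
        target = modified_target(record)
        if target is None:
            continue
        kind, display_name = target
        watch = WATCHED_ROLES if kind == "role" else WATCHED_GROUPS
        if display_name in watch:
            hits.append({
                "when": row["CreationDate"],
                "actor": record.get("UserId"),
                "operation": record.get("Operation"),
                "kind": kind,
                "target": display_name,
                "member": record.get("ObjectId"),  # the principal added to / removed from it
            })
    return hits


if __name__ == "__main__":
    for hit in watched_changes(SAMPLE_EXPORT):
        print(hit)
```

The same loop serves as the basis for the application events in section 3: swap the property names for the ones those records carry and the watch list for the application IDs of interest.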
3. Changes — To applications
Azure AD allows for simplified setup of many SaaS applications and for access to on-premises applications as well. While SaaS applications are not difficult to set up, they can be easily broken if changes are not made correctly. Furthermore, undocumented changes lead to loss of time, productivity and profit as problems are resolved. Thus, being able to track changes to applications is a business imperative. From a security standpoint, the application events most worth alerting on are new credentials (secrets or certificates) added to an application or service principal, new permission or consent grants, and changes to an application's redirect URIs, since each of these can hand a third party durable access to the tenant.
FINDING APPLICATION CHANGES IN THE AZURE AUDIT LOG
In the Azure portal, the first step to finding changes to an individual application is the Audit logs section under Azure Active Directory for that application. The problem is that it takes a lot of repetitive, manual drilling to find changes. As shown in the Category column of Figure 6, the audit events come from ApplicationManagement and UserManagement. Drilling into the ApplicationManagement category yields the list shown in Figure 7. To drill into the application changes related to UserManagement, it is necessary to switch to that category, then to select five different activities from the Activity drop-down:
• Add app role assignment grant to user (see Figure 8)
• Create application password for user
• Delete application password for user
• Remove app role assignment from user
• Review app assignment
Thus, there is no easy way to search on all application changes or generate a list containing the desired ones.
Figure 6: Application changes listed in Azure Audit Log
Figure 7: Search on ApplicationManagement category
Figure 8: Search on UserManagement category
4. Resource creation
Almost every move to the cloud results in the creation of resources, some of which (like a Microsoft Teams site) create their own set of resources, such as Office 365 groups and SharePoint resources. Being able to track the kind and number of resources created will help administrators reduce the costly, time-consuming burden of managing them.
FINDING CREATED RESOURCES IN THE AZURE AUDIT LOG
Consider the resources associated with creating users and groups. The best place to discover the resources consumed (adds, deletes, updates, license changes, app role assignments) is the Azure Active Directory audit log inside the Azure portal. Unfortunately, it is possible to search on only one category at a time, UserManagement (see Figure 9), then GroupManagement, so administrators must execute multiple queries to gather the information.
Figure 9: Created resources listed in Azure Audit Log
FINDING CREATED RESOURCES IN THE UNIFIED AUDIT LOG
The audit log search in the Office 365 Security & Compliance portal (see Figure 10) offers a view of multiple resources:
• Files: Copied, moved, uploaded, renamed, restored
• Folders: Created, renamed, moved, restored
• SharePoint sites: Created list, created list item
• Site permissions: Added site collection admin, added user or group to SharePoint group, created group
• Exchange: Created mailbox item, added mailbox permissions
• Sway: Created Sway
• Teams: Created team, added tab, added connector, added channel, added members, added bot
Getting a full picture of all of those resources requires multiple queries. And, as with any other search into Office 365 audit events, the details will be in the embedded JSON, which makes them less accessible than a simple query result.
Figure 10: Created resources listed in Unified Audit Log
5 & 6. Sharing — Important files and anonymous data
Moving to SharePoint Online and OneDrive for Business introduces new kinds of risk, especially around data sharing. As mentioned above, users can unintentionally share sensitive data by including a B2B user from another company without realizing it. Likewise, anyone who obtains a share-with-anyone link to data on OneDrive can access the file anonymously, with no sign-in to attribute the access to. Increased risk is the downside of increased sharing. For IT, being able to generate reports on data sharing becomes even more important as companies move to the cloud. Businesses have strong reasons to block or tightly control the sharing of specific file types.
FINDING SHARES AND ACCESS REQUESTS IN THE UNIFIED AUDIT LOG
The audit log search in the Office 365 Security & Compliance portal returns information on shared files, folders and sites. Figure 11 depicts the results of a search on Sharing and access request activities.
Figure 11: Sharing activity listed in Unified Audit Log
The problem is that the query returns all the data for those activities. A more effective and more useful query would limit results to the extensions of the files shared, such as CER, DER, CRT, PEM, PFX, P7B, P7C, P12, PPK, PUB, SPC, STL, CRL, SSH, EVT, EXE, BAT, PIF (certificates, private keys and executables). Or it would pare the results down to Microsoft Office file extensions: PPT, PPTX, XLS, XLSX, DOC, DOCX, etc. The audit log search does not allow for that. Another option is to export the superset of data from the AuditData field in the Unified Audit Log to a spreadsheet format. Still, some data manipulation is necessary to narrow the results to the questionable shares. Anonymous shares, which are of particular interest, are easier to query by entering the word "anonymous" in the Activity filter, as shown in Figure 12. Changing the User filter to anonymous returns any file that was accessed anonymously. Similar results come from filtering on the UserIds or Operations columns in the exported audit events.
Figure 12: Search results on anonymous sharing activity
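The "data manipulation" the text leaves to the reader is shown below as an added example (not code from the eBook or from Quest). It takes exported AuditData records from SharePoint Online / OneDrive, applies the file-type filter the native search lacks, and separately flags anonymous link creation or use and shares to guest (B2B) users. The records are constructed to approximate the Unified Audit Log's SharePoint entries (Operation, UserId, ObjectId, SourceFileExtension, TargetUserOrGroupType); the tenant, users and paths are made up, and the extension lists are the ones the text names.

```python
"""Narrow SharePoint Online / OneDrive sharing events to the questionable ones."""
import json

# Extensions from the text: certificates, keys and executables, then Office documents.
SENSITIVE_EXT = {"cer", "der", "crt", "pem", "pfx", "p7b", "p7c", "p12", "ppk",
                 "pub", "spc", "stl", "crl", "ssh", "evt", "exe", "bat", "pif"}
OFFICE_EXT = {"ppt", "pptx", "xls", "xlsx", "doc", "docx"}

# Constructed AuditData records (not real tenant data), one JSON document per item.
SAMPLE_AUDITDATA = [
    '{"Operation":"SharingSet","UserId":"jdoe@contoso.example","ObjectId":"https://contoso.example/personal/jdoe/Documents/vpn-client.pfx","SourceFileExtension":"pfx","TargetUserOrGroupName":"bob_partner.example#ext#@contoso.example","TargetUserOrGroupType":"Guest"}',
    '{"Operation":"AnonymousLinkCreated","UserId":"jdoe@contoso.example","ObjectId":"https://contoso.example/sites/finance/Shared Documents/q3-forecast.xlsx","SourceFileExtension":"xlsx"}',
    '{"Operation":"AnonymousLinkUsed","UserId":"anonymous","ObjectId":"https://contoso.example/sites/finance/Shared Documents/q3-forecast.xlsx","SourceFileExtension":"xlsx","ClientIP":"203.0.113.7"}',
    '{"Operation":"SharingSet","UserId":"asmith@contoso.example","ObjectId":"https://contoso.example/sites/marketing/Shared Documents/logo.png","SourceFileExtension":"png","TargetUserOrGroupName":"Marketing Members","TargetUserOrGroupType":"SecurityGroup"}',
]


def extension_of(record: dict) -> str:
    """SourceFileExtension when present, otherwise the suffix of the ObjectId URL."""
    ext = record.get("SourceFileExtension") or record.get("ObjectId", "").rsplit(".", 1)[-1]
    return ext.lower()


def is_anonymous(record: dict) -> bool:
    """Anonymous link events carry UserId 'anonymous' or an AnonymousLink* operation."""
    return (record.get("UserId", "").lower() == "anonymous"
            or record.get("Operation", "").startswith("AnonymousLink"))


def review_sharing(auditdata_lines: list) -> list:
    """Return the events worth a second look, each with the reasons it was kept."""
    flagged = []
    for line in auditdata_lines:
        rec = json.loads(line)
        ext = extension_of(rec)
        anon = is_anonymous(rec)
        guest = rec.get("TargetUserOrGroupType") == "Guest"
        reasons = []
        if ext in SENSITIVE_EXT:
            reasons.append("sensitive-extension")      # keys, certs, executables: always of interest
        if anon:
            reasons.append("anonymous")
        if guest:
            reasons.append("external-guest")
        if ext in OFFICE_EXT and (anon or guest):
            reasons.append("office-document-outside-tenant")
        if reasons:
            flagged.append({
                "operation": rec.get("Operation"),
                "user": rec.get("UserId"),
                "object": rec.get("ObjectId"),
                "extension": ext,
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for event in review_sharing(SAMPLE_AUDITDATA):
        print(event["reasons"], event["user"], event["object"])
```

An ordinary internal share of a PNG (the last record) produces no reasons and drops out, which is the point: the noise the native query returns is removed before anyone reads the results.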
7. Email — Forwarding inbound messages
By itself, forwarding inbound email to other addressees is neither good nor bad. Recipients may need to share information in a message with outside vendors or customers. On-site consultants and contractors may prefer to forward messages and consolidate all their email in a single account. Users can manually forward email, and automatic forwarding can be set up on a mailbox by a user (the ForwardingSmtpAddress setting, which users can reach from Outlook on the web, or an inbox rule that forwards or redirects mail) or by an administrator (the ForwardingAddress setting on the mailbox). Automatic forwarding could be perfectly innocuous, but smart administrators keep an eye on changes that involve email forwarding, because a quiet forward to an outside address is a classic way of exfiltrating mail from a compromised account. Unfortunately, the audit logs in Azure Active Directory and Office 365 do not allow for direct searches on email-forwarding changes. Instead, it is necessary to export the entire log for changes in Exchange Online, then search the exported audit events for {"name":"DeliverToMailboxAndForward","value":"True"} in the Parameters field of the audit detail to return the desired events. Note that DeliverToMailboxAndForward only records whether a copy is kept in the mailbox; a forward configured with it set to False still forwards every message, so the ForwardingSmtpAddress and ForwardingAddress parameters themselves are the more reliable things to search for.
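The export-and-search step above, done against exported Exchange Online admin audit records rather than by eye, as an added example (not code from the eBook or from Quest). It keeps any Set-Mailbox, New-InboxRule or Set-InboxRule record whose parameters set a forwarding target, reports whether the target is outside the tenant, and records DeliverToMailboxAndForward only as a detail, so a forward-only change (False) is not missed. The records are constructed to approximate the Unified Audit Log's Exchange admin entries, where the cmdlet is in Operation and its arguments are Name/Value pairs in Parameters; the key case is accepted either way, since the text shows them in lowercase. The tenant, mailboxes, addresses and the INTERNAL_DOMAINS list are assumptions.

```python
"""Find mailbox-forwarding changes in exported Exchange Online admin audit records."""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's own accepted domains

# Cmdlet -> parameters that establish a forward. Absent or "$null" means no forward / removal.
FORWARD_PARAMS = {
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

# Constructed AuditData records (not real tenant data).
SAMPLE_AUDITDATA = [
    r'{"Operation":"Set-Mailbox","UserId":"jdoe@contoso.example","ObjectId":"jdoe","Parameters":[{"Name":"Identity","Value":"jdoe@contoso.example"},{"Name":"ForwardingSmtpAddress","Value":"smtp:jd.backup@mailbox.example"},{"Name":"DeliverToMailboxAndForward","Value":"False"}]}',
    r'{"Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"ceo","Parameters":[{"Name":"Identity","Value":"ceo@contoso.example"},{"Name":"ForwardingAddress","Value":"assistant@contoso.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    r'{"Operation":"New-InboxRule","UserId":"asmith@contoso.example","ObjectId":"asmith","Parameters":[{"name":"Mailbox","value":"asmith@contoso.example"},{"name":"Name","value":"backup"},{"name":"ForwardTo","value":"\"Archive\" [SMTP:archive@partner.example]"}]}',
    r'{"Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"jdoe","Parameters":[{"Name":"Identity","Value":"jdoe@contoso.example"},{"Name":"ForwardingSmtpAddress","Value":"$null"}]}',
    r'{"Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"jdoe","Parameters":[{"Name":"Identity","Value":"jdoe@contoso.example"},{"Name":"DisplayName","Value":"Jane Doe"}]}',
]


def params_of(record: dict) -> dict:
    """Parameters as {name: value}, tolerating Name/Value or name/value pair keys."""
    out = {}
    for pair in record.get("Parameters", []):
        lower = {k.lower(): v for k, v in pair.items()}
        out[str(lower.get("name", ""))] = str(lower.get("value", ""))
    return out


def forwarding_changes(auditdata_lines: list) -> list:
    """Return one finding per forwarding target set by an audited cmdlet."""
    hits = []
    for line in auditdata_lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        if op not in FORWARD_PARAMS:
            continue
        params = params_of(rec)
        for name in FORWARD_PARAMS[op]:
            raw = params.get(name, "")
            if raw in ("", "$null"):
                continue    # parameter not used, or forwarding being cleared
            addresses = EMAIL.findall(raw)
            # A target with no address (a directory recipient identity) is treated as internal.
            external = [a for a in addresses if a.split("@")[1].lower() not in INTERNAL_DOMAINS]
            hits.append({
                "actor": rec.get("UserId"),
                "mailbox": params.get("Identity") or params.get("Mailbox") or rec.get("ObjectId"),
                "cmdlet": op,
                "parameter": name,
                "target": raw,
                "external": bool(external),
                "keeps_copy": params.get("DeliverToMailboxAndForward", "").lower() == "true",
            })
    return hits


if __name__ == "__main__":
    for hit in forwarding_changes(SAMPLE_AUDITDATA):
        print(hit)
```

The first record is the case the text's DeliverToMailboxAndForward=True search would miss: an external forward with no copy kept, which is exactly the configuration an attacker prefers.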
8. Email — Non-owner activity
Non-owner email activity is common in large organizations, where administrative assistants have access to the email accounts of the executives they support, or multiple employees share mailboxes. If a non-owner's account becomes compromised, an attacker can obtain access to sensitive information. In the context of administration of Exchange Online, administrators can perform almost any activity with their rights, including granting themselves access to look in executives' mailboxes. While every organization trusts its administrators to manage and maintain systems, it must also keep an eye out for rogue activity.
FINDING NON-OWNER EMAIL ACTIVITY IN THE UNIFIED AUDIT LOG
Information on non-owner activity is available only in the Unified Audit Log, as shown in Figure 13. To search for the types of activity that most non-owners perform on mailboxes, include the following:
• Sent message using Send On Behalf permission
• Sent message using Send As permission
• Added or removed user with delegate access to calendar/folder
• Added delegate mailbox permission
• Removed delegate mailbox permission
Figure 13: Non-owner email activity listed in Unified Audit Log
Note, however, that those do not cover activities such as adding, deleting and moving folders and messages, nor changes in some permissions, to name a few. Querying all mailbox activities and exporting the results as a spreadsheet is the way to perform an exhaustive search. But the next step, finding audit events where LogonUserSid does not match MailboxOwnerSid (equivalently, where LogonType is not 0, the value that marks the owner), is labor-intensive because the information is embedded in the AuditData column with the rest of the information from the event (see Figure 14).4 Mailbox audit logging must also be on for the mailbox (it is on by default in current tenants); without it, only the permission changes are recorded, not what the delegate or administrator then did.
Figure 14: Detail of AuditData column
4 See also "Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online," https://www.quest.com/docs/auditing-privileged-operations-and-mailbox-access-in-office-365-white-paper-24932.pdf
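The exhaustive search described above, run over exported mailbox audit records, as an added example (not code from the eBook or from Quest). It classifies each record by LogonType (0 owner, 1 admin, 2 delegate), falls back to the LogonUserSid versus MailboxOwnerSid comparison the text describes when LogonType is absent, and summarises non-owner activity per mailbox and acting user so that an assistant's routine access and an administrator's one-off look are distinguishable. The records are constructed to approximate the Unified Audit Log's Exchange mailbox entries; the SIDs, users and folders are made up.

```python
"""Summarise non-owner mailbox activity from exported mailbox audit records."""
import json

LOGON_TYPES = {0: "owner", 1: "admin", 2: "delegate"}

# Constructed AuditData records (not real tenant data). Folder paths are stored as "\\Inbox".
SAMPLE_AUDITDATA = [
    r'{"Operation":"MailItemsAccessed","LogonType":0,"UserId":"ceo@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonUserSid":"S-1-5-21-1000-1","MailboxOwnerSid":"S-1-5-21-1000-1","Folder":{"Path":"\\Inbox"}}',
    r'{"Operation":"MailItemsAccessed","LogonType":2,"UserId":"assistant@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonUserSid":"S-1-5-21-1000-2","MailboxOwnerSid":"S-1-5-21-1000-1","Folder":{"Path":"\\Inbox"}}',
    r'{"Operation":"SendOnBehalf","LogonType":2,"UserId":"assistant@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonUserSid":"S-1-5-21-1000-2","MailboxOwnerSid":"S-1-5-21-1000-1"}',
    r'{"Operation":"FolderBind","LogonType":1,"UserId":"admin@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonUserSid":"S-1-5-21-1000-3","MailboxOwnerSid":"S-1-5-21-1000-1","ClientInfoString":"Client=OWA","Folder":{"Path":"\\Inbox"}}',
    r'{"Operation":"MoveToDeletedItems","UserId":"helpdesk@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonUserSid":"S-1-5-21-1000-9","MailboxOwnerSid":"S-1-5-21-1000-1","Folder":{"Path":"\\Sent Items"}}',
]


def acting_party(record: dict) -> str:
    """'owner', 'admin', 'delegate', or 'non-owner' when only the SIDs are available."""
    logon_type = record.get("LogonType")
    if logon_type in LOGON_TYPES:
        return LOGON_TYPES[logon_type]
    # Records without LogonType: compare the logged-on SID with the owner's SID.
    if record.get("LogonUserSid") and record.get("LogonUserSid") == record.get("MailboxOwnerSid"):
        return "owner"
    return "non-owner"


def non_owner_activity(auditdata_lines: list) -> list:
    """One summary per (mailbox, acting user, access kind), owner activity excluded."""
    summary = {}
    for line in auditdata_lines:
        rec = json.loads(line)
        party = acting_party(rec)
        if party == "owner":
            continue
        key = (rec.get("MailboxOwnerUPN"), rec.get("UserId"), party)
        entry = summary.setdefault(key, {
            "mailbox": key[0], "actor": key[1], "access": party,
            "events": 0, "operations": set(), "folders": set(),
        })
        entry["events"] += 1
        entry["operations"].add(rec.get("Operation"))
        path = (rec.get("Folder") or {}).get("Path")
        if path:
            entry["folders"].add(path)
    return sorted(summary.values(), key=lambda e: (e["mailbox"], e["actor"]))


if __name__ == "__main__":
    for entry in non_owner_activity(SAMPLE_AUDITDATA):
        print(entry["mailbox"], entry["actor"], entry["access"], entry["events"], sorted(entry["operations"]))
```

Administrator access (LogonType 1) deserves its own line in any report: it is the case the text warns about, an admin granting themselves access and then reading a mailbox, and it looks nothing like the steady delegate activity of an assistant.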
9. Admin command history
Microsoft provides administrative tools like Microsoft Management Console (MMC) for on-premises management, and web portals for cloud management. Increasingly, Microsoft emphasizes PowerShell as the main method for administration. In fact, many MMCs run PowerShell commands based on events passed from the user interface; Exchange is a typical example. However, as important as it may be to ensure commands are run correctly, keeping track of the command history is nearly impossible. For example, it is a good idea to track application consent events and any changes to Conditional Access policies in Azure AD: read/write access to directory objects granted to the wrong application is a standing exposure. The problem is that there is currently no way to extract a consolidated history of executed administrator commands from the Azure and Office 365 portals. Exchange Online is the partial exception: its admin audit log records each cmdlet run and its parameters, which is what the search for forwarding changes in section 7 relies on. Azure AD and the other workloads record the resulting change, not the command that caused it.
10. Failed logins
Whether on premises or in the cloud, tracking failed logins is part of an administrator's job. Lockouts frustrate users, who rarely know how or why they have been locked out. Hybrid logins through Azure AD exacerbate the problem by adding another potential source of the lockout. But repeated failed logins can also indicate malicious activity, as bad actors attempt to guess user passwords by brute force. Password spraying, where an attacker tries one or two common passwords against many accounts, produces only a handful of failures per account and never trips a lockout, so patterns have to be sought per source address as well as per user. On premises, information about failed login events is stored in the security logs on all domain controllers. In the cloud, that information is in the sign-in events of each Azure AD tenant. As depicted in Figure 15, searching on Failure in the Sign-ins screen under Monitoring in Azure AD for each tenant returns failed login events. But gathering all the failed login events is only the start. The next task is to analyze all the information for patterns, a task made no easier by the lack of detail in the search results.
Figure 15: Search on failed logins in Azure AD
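The pattern analysis that the text says is left to the administrator, as an added example (not code from the eBook or from Quest). It takes exported Azure AD sign-in records, keeps the failures, and looks for the two shapes that matter: many failures against one account inside a short window (brute force) and one source address failing against many distinct accounts inside the window (password spray), the case a per-account lockout counter misses. The sample records are constructed to approximate the sign-in log's JSON export (createdDateTime, userPrincipalName, ipAddress, status.errorCode, where 0 is success and 50126 is a bad password); the window and thresholds are assumptions a team would tune.

```python
"""Spot brute-force and password-spray patterns in exported Azure AD sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

WINDOW = timedelta(minutes=10)     # assumption: tune to the environment
USER_FAILURE_THRESHOLD = 5         # failures for one account inside WINDOW
SPRAY_DISTINCT_USERS = 4           # distinct accounts one IP failed against inside WINDOW


def make_signins() -> list:
    """Constructed sample export: a brute force on one user, a spray from one IP, and normal noise."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    events = []

    def add(minutes, user, ip, code):
        events.append({
            "createdDateTime": (base + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userPrincipalName": user, "ipAddress": ip, "status": {"errorCode": code},
        })

    for m in range(6):                                  # six bad passwords in six minutes
        add(m, "jdoe@contoso.example", "198.51.100.10", 50126)
    for i, u in enumerate(["alice", "bob", "carol", "dave"]):   # one try each, many accounts
        add(20 + i, f"{u}@contoso.example", "203.0.113.5", 50126)
    add(30, "asmith@contoso.example", "192.0.2.44", 50126)      # a typo
    add(31, "asmith@contoso.example", "192.0.2.44", 0)          # then success
    return [json.dumps(e) for e in events]


def parse(lines: list) -> list:
    """Normalise the export to (timestamp, user, ip, failed) and sort by time."""
    rows = []
    for line in lines:
        r = json.loads(line)
        rows.append({
            "ts": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["userPrincipalName"].lower(),
            "ip": r["ipAddress"],
            "failed": r.get("status", {}).get("errorCode", 0) != 0,
        })
    return sorted(rows, key=lambda x: x["ts"])


def peak_in_window(events: list, measure) -> int:
    """Largest measure(slice) over any WINDOW-long run of the time-sorted events."""
    peak, start = 0, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > WINDOW:
            start += 1
        peak = max(peak, measure(events[start:end + 1]))
    return peak


def detect(lines: list) -> list:
    """Return brute-force and password-spray findings over the exported sign-ins."""
    failed = [r for r in parse(lines) if r["failed"]]
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for r in failed:
        by_user[r["user"]].append(r)
        by_ip[r["ip"]].append(r)
    findings = []
    for user, evs in by_user.items():
        n = peak_in_window(evs, len)
        if n >= USER_FAILURE_THRESHOLD:
            findings.append({"pattern": "brute-force", "subject": user, "failures_in_window": n,
                             "sources": sorted({e["ip"] for e in evs})})
    for ip, evs in by_ip.items():
        n = peak_in_window(evs, lambda run: len({e["user"] for e in run}))
        if n >= SPRAY_DISTINCT_USERS:
            findings.append({"pattern": "password-spray", "subject": ip, "distinct_users_in_window": n})
    return findings


if __name__ == "__main__":
    for finding in detect(make_signins()):
        print(finding)
```

The lone typo-then-success from 192.0.2.44 produces nothing, while the spray from 203.0.113.5 is caught even though no account saw more than one failure.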
Conclusion — On Demand Audit from Quest
Given the shortcomings of native tools for Office 365 and Azure reporting, what if you didn't have to fly blind? Quest On Demand Audit Hybrid Suite for Office 365 provides a single, hosted view of user activity across hybrid Microsoft environments. It exposes all changes taking place, whether in on-premises AD, Azure AD or Office 365 workloads such as Exchange Online, SharePoint Online and OneDrive for Business. Instead of combing through partial peeks at audit logs, you can use responsive search on years of data to investigate and report on events from a single window. Integration with Power BI from Microsoft allows you to generate reports through interactive data visualization, as shown in Figure 16.
Figure 16: On Demand Audit
On Demand Audit Hybrid Suite provides granular, delegated access, safely empowering users to get the insights they need without making any configuration changes or setting up additional infrastructure. In just a few clicks, you can give your security and compliance teams, help desk staff, IT managers and even external auditors and partners exactly the reports they need and nothing more. For more information, visit quest.com/on-demand.
WHITEPAPER: Maintaining Business Momentum in the Face of Forced Change
The Active Directory Angle
The challenges with managing accounts in Active Directory (AD) and Azure AD are many and varied. With the frantic pace of today's business world, organizations struggle to keep up with requests to create, change and remove access to their on-premises AD. This scenario becomes even more complicated when you mix in a hybrid AD environment.
Change is a part of business, but rarely does it happen as quickly and with such little warning as with the events of early 2020. In a matter of a few weeks, the world economic landscape changed. Governments introduced and enforced measures to reduce social contact, which in turn led to many organizations being forced to make drastic changes to workforce numbers and practices. Layoffs, furloughs and working from home have become the norm for many as businesses scramble to adapt to restrictions.
The vast majority of organizations rely on AD as the authoritative source of user-account information and the front line of access control. As with situations that require unexpected changes to the makeup of your workforce, your organization may find itself dealing with a huge amount of change in a short amount of time. You may need to off-board large numbers of employees quickly, manage their access status, and then when things improve, you may need to reactivate furloughed workers or bring on lots of new employees. Perhaps they were quickly furloughed without much of a plan. This could leave your AD data in a bit of a mess and the effort required to clean it up may be rather intimidating. A similar situation could apply if your organization grew quickly or made many acquisitions. You've muddled along and managed as your company expanded. But now you're left with manual processes and a portfolio of disparate systems, and management of it all relies on tribal knowledge.
Whatever the root of the situation, it's highly unlikely that your AD is properly managed and secure. Studies show that 90 percent of organizations are at risk of a data breach as a result of failings in their AD administration practices but that 50 percent believe that they are fully secure. However, there are ways that you can be sure that your security matches your confidence. In this white paper, we discuss three different scenarios in which properly tuned AD account lifecycle management can empower organizations to easily handle fast-paced changes, even unprecedented changes.
Preserve business momentum when faced with massive and sudden changes in Active Directory – and quickly return to normal when it's over.
www.oneidentity.com
Automate AD and Azure AD/Office 365 processes to save money and secure your environment
The automated approach
One Identity Active Roles delivers automation for user- and group-account management that overcomes the shortcomings of native AD/AAD tools, so that you can do your job efficiently, accurately and with less manual intervention. Active Roles is designed with a modular architecture, so your organization can easily meet your business requirements today and in the future.
If you are an existing user of Active Roles for AD account lifecycle management, you have no doubt already seen the benefits of deploying Active Roles in your environment, with feature-rich capabilities such as:
• Integration with Azure hybrid AD objects
• Leveraging RBAC capabilities to mitigate risk throughout the lifecycle of the AD account
• Saving money by automating AD and Azure AD/Office 365 processes
However, many in your organization may not be as familiar with the many powerful features of Active Roles. The following use case demonstrates how organizations can benefit from Active Roles' capabilities.
Use Case No. 1 – In the midst of the storm
ACME Inc. is a hypothetical telecommunications company. It employs more than 100,000 people worldwide. Due to an economic downturn, the company was forced to off-board 40 percent of its workforce in order to move forward under a huge debt load. Some of the employees will be laid off permanently; others will be furloughed.
George is an IT director at ACME. He and his team are tasked with ensuring that these 40,000+ employees are off-boarded efficiently and as smoothly as possible, and this must be done while maintaining a secure and productive environment. George is informed that there will be periodic audits by internal corporate security to ensure this work is done in a secure and compliant manner.
Fred is one of ten IT administrators who work for George. He is assigned to manage the deprovisioning process while other admins handle regular daily tasks and requests. Luckily, ACME uses Active Roles. Fred receives two lists: one contains the laid-off employees and the other the furloughed employees. However, the deprovisioning tasks must take place at midnight that evening.
Fred creates two organizational units (OUs), one for each status of impacted employee. He then moves the respective user accounts into each OU.
Note: To move such large object quantities, Fred can either use a simple Active Roles PowerShell cmdlet or the built-in Sync Service. Either method can read from a .csv import file.
Fred then links his existing deprovisioning policy, entitled 'ACME Inc. Deprovisioning', to the 'Terminated Accounts' OU. The 'ACME Inc. Deprovisioning Policy' is an automated policy that performs the following actions:
1. Makes the account ineligible for logon
   • Disables the account
   • Sets the account password to a random value
   • Renames the user account
   • Updates applicable user attributes
2. Removes the account from all security and distribution groups
3. Prevents the user from accessing the mailbox
   • Hides the mailbox from the GAL
   • Grants the user's manager full access to the mailbox
4. Prevents the user from accessing the home folder
   • Removes the user's permissions
   • Grants the user's manager read-only access
   • Deletes the home folder when the user account is deleted
5. Moves the account to the 'To Be Removed' folder
6. Schedules account deletion in 30 days
7. Sends a deprovisioning-related report to George, the IT director
Note that in a hybrid environment, disabling the on-premises account does not end the user's cloud sessions until the change has synchronized to Azure AD and any tokens already issued have expired; revoking the user's Azure AD sessions and refresh tokens is a separate step that belongs in the same policy.
Active Roles' preset workflows accelerate and simplify tasks.
Fred now needs to create a new deprovisioning policy for those who will be furloughed. He copies the existing deprovisioning policy, renames it 'ACME Inc – Furloughed Accounts Policy' and modifies the policy, changing only the option to 'Does not delete user account'. All other options he leaves unchanged. He then applies it to the newly created 'Furloughed Accounts' OU.
Note: For the deprovisioning of the furloughed accounts, there are many ways to achieve the same result. In this case, Fred chooses a simple point-and-click approach using one of Active Roles' automation workflows. With this method, he configures the search criteria and points it to the 'Furloughed Accounts' OU, selects the 'Deprovision' object-management module and schedules the run time to kick off at midnight. Fred can be confident that the workflow will execute the deprovision tasks quickly and securely.
Fred now begins the deprovisioning of the terminated user accounts by simply selecting all the user IDs in the 'Terminated' OU and selecting the 'Deprovision' tab. By implementing such policies via Active Roles, ACME has saved significant time and ensured that all actions occur consistently and without human error.
To manually perform each of the operations described above for 40,000 users would literally take weeks and require multiple levels of help desk and intervention by many IT personnel. By using Active Roles, Fred can complete his tasks in seconds. Without Active Roles, there simply isn't enough time to be security conscious and thorough. This is the ideal recipe for IT staff to take shortcuts, which leads to risk, vulnerabilities and security gaps.
The next morning, George, the IT director, receives a report of deprovisioned users. He can share this with IT and corporate leadership, as well as at the next corporate audit meeting. Active Roles saves significant administrator effort and cuts the time it takes to complete this massive task from weeks to just a few minutes without sacrificing security.
Use Case No. 2 – After the Storm
When ACME Inc., our hypothetical telecommunications company, bounces back from a large economic downturn, it is in a position to bring back its 20,000 furloughed workers. George, the IT director, and his team are tasked with ensuring that these 20,000 employees will be reinstated with the exact same entitlements and permissions they were assigned before the furlough. Audits will be performed to ensure that this happens and that users receive no more and no fewer entitlements than they had pre-furlough.
Fred, the IT administrator, is again tasked by George to do this work. Fred initiates the undo-deprovisioning of these 20,000 employees by selecting an OU, right-clicking to obtain a menu and selecting the undo-deprovisioning option.
Note: If Fred would like to schedule this task, he can use Active Roles' built-in automation workflow. With this method, he configures the search criteria and points it to the 'Furloughed Accounts' OU, then selects the 'Undo Deprovision' object-management module and schedules the run time to kick off at midnight.
Reactivate accounts with the touch of a button to quickly bring back seasonal or furloughed workers.
The built-in Active Roles policy for Undo Deprovisioning has been configured to:
1. Restore the user to original security group memberships, as well as any distribution groups
2. Prompt the user to reset the password (optional but recommended)
3. Restore any attributes that were changed on the user account due to the deprovisioning
4. Restore home folder access
5. Restore mailbox access
By using the Active Roles Undo Deprovisioning feature, Fred can quickly and seamlessly return all entitlements to the furloughed employees. ACME saved many expensive work hours by using this feature. What would have taken approximately 20 minutes per user account to perform manually (multiplied by 20,000), Fred completes in seconds. Furthermore, Fred can complete this with the knowledge that all reinstated accounts, permissions and access are the same as the day they were furloughed.
If this task were performed manually, the potential for error would be enormous. Oversights, such as missing user access or access to the wrong level of resources, can easily happen without automation. So manual processes when dealing with high-volume provisioning tasks can lead to vast amounts of lost productivity, risk and unplanned costs, as well as delays in generating income.
George, the IT director, is confident in Active Roles' ability to restore the entitlements to the respective users. In addition, when he needs to show (for an audit) that original entitlements were restored, he can do so by means of the 'User Entitlements' feature on the account profile.
To simplify approximate ROI calculations, let's assume that ACME Inc. is an example of a corporation with 100,000 user objects, 10 IT administrators, 5 Exchange administrators and
50 help desk personnel. They would stand to save roughly • One Drive provisioning for home folders $5.5 million over three years with Active Roles, than if they • Access to LOB security groups and file folders continued to use native tools. An average annual ROI of 50 percent and a cumulative ROI over three years of 49 percent. • A corresponding account to the SaaS database linked to the on-prem account Use Case No. 3 – Taming the Beast 4. All existing deleted accounts to be deprovisioned in an automated fashion to mitigate risk by removing all What if I don’t have Active Roles? entitlements associated with the identity Pluto Mortgages Inc. is a hypothetical mortgage brokerage 5. All future deprovisioning procedures meet per line-of- firm. Due to economic events, a large number of margin calls business needs was sent across the mortgage banking industry, which forced bankers and brokerage firms to severely downsize staff. Now John quickly gets to work installing One Identity Active that the market has leveled off and the economy has regained Roles. strength there is a need to hire back 5,000 mortgage After following the guide on how to install Active Roles, John specialists spread across different lines of businesses with addresses the mandated items one by one. various entitlements, while ensuring separation of duties. 1. John configures RBAC by means of the built-in the access templates • He creates a Help Desk role, a Level 2 role and a senior administrator role Deploy Active Roles to • These roles are then linked to the appropriate security groups to take effect your enterprise in a few 2. Next, John makes use of the built-in user-creation policies work days, not months and configures them to satisfy the mandates for the automated user-creation processes • He configures the rules to generate properties, such as logon name, display name, alias, etc. • He also configures the Azure policy for the hybrid- Angelo is the IT director at Pluto Mortgages. 
The AD account creation environment consists of 10,000 accounts of which 5,000 • And he configures the SaaS policy and links the One were hastily disabled in a previous action. While none of Identity Starling Connect Oracle Connector to the these accounts are active, many have not been properly appropriate OU deprovisioned and all these disabled accounts still have permissions and entitlements associated with them. It’s messy 3. By using the Group Families feature of Active Roles, John and risky. These accounts were moved to a ‘Terminated automatically creates groups by departments. Once Accounts’ OU. Corporate Security informs Angelo that to completed, he sees the various groups created and all the mitigate risk on these user accounts, they need to be more than appropriate members are automatically added to their just disabled. respective departments. Angelo gets approval to implement Active Roles and assigns 4. John next creates the deprovisioning policy and names it John the IT Administrator to deploy it in the environment. ‘Pluto Inc – Deprovisioning Policy’ the policy includes the following: John is one of five admins on a team that is tasked with deploying Active Roles while ensuring the following is • Makes account ineligible for logon maintained: - Disables the account 1. All IT administrators are managed under role-based - Setting the account password to a random value access control (RBAC) policies - Rename the user account 2. Administration of on-premises and cloud-based accounts must be managed centrally - Update applicable user attributes 3. All new account creation must contain automation of the • Removes account from all security and distribution following: groups • Azure hybrid account creation • Prevents user from accessing mailbox • Unique logon naming convention - Hide mailbox from the GAL • Adherence to complex passwords - Grant the user’s manager full access to the mailbox w w w. o n e i d e n t i t y. c o m
• Prevents user from accessing home folder Conclusion - Remove user’s permissions The above examples, although illustrative and approximate - Grant user’s manager read-only access do represent the challenges of real-life scenarios that many - Delete the home folder when the user account is organizations face today. deleted. As highlighted, Active Roles enables organizations to mitigate • Moves account to specified ‘To Be Removed’ LOB Sub risk and close security gaps by automating tasks, such as OU. provisioning and deprovisioning. Done manually, these tasks would take enormous amounts of time and effort, and they • Deletes account after 30 days. would be prone to delays and mistakes. • Sends Deprovisioning-Related Report to the individual Active Roles enables organizations to save time and money department managers without hiring additional IT personnel, as well as delivers 5. John copies this policy and applies it to the existing stability in a dynamic world economy. ‘Terminated OU’ and kicks off a bulk deprovisioning of all Learn more about how Active Roles can help your organization 5,000 existing disabled users automate AD/AAD processes, regulate admin access with The complete install of Active Roles using all the built-in RBAC roles, overcome native tool limitations and expand AD policies and workflow modules has taken less than one week. control beyond Windows. By using Active Roles, Pluto Mortgages sees a large benefit by mitigating risk and closing security gaps on the existing 5,000 Download your free trial here: disabled users. With Active Roles’ deprovisioning policy, https://www.oneidentity.com/products/active-roles/ John removed permissions, groups, home-folders and other entitlements all with the click of a button. Furthermore, now that Pluto Mortgages is in a position to hire back its workforce of 5,000 employees, it can do so in a much more efficient and expedient manner. 
With the deployment of Active Roles, they have saved time and money as the automation processes within Active Roles doesn’t require more IT workers to manage and run. What generally would take Pluto Mortgages 20 minutes per user account to create, now takes seconds. A saving of 1,600+ work hours (roughly $79,000 USD) 1. 1. The Pluto Mortgages example is based on 10,000 User Objects, 5 IT Administrators, 1 Exchange administrator and 10 helpdesk personnel. It highlights a rough savings of approximately $1.1 million over three years with Active Roles versus continuing to use native AD tools. An average annual ROI of 98 percent and a cumulative ROI over three years of 194 percent. About One Identity One Identity, a Quest Software business, lets organizations implement an identity-centric security strategy, whether on-prem, in the cloud or in a hybrid environment. With our uniquely broad and integrated portfolio of identity management offerings including account management, identity governance and administration and privileged access management, organizations are empowered to reach their full potential where security is achieved by placing identities at the core of the program, enabling proper access across all user types, systems and data. Learn more at OneIdentity.com © 2020 One Identity LLC ALL RIGHTS RESERVED. One Identity, and the One Identity logo are trademarks and registered trademarks of One Identity LLC in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.oneidentity.com/legal. All other trademarks, servicemarks, registered trademarks, and registered servicemarks are the property of their respective owners. Whitepaper_2020_ARS-MaintainingBusinessMomentum_RS_58761 w w w. o n e i d e n t i t y. c o m
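Before moving on to the migration whitepaper, here is an added worked example of what the deprovisioning policy in Use Case 3 and the undo step in Use Case 2 amount to when done with native tools. It is not taken from the whitepaper and is not Active Roles code; it uses only the ActiveDirectory module, icacls and, if present, the Exchange cmdlet Add-MailboxPermission. The OU distinguished names, the state folder path and the presence of the Exchange-extended attribute msExchHideFromAddressLists are assumptions. The point a practitioner should take from it is the snapshot: an undo is only as good as the record of what was removed, and that record is itself an entitlement inventory that must be protected like one.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the whitepaper, not Active Roles code): the Pluto deprovisioning
# policy from Use Case 3 and the undo from Use Case 2 implemented with native cmdlets.
# Assumed values: the OU DNs, the state folder, an Exchange-extended schema
# (msExchHideFromAddressLists) and, when loaded, the Exchange cmdlet Add-MailboxPermission.
$Script:StatePath = 'C:\Deprovision\State'                       # assumed; holds entitlement snapshots, ACL it tightly
$Script:TargetOu  = 'OU=To Be Removed,OU=LOB,DC=pluto,DC=local'  # assumed

function Invoke-Deprovision {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$DeleteAfterDays = 30)

    $u  = Get-ADUser -Identity $SamAccountName -Properties memberOf, manager, description, homeDirectory
    $id = $u.ObjectGUID.ToString()   # rename and move change the DN; the GUID survives both

    # Snapshot everything the policy is about to change, so Undo-Deprovision can put it back.
    $state = [pscustomobject]@{
        ObjectGuid    = $id
        OriginalName  = $u.Name
        OriginalOu    = ($u.DistinguishedName -split '(?<!\\),', 2)[1]   # parent container, escaped commas respected
        Groups        = @($u.memberOf)
        Description   = $u.Description
        HomeDirectory = $u.HomeDirectory
        Manager       = $u.Manager
        DeleteAfter   = (Get-Date).AddDays($DeleteAfterDays).ToString('o')
    }
    New-Item -ItemType Directory -Path $Script:StatePath -Force | Out-Null
    $state | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $Script:StatePath "$id.json")

    # Make the account ineligible for logon: disable it and replace the password with 256 bits of CSPRNG output.
    Disable-ADAccount -Identity $id
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $id -Reset -NewPassword $pw

    # Remove from all security and distribution groups (the primary group is not in memberOf and stays).
    foreach ($g in $u.memberOf) { Remove-ADGroupMember -Identity $g -Members $id -Confirm:$false }

    # Mailbox: hide from the GAL; hand the manager full access when the Exchange cmdlets are available.
    Set-ADUser -Identity $id -Replace @{ msExchHideFromAddressLists = $true }
    if ($u.Manager -and (Get-Command Add-MailboxPermission -ErrorAction SilentlyContinue)) {
        Add-MailboxPermission -Identity $u.UserPrincipalName -User $u.Manager -AccessRights FullAccess -InheritanceType All | Out-Null
    }

    # Home folder: strip the user's own ACEs and give the manager read-only access.
    if ($u.HomeDirectory -and (Test-Path -Path $u.HomeDirectory)) {
        icacls $u.HomeDirectory /remove:g $u.SamAccountName | Out-Null
        if ($u.Manager) {
            $mgr = (Get-ADUser -Identity $u.Manager).SamAccountName
            icacls $u.HomeDirectory /grant "${mgr}:(OI)(CI)R" | Out-Null
        }
    }

    # Update attributes, rename and move, so the state is obvious to anyone browsing the directory.
    Set-ADUser      -Identity $id -Description "Deprovisioned $(Get-Date -Format yyyy-MM-dd); delete after $DeleteAfterDays days"
    Rename-ADObject -Identity $id -NewName "zz_$($u.Name)_deprovisioned"
    Move-ADObject   -Identity $id -TargetPath $Script:TargetOu
    $state   # emitted so a bulk run can pipe it into the report sent to department managers
}

# Scheduled-task companion: delete the account (and, per the policy, the home folder) once the grace period is over.
function Remove-ExpiredDeprovisionedAccount {
    foreach ($f in Get-ChildItem -Path $Script:StatePath -Filter *.json) {
        $s = Get-Content -Path $f.FullName -Raw | ConvertFrom-Json
        if ([datetime]$s.DeleteAfter -gt (Get-Date)) { continue }
        Remove-ADUser -Identity $s.ObjectGuid -Confirm:$false
        if ($s.HomeDirectory -and (Test-Path -Path $s.HomeDirectory)) { Remove-Item -Path $s.HomeDirectory -Recurse -Force }
        Remove-Item -Path $f.FullName
    }
}

# Undo (Use Case 2): restore from the snapshot and require a password reset at next logon.
function Undo-Deprovision {
    param([Parameter(Mandatory)][string]$ObjectGuid)
    $f = Join-Path $Script:StatePath "$ObjectGuid.json"
    $s = Get-Content -Path $f -Raw | ConvertFrom-Json
    Rename-ADObject -Identity $ObjectGuid -NewName $s.OriginalName
    Move-ADObject   -Identity $ObjectGuid -TargetPath $s.OriginalOu
    $clear = @('msExchHideFromAddressLists')
    if ($s.Description) { Set-ADUser -Identity $ObjectGuid -Description $s.Description } else { $clear += 'description' }
    Set-ADUser -Identity $ObjectGuid -Clear $clear -ChangePasswordAtLogon $true
    foreach ($g in $s.Groups) { Add-ADGroupMember -Identity $g -Members $ObjectGuid }
    if ($s.HomeDirectory -and (Test-Path -Path $s.HomeDirectory)) {
        $sam = (Get-ADUser -Identity $ObjectGuid).SamAccountName
        icacls $s.HomeDirectory /grant "${sam}:(OI)(CI)M" | Out-Null
    }
    Enable-ADAccount -Identity $ObjectGuid
    Remove-Item -Path $f
}

# Bulk run over the 'Terminated Accounts' OU (assumed DN), producing the managers' report:
# Get-ADUser -SearchBase 'OU=Terminated Accounts,DC=pluto,DC=local' -Filter * |
#   ForEach-Object { Invoke-Deprovision -SamAccountName $_.SamAccountName } |
#   Select-Object OriginalName, Manager, DeleteAfter | Export-Csv .\deprovisioned.csv -NoTypeInformation
```

Two caveats worth stating. Undo-Deprovision only works while the snapshot and the account both still exist; once Remove-ExpiredDeprovisionedAccount has run, recovery is an AD Recycle Bin or backup restore, which is the territory of the disaster-recovery TechBrief later in this eBook. And the mailbox delegation to the manager is done by AD attribute plus an Exchange cmdlet here; in an Exchange Online tenant the same step is an Exchange Online PowerShell call, not an on-premises attribute change.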
NATIVE AND AFRAID Active Directory migrations are too complex and critical to trust to limited native tools. Get the skills and tools you need to survive.
IS AN AD MIGRATION LOOMING OVER YOU?

AD migrations are common today, and more critical than ever.

Active Directory (AD) migrations are happening everywhere these days. Many are being driven by the hot merger and acquisition (M&A) scene: 76 percent of M&A executives at U.S.-headquartered corporations and 87 percent of M&A leaders at domestic private equity firms are forecasting an increase in the number of M&A deals in 2019, and 70 percent are anticipating the deals to be bigger as well.1 But there are many other drivers in play. Some organizations need to take action as Microsoft solutions approach their end of life, and others are simply eager to take advantage of the new features in more current versions of products or to reap the benefits of the cloud.

1 Deloitte, “The state of the deal: M&A trends 2018,” https://www2.deloitte.com/content/dam/Deloitte/us/Documents/mergers-acqisitions/us-mergers-acquisitions-2018-trends-report.pdf
So, if you’re like most IT pros, you’re likely to be seeing not just one but multiple AD migrations in the not-too-distant future.

THE STAKES ARE HIGH.

You might be dreading the prospect of an AD migration because you know, either from first-hand experience or accounts from colleagues, that they usually involve a lot of complexity and risk. In fact, the statistics are downright alarming:
• 51 percent of IT pros have experienced a failed migration, and 65 percent have experienced a delayed migration.2
• The average cost of a failed migration is over $200K, according to a 2018 Osterman Research study for Quest.
• Some companies say that system downtime and lost productivity due to a failed migration could cost them half a million to a million dollars per hour.

If you think that’s a wildly high estimate, consider how your organization would function if users were unable to log on, access vital services like email, and work with critical data. That’s what happens when an Active Directory migration fails: your business comes to a standstill, and you can face steep fines for missing critical deadlines.

A failed Active Directory migration can stop your business in its tracks.

2 Vision Solutions, “10th Annual State of Resilience Report,” https://www.convergetechmedia.com/challenges-outlined-vision-solutions-10th-annual-state-resilience-report-research/
Start with the right questions.

The first step to dispelling the fear that comes with most AD migrations is to gain knowledge. Dig into your motives and goals by asking these critical questions:

WHY ARE YOU DOING A MIGRATION?

AD migrations are usually large and complex and involve a lot of risk, so it’s not something that you want to enter into lightly. There are plenty of good reasons for doing a migration, including those mentioned earlier: a merger or acquisition, the need to move away from a deprecated version of a product, or the need to gain the functionality and other benefits of a particular platform, such as the Microsoft cloud. But there are also some bad reasons. For example, if you simply have multiple business units that don’t want each other’s admins to have access to their data, an AD migration isn’t really necessary; you can address the need far more easily by modifying your administration model (delegating control over separate OUs rather than standing up separate forests). So, it’s wise to really explore your goals, document them thoroughly, and then carefully consider whether an Active Directory migration is the best approach to achieving them.

WHAT DOES YOUR TARGET END STATE LOOK LIKE?

Once you’ve established that an AD migration is actually needed, take time to lay out exactly what your new environment should look like on day one. AD migrations are often a golden opportunity to clean up your environment and make improvements, such as changes that enhance security or simplify administration. For example, are there users and data that should be cleaned up? Are there systems or services you have that you won’t need? Are there any that you need but don’t have?
In particular, be sure to think about the following: • Authorization and authentication — There are a lot of tools available to strengthen and streamline the authorization and authentication experience, including single sign-on (SSO) and multifactor authentication (MFA) technologies. Be sure to explore the options available and document your requirements. • Network services — To perform an AD migration, you’ll need to set up communication between the source and destination directories. In addition, the new environment needs its own set of network services, including DNS and DHCP. Be sure you have all of that in place and ready to go before you start any migration jobs. • Applications — What applications do you have? Which ones need to be migrated? Are there newer versions that are worth considering? Be sure to also document who needs which applications, as well as which applications need which data, so you can ensure continued productivity in the target environment. Custom applications will likely require special attention. • Cloud services — Be sure to inventory the cloud services you’re already using and work with your users to develop a coherent strategy that enables them to get the functionality they need without sacrificing the IT oversight necessary to ensure security, business continuity and other broader requirements. WHAT’S YOUR TIMELINE? Mergers and acquisitions often come with a deadline imposed by management, often without involvement from the IT team. In those cases, it’s especially critical to assess what can and cannot be completed in the time available and get explicit agreement on the scope of the migration. 
Often, M&A IT integrations have two phases: the initial goal is to achieve a basic IT integration that enables effective communication within the organization and the appearance of a united front to the outside world; the second phase involves more of the heavy lifting and cleanup of any workarounds and shortcuts that were necessary to meet the initial legal deadline.
Also be sure to get clarification about the consequences of failure to meet the established timeline. The prospect of steep fines or a failed deal can inform decisions about investing in tools or services to speed the migration and reduce the risk of failure.

CAN YOU JUST CUT OVER OR DO YOU NEED COEXISTENCE?

Sometimes, a small AD migration can be completed quickly, such as over a weekend, and any associated downtime is acceptable to the business. But it’s far more common for AD migrations to take weeks or months, and users need to be able to continue to collaborate and access resources regardless of what has been migrated and what has not. In those situations, you need to establish coexistence between the source AD and the target AD, ensuring that changes in one are synced to the other, whether it’s the addition or deletion of a user account, an updated password, or a modification to group membership. Truly seamless coexistence throughout the migration is vital to making the process painless for users and a success in the eyes of management.

PUTTING IT ALL TOGETHER

Once you’ve answered all these questions, be sure to document your migration plan and get sign-off from all stakeholders. Make sure everybody involved understands what the process is, what the timelines are, and who has which roles and responsibilities. Set milestones and be sure you have a way to review and report on the progress of the migration. With a clear roadmap to help you navigate, the migration will no longer feel so much like an unknown wilderness.

It’s unlikely that everything will go exactly to plan; there will be changes to requirements and unexpected bumps along the way. You’ll likely need to periodically re-evaluate your timeline and success criteria.
Be sure to document those changes as well and get buy-in from your stakeholders so there are no surprises or lack of clarity about when the migration is complete.
If you have only native tools to help, you’re right to be afraid.

If these questions make AD migration seem like a big job, that’s because it is. And if you have only native tools at hand, you have every reason to be apprehensive about the whole project. While the Microsoft Active Directory Migration Tool (ADMT) is free of charge, it’s sufficient only if you’re migrating a limited number of users and a small amount of data; its manual processes and error-prone scripts simply cannot scale to meet the needs of larger migration projects.

Why? Well, for an AD migration to be successful, it’s not enough to simply move users and their data from point A to point B. You also have to ensure that everyone can stay productive throughout the project, check your progress and regularly provide reports to management, be able to roll back failed or otherwise problematic migration jobs, maintain security, ensure that the target environment is uncluttered and easy to manage, and more. In short, an AD migration is a complex undertaking with many moving parts, and ADMT has limited or no functionality in many of these areas. For example:
• Trusts are required for inter-forest migrations.
• Scaling the architecture requires deploying additional instances, which means sacrificing centralized control of the migration.
• You can’t easily exclude disabled, expired or system accounts from migration, or modify most object properties before the migration (for example, according to your HR database or particular rules).
• Certain objects, including printers and contacts, have to be migrated manually. OUs cannot be migrated at all.
• Keeping the source and target directories in sync throughout the migration requires daily manual effort, which means not just extra IT workload but increased risk of errors that could keep business users from being able to do their jobs.
• Undo capabilities are limited, so if something goes wrong with a migration job (and something WILL go wrong at some point), you may have to really scramble to get things working again.
• The SID history attribute of objects is not automatically cleaned up after migration, as required for security.
• Support is limited to a web-based forum.

As a result of these and other drawbacks, using ADMT makes an AD migration a difficult and risky proposition. Here are some unvarnished descriptions of ADMT from IT pros who have tried it:

“Horrible, it’s the reason I sought out a third party tool in the first place.” – Engineer, AdvanceMed - CSC (TechValidate, TVID 041-D69-F12)

“ADMT is painful.” – IT Project Manager, Medium Enterprise Energy & Utilities Company (TechValidate, TVID 713-1F4-43F)

“ADMT has no good rollback, much customizing scripts.” – IT Architect, Medium Enterprise Computer Services Company (TechValidate, TVID: 81F-6C9-34D)

“Limitations and not as easy to manage.” – IT Director, Adient US (TechValidate, TVID: 757-8B2-116)

“Not fun!” – Enterprise Architect, State & Local Government (TechValidate, TVID: CCC-8EA-E5A)

“ADMT is very inflexible.” – IT Director, Large Enterprise Electronics Company (TechValidate, TVID: CE3-6F5-572)
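Two of the ADMT gaps listed above, the inability to filter out disabled, expired and system accounts, and the lack of sIDHistory cleanup, are the ones with direct security consequences: the first carries dead and privileged accounts into the new forest, the second leaves a standing path back to the old one. The following is an added example of how a practitioner closes both with the ActiveDirectory module alone; it is not from the whitepaper and not part of ADMT or any One Identity product. Domain controller names, search bases, the share path and the 90-day staleness window are assumed values.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the whitepaper, not ADMT or Migration Manager code).
# Part 1 builds the migration candidate list while excluding disabled, expired, stale
# and system/service accounts. Part 2 finds objects in the target that still carry
# sIDHistory and strips it, but only after checking that no ACE still depends on it.
# DC names, search bases, resource paths and the staleness window are assumed.

function Get-MigrationCandidate {
    param(
        [string]$Server     = 'dc1.source.example',   # assumed source DC
        [string]$SearchBase = 'DC=source,DC=example', # assumed
        [int]   $StaleDays  = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Filter server-side for what LDAP can express (enabled), then refine client-side.
    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties AccountExpirationDate, LastLogonDate, whenCreated, servicePrincipalName, adminCount |
      Where-Object {
        $rid = [int](($_.SID.Value -split '-')[-1])
        -not ($_.AccountExpirationDate -and $_.AccountExpirationDate -lt (Get-Date)) -and   # expired
        $rid -ge 1000 -and -not $_.servicePrincipalName -and                                # built-in RIDs, SPN-bearing service accounts
        (($_.LastLogonDate -and $_.LastLogonDate -ge $cutoff) -or $_.whenCreated -ge $cutoff) # stale, unless newer than the window
      } |
      Select-Object SamAccountName, UserPrincipalName, DistinguishedName, LastLogonDate,
                    @{ n = 'Privileged'; e = { $_.adminCount -eq 1 } }   # flagged for separate review, not silently migrated
}

function Get-SidHistoryCarrier {
    param([string]$Server = 'dc1.target.example', [string]$SearchBase = 'DC=target,DC=example')   # assumed
    # Users and groups both carry sIDHistory after an ADMT migration, so query objects, not just users.
    Get-ADObject -Server $Server -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
      Select-Object Name, ObjectClass, DistinguishedName, @{ n = 'SidHistory'; e = { @($_.sIDHistory) -join ';' } }
}

function Test-SidReferenced {
    # $true if any ACE under $Path still names one of the old SIDs. Rules are requested as raw SIDs so
    # unresolvable (orphaned) entries are compared too; clearing sIDHistory while these exist cuts access silently.
    param([string[]]$Sid, [string]$Path)
    $hits = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object { (Get-Acl -Path $_.FullName).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) } |
      Where-Object { $Sid -contains $_.IdentityReference.Value }
    [bool]$hits
}

function Clear-SidHistory {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Carrier,   # output of Get-SidHistoryCarrier
        [string]$Server = 'dc1.target.example',              # assumed
        [string[]]$ResourcePath = @(),                       # shares and folders that must be re-ACLed first
        [switch]$WhatIf
    )
    process {
        $old = $Carrier.SidHistory -split ';'
        foreach ($p in $ResourcePath) {
            if (Test-SidReferenced -Sid $old -Path $p) {
                Write-Warning "$($Carrier.Name): an old SID is still referenced under $p; re-ACL before clearing"
                return
            }
        }
        Set-ADObject -Server $Server -Identity $Carrier.DistinguishedName -Clear sIDHistory -WhatIf:$WhatIf
    }
}

# Usage (assumed paths):
# Get-MigrationCandidate | Export-Csv .\migration-candidates.csv -NoTypeInformation
# Get-SidHistoryCarrier | Clear-SidHistory -ResourcePath '\\fs1\shares' -WhatIf
```

Run Clear-SidHistory with -WhatIf first and keep the Get-SidHistoryCarrier output as the audit record: once sIDHistory is gone, any resource you forgot to re-ACL fails closed, which is the safe direction but still an outage. The Test-SidReferenced walk is a file-system check only; SQL logins, SharePoint and application ACLs that reference the old SIDs need their own inventory before cleanup.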
A better approach

What if you could:
• Better predict the cost and timeline of your AD migration — With native tools, it’s hard to commit to a timeline and a budget for a migration. But what if you could be confident that you could deliver what you promise on time, and there will be no surprises when it comes to costs?
• Make the migration a non-event for users — If users can’t access the resources they need to do their jobs, schedule or reschedule meetings, or view an accurate directory, productivity will suffer and the help desk will be deluged with calls. With native tools, you have practically zero chance of getting through a migration without these kinds of disruptions. But what if you could make the migration virtually invisible to users, except for a new domain name they might not even notice on the logon screen and the new services they will be delighted to discover?
• Be prepared for not just today’s migration, but any Microsoft migration that comes your way in the future — Every migration is different, but that doesn’t mean you have to start from scratch every time. What if you had a reusable framework, a familiar set of tools, and an experienced support team that you knew and trusted?

What if you could plan and deliver a seamless AD migration — and have the skills and tools to survive future migrations as well?