Introducing Azure Active Directory (Azure AD) Recommendations

Introduction

Customers want their Azure Active Directory (Azure AD) tenant to be in a secure and healthy state. However, keeping track of all the changes across the various components can become overwhelming; this is where Azure Active Directory Recommendations come into play.

The Azure AD recommendations feature provides you with personalized insights and actionable guidance to align your tenant with recommended best practices, which strengthens the security posture of your Azure AD tenant and improves user productivity. It also helps ensure that your most sensitive resources have the tightest controls, while your least sensitive resources can be more freely accessible. Additionally, it reduces IT operating and development costs by providing higher operating efficiency and transparency, which leads to improved user satisfaction and better support from the business for further investment.

The Azure Active Directory Recommendations feature is currently in preview, which means you must explicitly enable it in the Azure portal.

What is Azure Active Directory?

Azure Active Directory (Azure AD) is a cloud-based identity and access management service. It allows your employees to sign in and access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure AD also helps them access internal resources.

To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory.

There are multiple editions of Azure AD with differing levels of service offerings:

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
  • Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
  • Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection, to help provide risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management, to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
  • “Pay as you go” feature licenses. You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps.

Azure Active Directory Recommendations (Preview)

Azure AD recommendations help you keep your Azure Active Directory tenant in a secure and healthy state, providing you with insights and actionable guidance to:

  • Identify opportunities to implement best practices for Azure AD-related features.
  • Improve the state of your Azure AD tenant.


Azure Advisor

Azure Advisor is a Microsoft Azure service that provides recommendations based on the configuration of your deployed Azure services. By analyzing data from various telemetry sources, it helps you optimize your Azure configuration using the five pillars of the Microsoft Azure Well-Architected Framework as a baseline. By applying Azure Advisor’s recommendations, you can enhance and refine the cost, security, reliability, operational excellence, and performance of your Azure services.

Daily, Azure AD analyzes the configuration of your tenant. During an analysis, Azure AD compares the data of the known recommendations with the actual configuration. If a recommendation is flagged as applicable to your tenant, the recommendation status and its corresponding resources are marked as active.

In the recommendations or resource list, you can use the Status information to determine your action item.

Prerequisites

Azure AD recommendations do not require any specific subscription or license.

To manage your Azure AD recommendations, you need one of the following roles:

  • Global admin
  • Security admin
  • Security operator
  • Cloud app admin
  • App admin

To view Azure AD recommendations, a user needs one of the following roles:

  • Global reader
  • Security reader
  • Reports reader

Recommendations from Azure AD

Azure AD can provide you with the following recommendations:

  • Convert from per-user MFA to Conditional Access MFA.
  • Migrate users who use SMS or voice call for MFA to the Microsoft Authenticator app.
  • Integrate third-party apps with Azure AD:
    • Single sign-on to access all your apps with a single password.
    • One unified method to manage access to your third-party apps.

Note: On the recommendations page, you might not see all available recommendations because Azure AD only displays the recommendations that apply to your tenant depending on your current configuration.

Enable Azure AD recommendations

To enable your Azure AD recommendations:

  1. Navigate to the Preview features.
  2. Set the State to On.

Manage recommendations

To manage your Azure AD recommendations:

  1. Navigate to the Azure AD overview.
  2. On the Azure AD overview page, in the toolbar, click Recommendations (Preview).

Actions that can be taken

As an administrator, you can apply the following actions to Azure AD recommendations in your Azure AD tenant:

  • Dismiss: use this if you have a reason for not applying the recommendation to your Azure services.
  • Mark complete: use this state to indicate that you have applied the recommended action to your Azure resource.
  • Postpone: use this to defer the action and address it in the future.
  • Reactivate: use this to make a recommendation active again if you accidentally dismissed, completed, or postponed it.

Known Issues and Limitations

  1. Users with read-only roles (global reader, security reader, reports reader) can update the status of a recommendation. This is a known issue that will be fixed.
  2. The only action recorded in the audit log is completing a recommendation.
  3. Audit logs do not capture actions taken by reader roles.
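
The daily analysis described above leaves each recommendation with a status you can triage, and the known issues mean that dismissing, postponing, or reactivating a recommendation never shows up in the audit log. The script below is an added example, not code from the original post or from Microsoft: it triages a recommendation list by status and priority, and then diffs two snapshots taken a day apart to surface the status changes the audit log will not record. The record shape (id, displayName, status, priority) and the status values are assumptions modelled on what the portal exposes; the two snapshots are constructed sample data, not real tenant output.

```python
"""Triage Azure AD recommendations and spot status changes the audit log will not show.

Added example, not code from the original post. Record shape and status values are
assumptions; the snapshots below are constructed for illustration.
"""
from __future__ import annotations

from typing import Iterable

# Assumed status values (the post only names the portal actions:
# Dismiss, Mark complete, Postpone, Reactivate).
ACTIVE = "active"
COMPLETED_BY_USER = "completedByUser"
DISMISSED = "dismissed"
POSTPONED = "postponed"

# Per the post's known issues, completing a recommendation is the only action
# that lands in the audit log; dismiss, postpone and reactivate do not.
AUDITED_TARGET_STATUSES = {COMPLETED_BY_USER}

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed snapshot from "yesterday" (not real tenant data).
SNAPSHOT_BEFORE = [
    {"id": "rec-001", "displayName": "Convert from per-user MFA to Conditional Access MFA",
     "status": ACTIVE, "priority": "high"},
    {"id": "rec-002", "displayName": "Migrate SMS/voice MFA users to Microsoft Authenticator",
     "status": ACTIVE, "priority": "medium"},
    {"id": "rec-003", "displayName": "Integrate third-party apps with Azure AD",
     "status": POSTPONED, "priority": "low"},
]

# Constructed snapshot from "today": rec-001 was completed (audited), rec-002 was
# dismissed (not audited), rec-003 was reactivated (not audited).
SNAPSHOT_AFTER = [
    {"id": "rec-001", "displayName": "Convert from per-user MFA to Conditional Access MFA",
     "status": COMPLETED_BY_USER, "priority": "high"},
    {"id": "rec-002", "displayName": "Migrate SMS/voice MFA users to Microsoft Authenticator",
     "status": DISMISSED, "priority": "medium"},
    {"id": "rec-003", "displayName": "Integrate third-party apps with Azure AD",
     "status": ACTIVE, "priority": "low"},
]


def action_items(recs: Iterable[dict]) -> list[str]:
    """Return display names of active recommendations, highest priority first."""
    active = [r for r in recs if r["status"] == ACTIVE]
    active.sort(key=lambda r: PRIORITY_ORDER.get(r["priority"], 99))
    return [r["displayName"] for r in active]


def status_transitions(before: Iterable[dict], after: Iterable[dict]) -> list[tuple[str, str, str]]:
    """List (id, old_status, new_status) for every recommendation whose status changed."""
    old = {r["id"]: r["status"] for r in before}
    changes = []
    for r in after:
        prev = old.get(r["id"])
        if prev is not None and prev != r["status"]:
            changes.append((r["id"], prev, r["status"]))
    return changes


def unaudited_transitions(before: Iterable[dict], after: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Transitions the audit log will not record, so a snapshot diff is the only place
    a defender will see a recommendation being dismissed, postponed or reactivated."""
    return [t for t in status_transitions(before, after) if t[2] not in AUDITED_TARGET_STATUSES]


if __name__ == "__main__":
    for name in action_items(SNAPSHOT_AFTER):
        print("ACTIVE:", name)
    for rec_id, old_status, new_status in unaudited_transitions(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"NOT IN AUDIT LOG: {rec_id} {old_status} -> {new_status}")
```

Run it daily against an exported recommendation list and keep the previous day's export; anything reported as NOT IN AUDIT LOG is a status change made by an administrator (or, given known issue 1, by a reader role) that you would otherwise have no record of.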
Mahmoud Atallah

Mahmoud Atallah is a Senior Cloud Solutions Architect for Bespin Global MEA. With over 10 years of experience spanning Microsoft Solutions, Azure, DevOps, Cloud Security, Infrastructure as Code, Modern Workspace, and AVD, he was recently awarded Microsoft Most Valuable Professional (MVP). Atallah helps customers build successful Azure practices and leads transformation and digital journeys to the Azure cloud. He enjoys sharing his knowledge around topics like Modern Workspace, Endpoint Management, Azure WVD, Office 365, EMS, and Intune, amongst others.