Add user

​

Event Information

• The “Add user” event in Azure Active Directory refers to the action of creating a new user account within the Azure AD tenant.
• This event signifies the addition of a new user to the Azure AD directory, allowing them to authenticate and access resources within the Azure environment.
• The “Add user” event is typically triggered when an administrator or user with appropriate permissions creates a new user account using the Azure AD management portal, PowerShell, or through API calls.

​

Examples

1. Weak or compromised user credentials: When adding a user in Azure Active Directory, it is important to ensure that strong and unique passwords are set for each user. If weak passwords are used or if user credentials are compromised, it can lead to unauthorized access to resources and potential security breaches.

2. Incorrect user permissions: When adding a user in Azure Active Directory, it is crucial to assign appropriate permissions based on the principle of least privilege. If users are granted excessive permissions or if they are given access to sensitive resources without proper justification, it can increase the risk of unauthorized access and potential data breaches.

3. Lack of multi-factor authentication (MFA): Enabling multi-factor authentication for user accounts in Azure Active Directory adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their password. If MFA is not enabled for user accounts, it increases the risk of unauthorized access in case of password compromise or phishing attacks.

​

Remediation

​

Using Console

To remediate the issue for Azure Active Directory using the Azure console, you can follow these step-by-step instructions:

1. Enable Multi-Factor Authentication (MFA):

   • Sign in to the Azure portal (portal.azure.com) using your administrator account.
   • Navigate to the Azure Active Directory service.
   • Select “Security” from the left-hand menu.
   • Under “Manage,” click on “MFA” to access the Multi-Factor Authentication settings.
   • Enable MFA for all users or specific users/groups as per your organization’s requirements.
   • Configure the MFA settings, such as the verification method (phone call, text message, mobile app), and the number of days before users are prompted to re-verify.

2. Implement Conditional Access Policies:

   • In the Azure portal, go to the Azure Active Directory service.
   • Select “Security” from the left-hand menu.
   • Under “Manage,” click on “Conditional Access” to access the Conditional Access policies.
   • Create a new policy or modify an existing one to enforce additional security controls based on your organization’s requirements.
   • Configure conditions such as user/group, location, device state, and client app.
   • Define access controls like requiring MFA, blocking access, or granting access only from trusted locations.

3. Monitor and Respond to Security Alerts:

   • In the Azure portal, navigate to the Azure Active Directory service.
   • Select “Security” from the left-hand menu.
   • Under “Manage,” click on “Security alerts” to access the security alerts dashboard.
   • Review the alerts and investigate any suspicious activities or potential security threats.
   • Take appropriate actions based on the severity of the alerts, such as blocking users, resetting passwords, or escalating to the incident response team.

Note: The above steps are general guidelines, and you should tailor them to your specific requirements and compliance standards. It is recommended to consult Azure documentation and best practices for detailed instructions and additional security measures.

​

Using CLI

To remediate Azure Active Directory issues using Azure CLI, you can follow these steps:

1. Enable MFA for Azure AD users:

   • Use the az ad user update command to update the user’s MFA settings.
   • Example: az ad user update --id <user-id> --force-change-password-next-login true

2. Configure password policies:

   • Use the az ad policy password update command to update the password policy settings.
   • Example: az ad policy password update --id <policy-id> --password-lifetime 90 --password-history-count 5

3. Enable Azure AD Privileged Identity Management (PIM):

   • Use the az ad pim update command to enable PIM for a specific role.
   • Example: az ad pim update --id <role-id> --enabled true

Please note that the <user-id>, <policy-id>, and <role-id> placeholders should be replaced with the actual IDs or names of the users, policies, or roles you want to modify.

​

Using Python

To remediate Azure Active Directory issues using Python, you can utilize the Azure SDK for Python. Here are three examples of how you can use Python to remediate Azure Active Directory issues:

1. Reset User Password:

   • Use the azure-identity library to authenticate with Azure Active Directory.
   • Use the azure-mgmt-graphrbac library to interact with the Azure AD Graph API.
   • Use the UserOperations class to reset the password for a specific user.
   • Here’s an example script:

   from azure.identity import DefaultAzureCredential
   from azure.mgmt.graphrbac import GraphRbacManagementClient
   
   # Authenticate with Azure Active Directory
   credential = DefaultAzureCredential()
   graph_client = GraphRbacManagementClient(credential, "<your-tenant-id>")
   
   # Reset user password
   user_object_id = "<user-object-id>"
   password = "<new-password>"
   graph_client.users.update(user_object_id, password_profile={"password": password})
   

2. Enable Multi-Factor Authentication (MFA) for a User:

   • Use the azure-identity library to authenticate with Azure Active Directory.
   • Use the azure-mgmt-graphrbac library to interact with the Azure AD Graph API.
   • Use the UserOperations class to enable MFA for a specific user.
   • Here’s an example script:

   from azure.identity import DefaultAzureCredential
   from azure.mgmt.graphrbac import GraphRbacManagementClient
   
   # Authenticate with Azure Active Directory
   credential = DefaultAzureCredential()
   graph_client = GraphRbacManagementClient(credential, "<your-tenant-id>")
   
   # Enable MFA for a user
   user_object_id = "<user-object-id>"
   user = graph_client.users.get(user_object_id)
   user.additional_properties["strongAuthenticationMethods"] = [{"type": "microsoftAuthenticator"}]
   graph_client.users.update(user_object_id, user)
   

3. Add User to a Group:

   • Use the azure-identity library to authenticate with Azure Active Directory.
   • Use the azure-mgmt-graphrbac library to interact with the Azure AD Graph API.
   • Use the GroupOperations class to add a user to a specific group.
   • Here’s an example script:

   from azure.identity import DefaultAzureCredential
   from azure.mgmt.graphrbac import GraphRbacManagementClient
   
   # Authenticate with Azure Active Directory
   credential = DefaultAzureCredential()
   graph_client = GraphRbacManagementClient(credential, "<your-tenant-id>")
   
   # Add user to a group
   user_object_id = "<user-object-id>"
   group_object_id = "<group-object-id>"
   graph_client.groups.add_member(group_object_id, user_object_id)
   

Please note that you need to install the required libraries (azure-identity and azure-mgmt-graphrbac) before running these scripts.