Posted in Azure Active Directory, Microsoft Azure

Microsoft Azure – How to enable Azure AD Multifactor Authentication using Azure Portal

In this article, we will learn how to enable Azure AD Multi-Factor Authentication (MFA) for a user via the Azure Portal.

In the previous article we learnt how to set up Azure AD and create a user and a group, so we will continue to use that user and group here.

https://kapilsqlgeek.wordpress.com/2019/03/21/microsoft-azure-how-to-create-the-azure-active-directory-ad-using-azure-portal/

So, what is multi-factor authentication?

A user ID and password alone are no longer secure enough, no matter how long the password is or how many letters, numbers and symbols it contains. Once the password is phished, leaked or guessed, whoever holds it can sign in as you and read your data.

Multi-factor authentication (MFA) means proving your identity with something in addition to the password.

The second factor is usually something the user has, such as a phone, an authenticator app or a hardware token. With the phone option a text message or call goes to the registered number and the one-time code it carries is required to complete authentication; with the app the user approves a notification or types the code the app generates. Azure AD MFA does not offer e-mail as a second factor; its verification options are phone call, text message, mobile-app notification, and a verification code from the mobile app or a hardware OATH token. Either way, a stolen password alone is no longer enough to sign in.

Azure AD Multi-Factor Authentication is included in Azure AD Premium P1 and P2. Without a Premium licence it is available as a separately billed add-on. The per-user MFA switch shown in this post is the legacy way to require MFA; tenants with Premium P1 can instead require it through a Conditional Access policy, which Microsoft recommends over per-user MFA because it applies to users and applications by condition rather than by an individual flag on each account.

So, let’s see the demo of how we can enable MFA.

  1. Sign in to the Azure Portal and open Azure Active Directory.
  2. Click the 'Users' tab. The list of all users appears.
  3. Click 'Multi-Factor Authentication' at the top of the list. This opens the legacy per-user MFA portal in a new tab or window.
  4. A new window opens for multi-factor authentication.
  5. At the top there are two sections, 'users' and 'service settings'. The 'users' section opens by default.
  6. Click 'service settings' to review the verification options (phone call, text message, mobile-app notification, verification code from a mobile app or hardware token) and adjust them as needed. This page also controls whether users may create app passwords for legacy, non-browser clients; app passwords bypass the second factor for those clients, so leave that option off unless you have such clients.
  7. Back in the 'users' section, select the user for whom MFA should be enabled and click 'Enable'.
  8. A confirmation pop-up appears. Click 'enable multi-factor authentication'.
  9. Close the pop-up. The user's 'Multi-Factor Auth Status' now shows 'Enabled'.
  10. Now sign in to the Azure Portal as this user.
  11. After entering the user name and password, a 'More information required' screen for MFA appears. Click 'Next'.
  12. Select the verification method. I chose 'Authentication phone' as the default option. Select your country, enter your phone number and click 'Next'.
  13. Enter the verification code received on the phone and click 'Verify'.
  14. Click 'Done'.
  15. From the next sign-in onward, this user must supply the second factor in addition to the password. Once registration is complete the user's status in the MFA portal changes from 'Enabled' to 'Enforced'.

 

So, this way you can enable multi-factor authentication for a user in Azure AD.
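The same change can be made for a whole group at once, and verified afterwards, from PowerShell. The script below is an added example, not code from the original post: it uses the MSOnline module, which is the module that exposes the legacy per-user MFA setting this post toggles (MSOnline has since been deprecated in favour of Microsoft Graph PowerShell, and tenants with Azure AD Premium P1 should prefer a Conditional Access policy over per-user MFA). The group name 'IT' is an assumption taken from the previous article; the role requirement and cmdlet behaviour are as documented for MSOnline.

```powershell
# Added example (not from the original post): enable legacy per-user MFA for every
# member of a group, then report who still has to register a method. Requires the
# MSOnline module (Install-Module MSOnline) and an account holding the Global
# Administrator or Authentication Administrator role. The group name is an assumption.
Import-Module MSOnline
Connect-MsolService            # interactive sign-in to the tenant

$groupName = 'IT'              # group from the previous article (assumption)

$group = Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) { throw "Group '$groupName' not found" }

# Direct user members only; nested groups come back with GroupMemberType 'Group'.
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
           Where-Object { $_.GroupMemberType -eq 'User' }

# This is the object the portal's 'Enable' button writes: State=Enabled and
# RelyingParty='*' (the requirement applies to every application).
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State        = 'Enabled'

foreach ($member in $members) {
    $user  = Get-MsolUser -ObjectId $member.ObjectId
    $state = $user.StrongAuthenticationRequirements.State   # $null when Disabled
    if ($state -in 'Enabled', 'Enforced') {
        Write-Host "$($user.UserPrincipalName): already $state"
        continue
    }
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                 -StrongAuthenticationRequirements @($requirement)
    Write-Host "$($user.UserPrincipalName): Disabled -> Enabled"
}

# 'Enabled' only means the user is prompted to register at next sign-in; the
# state becomes 'Enforced' once registration completes. Until then the account
# is still protected by the password alone, so follow up on these users.
function Get-MfaPendingUsers {
    param([Parameter(Mandatory)] $Members)
    $Members | ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
        Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 -and
                       $_.StrongAuthenticationMethods.Count -eq 0 } |
        Select-Object UserPrincipalName,
                      @{ n = 'MfaState'; e = { $_.StrongAuthenticationRequirements.State } }
}
Get-MfaPendingUsers -Members $members | Format-Table -AutoSize
```

The important output is the final table: a user listed there has the requirement set but no registered method, so nothing stronger than the password protects that account until the next interactive sign-in forces registration. To undo the change for a user, pass an empty array to -StrongAuthenticationRequirements.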

Posted in Azure Active Directory, Development, Microsoft Azure

Microsoft Azure – How to create the Azure Active Directory (AD) using Azure Portal

Microsoft Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Its capabilities include multi-factor authentication, self-service password reset, role-based access control, security monitoring and alerting. Every Azure subscription trusts exactly one Azure AD directory: the directory created when you sign up for Azure is associated with your subscription automatically, whereas an additional directory you create later has no subscription attached until you associate one.

Azure AD gives users single sign-on (SSO) access to applications such as Office 365, Dropbox and Salesforce, and improves application security with multi-factor authentication and conditional access.

Azure AD can also be integrated with on-premises Windows Server Active Directory using Azure AD Connect, so organizations keep managing identities in their existing on-premises directory while controlling access to cloud applications.

Azure AD comes in a Free edition and the paid editions Basic, Premium P1 and Premium P2. The paid editions build on the Free edition and add richer security features such as security monitoring and reporting, self-service password management, and (in P2) Privileged Identity Management and Identity Protection.

Now, let’s jump on the demo part and learn how to create the active directory.

  1. Sign in to the Azure Portal (if you don't have an Azure account, you can sign up for a free trial).
  2. From the left pane select 'Azure Active Directory', or type it in the search box at the top of the dashboard, then choose 'Create a directory'.
  3. In the Create directory form, fill in the organization name, the initial domain name and the country or region. The initial domain name (<name>.onmicrosoft.com) must be globally unique; the portal shows an error if another tenant already uses it.
  4. Click the 'Create' button to create the directory.
  5. After the directory is created, the new directory opens in the portal.
  6. The next step is to create a group in the directory and add a user to it.
  7. Click the 'Groups' tab to create a new group.
  8. Click 'New Group'.
  9. Enter the group name 'IT' (keep the default group type, Security).
  10. Click the 'Create' button.
  11. The new group appears in the Groups list.
  12. Click the 'Users' tab to create a new user.
  13. Click 'Create new user'.
  14. Fill in the Name, User name, Profile, Groups and Directory role fields.
  15. Enter the name 'adkktest'.
  16. Enter the user name the user will sign in to Azure AD with. It must use a domain that belongs to the directory, such as the initial domain chosen when the directory was created. E.g. addkktest@adkktest1.onmicrosoft.com

A custom domain (for example your company's) can be used instead, but it must first be added to the directory and verified by publishing the DNS record Azure AD gives you.

  17. Fill in the Profile section (first name, last name, job title, department).
  18. Under Groups, select the group you created earlier. E.g. IT
  19. Select the Directory role. Leave it at 'User' unless this account genuinely needs administrative rights; administrative roles should be granted sparingly and preferably to dedicated admin accounts.
  20. Click 'Show Password' and note down the initial password. It is temporary: the user is forced to change it at first sign-in. Hand it to the user out of band rather than e-mailing it.
  21. Click 'Create'.
  22. The new user is created and is already a member of the group.

So, this is how we can create a new directory, then create a group and assign a user to it.
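The group and user steps above can also be scripted with the AzureAD PowerShell module. This is an added example, not code from the original post; it assumes the module is installed (Install-Module AzureAD), that you are signed in with at least the User Administrator role, and it reuses the 'IT' group, the user 'adkktest' and the initial domain from the post (adapt $tenantDomain to your own directory). The AzureAD module has since been deprecated in favour of Microsoft Graph PowerShell, but the cmdlets below illustrate the same three objects the portal creates.

```powershell
# Added example (not from the original post): create the 'IT' group and the test
# user from this post with the AzureAD module instead of clicking through the portal.
# Requires Install-Module AzureAD and a User Administrator (or higher) account.
# Tenant domain, group and user names are assumptions to adapt.
Import-Module AzureAD
Connect-AzureAD                 # interactive sign-in

$tenantDomain = 'adkktest1.onmicrosoft.com'   # initial domain from the post (assumption)
$groupName    = 'IT'
$userName     = 'adkktest'

function New-TemporaryPassword {
    param([int]$Length = 20)
    # Cryptographically random initial password; regenerate until it contains at
    # least three of the four character classes Azure AD's password policy requires.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        $classes = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') |
                   Where-Object { $pw -cmatch $_ } | Measure-Object
    } while ($classes.Count -lt 3)
    return $pw
}

# 1. Security group (mail-disabled, the portal's default 'Security' group type).
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -MailNickName $groupName `
                              -MailEnabled $false -SecurityEnabled $true
}

# 2. User with a one-time password that must be changed at first sign-in
#    (the portal's 'Show Password' step, without a human reading it off the screen).
$pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwProfile.Password                     = New-TemporaryPassword
$pwProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName $userName `
                        -UserPrincipalName "$userName@$tenantDomain" `
                        -MailNickName $userName `
                        -AccountEnabled $true `
                        -PasswordProfile $pwProfile

# 3. Group membership (the portal's 'Groups' field).
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId

# Least-privilege check: the portal's 'Directory role' defaults to User.
# Confirm no administrative role was attached to this ordinary account.
$roles = Get-AzureADUserMembership -ObjectId $user.ObjectId |
         Where-Object { $_.ObjectType -eq 'Role' }
if ($roles) { Write-Warning "User holds directory roles: $($roles.DisplayName -join ', ')" }

# Hand the temporary password to the user out of band; do not paste it into e-mail or a ticket.
Write-Host "Created $($user.UserPrincipalName) in group '$groupName'."
Write-Host "Temporary password (one use, must be changed at first sign-in): $($pwProfile.Password)"
```

Two details the portal hides are made explicit here: the initial password comes from a cryptographic random source and is flagged with ForceChangePasswordNextLogin so it is only ever used once, and the final check confirms that the account received no directory role, which is the least-privilege default for an ordinary user.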

Posted in Cosmos DB, Microsoft Azure

Microsoft Azure – Enable Geo replication of data – Cosmos DB Part 2

In this article, we will learn how to replicate Cosmos DB data to any Azure region worldwide and how to fail writes over between regions.

Global Distribution

Azure Cosmos DB can distribute your data to any available Azure region with a click, and replication to the added regions is transparent to the application. The account also exposes configurable options (the consistency level and the failover policy) for how data is replicated across multiple data centres.

Once one or more read regions have been added, there are two ways to fail writes over to another region:

  • Manual failover
  • Automatic failover

Each selected region is billed for the provisioned throughput and for the data stored on SSD, so adding a read region adds the full throughput cost of that region. Throughput is billed in Request Units per second (RU/s), the currency that charges for read, write and query operations against an Azure Cosmos DB container.

Consistency Levels

Cosmos DB lets you choose a default consistency level per account. It applies automatically to all databases and containers (collections) in the account; a client can relax the level for an individual request but cannot request a stronger one than the account default.

(Figure: the five consistency levels, from Strong to Eventual)

These consistency levels are –

  1. Strong – Strong consistency provides the most predictable and intuitive programming model and ensures that the documents in your replicas never lag behind the primary. When you configure your account with the strong consistency level, Cosmos DB provides a linearizability guarantee, meaning reads are guaranteed to see the most recent committed write. If your application requires every replica to exactly match the primary at all times, this level makes sense. The downside is higher write latency, because each write has to wait for every replica to confirm that it has been committed.
  2. Bounded Staleness – Bounded staleness is most frequently chosen by globally distributed applications that expect low write latencies but need a total global order guarantee. Reads may lag behind writes by at most K versions (updates) of an item or by a time interval T, whichever is reached first; you choose K and T when configuring the account. Bounded staleness can be used with any number of read regions alongside the write region, and suits group collaboration and sharing, stock tickers, publish-subscribe and queueing scenarios.
  3. Session – Session consistency is the most widely used level, both for single-region and for globally distributed applications. It offers write latency, availability and read throughput comparable to eventual consistency, while guaranteeing that within a single client session reads see that session's own writes and never go backwards in time, which is what applications operating in the context of a user need.
  4. Consistent Prefix – Consistent prefix guarantees that reads never see out-of-order writes. If writes were performed in the order `A, B, C`, then a client sees either `A`, `A,B`, or `A,B,C`, but never an out-of-order result such as `A,C` or `B,A,C`. Consistent prefix offers write latency, availability and read throughput comparable to eventual consistency, but adds the ordering guarantee that scenarios where order matters require.
  5. Eventual – Eventual consistency is the weakest level: writes commit on the primary immediately without waiting for the replicas, so a read may return older data and there is no ordering guarantee. It suits scenarios that need the highest performance and can tolerate out-of-order reads, such as counts of retweets, likes or non-threaded comments.

Provision the replication of data globally

  1. Sign in to the Azure Portal (https://portal.azure.com).
  2. Create the Azure Cosmos DB account as discussed in Part 1 – https://social.technet.microsoft.com/wiki/contents/articles/51596.azure-cosmos-db-introduction-part-1.aspx
  3. After the account is created, open the Azure Cosmos DB account.
  4. Click the 'Replicate data globally' option on the left-hand side of the blade.
  5. In the 'Replicate data globally' section, select at least one additional region as a read region. Manual and automatic failover become available only once a read region exists.
  6. Here I added North Europe as the read region. Multiple read regions can be associated with a Cosmos DB account as needed.
  7. Click the 'Save' button to commit the selected locations as read regions for your account. This enables the Manual Failover and Automatic Failover options.

Let’s go through these options one by one.

Manual Failover

  1. A manual failover is initiated by you, not by an outage: the read region you select becomes the new write region and the former write region becomes a read region. It is how you run a disaster-recovery drill or move writes closer to your users.
  2. In the screenshot below, West Europe is selected as the read region that will become the write region.
  3. Click the 'OK' button to start the failover. Note that this performs the failover immediately rather than saving a setting for later.

Automatic Failover

  1. To enable automatic failover, click the 'ON' option.
  2. Select the read region that should become the write region if the current write region becomes unavailable.
  3. You can select multiple read regions and set their priorities. If several read regions are selected, drag and drop them to reorder the failover priorities.
  4. In the screenshot below, two read regions are selected, West Europe and East Asia. On a failover, the read region with the highest priority (West Europe, priority 1; the write region itself holds priority 0) becomes the write region. If that region fails as well, East Asia automatically becomes the write region.

So, this is how you can replicate data globally to multiple Azure regions and control how writes fail over between them.
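The consistency-level choice and the failover steps above can be reproduced from PowerShell with the Az.CosmosDB module, which also makes the staleness bounds and the priority order explicit. The following is an added example, not code from the original post, and it assumes an existing resource group, a globally unique account name and the three regions used in the screenshots; all of these are placeholders to change.

```powershell
# Added example (not from the original post): provision a three-region Cosmos DB
# account with bounded staleness and automatic failover, then reorder priorities
# and perform a manual failover, all with the Az.CosmosDB module (Install-Module Az).
# Resource group, account name and regions are assumptions; the account name must
# be globally unique and lowercase.
Import-Module Az.CosmosDB
Connect-AzAccount

$rg      = 'cosmos-geo-rg'              # assumption: existing resource group
$account = 'kapilsqlgeek-cosmos-demo'   # assumption: unique account name
# Order = failover priority: index 0 is the write region, the rest are read regions.
$regions = @('West Europe', 'North Europe', 'East Asia')

# Bounded staleness is bounded by K versions *or* T seconds, whichever is reached
# first. Multi-region accounts require K >= 100000 and T >= 300; smaller values
# are rejected at creation time.
$acct = New-AzCosmosDBAccount -ResourceGroupName $rg -Name $account -ApiKind Sql `
            -Location $regions `
            -DefaultConsistencyLevel BoundedStaleness `
            -MaxStalenessPrefix 100000 -MaxStalenessIntervalInSeconds 300 `
            -EnableAutomaticFailover

function Show-FailoverPolicy {
    param([Parameter(Mandatory)] $Account)
    # Same information as the portal's 'Replicate data globally' blade.
    $Account.FailoverPolicies |
        Sort-Object FailoverPriority |
        Select-Object @{ n = 'Priority'; e = { $_.FailoverPriority } },
                      @{ n = 'Region';   e = { $_.LocationName } },
                      @{ n = 'Role';     e = { if ($_.FailoverPriority -eq 0) { 'Write' } else { 'Read' } } }
}
Show-FailoverPolicy -Account $acct

# The drag-and-drop step: East Asia should now take over before North Europe.
Update-AzCosmosDBAccountFailoverPriority -ResourceGroupName $rg -Name $account `
    -FailoverPolicy @('West Europe', 'East Asia', 'North Europe')

# Manual failover is the same call with a different region at priority 0. Unlike
# automatic failover it is not triggered by an outage; you run it deliberately
# (for a DR drill, or to move writes closer to users).
Update-AzCosmosDBAccountFailoverPriority -ResourceGroupName $rg -Name $account `
    -FailoverPolicy @('North Europe', 'West Europe', 'East Asia')

$acct = Get-AzCosmosDBAccount -ResourceGroupName $rg -Name $account
Show-FailoverPolicy -Account $acct
if ($acct.WriteLocations.LocationName -notcontains 'North Europe') {
    throw 'Write region did not move to North Europe'
}
"Consistency: $($acct.ConsistencyPolicy.DefaultConsistencyLevel), automatic failover: $($acct.EnableAutomaticFailover)"
```

Each Update-AzCosmosDBAccountFailoverPriority call takes the full ordered list of regions, so the first element is always the intended write region. Keep that in mind when automating: a script that accidentally lists a different region first performs a manual failover, which is why the example re-reads the account and checks the write location afterwards.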