Identity
Overview
glueckkanja-gab (GKGAB) delivers standardized processes for managing the Active Directory and Azure Active Directory. With the use of the Identity service, tasks are performed by a dedicated team of experienced engineers from initial request to delivery.
Cost base
Service costs for this Module are calculated based on the customer's active user count. The number of active users equals the number of Microsoft 365 user subscriptions and is agreed between the parties in advance.
Standard services and tasks
The following section lists the standard tasks and services included in the service.
Active Directory Domain Services
The Active Directory Domain Services (AD Service) will be managed by GKGAB. The AD Service will be hosted on Windows Server 2016 or a newer operating system. If the service is installed on physical hardware, the operation and support of hardware-related topics (such as drivers, hardware repair, replacement, or extension) are not included in the AD Service and need to be provided by a separate party.
GKGAB will operate the "Application Active Directory" on top of the operating system, together with the "Application DNS Database", which can be integrated into the Active Directory database.
The DNS service and its record management will be delegated to the DNS service provider through membership in the default "DNSAdmins" group. This allows the service provider's DNS team to administer the AD-integrated DNS zones and records with the RSAT remote management tools. Local access to an AD Service server (Domain Controller) will not be granted to a DNS service provider, as this is not necessary for DNS operations.
Up to 6 Domain Controllers are included in this support contract. Additional servers can be added on request.
Microsoft Azure AD Connect will be used to synchronize users from the on-premises Active Directory into Azure AD. Password hash synchronization (PHS) is used to synchronize passwords between Active Directory and Azure Active Directory. The password write-back feature of Azure AD Connect writes password changes made in Azure AD back to the synchronized user account in the on-premises Active Directory. Support for Active Directory Federation Services is not included in the AD Service and needs to be provided by a separate party.
User profile management
The basic user profile data shall be managed by the customer's Identity Management System (IDM). User attributes such as, but not limited to, first name, last name, department, address, city, and office location are provisioned to the user accounts automatically from HR systems or similar sources. The user sign-in name (UserPrincipalName) shall be built by an automatic pattern (e.g. first.lastname@companydomain.com). For ease of use, the UserPrincipalName shall be identical to the user's primary e-mail address.
If user identities are provisioned by an on-premises Active Directory, many attributes of a synced account are read-only in Azure AD and need to be maintained in the source Active Directory. The creation and deletion of general user accounts are sovereign tasks of the IDM; the service provider will only create or delete user accounts as an exception on request. Some attributes, such as the profile picture, contact information, and authentication contact info (MFA settings), can also be maintained by the user in self-service.
These settings will be written back to the on-premises Active Directory. The customer supports the concept of user self-service and will support the service provider by communicating it to the users. License assignments are automated based on user account properties agreed upfront, such as group membership or other attributes. If the automated provisioning of the vital user attributes requires manual intervention, the service provider supports actions such as adding, modifying, or deleting user profile information on request or through an administration tool.
User password management
If a user requires a password reset, the built-in Self-Service Password Reset (SSPR) capability of Azure AD shall be used by the user. The customer's first-level help desk will guide the user through the reset steps and support the user if any problem occurs with the password reset method. If the user's self-service password reset requires additional troubleshooting that the first-level help desk cannot provide, the service provider will support the first-level help desk on request with actions such as resetting the password, unlocking the user account, or resetting the SSPR registration. The password write-back feature of Azure AD Connect will synchronize the password back to the synced user account in the on-premises Active Directory.
Multi-Factor-Management
If a user cannot use the configured MFA methods, the service provider will support the first-level help desk on request with actions such as reviewing the user's MFA authentication methods and resetting them. Resetting a user's MFA methods requires the user to re-register them at the next sign-in.
Privileged Identity Management
Privileged Identity Management (PIM) is an Azure Active Directory (Azure AD) service that helps organizations restrict privileged access. PIM can be used to manage, control, and audit the assignment of privileged directory roles. The service provider will support the customer in selecting the correct role and assignment method for privileged users. Azure AD privileged roles can be assigned to a user as eligible. If a user with an eligible role assignment requires privileged access to the Azure environment to perform a specific task, the user can activate the required role. Users perform the activation themselves, without involving any other person. A role can be activated at any time and does not require additional approval (approval workflows are an option but are not offered as part of the regular service agreements by the service provider).
The following roles are currently available in Azure AD. The service provider will create, modify, or delete a role assignment for a user identity.
The following roles can be managed:
- Authentication Policy Administrator
- Search Administrator
- External ID User Flow Attribute Administrator
- Guest User
- Power Platform Administrator
- Cloud Application Administrator
- Compliance Administrator
- Security Administrator
- Exchange Administrator
- Restricted Guest User
- Device Managers
- Office Apps Administrator
- Insights Business Leader
- Desktop Analytics Administrator
- Intune Administrator
- Teams Devices Administrator
- B2C IEF Policy Administrator
- Dynamics 365 Administrator
- Reports Reader
- Partner Tier1 Support
- License Administrator
- Customer LockBox Access Approver
- Security Reader
- Security Operator
- Global Administrator
- Printer Administrator
- Teams Administrator
- External ID User Flow Administrator
- Helpdesk Administrator
- Azure Information Protection Administrator
- Kaizala Administrator
- Usage Summary Reports Reader
- Skype for Business Administrator
- Cloud Device Administrator
- Message Center Reader
- Privileged Authentication Administrator
- Domain Name Administrator
- Search Editor
- Directory Readers
- Hybrid Identity Administrator
- Directory Writers
- Guest Inviter
- Password Administrator
- Application Administrator
- Device Join
- Attack Payload Author
- Azure AD Joined Device Local Administrator
- User
- Power BI Administrator
- B2C IEF Keyset Administrator
- Message Center Privacy Reader
- Billing Administrator
- Conditional Access Administrator
- Teams Communications Administrator
- External Identity Provider Administrator
- Workplace Device Join
- Attack Simulation Administrator
- Authentication Administrator
- Application Developer
- Directory Synchronization Accounts
- Network Administrator
- Device Users
- Partner Tier2 Support
- Azure DevOps Administrator
- Compliance Data Administrator
- Privileged Role Administrator
- Printer Technician
- Insights Administrator
- Service Support Administrator
- SharePoint Administrator
- Global Reader
- Teams Communications Support Engineer
- Teams Communications Support Specialist
- Groups Administrator
- User Administrator
A detailed list of available roles can be found here: https://docs.microsoft.com/EN-US/azure/active-directory/roles/permissions-reference
Group management
Active Directory and Azure Active Directory provide multiple types of groups, which are described below.
The intent is to automate group management tasks through the customer's ITSM system or a web interface used by first-level support. The service provider will support the customer's first-level help desk in modifying group memberships, either manually or through the customer's ITSM system or web interface.
The service provider supports the customer in creating, modifying, or deleting groups (for Active Directory, groups of scope "Global") based on naming conventions agreed between the provider and the customer. Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest; the scope defines where the group can be granted permissions. Active Directory defines three group scopes: Universal, Global, and Domain Local.
The usage of nested groups will not be supported by the service provider due to their complexity and potential impacts on security, simplicity, and performance on Azure AD Connect.
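Because the standard service covers Global groups only and does not support nesting, a periodic check for groups outside that scope is a useful control. The following PowerShell script is an added example, not part of the service description or of GKGAB's tooling. It assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to the domain; the search base is an assumption to adjust to the customer's OU layout.

```powershell
# Added example (not GKGAB tooling): report AD groups whose scope is not Global
# and groups that contain other groups as members (nesting).
#Requires -Modules ActiveDirectory

function Get-GroupScopeReport {
    [CmdletBinding()]
    param(
        # Assumption: the whole domain is in scope; narrow this to specific OUs if needed.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # GroupScope and GroupCategory are returned by default; 'member' is needed to detect nesting.
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member

    # Build a lookup of all group DNs so nesting is detected without one LDAP query per member.
    # Caveat: groups from other domains in the forest are not in this set and would not be
    # recognised as nested members.
    $groupDns = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($g in $groups) { [void]$groupDns.Add($g.DistinguishedName) }

    foreach ($g in $groups) {
        # Any member whose DN is itself a group DN means this group is nested.
        $nested = @($g.member | Where-Object { $groupDns.Contains($_) })

        [pscustomobject]@{
            Name            = $g.Name
            Scope           = $g.GroupScope        # Global, Universal, DomainLocal
            Category        = $g.GroupCategory     # Security, Distribution
            InStandardScope = ($g.GroupScope -eq 'Global')
            IsNested        = ($nested.Count -gt 0)
            NestedGroups    = ($nested -join ';')
        }
    }
}

# Usage: list only what falls outside the standard service scope, e.g. for a review ticket.
Get-GroupScopeReport |
    Where-Object { -not $_.InStandardScope -or $_.IsNested } |
    Sort-Object Scope, Name |
    Format-Table Name, Scope, Category, IsNested, NestedGroups -AutoSize
```

The output is deliberately a list of objects rather than a fixed table, so the same function can feed a CSV export or an ITSM ticket as well as an interactive review.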
Security Groups
Security groups are used to manage user and computer access to shared resources for a group of users. A security group can also be the target of a specific security policy. A security group can have users, devices, groups, and service principals as its members, and users and service principals as its owners.
Distribution Groups
Distribution groups can be used only with email applications (such as Exchange Server) to send emails to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs).
Microsoft 365 Groups
Microsoft 365 groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. A Microsoft 365 group can have only users as its members. Both users and service principals can be owners of a Microsoft 365 group. Typically, managed groups have a user as an owner, who can add or remove members in a self-service manner.
Query-based / Dynamic groups
The service provider supports the customer to create, modify or delete dynamic groups based on defined naming conventions and available AAD attributes.
Group Policy Management
The service provider will create, maintain, or delete Group Policy Objects for legacy On-Prem Server infrastructures in cooperation with the hosting provider. The development of an overall GPO concept (if needed) is a separate project task outside this service offering.
Organizational Units
The service provider will create, maintain, or delete Organizational Units (OUs) for legacy On-Prem Server infrastructures in cooperation with the hosting provider. The development of an overall OU concept (if needed) is a separate project task outside this service offering.
Privileged Access Management
In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks.
The service provider will support the customer in selecting the correct role and assignment for privileged users. A detailed list of available roles can be found here: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#active-directory-default-security-groups-by-operating-system-version
The deployment of a more sophisticated role-based access control (RBAC) model is a separate project task outside this service offering.
Kerberos Authentication, including Windows Hello for Business Hybrid (WHFB)
The service provider will maintain the Windows Hello for Business Hybrid Key-Trust infrastructure and functionality, including Domain Controller certificates auto-enrolled per policy. The service provider will support the customer in troubleshooting Kerberos-related problems and with the registration and management of Service Principal Names (SPNs).
AD Topology Settings
The service provider will maintain and oversee the overall Active Directory topology, such as the sites and the AD replication configuration.
Joining new computer objects
The service provider will support the customer in troubleshooting problems around the task of joining new computer objects into the AD. A special permissions group will be configured to delegate the domain-join permissions to named persons.
B2B Account Management
The service provider will support the customer with creating, modifying, or disabling B2B users on request. The service provider will support the customer with identity lifecycle management for B2B users using the Azure AD entitlement management capability. Azure AD entitlement management uses Azure AD business-to-business (B2B) to provide the lifecycle controls needed to collaborate with people outside your organization who require access to your organization's resources. With Azure AD B2B, external users authenticate against their home directory but have a representation in your directory. That representation enables the user to be assigned access to your resources. Entitlement management enables individuals outside your organization to request access, creating a digital identity for them as needed. These digital identities are automatically removed when the user loses access.
Conditional Access
The service provider will support and operate the Conditional Access configuration of the customer's tenant. This includes oversight and management of the connected processes and the technical configuration of the service.
The service provider will provide support on:
- Onboarding applications within the Conditional Access framework
- Maintain and troubleshoot the existing Conditional Access framework
- Maintain Azure Identity Protection configuration
- Identification of necessary changes due to changes in requirements or technical possibilities
- Change management and control for the Conditional Access configuration
- Update Conditional Access Policies when appropriate or on request. In case of access issues, the service provider will work with the customer to decide how to update the policy with the least impact.
- Handling incidents as 2nd-level support for the customer's help desk
- Coordination with 3rd level support (e.g. Microsoft)
AAD Application registration
The service provider will support the customer in onboarding applications that support OpenID Connect, OAuth, or SAML authentication with Azure AD. Application onboarding requests shall be submitted through an automated request form in the customer's ITSM application, including an approval workflow and an owner who is responsible for the application registration and receives any required notifications. The service provider will support the customer in creating and registering the application in Azure AD.
Notifications of expiring certificates will be sent automatically by Azure AD to the defined owner of the application.
Azure AD Connect
Microsoft Azure AD Connect will be used to synchronize users from the on-premises Active Directory into Azure AD. The service provider will deploy and operate the Azure AD Connect application and will identify and resolve synchronization issues in cooperation with the customer's identity team. The management of the AAD Connect servers, including backup of the AAD Connect configuration and documentation and the synchronization configuration (rules, sync scopes, and filtering), is performed by the service provider. The service provider will perform a sync failover or disaster recovery if needed. Support for the underlying operating system (hardware procurement, OS installation, OS configuration, OS and hardware monitoring, OS updates) is excluded from this task. The customer will provide the two Windows Server 2016 servers required for Azure AD Connect at its own cost.
Reporting Details
The reports cover the following scope. They are revised continuously (adjusted or removed where needed, new ones added where useful):
- Get overall number of on-premises users and groups
- Get a report on inactive accounts based on the lastLogonTimestamp attribute
- Overall Domain Controller performance (DNS queries, LDAP searches/sec, database I/O, CPU load, system uptime, memory consumption)
- Role assignments
- Status of B2B Accounts
- Get the overall number of users registered for each authentication method.
- Get the overall number of users capable of Multi-Factor Authentication, Self-Service Password Reset, and Passwordless authentication.
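Two of the report items above, the inactive account report based on lastLogonTimestamp and the Domain Controller performance snapshot, are shown below as an added PowerShell example. It is not part of the service description or of GKGAB's reporting tooling. It assumes the RSAT ActiveDirectory module, read access to the domain, and remote performance counter access to the Domain Controllers; the 90-day threshold and the search base are assumptions. The database I/O item from the list is not covered here, because its counter name varies between server versions.

```powershell
# Added example (not GKGAB tooling): inactive account report and DC performance snapshot.
#Requires -Modules ActiveDirectory

function Get-InactiveUserReport {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 90,                                   # assumption: adjust per policy
        [string]$SearchBase = (Get-ADDomain).DistinguishedName     # assumption: whole domain
    )

    # lastLogonTimestamp is only replicated when it is older than msDS-LogonTimeSyncInterval
    # (14 days by default), so the replicated value can lag by up to 14 days. Widen the
    # cutoff by that interval so a recently active user is never reported as inactive.
    $syncIntervalDays = 14
    $cutoff = (Get-Date).AddDays(-($InactiveDays + $syncIntervalDays))

    # Filter server-side on the raw FILETIME value instead of pulling every user.
    # Excludes disabled accounts (userAccountControl bit 2) and includes accounts
    # that have never logged on (no lastLogonTimestamp at all).
    $cutoffFileTime = $cutoff.ToFileTimeUtc()
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(|(lastLogonTimestamp<=$cutoffFileTime)(!(lastLogonTimestamp=*))))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Created        = $_.whenCreated
                LastLogon      = $lastLogon          # $null: never logged on since creation
                DaysInactive   = if ($lastLogon) { [int]((Get-Date) - $lastLogon).TotalDays } else { $null }
            }
        } |
        # Accounts that never logged on are only "inactive" once they are older than the cutoff.
        Where-Object { $_.LastLogon -or $_.Created -lt $cutoff }
}

function Get-DcPerformanceSnapshot {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName
    )

    # Standard Windows Server counter paths for the items in the report list.
    $counters = @(
        '\DNS\Total Query Received/sec',
        '\DirectoryServices(NTDS)\LDAP Searches/sec',
        '\Processor(_Total)\% Processor Time',
        '\Memory\Available MBytes',
        '\System\System Up Time'                      # seconds since boot
    )

    foreach ($dc in $ComputerName) {
        $samples = (Get-Counter -Counter $counters -ComputerName $dc -MaxSamples 1 -ErrorAction Stop).CounterSamples
        foreach ($s in $samples) {
            # Counter path looks like \\dc01\memory\available mbytes; keep the part after the host.
            $name = ($s.Path -split '\\', 4)[3]
            $value = if ($name -like '*system up time*') { [math]::Round($s.CookedValue / 86400, 1) } else { [math]::Round($s.CookedValue, 2) }
            [pscustomobject]@{
                DomainController = $dc
                Counter          = if ($name -like '*system up time*') { 'System Up Time (days)' } else { $name }
                Value            = $value
            }
        }
    }
}

# Usage: both reports as CSV, e.g. for the monthly service report.
Get-InactiveUserReport -InactiveDays 90 | Sort-Object DaysInactive -Descending |
    Export-Csv -Path .\inactive-users.csv -NoTypeInformation
Get-DcPerformanceSnapshot | Format-Table DomainController, Counter, Value -AutoSize
```

The inactive-user query pushes the date comparison into the LDAP filter, so it scales to large domains without retrieving every user object, and the replication caveat is built into the cutoff rather than left for the reader to remember.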
On-Demand services and tasks
Ramp-Up
The initial commissioning and setup of our service is defined as ramp-up and is not part of our service. The ramp-up can be carried out via on-demand services or consulting services.
Customer requests and incidents
Requests that do not fall under the items listed under Standard services and tasks and that originate from direct customer requests will be treated as a normal change and serviced through On-Demand services.
Topics listed under Exclusion can also be treated as a change after individual consideration and delivered via On-Demand services.
Prerequisites
Services
An IT-Service agreement with glueckkanja-gab is required. The glueckkanja-gab Service Level Agreement and Request definitions also apply to this Service Description.
Technical requirements
- Windows Server Operating System 2016 or newer
- Active Directory schema level of Windows Server 2016 or later
- Remote RDP Access to the Domain Controllers
- User identities are provisioned by an Identity Lifecycle Management tool.
- Two AAD Connect Servers are provided by the customer
- AAD Connect Servers can reach out to Microsoft endpoints directly without an authenticating proxy.
License
The Customer is responsible for the correct licensing of all Microsoft services used and affected.
Optional
- Optionally, the customer can add one of the on-call duty packages (defined in more detail in the Service Level Agreement).
- In addition, the Office 365 and Client Module can be booked on top of the Identity Module.
Exclusion
- Hosting or Housing, including, but not limited to Operating-System deployment and Patch-Management, Hardware repair or deployment is not included in the service offering.
- Network configuration, including but not limited to IP Address Management (IPAM), IP-Configuration, DNS Management, DHCP Management, and Firewall management, Connectivity, ExpressRoute, and other network-related topics are not included in the service offering.
- The sole creation of User Accounts (Identities), including the provisioning and regular management of user attributes is not included in the service offering.
- Monitoring and auditing against cyber-attacks and malware.
- Azure Platform support, e.g. VPC, IaaS, PaaS, or Intune.
- License management for Servers and Client Access Licenses is not included.
- Licenses and Client Access Licenses must be provided by the customer.
- The operation of trust relationships and the setup of trusts with other Active Directory domains/forests are handled as regular project requests.
- The deployment and setup of Read-Only Domain Controllers are handled as regular project requests.
- Updates on the Active Directory Database Schema require thorough planning and are not included in the regular service fee. Schema Updates are handled on regular project requests.
- Groups of types "Universal" and "Domain Local" are excluded from the standard service offering.
- Configuration of Azure AD custom roles in Privileged Identity Management
- Configuration of complex AAD Connect transforms or Sync rules to replace built-in rules from Microsoft.
- Advice on development tasks regarding Azure AD authentication