Customers want their Azure Active Directory (Azure AD) tenant to be in a secure and healthy state. However, trying to keep track of all the changes with the various components up to date can become overwhelming, this is where Azure Active Directory Recommendations come into play.
Azure AD recommendations feature provides you with personalized insights and actionable guidance to align your tenant with recommended best practices, which enhance the security posture of your Azure AD tenant and improve the user’s productivity. it also ensures that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible. Additionally, it reduces IT operating and development costs by providing higher operating efficiency and transparency, which will lead to improved user satisfaction and better support from the business for further investments.
The Azure Active Directory Recommendations are currently in preview. This means you must explicitly enable this feature in Azure Portal.
What is Azure Active Directory
Azure Active Directory (Azure AD) is a cloud-based identity and access management service. It allows your employees to sign in and access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure AD also helps them access internal resources.
To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory.
There are multiple editions of Azure AD with differing levels of service offerings:
- Azure Active Directory Free.Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
- Azure Active Directory Premium P1.In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password to reset for your on-premises users.
- Azure Active Directory Premium P2.In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
- “Pay as you go” feature licenses. You can also get additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps.
Azure Active Directory recommendations (preview)
Azure AD recommendations can help you keep your Azure Active Directory tenant to be in a secure and healthy state.
The Azure AD recommendations feature provides you with insights and actionable guidance to:
- Identify opportunities to implement best practices for Azure AD-related features.
- Improve the state of your Azure AD tenant.
Azure Advisor is a Microsoft Azure service that provides recommendations based on your deployed Azure services configuration. Analyzing data from various telemetries, helps you optimize your Azure configuration using the five pillars of the Microsoft Azure Well-Architected Framework as a baseline. By leveraging Azure Advisor’s recommendations, you can enhance and refine your Azure services’ cost, security, reliability, operational excellence, and performance.
Daily, Azure AD analyzes the configuration of your tenant. During an analysis, Azure AD compares the data of the known recommendations with the actual configuration. If a recommendation is flagged as applicable to your tenant, the recommendation status and its corresponding resources are marked as active.
In the recommendations or resource list, you can use the Status information to determine your action item.
The Azure AD recommendations don’t require any specific subscription or license to use this feature.
To manage your Azure AD recommendations, you need to be:
- Global admin
- Security admin
- Security operator
- Cloud app admin
- App admin
To view Azure AD recommendation, you need to assign the following roles to a user
- Global reader
- Security reader
- Reports reader
Recommendations from Azure AD
Azure AD can provide you with the following recommendations:
- Convert from per-user MFA to conditional access MFA
- Migrate users using SMS or voice call for MFA to use the Microsoft authenticator app.
- Integrating 3rd party apps with Azure AD
- Single sign-on to access all your apps with a single password
- One unified method to manage access to your third-party apps
Enable Azure AD recommendations
To enable your Azure AD recommendations:
- Navigate to the Preview features
- Set the Stateto On.
To manage your Azure AD recommendations:
- Navigate to the Azure AD overview
- On the Azure AD overview page, in the toolbar, clickRecommendations (Preview).
Action can be taken
- Dismiss: If you have a reason for not applying it on your Azure services.
- Mark complete: Use this state to indicate that you have applied the recommended action on your Azure resource.
- Postpone: you choose to postpone the action to address it in the future
- Reactivate: you can make it active again in case you Accidentally dismissed, completed, or postponed a recommendation.
Known Issues and limitation
- Users with a read only roles (global reader, security reader, reports reader) can update the status of a recommendation. This is a known issue that will be fixed.
- The only action recorded in the audit log is completing recommendations.
- Audit logs do not capture actions taken by reader roles.