Microsoft Security Virtual Training Day : Secure and Protect Your Organization
hello and welcome to this virtual session we're glad you can join us today before we get started there's a few housekeeping items we'd like to go over with you now firstly you can resize the webinar windows to cater to your viewing preferences you can maximize minimize and drag the windows to your preferred viewing size if you look at the bottom middle of your screen you can click on the widgets that you'll need to get the most out of this virtual experience secondly microsoft specialists are on hand to answer your questions in real time so feel free to type in your questions using the q and a window and we'll answer them as soon as we can lastly we've provided some additional resources for you to supplement your learning you can access them by clicking on the links in this section further ado i'll hand over to our speakers welcome to this microsoft security virtual training day secure and protect your organization in part one we'll cover the first three modules of the course we begin by discussing user and group management then we'll move on to talking about how to synchronize and protect your identities within the cloud finally we'll look at identity and access management where we discuss seamless single sign-on and conditional access among other things so let's get started with our first module we build in experiences intelligence and integration into the security technology we offer at microsoft this shows up in four broad areas first of all with identity and access management we look at how the vast majority of breaches begin with compromised passwords this is the single weakest link in most security strategies our customers also consistently tell us about their concerns for the high volume of data and alerts and the increasing sophistication and impact of attacks so we prioritize integrated and automated threat protection to help meet the demand for advanced security that works in the real world thirdly our customers tell us about difficulties they have with protection and governance of their information we actually see that around 64 percent of organizations report that employees externally share pii and other sensitive business data without encryption so we've made information protection a priority to protect customer sensitive data wherever it lives or travels so you can work with confidence and as enterprises move more of their workloads to the cloud it has never been more important to protect cross-cloud resources from azure to aws from slack to salesforce we've built comprehensive cloud security to protect every layer of your resources regardless of which cloud or cloud apps you use we see a lot of challenges around identity from the fact that 73 of passwords are duplicates we also see that around 80 of employees use non-approved apps for work which causes more challenges around managing identities and around 81 of breaches are caused by credential theft so it's very important to consider identity and access management identity is actually the control plane for digital transformation in this world your identity system in the cloud is your control plane that can connect everything give you visibility to your entire digital estate ensure that only the right people have the right access to the right resources and keep the bad players out microsoft's azure active directory is a universal identity platform it can help you manage and secure all of your users and access to all of your applications now it's important to have a comprehensive identity governance solution to ensure that the right users have the right access at the right time we have built-in capabilities in azure active directory that help you protect monitor and audit access throughout the user life cycle when you have a new user join your organization you can automate how you grant access rights to resources if you connect it via the hr system a user can receive a set of access rights for their role with entitlement management access packages then as users need additional access rights we provide them with the ability to do self-service access requests even guest users such as vendors and partners can be monitored and reviewed for greater security when it comes to administrative rights and admins you can use privileged identity management for just-in-time access alerts and approval workflows to protect access to critical resources something that we encourage you to ask yourself is how many global admins do you have this is the highest level of administrative access in azure ad so you want to make sure that you don't have more than you need since excessive access could be a risk to your environment at the end of the life cycle you can use your hr app to make sure access rights are removed now this is an entire map of all the capabilities that are needed for an effective identity and access management in the cloud error we've actually been working on this map with analyst firms and customers to ensure that we don't miss anything important microsoft's commitment is to deliver one simple integrated and complete identity solution for all your needs this includes application access event logging and reporting service resilience performance scalability and ease of use so how does xero trust employ these principles well every access request is strongly authenticated authorized within policy constraints and inspected for anomalies before granting access everything from the user's identity to the applications hosting environment is used to verify the request and prevent breach and to limit the impact of potential breaches we apply segmentation policies employing the principle of least privileged access and then use analytics to help detect and respond quickly but the essence of xero trust remains simple security models which assume safety based on network location are inadequate we're really living in a new reality the old assumptions will not keep us secure in the new world we find that it's no longer acceptable to just assume that everything behind the corporate firewall is safe for new principles we want to verify explicitly always authenticating and authorizing based on available data points this includes user identity location device health data classification and anomalies the second concept within microsoft zero trust principles is using least privileged access we want to limit user access to protect both data and productivity we can use things like just in time and just enough access and finally we want to always assume breach this lets us minimize the blast radius for breaches and employ security strategy to prevent lateral movement across our environments when we approach zero trust and think about it holistically we want it to extend throughout the entire digital estate this allows it to serve as an integrated security philosophy and end-to-end strategy there are six foundational elements across zero trust controls and technologies these include identities devices data applications infrastructure and network so it's important to verify identift we want to know who is requesting access validate that identity explicitly and ensure that we're using strong authorization and threat intelligence to validate that authentication when we verify devices we want all data access requests resulting in the transfer of the data to a browser or app on a device that is not lost stolen or infected third we want to protect our data wherever possible data should be protected by auto classification and encryption to protect against intentional or accidental misrouting and download of data since applications and configuration to those applications must be secure in order to mitigate intrinsic application risks we want to ensure that we govern access through policy we can look at application behavior including shadow i.t to look for and protect from anomalies where we're using cloud workloads such as iaz or paths it's important to ensure that you're utilizing the cloud fabric according to the best security principles utilizing intelligence and protection provided and finally we want to govern our networks by mitigating lateral movement using intelligent adaptive segmentation strategies for workloads and monitoring those and protecting from anomalous traffic patterns when we look at microsoft 365 identity models it's important to first understand that there are two identity models that you need to account for when planning for user accounts we have both the cloud identity and the hybrid identity a cloud only identity uses user accounts that exist only in azure ad with cloud only identity all your users groups and contacts are stored in azure active directory azure ad and both on-premises and remote users use their azure ad user accounts and passwords to access microsoft 365 cloud services now depending on your business needs and technical requirements the hybrid identity model may be your best choice hybrid identity uses accounts that originate in an on-prem active directory domain services adds and have a copy in the azure id tenant of a microsoft 365 subscription this means that changes you make to adds user accounts are synchronized to a copy in azure ad but changes made to cloud-based accounts in azure id such as a new user account are not synchronized back to adds when you implement hybrid identity your on-prem adds is the authoritative source for account information when using the hybrid identity model there are two types of authentication there's managed authentication where azure id is handling the authentication process by using a locally stored hashed version of the password and then we have federated authentication where azure ad is redirecting the client computer requesting authentication to another identity provider within managed authentication we have two types of managed authentications we have password hash synchronization phs where azure ad performs the authentication itself and we also have pass-through authentication pta which is where azure 80 has adds performed authentication with phs you synchronize your adds user accounts with microsoft 365 and then manage your users on-prem hashes of user passwords are synchronized from your adds to azure id so that the users have the same password on premises and in the cloud this is the simplest way to enable authentication for adds identities in azure id when passwords are changed or reset on premises the new password hashes are synchronized to azure id and this means your users can always use the same password for both cloud resources and on-premises resources pass-through authentication provides a simple password validation for azure id authentication services by using a software agent running on one or more of your on-prem servers it then validates the users directly with your adds password authentication synchronizes user accounts from adds to microsoft 365 and you manage your users on premises pta also allows your users to sign in to both on-premises and microsoft 365 resources and applications using their on-prem account and password this configuration validates user passwords directly against your on-prem adds without storing password hashes in azure id directory synchronization allows you to manage your identity in active directory domain services and then all updates to your user accounts groups and contacts are synchronized into the azure active directory tenant of your microsoft 365 subscription the azure ad connect tool is what's used to synchronize your user accounts from adds to azure ad it's made up of three parts we have the synchronization services the optional active directory federation services piece and the monitoring piece azure id connect comes with several features which you can turn on and some are enabled by default it's important to note that it requires a single source of authority for every object and the source of authority in this case is the on-premises active directory when you use azure id connect for cloud provisioning provisioning from active directory to azure ad is orchestrated in microsoft online services so an organization only needs to deploy in their on-premises and is hosted environments a single lightweight agent to act as a bridge between azure ad and active directory domain services the provisioning configuration is then stored in azure id and managed as part of the service tying it all together let's take a quick review of the different identity models and considerations when you choose the cloud authentication method azure id handles the user sign-in process coupled with seamless single sign-on users can sign in to cloud apps without having to re-enter their credentials with cloud authentication you get to choose from two options azure ad password hash synchronization which is the simplest way to enable authentication for on-premises directory objects in azure id and then azure id pass-through authentication you also have the option of federated authentication when you choose this authentication method azure ad hands off the authentication process to a separate trusted authentication system such as an on-premises active directory federation services to then validate the user's password when it comes to creating user accounts you can use different methods to provision them depending on your needs this includes directory synchronization windows powershell the ability to import multiple users and also doing so within the microsoft 365 admin center when you need to manage user accounts licenses you can use the microsoft 365 admin center to do so it allows you to edit single or multiple users and to change settings such as location settings administrator roles sign in status it also allows you to assign licenses here when it comes to administrator roles such as global admin and service admin it's important to note that microsoft 365 licenses can be assigned within the microsoft 365 admin center keep in mind that when users leave your organization they usually no longer require a user account in microsoft 365. so when you delete a user account the assigned microsoft 365 license for that user becomes available which you can then assign to another user microsoft 365 retains the account as a soft deleted inactive account for 30 days after deletion this enables you to restore the account should you need to do so again you can use the microsoft 365 admin center to perform these functions or windows powershell within microsoft 365 you can use groups to manage sets of users you can manage groups such as dynamic distribution groups and exchange mail-enabled security groups office 365 groups and distribution lists the microsoft 365 admin center also allows you to change password settings for your users by default users passwords expire after 90 days and then users receive a notification of a password expiration of 14 days so this is an example of a setting that you can change within the admin center if necessary you can also go here to reset a password for one or multiple users and then if you forget your own administrator password you can actually reset the password yourself here or have another administrator reset it for you microsoft 365 has an option for multi-factor authentication also known as mfa this increases security by having users provide a second authentication method when they sign in this might be something like acknowledging a text message or a phone call or having some other notification on their phones if you want to enable mfa in microsoft 365 admin then a tenant administrator can do so by enabling it here we also have the option of self-service password reset this allows users to reset their own passwords without requiring intervention by the administrator keep in mind self-service password reset is not enabled by default in order to reset a password users have to authenticate their identity first there are two verification methods that administrators must use when using self-service password reset and one of these cannot include security questions for administrators all right now we're going to take a look at a guided demonstration for self-service password in this case we'll take a look at isaiah who would like to reset his password without calling the it help desk so first we're going to reset his password and then validate authentication so we're going to reset isaiah's password as isaiah to demonstrate the self-service password reset here we go to sign in as isaiah with his user id we're going to click next after entering his full user name and email address since he's actually forgotten his password and wants to reset it without having to call in the help desk we'll click on the forgot my password link now to recover the account we need to first enter isaiah's user id and then we're going to enter the characters in the picture below click next in this case to verify we can either choose to receive an email or a text to our mobile phone for this example we'll receive a text to isaiah's mobile phone here we enter the phone number that's on record to ensure that it matches and then click text once idea has received that text message with the verification code it can be entered here and then we'll click next and it's time to create a new password we'll confirm it typing it in twice and click finish so as you can see that was really easy for isaiah to perform a self-service password reset that let him do so without calling the help desk sometimes it's hard to remember strong passwords and we find that users often reuse passwords on multiple sites because of this server breaches can expose symmetric network credentials and passwords are subject to replay attacks we find that users also inadvertently expose their passwords due to phishing attacks so instead of always having users try to remember passwords we can use password alternatives such as windows hello microsoft authenticator and 502 security keys so let's take a look at each of these password alternatives a little more closely in windows 10 windows hello for business replaces passwords with strong two-factor authentication on pcs and mobile devices this authentication consists of a new type of user credential that's tied to a device and uses a biometric or a pin you can authenticate to active directory or azure active directory with windows hello for business the microsoft authenticator app helps you sign in to your accounts using two-factor verification you can use it in multiple ways including responding to a prompt for authentication after you sign in with your username and password or to sign in without entering a password and as a code generator for any other accounts that support authenticator apps you can use a fingerprint face recognition or a pin in conjunction with the authenticator app and if anything happens to your mobile device or if you forget your pin your password will still get you into your account microsoft also supports 502 security keys the fido alliance or fast identity online is one of our most important partnerships today the organizations that you see here are the fido's board members but more than 250 organizations are members of the alliance the members work together to improve authentication standards and help reduce the world's over-reliance on passwords our goal is to make sure that everybody who uses services on the web or on premises has a secure and convenient sign-in experience with credentials that eliminate phishing for example say i sign into my microsoft surface i then have secure authentication to my device and every service and application i use with facial recognition or other biometrics enabled i can use this throughout the day with one secure sign-in the operating system browser applications and credentials that i'm using here support the fido standards to make this all happen the number of phytocompliant devices and services continues to grow all of the common browsers edge firefox and chrome support fido and there are multiple security key options that use usb bluetooth or nfc to connect to meet different business needs another way of protecting your identities is through using azure 80 smart lockout this helps lock out bad actors that try to guess your users passwords or brute force methods to get in attackers will get locked out but we recognize sign-ins from valid users and treat them differently so that users can continue to access their accounts and be productive azure ad smart lockout can be integrated with hybrid deployments that use password hash sync or pass through authentication smart lockout is always on for all azure 80 customers to offer you the right mix of security and usability in module 1 we learned about identity and access management concepts such as the xero trust model and user accounts and roles we'll now take a 10 minute break we'll see everyone back here when we start module 2 synchronizing and protecting identities in the cloud do welcome back from the break everybody now we'll move on to module 2 where we will cover identity synchronization and protecting those identities in the cloud so let's get started before you begin synchronizing your on-prem active directory to your azure id tenant you'll need to clean up your adds to prepare for the directory synchronization if you don't prepare then you could cause failures that cause a lot of cleanup that you'll have to go through and take care of later so if you have for example duplicate attributes or certain characters and attributes then you could cause it to fill so it's best to really align your attributes go through the requirements and ensure that you have these things in in order before you start synchronizing your on-prem active directory you can check and and fix any issues that you might have with your accounts and you can do this by using the id fix tool which you can download directly from microsoft what it does is it scans your on-prem ad or or the parts that you specify and then identifies problem like formatting issues duplicates and such and then you can fix these problems within the tool before you begin the synchronization during your planning some of the considerations you need to make are do you require an azure 80 connect failover scenario you'll also want to think about the advanced configuration features and how you want to synchronize your active directories do you have multiple force that you need to consider and do you want to synchronize all of your object attributes or just use specific ones and use filters to pull those in and do you want to synchronize all or only part of your active directory so you do get a free azure id subscription with an m365 subscription and when you set up the direct directory synchronization you can install azure 80 connect on one of your on-prem servers so you'll need to verify your on-premises domain and the azure ad connect wizard will actually help guide you through this and then make sure that you've obtained your usernames and passwords for the administrator accounts for the m365 tenant and active directory domain services when you go to plan your azure ad connect topologies keep in mind that having multiple azure ad connect sync servers connected to the same azure id tenant is not supported unless it's a staging server so it's unsupported even if these servers are configured to synchronize with a completely exclusive set of objects sometimes this topology is considered if you can't reach all of the domains in the forest from a single server or if you want to distribute load across several servers azure ad connect will allow you to install that second server in staging mode and in this mode the server is reading data from all of the connected directories but does not write anything to connect to directories it uses the normal synchronization cycle and so it keeps an updated copy of the identity data then if there does happen to be a disaster where the primary server fails then you can fail over to the staging server we do recommend having just a singleton in azure ad for an organization while many organizations have environments with multiple on-prem active directory forests and and there are various reasons for for doing so such as designs with account resource forests or when there's a merger acquisition so when you have multiple force all force must be reachable by a single azure ad connect sync server and that server must be joined to a domain if you need to you could even place the server in a perimeter network or dmz when you go through the installation wizard for azure id connect you'll be given several options to consolidate users who are represented in multiple forests with the goal being that the user is represented only once in azure ad if your environment does not have a default configuration where each user has only one enabled account each user has only one mailbox the a link to mailbox for a user is not in a different forest and and such assumptions then then you may have to look at an alternate topology there is actually a one-to-one relationship between an azure ad connect sync server and an azure id tenant so you do need one azure id connect sync server per installation when you're planning for pass through authentication with azure ad keep in mind that the user's password is validated against the on-prem active directory controller the password does not need to be present in azure 80 in any form this allows for on-prem policies such as sign-in hour restrictions to be evaluated during authentication to cloud services the way that pass-through authentication works is by using a simple agent on a windows server domain join machine in the on-prem environment the agent then listens for password validation requests and does not require any inbound ports to be open to the internet in addition you can also enable single sign-on for users on domain join machines with single sign-on these users only need to enter a username to help them securely access cloud resources and they don't have to enter a password so remember with azure ad passthrough authentication also called pta we ensure that users have a password validation for all the services that they rely on for azure ad and that's always performed against an on-prem active directory also azure ad password authentication is configured through the azure 80 connect agent and that's listening for those password validation requests and finally you need to remember that the server that runs the agent for pass through authentication should be joined to the active directory domain where the users are located an alternate type of synchronization called password hash synchronization is where hashes of user passwords are synchronized from on-prem to azure ad so when the passwords are changed or reset on-prem the new password hashes then gets synchronized to azure ad immediately so your users can always use the same password for cloud resources and on-prem resources these passwords are never sent to azure ad or stored in azure id in clear text you can use phs together with password write back to enable self service password reset in azure ad also you can enable seamless sso for users on domain join machines that are on your corporate network azure ad connect also is providing an ongoing account synchronization all the time while it's checking for changes in active directory domain services in your on-prem environment and then forwarding those changes to azure ad with phs you actually have the ability to filter which accounts are synchronized and whether or not to synchronize the hash version of user passwords so keep in mind this is the simplest way to enable authentication for adds identities in azure ad so before you go to install azure ad connect there's a few things that you need some of the prerequisites you should have are an azure id tenant so you need to add and verify the domain you plan to use in azure id by default an azure ad tenant is going to allow 50 000 objects but if you verify the domain then that limit increases to 300 000 objects and if if you need more than that then those could be taken care of through licensing such as microsoft 365. another prerequisite with your on-prem active directory is ensuring that the ad schema version and force functional level are at windows server 2003 at least the domain controllers can actually run any version as long as the schema and forest level requirements are met and again that's at windows server 2003 or later if you do want to use the password write back feature then your domain controllers must be on windows server 2012 or later those are some things to keep in mind around the prerequisites with your on-prem active directory environment when looking at azure ad connect server this is actually contains critical identity data so it's important that we properly secure the server and administrative access to it it should be treated as a tier zero component and we recommend that you harden your azure id connect server to decrease that attack surface area since it is a very critical component of your it environment some of the recommendations that will help mitigate security risk to your organization would be creating a dedicated account for all personnel with privileged access denying use of ntlm authentication with the azure ad connect server ensure that every machine has a unique local administrator password you can look into the local administrative password solution to help configure random passwords on each of your servers and and protect them by an access control list moving on to the sql server used by azure ad connect you'll want to make sure that you have a server lined out for that by default sql server 2012 express localdb will be installed to store your identity data but azure ad connect also supports versions of sql server from 2012 to 2019 and be sure you have the latest service pack installed as far as accounts that you need for azure ad connect you'll need to make sure you have an azure ad global administrator account for the azure 80 tenant that you want to integrate with if you use express settings or upgrade from dursync then you must have an administrator account for your on-prem active directory and that's an enterprise administrator account that's needed if you use custom settings then you'll have more options so you can look into those if you go down that path and when considering connectivity for azure ad connect you'll need a dns resolution for both internet and internet to provide to the azure 80 connect server and that dns server must be able to resolve names both to your on-prem active directory and to azure ad also if you have firewalls on your internet you'll need to open ports between azure ad connect and your domain controllers so some of those are some of the prerequisites you'll need to keep in mind when configuring azure ad connect when you go to set up azure ad connect there are two installation types for brand new installations there's express and customize express is the most common option and is used by the majority of organizations when they go to install azure ad connect it was designed actually to provide a configuration that works for most common customer scenarios the express installation assumes that you have a single active directory forest on-prem you have an enterprise administrator account you can use for the install and less than 100 000 objects in your on-prem active directory exists you'll also get the password hash synchronization for single sign-on and synchronization of all eligible objects into all domains and all ou's the configuration will synchronize your users groups contacts and windows 10 computers and automatic upgrade is enabled for azure 80 connect to ensure that you're always using the latest available version again as i mentioned earlier the custom path does allow more options than the express and it should be used in all cases where the configuration that i just described doesn't work for your organization so again if you if you just have a single forest topology and want to use phs for authentication then the express settings work great and are the default option before you do choose to begin either install you'll need to download the azure ad connect files and then go through all those prerequisite steps that we just talked about and that are listed in the documentation now let's touch on azure active directory connect health so the idea behind azure ad connect health is to provide you with robust monitoring of your on-prem identity infrastructure the goal of aad connect health is to enable you to maintain a reliable connection between your on-prem and the cloud online services so there are some key identity components that we're looking at monitoring and then we bubble up those key data points about the components in an easily accessible way to you in the azure ad connect health portal you can use this portal to view alerts performance monitoring usage analytics and other information you'll have basically a single lens of health for your key identity components all in one place so to summarize the azure ad connect health can give you a central location to view the health of key identity metrics for your on-prem environment and it just requires a simple agent to be installed on the targeted servers now there are several required management tasks that you should perform to make sure that your users synchronize efficiently and that there aren't any issues when you deploy azure ad connect some of these tasks include recovering from unsynchronized deletes managing user accounts even through enhanced user management recovering user accounts that may have accidentally been deleted so in this case after you delete a user the account remains in a suspended state for 30 days and during that 30-day window you can still restore the user account along with all its properties but after that 30-day window passes then the permanent deletion process is automatically started you can view your restorable users restore deleted user or even permanently delete a user in the azure portal when talking about the enhanced user management tasks some of those include more visible user properties such as object id directory sync status creation type and identity issuer the search function will allow you to look for sub strings and combine a search of names emails and object ids and then there's also some enhanced filtering by user type directory sync status creation type company name and and domain name so we've really tried to make these management tasks for you as easy as possible because they are important you can also manage groups as part of the directory synchronization to make sure that your environment and objects are where they need to be so once you implement directory synchronization with aad connect then you'll want to manage them in your active directory similar to the write-back feature with users there's also a write-back feature for groups that writes microsoft 360 groups from azure id to on-prem a.d and then the synchronized group from aad to on-prem ad also include the group memberships if the user accounts are created in your active directory during setup of azure ad connect azure id connects sync security groups such as adsync admins adsync operators adsync browse adsync password set are all automatically created and then you can use these groups to troubleshoot directory synchronization issues or even assign a user temporary permission to run a manual synchronization and all these groups are created as local groups on domain joined servers or as domain groups when you install azure ad connect on a domain controller we also have a capability around protecting your identities called azure ad identity protection so this is a tool that's going to allow you to accomplish three key tasks the first of which is automate the detection and remediation of identity based risks then investigate risks using data in the portal and thirdly export this risk detection data to third party utilities for further analysis identity protection is using the learnings that microsoft has acquired through azure ad the consumer space with microsoft accounts and with xbox gaming so we're analyzing trillions of signals every day to identify and protect you from threats the signals that are generated by and fed to identity protection can then be further fed into tools such as conditional access to help make access decisions or be fed back into a sim security information and event management tool for further hunting and investigation based on your policies there are three categories that identity protection uses for risk the tiers are low medium and high and while we don't provide specific details about how risk is calculated what we do say is that each level brings higher confidence that the user or sign-in is compromised for example something like one instance of an unfamiliar sign-in property for a user is not as threatening as leaked credentials for another user as mentioned you can also export the risk data so this can be done for or archival or for investigation and correlation purposes the microsoft graph has apis that will allow you to collect this data for further processing and then you can review and take action on detections as needed and there are some reports that can even help you in your investigations that identity protection provides identity protection identifies risks in the following classifications so stuff like atypical travel so sign in from an atypical location based on the user's recent sign-ins password spray this could indicate that multiple usernames are being attacked using common passwords in a brute force manner and stuff like malware linked ip address so sign in from a malware linked ip address and leaked credentials indicating that a user's valid credentials have been linked and these risk signals and remediations can be used in conjunction with each other to notify or automate certain actions so you can have the wrist signals themselves trigger remediation efforts such as requiring users to perform multi-factor authentication or reset their passwords using self-service password reset or even blocking them until an administrator takes action there's also vulnerabilities reported by azure identity protection and and the recommendations on how to address those some so some of the other ones that um are mentioned up here are sign-ins from infected devices so you can see how valuable this is in detecting vulnerabilities and risk events against your identities whenever you go to plan your investigation using azure identity protection then you can take these detections that are reported to you in these three key reports risky users risky sign-ins and risky detections and then take action on them as needed you'll get access to information and that helps you have a better understanding of the weak points in your identity security strategy so again these three reports are risky users risky sign-ins and risky detections and all three of these key reports will let you download events in csv format if you want to analyze further outside of azure portal the risky users and risky sign-ins reports will let you download the most recent 2500 entries while the risk detections report allows for downloading the most recent 5000 records and again this uses the microsoft graph api integrations so this is really useful when needing to aggregate the data with other sources from your organization the reports do give you a lot of information on your risks and then keep in mind some of the overall best practices for mitigations include excluding users who are likely to generate a lot of false positives use a low threshold if your organization requires greater security and exclude users who do not or cannot have multi-factor authentication so now that we've covered identity protection and synchronization concepts let's go take a look at a demo to implement identity synchronization okay i'm done with the slide so i have the demo left how long has it been 30 minutes okay okay cool so i think i'm shooting at a total of 45 to 60 minutes so if my demo is about 15 to 20 well i guess 15 to 30 then i'm good okay okay just gotta get it all okay over here in our demo system we're going to set up our organization for identity synchronization so what we have is m365 deployed and then we plan to implement identity synchronization between our m365 tenant accounts and local active directory accounts so the first step in this is configuring the upn suffix so on the domain controller i'm logged in as an administrator and i've launched powershell as an administrator and now i'm going to update the upn suffix for the domain and on the upn on every user in adds with with my domain's unique up name so to do this i'm going to run the following command set dash 84s dash identity the domain name dash upn suffixes at replace equals and then in quotes my upn name and then in curly brackets so i'll go ahead and type that command now so i'm putting in my tenant name in quotes in curly brackets so we have set dash a deforest identity domain name dash upn suffixes and our tenant name now press enter to run the command okay great now that one's done and i'll run the connect the next command get dash ad user dash filter you okay so i'll run the next command git dash ad user dash filter star dash properties sam account name pipe for each object set 80 user user principal name same account name and the provider tenant name so we're going to run that command now okay uh just a note when i press enter on the command something happened and so i'm that's all just you know silence that can be edited out but i'm just having to retype this last part and press enter again all right i'm just looking into why this errored out we may just need to move on with the demo but let me just see if it's a typo yep okay i've corrected that script and i'm pressing enter again so okay great now that that command has run then we just have one more command which is to set the execution policy as unrestricted and then enter a for yes to all okay now let's move over to the office portal to enable directory synchronization so i've logged into portal.office.com as an administrator and now i'll click on admin to go to the m365 admin center which i have opened here in this tab now i'm going to go to active users to take a look at directory synchronization all right once these loads i'm going to click on these ellipsis and directory synchronization so here's where we can prepare active directory with the adconnect tool and this will allow us to download it so by clicking on this it will take us to the download page allow us to download the azure active directory connect installation which i've downloaded here in advance and then we'll go ahead and run this to and install it and get to the setup wizard okay we're ready to run the setup wizard so first let's agree to the license terms and i'll click continue in this case i'm going to use express settings and remember that express settings do work for the majority of organizations especially if you only have a single forest on prem to synchronize and if you need to learn more about express settings then you can always click here and refer back to the documentation so again i'm going to choose to use express custom set use express settings okay now that's gone through that first part of the installation of installing required components then we want to enter the administrative credentials a global administrator for azure ad we'll enter the username and password for a global admin i've clicked next and i'll wait for it to verify those credentials okay it looks like it was successful in verifying those credentials and now we need to make sure that we have enterprise admin credentials to connect to our on-prem active directory environment and then enter that username and password once you have your credentials in then it's time to click next okay in this case okay use the wrong credentials on this so i will try again here okay now that i have the correct credentials and it's validating and moving on to the sign in configuration so in this case i'm going to put a check mark and continue without matching all upn suffixes to verify domains since this is just a test scenario it's it's completely fine but just keep in mind that users would not be able to sign in to azure 80 with on-prem credentials if the upn suffix doesn't match a verified domain all right i'm clicking next letting it go through the configuration and now we're going to go ahead and click start the synchronization process when configuration completes and click install so now that the azure ad connect configuration com completed and is successful then it started the synchronization process now keep in mind that we can log into the azure or the office 365 portal to verify the user accounts and make sure that the accounts from our local directory have been created we can also do a test sign-on through the azure portal and then also remember the active directory recycle bin is not enabled for this forest and this is something that we do recommend and then also azure active directory is configured to use some ad attributes such as the anchor attribute and that's listed here and can actually you can click on learn more if you want to have more information so we'll click exit on the wizard now and we will go ahead and go to the office portal now to validate the results of the directory sync synchronization and then also to license a user so we can see what that process looks like so let's go to portal.office.com which i've done here
we'll go to the admin center so i'm pulling that up now active users wait for those to load okay so now we should see many users that we've synchronized from the on-prem active directory to azure ad i'll click refresh to see as if others show up here we can see that we now have a lot of users that we've synchronized from our on-prem active directory now we also want to license a user so in this case i'll search for a user let's see if we can find abby parsons i'm filtering on abby great found abby now to edit her license information i'm going to select click on manage product licenses so remember abby was a user that was only in the on-prem the adds domain prior to the synchronization that we just ran so we need to license her for the m365 or ems licenses that we'd like to apply to her user account so in this case we can see abby is not in the united states she's in the united kingdom so we'll select her location in the drop down menu united kingdom and we'll give her the enterprise mobility plus security e5 license place a check mark next to that and click save changes all right once we save those changes we'll just close the window and so that's how you license a user that's been synchronized from on-prem and also the entire process of synchronizing local users from an on-prem active directory domain services environment to an azure ad environment complete through licensing a user with an enterprise mobility and security e5 license so that ends our demonstration in module two we discussed identity synchronization and protection topics such as planning your directory synchronization configuring and managing synchronized identities and azure ad identity protection we'll now take a 10 minute break we'll see everyone back here when we'll cover module 3 identity and access management welcome back from the break for module three we'll cover identity and access management with topics such as azure ad b2b conditional access and single sign-on let's get started azure 80 seamless single sign-on or seamless sso automatically signs in users when they are on their pcs or other devices it provides users with easy access to cloud-based applications without needing any additional on-premises components users get to conveniently access all of their apps with sso from any location or any device and receive a simplified experience and better productivity the sign and flow for a web browser as an example would go as cis a user tries to access a web application from a domain joined corporate device inside your corporate network in this case and then if the user is not already signed in they get redirected to the azure 80 sign-in page where they can type in their username then azure id is going to challenge the browser and provide a kerberos ticket and authentication and authorization will proceed from there azure ad can decrypt the kerberos ticket and then either return the token back to the application or ask the user to perform additional proofs such as mfa or multi-factor authentication then if everything is successful the user will be able to access the application so azure ad simplifies the way that you manage your applications by providing that single identity system for both your cloud and on-premises applications there are four main types of applications that you can add to your enterprise applications and manage with azure id these are azure ad gallery applications which is a gallery of thousands of applications that have already been pre-integrated for single sign-on with azure id the other type of application is on-premises applications using azure 80 application proxy which allows you to integrate on-premises web apps with azure id to support single sign-on the third type of application that you can add is a custom develop application so when you build your own line of business applications you can still integrate those with azure ad single sign-on and then finally the fourth type is non-gallery applications so you can bring your own applications there are multiple ways to integrate an application now with single sign-on your users can have one set of credentials for access to everything they need and again in our azure 80 application gallery we have thousands of pre-integrated third-party applications that you're probably already using this makes it easier for your users because if each application had to be tracked separately then it would be a silo of different user games and logins for every single application the central identity system that azure ad provides solves this problem by providing a single place to store user information that can be used by all the applications such as these pre-integrated third-party applications we find that organizations on average use over 180 applications and this number keeps on growing so it's becoming a lot harder for organizations and their users to find and access all the applications they need at microsoft we offer the my apps experience to help your users be more productive we fully integrated my apps with the office 365 portal so that your users have a consistent way to find all of their applications beyond just office 365. it's a one-stop shop to provide that seamless experience to sign in and find the applications now a little bit more on azure active directories application proxy how it works is it provides secure remote access to on-premises web applications after a single sign-on to azure id users can access both their cloud and on-premises applications through an external url or even through an internal application portal for example you could use application proxy to provide remote access and single sign-on capabilities to sharepoint microsoft teams remote desktop and line of business applications application proxy works with web applications that use integrated windows authentication form-based or header-based access web apis applications hosted behind a remote desktop gateway and other applications that are integrated with the microsoft authentication library we allow you to provide secure hybrid access and to connect any app in any cloud or on-premises to any user you can provide all of your users with secure access even to your legacy apps you can streamline and modernize access to applications that support legacy authentication including kerberos ntlm rdp ldap ssh and header base and form-based authentication you also get advanced security capabilities including identity protection multi-factor authentication and conditional access which helps you further protect your legacy apps and finally you can use single sign-on and password authentication to allow seamless access to your legacy apps let's talk more about conditional access with identity protection together this helps you make decisions and enforce organizational policies it's the best way to secure your identities and keep the bad guys out our conditional access policies allow you to define conditions for how users authenticate and how they get access to applications and data when you combine identity protection with conditional access it's taking in all of these terabytes of signals like user behavior the state of the device the user's location the risk score for the user and the sign in and the application being accessed and then we use machine learning to analyze all these different signals and determine the appropriate policy should we allow or limit or block access or just request additional verification for example you might have a policy that requires mfa if the user is accessing your application or data from a new location that you haven't seen before so when a user signs in from an unfamiliar location they get an additional verification prompt before they are given access you can apply different conditional access policies based on location user rules application sensitivity and device state so for example you can configure policies to select certain conditions such as whether a device is compliant is the operating system up to date and then decide whether you want to allow access or require further identification with azure active directory access reviews microsoft 365 global admins and user account admins can evaluate guest user access recertify role assignments collect access review controls and evaluate employee access to applications and group memberships this really enables your organization to efficiently manage group memberships and access to your applications and then ensure that those privileged role assignments are managed since managing security can be difficult with all of the common identity related attacks such as password spray replay and phishing we find that security defaults within azure active directory make it easier to help protect your organization with pre-configured security settings the default settings are requiring all users to register for azure multi-factor authentication requiring administrators to perform mfa blocking legacy authentication protocols protecting privileged activities like access to the azure portal and requiring mfa when necessary with conditional access we have the ability to use report only mode which allows administrators to evaluate the impact of any conditional access policies that you create before you enable them in your environment for organizations that have an azure adpion p2 license you can also create conditional access policies incorporating azure 80 identity protection sign in risk detections or user risk detections microsoft works with law enforcement other researchers our own internal security teams and many other trusted sources to help find any credentials that have been leaked and then we have a risk that represents the probability that a given authentication request isn't authorized by the identity owner when implementing conditional access and planning for device compliance policies keep in mind that you can define rules and settings that users and devices must meet to be compliant these device compliance policies can help your organization protect its data you can include actions that apply to vices that are non-compliant and then alert users to the conditions of non-compliance and you can combine compliance policies with other conditional access policies to block users and devices that don't meet the rules before you can apply a compliance policy to device you have to first enroll it in microsoft in tune while the policies are platform specific you can create compliance policies for all of your device types some commonly used settings are a minimum os version required or requiring local data encryption and requiring a password to access the device when you enroll your devices into microsoft in tune a mobile device management agent is installed and then begins to sync the device details to in tune where you can view all the detailed device information further you can create user and device groups within azure active directory which can be both static and dynamic and then these groups are used by in tune and can be automatically populated with users or devices taking a closer look at conditional access policies at the simplest we're looking at if then statements if a user wants to access a resource then they must complete an action these policies can be granular or specific with the goal being to empower users to be productive wherever whenever but to also protect the organization so it's about applying the right access controls when needed to keep your organization secure but to stay out of the user's way when not needed you can apply multiple conditional access policies to any individual user at any time some common decisions you might look at are are blocking access or granting access and some commonly applied policies that we look at are requiring multi-factor authentication or requiring trusted locations whenever you do register with mfa on the entune blade within the azure portal and in the microsoft 365 admin portal you can perform basic device monitoring and view audit logs of all the activities that are generated within microsoft and tune these audit logs include activities such as creating and deleting and you can also trigger device action from here and view a history of which actions were run on different devices now let's take a look at a demonstration of conditional access we'll take a look at how you can ensure approved users and devices have access to corporate data and then also how to ensure compliance when accessing different systems so with conditional access we can first set a baseline policy to require for example multi-factor authentication for admins so within microsoft intune we've gone to policies and conditional access i have a baseline policy require mfa for admins here so i'm going to set it once i've clicked on enabling that baseline policy we get a notification that it requires multi-factor authentication for these following rules since we want to enable it immediately we're going to put the bullet in use policy immediately once that's enabled we can click on new policy this is going to enforce compliance when we access the financial system dynamics in the name field i'm going to call this one dynamic security compliance then i'm going to click on users and groups to choose which users to apply this policy to on the include tab i'm going to select users and groups so that i can see a list of all the users and groups that i can select from clicking select i'm going to choose in this case a group called business development so i click on that and then click select now we're going to choose which cloud apps to include so i click on cloud apps and on the include app i click on select apps and then under the select field i'm going to choose dynamics in this case so i click dynamics and then select now we're going to define the conditions and rules to govern access to dynamics we want to enable this policy with assign and risk level set to high so i click on conditions click on sign in risk click on configure yes and hi so we want to grant access to this and require mfa so now that we've configured it we're ready to enable the policy i'm going to click on on to do so and finally i'll click on create where we'll run a validation process and then go ahead and deploy our new policy great so we've set a baseline policy to require multi-factor authentication for administrators and then created the policy to enforce the compliance when accessing dynamics now let's talk more about planning your identity and access management solution by planning for role-based access control when planning your access control strategy remember it's a best practice to grant users the least privilege to get their work done here we see a suggested pattern for using role-based access control including different scopes and roles to better understand roles in azure it helps to know a little bit of the history when azure was initially released access to resources was managed with just three administrator roles this is the account administrator the service administrator and the co-administrator later azure role-based access control or azure are back was added this is a newer
2021-05-13 11:49
