Microsoft Security Virtual Training Day Secure and Protect Your Organization

Hello and welcome to this virtual session. We're glad you could join us today. Before we get started, there are a few housekeeping items we'd like to go over with you. Firstly, you can resize the webinar windows to cater to your viewing preferences: you can maximize, minimize and drag the windows to your preferred viewing size. If you look at the bottom middle of your screen, you can click on the widgets that you'll need to get the most out of this virtual experience. Secondly, Microsoft specialists are on hand to answer your questions in real time, so feel free to type in your questions using the Q&A window and we'll answer them as soon as we can. Lastly, we've provided some additional resources for you to supplement your learning; you can access them by clicking on the links in this section. Without further ado, I'll hand over to our speakers.

Welcome to this Microsoft Security Virtual Training Day: Secure and Protect Your Organization. In part one we'll cover the first three modules of the course. We begin by discussing user and group management, then we'll move on to talking about how to synchronize and protect your identities within the cloud. Finally, we'll look at identity and access management, where we discuss seamless single sign-on and conditional access, among other things.

So let's get started with our first module. We build experiences, intelligence and integration into the security technology we offer at Microsoft. This shows up in four broad areas. First of all, with identity and access management, we look at how the vast majority of breaches begin with compromised passwords; this is the single weakest link in most security strategies. Our customers also consistently tell us about their concerns for the high volume of data and alerts and the increasing sophistication and impact of attacks, so we prioritize integrated and automated threat protection to help meet the demand for advanced security that works in the real world.
Thirdly, our customers tell us about difficulties they have with protection and governance of their information. We actually see that around 64 percent of organizations report that employees externally share PII and other sensitive business data without encryption, so we've made information protection a priority to protect customer sensitive data wherever it lives or travels, so you can work with confidence. And as enterprises move more of their workloads to the cloud, it has never been more important to protect cross-cloud resources. From Azure to AWS, from Slack to Salesforce, we've built comprehensive cloud security to protect every layer of your resources, regardless of which cloud or cloud apps you use.

We see a lot of challenges around identity, from the fact that 73 percent of passwords are duplicates. We also see that around 80 percent of employees use non-approved apps for work, which causes more challenges around managing identities, and around 81 percent of breaches are caused by credential theft. So it's very important to consider identity and access management. Identity is actually the control plane for digital transformation. In this world, your identity system in the cloud is your control plane that can connect everything, give you visibility to your entire digital estate, ensure that only the right people have the right access to the right resources, and keep the bad players out. Microsoft's Azure Active Directory is a universal identity platform; it can help you manage and secure all of your users and access to all of your applications.

Now, it's important to have a comprehensive identity governance solution to ensure that the right users have the right access at the right time. We have built-in capabilities in Azure Active Directory that help you protect, monitor and audit access throughout the user life cycle. When you have a new user join your organization, you can automate how you grant access rights to resources. If you connect it via the HR system, a user can receive a set of access rights for their role with entitlement management access packages. Then, as users need additional access rights, we provide them with the ability to do self-service access requests. Even guest users, such as vendors and partners, can be monitored and reviewed for greater security. When it comes to administrative rights and admins, you can use Privileged Identity Management for just-in-time access, alerts and approval workflows to protect access to critical resources. Something that we encourage you to ask yourself is: how many global admins do you have? This is the highest level of administrative access in Azure AD, so you want to make sure that you don't have more than you need, since excessive access could be a risk to your environment. At the end of the life cycle, you can use your HR app to make sure access rights are removed.

Now, this is an entire map of all the capabilities that are needed for effective identity and access management in the cloud era. We've actually been working on this map with analyst firms and customers to ensure that we don't miss anything important. Microsoft's commitment is to deliver one simple, integrated and complete identity solution for all your needs. This includes application access, event logging and reporting, service resilience, performance, scalability and ease of use.

So how does Zero Trust employ these principles? Well, every access request is strongly authenticated, authorized within policy constraints and inspected for anomalies before granting access. Everything from the user's identity to the application's hosting environment is used to verify the request and prevent breach, and to limit the impact of potential breaches we apply segmentation policies, employing the principle of least privileged access, and then use analytics to help detect and respond quickly. But the essence of Zero Trust remains simple: security models which assume safety based on network location are inadequate. We're really living in a new reality; the old assumptions will not keep us secure in the new world. We find that it's no longer acceptable to just assume that everything behind the corporate firewall is safe. For our new principles, we want to verify explicitly, always authenticating and authorizing based on available data points; this includes user identity, location, device health, data classification and anomalies. The second concept within Microsoft Zero Trust principles is using least privileged access. We want to limit user access to protect both data and productivity; we can use things like just-in-time and just-enough access. And finally, we want to always assume breach. This lets us minimize the blast radius for breaches and employ security strategy to prevent lateral movement across our environments.

When we approach Zero Trust and think about it holistically, we want it to extend throughout the entire digital estate. This allows it to serve as an integrated security philosophy and end-to-end strategy. There are six foundational elements across Zero Trust controls and technologies: these include identities, devices, data, applications, infrastructure and network. So it's important to verify identity: we want to know who is requesting access, validate that identity explicitly, and ensure that we're using strong authorization and threat intelligence to validate that authentication. When we verify devices, we want all data access requests to result in the transfer of the data to a browser or app on a device that is not lost, stolen or infected. Third, we want to protect our data. Wherever possible, data should be protected by auto-classification and encryption to protect against intentional or accidental misrouting and download of data. Since applications, and the configuration of those applications, must be secure in order to mitigate intrinsic application risks, we want to ensure that we govern access through policy; we can look at application behavior, including shadow IT, to look for and protect from anomalies. Where we're using cloud workloads such as IaaS or PaaS, it's important to ensure that you're utilizing the cloud fabric according to the best security principles, utilizing the intelligence and protection provided. And finally, we want to govern our networks by mitigating lateral movement, using intelligent adaptive segmentation strategies for workloads, and monitoring those and protecting from anomalous traffic patterns.

When we look at Microsoft 365 identity models, it's important to first understand that there are two identity models that you need to account for when planning for user accounts: we have both the cloud identity and the hybrid identity. A cloud-only identity uses user accounts that exist only in Azure AD. With cloud-only identity, all your users, groups and contacts are stored in Azure Active Directory (Azure AD), and both on-premises and remote users use their Azure AD user accounts and passwords to access Microsoft 365 cloud services. Now, depending on your business needs and technical requirements, the hybrid identity model may be your best choice. Hybrid identity uses accounts that originate in an on-prem Active Directory Domain Services (AD DS) and have a copy in the Azure AD tenant of a Microsoft 365 subscription. This means that changes you make to AD DS user accounts are synchronized to a copy in Azure AD, but changes made to cloud-based accounts in Azure AD, such as a new user account, are not synchronized back to AD DS. When you implement hybrid identity, your on-prem AD DS is the authoritative source for account information.

When using the hybrid identity model, there are two types of authentication. There's managed authentication, where Azure AD is handling the authentication process by using a locally stored hashed version of the password, and then we have federated authentication, where Azure AD is redirecting the client computer requesting authentication to another identity provider. Within managed authentication we have two types of managed authentication: we have password hash synchronization (PHS), where Azure AD performs the authentication itself, and we also have pass-through authentication (PTA), which is where Azure AD has AD DS perform the authentication. With PHS, you synchronize your AD DS user accounts with Microsoft 365 and then manage your users on-prem. Hashes of user passwords are synchronized from your AD DS to Azure AD so that the users have the same password on premises and in the cloud. This is the simplest way to enable authentication for AD DS identities in Azure AD. When passwords are changed or reset on premises, the new password hashes are synchronized to Azure AD, and this means your users can always use the same password for both cloud resources and on-premises resources. Pass-through authentication provides simple password validation for Azure AD authentication services by using a software agent running on one or more of your on-prem servers; it then validates the users directly with your AD DS. Pass-through authentication synchronizes user accounts from AD DS to Microsoft 365, and you manage your users on premises. PTA also allows your users to sign in to both on-premises and Microsoft 365 resources and applications using their on-prem account and password. This configuration validates user passwords directly against your on-prem AD DS without storing password hashes in Azure AD.

Directory synchronization allows you to manage your identity in Active Directory Domain Services, and then all updates to your user accounts, groups and contacts are synchronized into the Azure Active Directory tenant of your Microsoft 365 subscription. The Azure AD Connect tool is what's used to synchronize your user accounts from AD DS to Azure AD. It's made up of three parts: we have the synchronization services, the optional Active Directory Federation Services piece, and the monitoring piece. Azure AD Connect comes with several features which you can turn on, and some are enabled by default. It's important to note that it requires a single source of authority for every object, and the source of authority in this case is the on-premises Active Directory. When you use Azure AD Connect for cloud provisioning, provisioning from Active Directory to Azure AD is orchestrated in Microsoft Online Services, so an organization only needs to deploy, in their on-premises and hosted environments, a single lightweight agent to act as a bridge between Azure AD and Active Directory Domain Services. The provisioning configuration is then stored in Azure AD and managed as part of the service.

Tying it all together, let's take a quick review of the different identity models and considerations. When you choose the cloud authentication method, Azure AD handles the user sign-in process. Coupled with seamless single sign-on, users can sign in to cloud apps without having to re-enter their credentials. With cloud authentication you get to choose from two options: Azure AD password hash synchronization, which is the simplest way to enable authentication for on-premises directory objects in Azure AD, and then Azure AD pass-through authentication. You also have the option of federated authentication. When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as an on-premises Active Directory Federation Services, to then validate the user's password.

When it comes to creating user accounts, you can use different methods to provision them depending on your needs. This includes directory synchronization, Windows PowerShell, the ability to import multiple users, and also doing so within the Microsoft 365 admin center. When you need to manage user accounts and licenses, you can use the Microsoft 365 admin center to do so. It allows you to edit single or multiple users and to change settings such as location settings, administrator roles and sign-in status; it also allows you to assign licenses here. When it comes to administrator roles such as global admin and service admin, it's important to note that Microsoft 365 licenses can be assigned within the Microsoft 365 admin center. Keep in mind that when users leave your organization, they usually no longer require a user account in Microsoft 365. So when you delete a user account, the assigned Microsoft 365 license for that user becomes available, which you can then assign to another user. Microsoft 365 retains the account as a soft-deleted, inactive account for 30 days after deletion; this enables you to restore the account should you need to do so. Again, you can use the Microsoft 365 admin center to perform these functions, or Windows PowerShell.

Within Microsoft 365 you can use groups to manage sets of users. You can manage groups such as dynamic distribution groups, Exchange mail-enabled security groups, Office 365 groups and distribution lists. The Microsoft 365 admin center also allows you to change password settings for your users. By default, users' passwords expire after 90 days, and users receive a notification of password expiration 14 days before the password expires, so this is an example of a setting that you can change within the admin center if necessary. You can also go here to reset a password for one or multiple users, and then if you forget your own administrator password, you can actually reset the password yourself here or have another administrator reset it for you.

Microsoft 365 has an option for multi-factor authentication, also known as MFA. This increases security by having users provide a second authentication method when they sign in. This might be something like acknowledging a text message or a phone call, or having some other notification on their phones. If you want to enable MFA in Microsoft 365 admin, then a tenant administrator can do so by enabling it here. We also have the option of self-service password reset. This allows users to reset their own passwords without requiring intervention by the administrator. Keep in mind self-service password reset is not enabled by default. In order to reset a password, users have to authenticate their identity first. There are two verification methods that administrators must use when using self-service password reset, and one of these cannot include security questions for administrators.

All right, now we're going to take a look at a guided demonstration for self-service password reset. In this case we'll take a look at Isaiah, who would like to reset his password without calling the IT help desk. So first we're going to reset his password and then validate authentication. So we're going to reset Isaiah's password as Isaiah to demonstrate the self-service password reset. Here we go to sign in as Isaiah with his user ID. We're going to click Next after entering his full user name and email address. Since he's actually forgotten his password and wants to reset it without having to call in to the help desk, we'll click on the "Forgot my password" link. Now, to recover the account, we need to first enter Isaiah's user ID, and then we're going to enter the characters in the picture below and click Next. In this case, to verify, we can either choose to receive an email or a text to our mobile phone. For this example we'll receive a text to Isaiah's mobile phone. Here we enter the phone number that's on record to ensure that it matches, and then click Text. Once Isaiah has received that text message with the verification code, it can be entered here, and then we'll click Next. And it's time to create a new password; we'll confirm it, typing it in twice, and click Finish. So as you can see, that was really easy for Isaiah to perform a self-service password reset that let him do so without calling the help desk.

Sometimes it's hard to remember strong passwords, and we find that users often reuse passwords on multiple sites. Because of this, server breaches can expose symmetric network credentials, and passwords are subject to replay attacks. We find that users also inadvertently expose their passwords due to phishing attacks. So instead of always having users try to remember passwords, we can use password alternatives such as Windows Hello, Microsoft Authenticator and FIDO2 security keys. So let's take a look at each of these password alternatives a little more closely. In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that's tied to a device and uses a biometric or a PIN. You can authenticate to Active Directory or Azure Active Directory with Windows Hello for Business. The Microsoft Authenticator app helps you sign in to your accounts using two-factor verification. You can use it in multiple ways, including responding to a prompt for authentication after you sign in with your username and password, or to sign in without entering a password, and as a code generator for any other accounts that support authenticator apps. You can use a fingerprint, face recognition or a PIN in conjunction with the Authenticator app, and if anything happens to your mobile device, or if you forget your PIN, your password will still get you into your account. Microsoft also supports FIDO2 security keys. The FIDO Alliance, or Fast Identity Online, is one of our most important partnerships today. The organizations that you see here are FIDO's board members, but more than 250 organizations are members of the alliance. The members work together to improve authentication standards and help reduce the world's over-reliance on passwords. Our goal is to make sure that everybody who uses services on the web or on premises has a secure and convenient sign-in experience with credentials that eliminate phishing. For example, say I sign in to my Microsoft Surface; I then have secure authentication to my device and every service and application I use. With facial recognition or other biometrics enabled, I can use this throughout the day with one secure sign-in. The operating system, browser, applications and credentials that I'm using here support the FIDO standards to make this all happen. The number of FIDO-compliant devices and services continues to grow. All of the common browsers, Edge, Firefox and Chrome, support FIDO, and there are multiple security key options that use USB, Bluetooth or NFC to connect, to meet different business needs.

Another way of protecting your identities is through using Azure AD smart lockout. This helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Attackers will get locked out, but we recognize sign-ins from valid users and treat them differently so that users can continue to access their accounts and be productive. Azure AD smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication. Smart lockout is always on for all Azure AD customers to offer you the right mix of security and usability.

In module 1 we learned about identity and access management concepts such as the Zero Trust model and user accounts and roles. We'll now take a 10 minute break. We'll see everyone back here when we start module 2: synchronizing and protecting identities in the cloud.

Welcome back from the break, everybody. Now we'll move on to module 2, where we will cover identity synchronization and protecting those identities in the cloud. So let's get started.

Before you begin synchronizing your on-prem Active Directory to your Azure AD tenant, you'll need to clean up your AD DS to prepare for the directory synchronization. If you don't prepare, then you could cause failures that cause a lot of cleanup that you'll have to go through and take care of later. So if you have, for example, duplicate attributes or certain characters in attributes, then you could cause it to fail, so it's best to really align your attributes, go through the requirements, and ensure that you have these things in order. Before you start synchronizing your on-prem Active Directory, you can check and fix any issues that you might have with your accounts, and you can do this by using the IdFix tool, which you can download directly from Microsoft. What it does is it scans your on-prem AD, or the parts that you specify, and then identifies problems like formatting issues, duplicates and such, and then you can fix these problems within the tool before you begin the synchronization.

During your planning, some of the considerations you need to make are: do you require an Azure AD Connect failover scenario? You'll also want to think about the advanced configuration features and how you want to synchronize your Active Directories. Do you have multiple forests that you need to consider, and do you want to synchronize all of your object attributes or just use specific ones and use filters to pull those in? And do you want to synchronize all or only part of your Active Directory? So you do get a free Azure AD subscription with an M365 subscription, and when you set up the directory synchronization you can install Azure AD Connect on one of your on-prem servers. So you'll need to verify your on-premises domain, and the Azure AD Connect wizard will actually help guide you through this, and then make sure that you've obtained your usernames and passwords for the administrator accounts for the M365 tenant and Active Directory Domain Services.

When you go to plan your Azure AD Connect topologies, keep in mind that having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported unless it's a staging server. So it's unsupported even if these servers are configured to synchronize with a completely exclusive set of objects. Sometimes this topology is considered if you can't reach all of the domains in the forest from a single server, or if you want to distribute load across several servers. Azure AD Connect will allow you to install that second server in staging mode, and in this mode the server is reading data from all of the connected directories but does not write anything to the connected directories. It uses the normal synchronization cycle, and so it keeps an updated copy of the identity data. Then, if there does happen to be a disaster where the primary server fails, you can fail over to the staging server. We do recommend having just a single tenant in Azure AD for an organization, while many organizations have environments with multiple on-prem Active Directory forests, and there are various reasons for doing so, such as designs with account resource forests or when there's a merger or acquisition. So when you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server, and that server must be joined to a domain. If you need to, you could even place the server in a perimeter network or DMZ. When you go through the installation wizard for Azure AD Connect, you'll be given several options to consolidate users who are represented in multiple forests, with the goal being that the user is represented only once in Azure AD. If your environment does not have a default configuration, where each user has only one enabled account, each user has only one mailbox, the linked mailbox for a user is not in a different forest, and such assumptions, then you may have to look at an alternate topology. There is actually a one-to-one relationship between an Azure AD Connect sync server and an Azure AD tenant, so you do need one Azure AD Connect sync server per installation.

When you're planning for pass-through authentication with Azure AD, keep in mind that the user's password is validated against the on-prem Active Directory controller. The password does not need to be present in Azure AD in any form. This allows for on-prem policies, such as sign-in hour restrictions, to be evaluated during authentication to cloud services. The way that pass-through authentication works is by using a simple agent on a Windows Server domain-joined machine in the on-prem environment. The agent then listens for password validation requests and does not require any inbound ports to be open to the internet. In addition, you can also enable single sign-on for users on domain-joined machines. With single sign-on, these users only need to enter a username to help them securely access cloud resources, and they don't have to enter a password. So remember, with Azure AD pass-through authentication, also called PTA, we ensure that users have password validation for all the services that they rely on for Azure AD, and that's always performed against an on-prem Active Directory. Also, Azure AD pass-through authentication is configured through the Azure AD Connect agent, and that's listening for those password validation requests. And finally, you need to remember that the server that runs the agent for pass-through authentication should be joined to the Active Directory domain where the users are located.

An alternate type of synchronization, called password hash synchronization, is where hashes of user passwords are synchronized from on-prem to Azure AD. So when the passwords are changed or reset on-prem, the new password hashes then get synchronized to Azure AD immediately, so your users can always use the same password for cloud resources and on-prem resources. These passwords are never sent to Azure AD or stored in Azure AD in clear text. You can use PHS together with password writeback to enable self-service password reset in Azure AD. Also, you can enable seamless SSO for users on domain-joined machines that are on your corporate network. Azure AD Connect also is providing ongoing account synchronization all the time, while it's checking for changes in Active Directory Domain Services in your on-prem environment and then forwarding those changes to Azure AD. With PHS you actually have the ability to filter which accounts are synchronized and whether or not to synchronize the hashed version of user passwords. So keep in mind, this is the simplest way to enable authentication for AD DS identities in Azure AD.

So before you go to install Azure AD Connect, there are a few things that you need. Some of the prerequisites you should have are an Azure AD tenant, so you need to add and verify the domain you plan to use in Azure AD. By default, an Azure AD tenant is going to allow 50,000 objects, but if you verify the domain then that limit increases to 300,000 objects, and if you need more than that, then those could be taken care of through licensing such as Microsoft 365.
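The speaker has just walked through PHS, PTA and the global-admin question from module 1, and said that user management can also be done from Windows PowerShell. As an added example that is not part of the training session or any Microsoft sample, here is a short PowerShell health check a hybrid-identity admin can run to confirm what was described: whether directory sync and password hash sync are on and current, how many Global Administrators the tenant has, which soft-deleted users are still inside the 30-day restore window, and the scheduler state on the Azure AD Connect server. It assumes the MSOnline module is installed and still usable against your tenant, and that the ADSync module is present on the Azure AD Connect server; the two-hour staleness threshold is a made-up value, and the UTC comparison assumes LastDirSyncTime is reported in UTC.

```powershell
# Added example, not from the session. Cmdlet names are real MSOnline / ADSync
# cmdlets; the staleness threshold is an arbitrary value chosen for illustration.

# --- Run on an admin workstation: tenant-side view of directory synchronization ---
Import-Module MSOnline
Connect-MsolService          # interactive sign-in with a Global Administrator account

$company = Get-MsolCompanyInformation
$company | Select-Object DirectorySynchronizationEnabled,
                         PasswordSynchronizationEnabled,
                         LastDirSyncTime,
                         LastPasswordSyncTime

# Flag a stale sync. The default scheduler interval is 30 minutes, so a gap of
# a couple of hours usually means the Azure AD Connect server or service is down.
$staleAfter = [TimeSpan]::FromHours(2)   # assumption: tune to your environment
if ($company.LastDirSyncTime -and
    ((Get-Date).ToUniversalTime() - $company.LastDirSyncTime) -gt $staleAfter) {
    Write-Warning "Directory sync has not completed since $($company.LastDirSyncTime) UTC"
}

# Answer the speaker's question: how many Global Administrators do you have?
# MSOnline still names this role 'Company Administrator'.
$gaRole  = Get-MsolRole -RoleName "Company Administrator"
$gaUsers = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId
"Global Administrators: $(@($gaUsers).Count)"
$gaUsers | Select-Object DisplayName, EmailAddress, RoleMemberType

# Soft-deleted users: restorable for 30 days, then permanently deleted.
Get-MsolUser -ReturnDeletedUsers |
    Select-Object UserPrincipalName, SoftDeletionTimestamp

# --- Run on the Azure AD Connect server: scheduler state, then a manual delta sync ---
Import-Module ADSync
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta   # the only line here that changes anything
```

Everything above the last line is read-only, so it is safe to run as a routine check; the delta sync at the end is what you would use after fixing IdFix findings or a stale scheduler. If StagingModeEnabled is true on the server you expected to be primary, that is the misconfiguration the topology discussion above warns about, because a staging server never exports to Azure AD.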
another prerequisite with your on-prem active  directory is ensuring that the ad schema version   and force functional level are at windows server  2003 at least the domain controllers can actually   run any version as long as the schema and  forest level requirements are met and again   that's at windows server 2003 or later if you  do want to use the password write back feature   then your domain controllers must be on windows  server 2012 or later those are some things to keep   in mind around the prerequisites with your on-prem  active directory environment when looking at azure   ad connect server this is actually contains  critical identity data so it's important that   we properly secure the server and administrative  access to it it should be treated as a   tier zero component and we recommend that you  harden your azure id connect server to decrease   that attack surface area since it is a very  critical component of your it environment   some of the recommendations that will  help mitigate security risk to your   organization would be creating a dedicated  account for all personnel with privileged access   denying use of ntlm authentication  with the azure ad connect server   ensure that every machine has a  unique local administrator password   you can look into the local administrative  password solution to help configure   random passwords on each of your servers and  and protect them by an access control list   moving on to the sql server used by azure  ad connect you'll want to make sure that   you have a server lined out for that by  default sql server 2012 express localdb   will be installed to store your identity data  but azure ad connect also supports versions   of sql server from 2012 to 2019 and be sure  you have the latest service pack installed   as far as accounts that you need for azure ad  connect you'll need to make sure you have an   azure ad global administrator account for the  azure 80 tenant that you want to integrate with   if you 
use express settings or upgrade from  dursync then you must have an administrator   account for your on-prem active directory  and that's an enterprise administrator   account that's needed if you use custom settings  then you'll have more options so you can look   into those if you go down that path and when  considering connectivity for azure ad connect   you'll need a dns resolution for both internet and  internet to provide to the azure 80 connect server   and that dns server must be able  to resolve names both to your   on-prem active directory and to azure  ad also if you have firewalls on your   internet you'll need to open ports between  azure ad connect and your domain controllers   so some of those are some of the prerequisites  you'll need to keep in mind when configuring   azure ad connect when you go to set up azure ad  connect there are two installation types for brand   new installations there's express and customize  express is the most common option and is used by   the majority of organizations when they go  to install azure ad connect it was designed   actually to provide a configuration that  works for most common customer scenarios   the express installation assumes that you  have a single active directory forest on-prem   you have an enterprise administrator account you  can use for the install and less than 100 000   objects in your on-prem active directory exists  you'll also get the password hash synchronization   for single sign-on and synchronization of all  eligible objects into all domains and all ou's   the configuration will synchronize your users  groups contacts and windows 10 computers and   automatic upgrade is enabled for azure 80 connect  to ensure that you're always using the latest   available version again as i mentioned earlier  the custom path does allow more options than the   express and it should be used in all cases where  the configuration that i just described doesn't   work for your organization so again if you if  
you just have a single forest topology and want to use PHS for authentication, then the express settings work great and are the default option. Before you do choose to begin either install, you'll need to download the Azure AD Connect files and then go through all those prerequisite steps that we just talked about and that are listed in the documentation.

Now let's touch on Azure Active Directory Connect Health. So the idea behind Azure AD Connect Health is to provide you with robust monitoring of your on-prem identity infrastructure. The goal of AAD Connect Health is to enable you to maintain a reliable connection between your on-prem and the cloud online services. So there are some key identity components that we're looking at monitoring, and then we bubble up those key data points about the components in an easily accessible way to you in the Azure AD Connect Health portal. You can use this portal to view alerts, performance monitoring, usage analytics and other information. You'll have basically a single lens of health for your key identity components all in one place. So to summarize, Azure AD Connect Health can give you a central location to view the health of key identity metrics for your on-prem environment, and it just requires a simple agent to be installed on the targeted servers.

Now there are several required management tasks that you should perform to make sure that your users synchronize efficiently and that there aren't any issues when you deploy Azure AD Connect. Some of these tasks include recovering from unsynchronized deletes, managing user accounts even through enhanced user management, and recovering user accounts that may have accidentally been deleted. So in this case, after you delete a user, the account remains in a suspended state for 30 days, and during that 30-day window you can still restore the user account along with all its properties, but after that 30-day window passes, then the permanent
deletion process is automatically started. You can view your restorable users, restore a deleted user, or even permanently delete a user in the Azure portal. When talking about the enhanced user management tasks, some of those include more visible user properties such as object ID, directory sync status, creation type and identity issuer. The search function will allow you to look for substrings and combine a search of names, emails and object IDs, and then there's also some enhanced filtering by user type, directory sync status, creation type, company name and domain name. So we've really tried to make these management tasks as easy as possible for you, because they are important.

You can also manage groups as part of the directory synchronization to make sure that your environment and objects are where they need to be. So once you implement directory synchronization with AAD Connect, then you'll want to manage them in your Active Directory. Similar to the write-back feature with users, there's also a write-back feature for groups that writes Microsoft 365 groups from Azure AD to on-prem AD, and then the synchronized groups from AAD to on-prem AD also include the group memberships if the user accounts are created in your Active Directory. During setup of Azure AD Connect, Azure AD Connect sync security groups such as ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet are all automatically created, and then you can use these groups to troubleshoot directory synchronization issues or even assign a user temporary permission to run a manual synchronization. All these groups are created as local groups on domain-joined servers, or as domain groups when you install Azure AD Connect on a domain controller.

We also have a capability around protecting your identities called Azure AD Identity Protection. So this is a tool that's going to allow you to accomplish three key tasks, the first of which is automate the
detection and remediation of identity-based risks, then investigate risks using data in the portal, and thirdly export this risk detection data to third-party utilities for further analysis. Identity Protection is using the learnings that Microsoft has acquired through Azure AD, the consumer space with Microsoft accounts, and with Xbox gaming. So we're analyzing trillions of signals every day to identify and protect you from threats. The signals that are generated by and fed to Identity Protection can then be further fed into tools such as Conditional Access to help make access decisions, or be fed back into a SIEM (security information and event management) tool for further hunting and investigation based on your policies. There are three categories that Identity Protection uses for risk; the tiers are low, medium and high, and while we don't provide specific details about how risk is calculated, what we do say is that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of an unfamiliar sign-in property for a user is not as threatening as leaked credentials for another user. As mentioned, you can also export the risk data, so this can be done for archival or for investigation and correlation purposes. The Microsoft Graph has APIs that will allow you to collect this data for further processing, and then you can review and take action on detections as needed, and there are some reports that Identity Protection provides that can even help you in your investigations.

Identity Protection identifies risks in the following classifications: stuff like atypical travel, so a sign-in from an atypical location based on the user's recent sign-ins; password spray, which could indicate that multiple usernames are being attacked using common passwords in a brute force manner; stuff like malware-linked IP address, so a sign-in from a malware-linked IP address; and leaked credentials,
indicating that a user's valid credentials have been leaked. These risk signals and remediations can be used in conjunction with each other to notify or automate certain actions, so you can have the risk signals themselves trigger remediation efforts such as requiring users to perform multi-factor authentication, reset their passwords using self-service password reset, or even blocking them until an administrator takes action. There are also vulnerabilities reported by Azure Identity Protection and the recommendations on how to address those. Some of the other ones that are mentioned up here are sign-ins from infected devices, so you can see how valuable this is in detecting vulnerabilities and risk events against your identities.

Whenever you go to plan your investigation using Azure Identity Protection, you can take these detections that are reported to you in these three key reports, risky users, risky sign-ins and risky detections, and then take action on them as needed. You'll get access to information that helps you have a better understanding of the weak points in your identity security strategy. So again, these three reports are risky users, risky sign-ins and risky detections, and all three of these key reports will let you download events in CSV format if you want to analyze further outside of the Azure portal. The risky users and risky sign-ins reports will let you download the most recent 2,500 entries, while the risk detections report allows for downloading the most recent 5,000 records, and again this uses the Microsoft Graph API integrations, so this is really useful when needing to aggregate the data with other sources from your organization. The reports do give you a lot of information on your risks, and then keep in mind some of the overall best practices for mitigations include excluding users who are likely to generate a lot of false positives, use a low threshold if your organization
requires greater security, and exclude users who do not or cannot have multi-factor authentication.

So now that we've covered identity protection and synchronization concepts, let's go take a look at a demo to implement identity synchronization.

Okay, I'm done with the slides, so I have the demo left. How long has it been, 30 minutes? Okay, okay, cool. So I think I'm shooting at a total of 45 to 60 minutes, so if my demo is about 15 to 20, well I guess 15 to 30, then I'm good. Okay, okay, just gotta get it all.

Okay, over here in our demo system we're going to set up our organization for identity synchronization. So what we have is M365 deployed, and then we plan to implement identity synchronization between our M365 tenant accounts and local Active Directory accounts. So the first step in this is configuring the UPN suffix. So on the domain controller I'm logged in as an administrator and I've launched PowerShell as an administrator, and now I'm going to update the UPN suffix for the domain, and the UPN on every user in AD DS, with my domain's unique UPN name. So to do this I'm going to run the following command: Set-ADForest -Identity, the domain name, -UPNSuffixes @{Replace = and then in quotes my UPN name, inside the curly brackets. So I'll go ahead and type that command now. So I'm putting in my tenant name in quotes in curly brackets, so we have Set-ADForest -Identity, domain name, -UPNSuffixes and our tenant name. Now press Enter to run the command.

Okay, great, now that one's done, and I'll run the next command, Get-ADUser -Filter... okay, so I'll run the next command: Get-ADUser -Filter * -Properties SamAccountName, piped to ForEach-Object, Set-ADUser with the UserPrincipalName set to the SamAccountName and the tenant name. So we're going to run that command now.

Okay, uh, just a note: when I pressed Enter on the command something happened, and so I'm... that's all just, you know, silence that can
be edited out, but I'm just having to retype this last part and press Enter again.

All right, I'm just looking into why this errored out. We may just need to move on with the demo, but let me just see if it's a typo. Yep, okay, I've corrected that script and I'm pressing Enter again.

So okay, great, now that that command has run, then we just have one more command, which is to set the execution policy as unrestricted, and then enter A for yes to all.

Okay, now let's move over to the Office portal to enable directory synchronization. So I've logged into portal.office.com as an administrator, and now I'll click on Admin to go to the M365 admin center, which I have opened here in this tab. Now I'm going to go to Active users to take a look at directory synchronization. All right, once this loads I'm going to click on the ellipsis and Directory synchronization. So here's where we can prepare Active Directory with the AD Connect tool, and this will allow us to download it. So by clicking on this it will take us to the download page and allow us to download the Azure Active Directory Connect installation, which I've downloaded here in advance, and then we'll go ahead and run this and install it and get to the setup wizard.

Okay, we're ready to run the setup wizard, so first let's agree to the license terms and I'll click Continue. In this case I'm going to use express settings, and remember that express settings do work for the majority of organizations, especially if you only have a single forest on-prem to synchronize, and if you need to learn more about express settings then you can always click here and refer back to the documentation. So again, I'm going to choose Use express settings.

Okay, now that's gone through that first part of the installation, installing required components, then we want to enter the administrative credentials, a global administrator for Azure AD. We'll enter the username and password for a global admin. I've
clicked Next and I'll wait for it to verify those credentials. Okay, it looks like it was successful in verifying those credentials, and now we need to make sure that we have enterprise admin credentials to connect to our on-prem Active Directory environment, and then enter that username and password. Once you have your credentials in, then it's time to click Next. Okay, in this case, okay, I used the wrong credentials on this, so I will try again here. Okay, now that I have the correct credentials, it's validating and moving on to the sign-in configuration.

So in this case I'm going to put a check mark and continue without matching all UPN suffixes to verified domains. Since this is just a test scenario it's completely fine, but just keep in mind that users would not be able to sign in to Azure AD with on-prem credentials if the UPN suffix doesn't match a verified domain. All right, I'm clicking Next, letting it go through the configuration, and now we're going to go ahead and click Start the synchronization process when configuration completes, and click Install.

So now that the Azure AD Connect configuration completed and is successful, then it started the synchronization process. Now keep in mind that we can log into the Azure or the Office 365 portal to verify the user accounts and make sure that the accounts from our local directory have been created. We can also do a test sign-on through the Azure portal. And then also remember the Active Directory recycle bin is not enabled for this forest, and this is something that we do recommend. And then also Azure Active Directory is configured to use some AD attributes such as the anchor attribute, and that's listed here, and you can actually click on Learn more if you want to have more information. So we'll click Exit on the wizard now, and we will go ahead and go to the Office portal now to validate the results of the directory synchronization, and then also to license a user
so we can see what that process looks like. So let's go to portal.office.com, which I've done here.
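The UPN-suffix step typed at the start of this demo, written out as a script. This is an added example, not the training's own commands: it uses the same Set-ADForest / Get-ADUser / Set-ADUser cmdlets from the ActiveDirectory RSAT module, but adds the suffix instead of replacing the list, scopes the bulk change to one OU and previews it with -WhatIf before anything is written. The suffix 'contoso.com' and the OU path are placeholders; the suffix must be a domain verified in your Azure AD tenant, as the wizard warning in the demo explains.

```powershell
# Added example (not the training's own script): add a routable UPN suffix to the
# forest and update the UPN of the users in one OU to match it.
# Assumptions: the ActiveDirectory RSAT module is installed, $UpnSuffix is a domain
# you have verified in your Azure AD tenant, and $ScopeOU is a placeholder for the
# OU that you actually synchronize.
Import-Module ActiveDirectory

$UpnSuffix = 'contoso.com'                      # placeholder: your verified tenant domain
$ScopeOU   = 'OU=Staff,DC=contoso,DC=local'     # placeholder: OU holding the users to change

# 1. Add the suffix to the forest list instead of replacing it, so any suffix that is
#    already in use keeps working.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $UpnSuffix }
}

# 2. Preview which users would change. Scoping to the OU and skipping disabled
#    accounts keeps built-in and service accounts out of the bulk edit.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ScopeOU `
                    -Properties SamAccountName, UserPrincipalName

$changes = foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $UpnSuffix
    if ($u.UserPrincipalName -ne $newUpn) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldUPN         = $u.UserPrincipalName
            NewUPN         = $newUpn
        }
    }
}
$changes | Format-Table -AutoSize

# 3. Apply only after reviewing the preview. While $apply is $false, -WhatIf makes
#    Set-ADUser report what it would do without changing the directory.
$apply = $false
foreach ($c in $changes) {
    Set-ADUser -Identity $c.SamAccountName -UserPrincipalName $c.NewUPN -WhatIf:(-not $apply)
}
```

Run it once with $apply left at $false, check the preview table, then set $apply to $true. The demo used @{Replace=...} and -Filter * ; Add plus an OU scope is the safer form, because a replaced suffix list or a rewritten UPN on an account that should not sync is exactly the kind of change that is hard to undo after Azure AD Connect has already synchronized it.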

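The Identity Protection reports covered before the demo can be downloaded as CSV; the script below is an added example, not from the training, of triaging such an export offline. The CSV rows and their column names are constructed for the example (check them against the header of your own download), and the remediation mapping follows what the training lists: MFA, a self-service password reset, or blocking the account, with users who cannot perform MFA excluded from automated action and routed to an administrator instead.

```powershell
# Added example (not from the training): triage a constructed risk-detections CSV
# in the shape of an Identity Protection report export.
# Assumption: the column names below match your export; adjust them if they differ.
$csvText = @'
UserPrincipalName,RiskEventType,RiskLevel,RiskState,DetectedDateTime,IPAddress
abby.parsons@contoso.com,unfamiliarFeatures,low,atRisk,2021-05-10T08:02:11Z,203.0.113.10
abby.parsons@contoso.com,atypicalTravel,medium,atRisk,2021-05-10T09:40:05Z,198.51.100.7
lee.gu@contoso.com,leakedCredentials,high,atRisk,2021-05-11T01:15:00Z,
svc-scanner@contoso.com,passwordSpray,medium,atRisk,2021-05-11T02:00:00Z,192.0.2.44
nestor.wilke@contoso.com,malwareLinkedIPAddress,medium,remediated,2021-05-09T17:22:31Z,192.0.2.9
'@
$detections = $csvText | ConvertFrom-Csv

# Accounts that cannot do MFA (service accounts, for instance) are excluded from the
# automated list, as the training recommends, and handed to an admin instead.
$excludedUsers = @('svc-scanner@contoso.com')

# Numeric rank so the highest level per user can be picked.
$rank = @{ low = 1; medium = 2; high = 3 }

function Get-RemediationPlan {
    param([object[]]$Detections, [string[]]$Exclude)

    $Detections |
        Where-Object { $_.RiskState -eq 'atRisk' } |     # already remediated rows are skipped
        Group-Object UserPrincipalName |
        ForEach-Object {
            $user  = $_.Name
            $group = $_.Group
            $highest = ($group | Sort-Object { $rank[$_.RiskLevel] } -Descending |
                        Select-Object -First 1).RiskLevel
            $leaked  = [bool]($group | Where-Object RiskEventType -eq 'leakedCredentials')

            $action = switch ($true) {
                ($Exclude -contains $user)        { 'Manual review (MFA-excluded account)'; break }
                ($leaked -or $highest -eq 'high') { 'Block sign-in until password reset via SSPR, then MFA'; break }
                ($highest -eq 'medium')           { 'Require MFA on next sign-in'; break }
                default                           { 'Monitor' }
            }

            [pscustomobject]@{
                User        = $user
                HighestRisk = $highest
                Detections  = ($group.RiskEventType -join ', ')
                Action      = $action
            }
        }
}

Get-RemediationPlan -Detections $detections -Exclude $excludedUsers | Format-Table -AutoSize
```

With the constructed rows, abby.parsons ends up at medium (MFA required), lee.gu at high with leaked credentials (blocked until reset), svc-scanner is held for manual review because it is on the exclusion list, and nestor.wilke is dropped because the detection is already remediated. Swap the here-string for Import-Csv on a real download to use it against the portal export.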
We'll go to the admin center, so I'm pulling that up now. Active users, wait for those to load. Okay, so now we should see many users that we've synchronized from the on-prem Active Directory to Azure AD. I'll click Refresh to see if others show up. Here we can see that we now have a lot of users that we've synchronized from our on-prem Active Directory.

Now we also want to license a user, so in this case I'll search for a user. Let's see if we can find Abby Parsons. I'm filtering on Abby. Great, found Abby. Now to edit her license information I'm going to select, click on Manage product licenses. So remember Abby was a user that was only in the on-prem AD DS domain prior to the synchronization that we just ran, so we need to license her for the M365 or EMS licenses that we'd like to apply to her user account. So in this case we can see Abby is not in the United States, she's in the United Kingdom, so we'll select her location in the drop-down menu, United Kingdom, and we'll give her the Enterprise Mobility + Security E5 license, place a check mark next to that and click Save changes.

All right, once we save those changes we'll just close the window, and so that's how you license a user that's been synchronized from on-prem, and also the entire process of synchronizing local users from an on-prem Active Directory Domain Services environment to an Azure AD environment, complete through licensing a user with an Enterprise Mobility and Security E5 license. So that ends our demonstration.

In module two we discussed identity synchronization and protection topics such as planning your directory synchronization, configuring and managing synchronized identities, and Azure AD Identity Protection. We'll now take a 10 minute break; we'll see everyone back here when we'll cover module 3, identity and access management.

Welcome back from the break. For module three we'll cover identity and access management with topics such as Azure AD B2B, Conditional Access
and single sign-on. Let's get started.

Azure AD Seamless Single Sign-On, or Seamless SSO, automatically signs in users when they are on their PCs or other devices. It provides users with easy access to cloud-based applications without needing any additional on-premises components. Users get to conveniently access all of their apps with SSO from any location or any device and receive a simplified experience and better productivity. The sign-in flow for a web browser, as an example, would go as follows: a user tries to access a web application from a domain-joined corporate device inside your corporate network in this case, and then if the user is not already signed in, they get redirected to the Azure AD sign-in page where they can type in their username. Then Azure AD is going to challenge the browser and provide a Kerberos ticket, and authentication and authorization will proceed from there. Azure AD can decrypt the Kerberos ticket and then either return the token back to the application or ask the user to perform additional proofs such as MFA, or multi-factor authentication. Then, if everything is successful, the user will be able to access the application.

So Azure AD simplifies the way that you manage your applications by providing that single identity system for both your cloud and on-premises applications. There are four main types of applications that you can add to your enterprise applications and manage with Azure AD. These are Azure AD gallery applications, which is a gallery of thousands of applications that have already been pre-integrated for single sign-on with Azure AD. The other type of application is on-premises applications using Azure AD Application Proxy, which allows you to integrate on-premises web apps with Azure AD to support single sign-on. The third type of application that you can add is a custom-developed application, so when you build your own line of business applications you can still integrate those
with Azure AD single sign-on, and then finally the fourth type is non-gallery applications, so you can bring your own applications. There are multiple ways to integrate an application. Now with single sign-on your users can have one set of credentials for access to everything they need, and again in our Azure AD application gallery we have thousands of pre-integrated third-party applications that you're probably already using. This makes it easier for your users, because if each application had to be tracked separately then it would be a silo of different usernames and logins for every single application. The central identity system that Azure AD provides solves this problem by providing a single place to store user information that can be used by all the applications, such as these pre-integrated third-party applications. We find that organizations on average use over 180 applications, and this number keeps on growing, so it's becoming a lot harder for organizations and their users to find and access all the applications they need. At Microsoft we offer the My Apps experience to help your users be more productive. We fully integrated My Apps with the Office 365 portal so that your users have a consistent way to find all of their applications beyond just Office 365.
It's a one-stop shop to provide that seamless experience to sign in and find the applications.

Now a little bit more on Azure Active Directory's Application Proxy. How it works is it provides secure remote access to on-premises web applications. After a single sign-on to Azure AD, users can access both their cloud and on-premises applications through an external URL or even through an internal application portal. For example, you could use Application Proxy to provide remote access and single sign-on capabilities to SharePoint, Microsoft Teams, Remote Desktop and line of business applications. Application Proxy works with web applications that use Integrated Windows Authentication, form-based or header-based access, web APIs, applications hosted behind a Remote Desktop Gateway, and other applications that are integrated with the Microsoft Authentication Library. We allow you to provide secure hybrid access and to connect any app in any cloud or on-premises to any user. You can provide all of your users with secure access even to your legacy apps. You can streamline and modernize access to applications that support legacy authentication, including Kerberos, NTLM, RDP, LDAP, SSH, and header-based and form-based authentication. You also get advanced security capabilities including identity protection, multi-factor authentication and Conditional Access, which helps you further protect your legacy apps. And finally, you can use single sign-on and password authentication to allow seamless access to your legacy apps.

Let's talk more about Conditional Access with Identity Protection. Together, this helps you make decisions and enforce organizational policies. It's the best way to secure your identities and keep the bad guys out. Our Conditional Access policies allow you to define conditions for how users authenticate and how they get access to applications and data. When you combine Identity Protection with Conditional Access, it's taking in
all of these terabytes of signals, like user behavior, the state of the device, the user's location, the risk score for the user and the sign-in, and the application being accessed, and then we use machine learning to analyze all these different signals and determine the appropriate policy: should we allow or limit or block access, or just request additional verification? For example, you might have a policy that requires MFA if the user is accessing your application or data from a new location that you haven't seen before, so when a user signs in from an unfamiliar location they get an additional verification prompt before they are given access. You can apply different Conditional Access policies based on location, user rules, application sensitivity and device state. So for example, you can configure policies to select certain conditions, such as whether a device is compliant or is the operating system up to date, and then decide whether you want to allow access or require further identification.

With Azure Active Directory access reviews, Microsoft 365 global admins and user account admins can evaluate guest user access, recertify role assignments, collect access review controls, and evaluate employee access to applications and group memberships. This really enables your organization to efficiently manage group memberships and access to your applications, and then ensure that those privileged role assignments are managed.

Since managing security can be difficult with all of the common identity-related attacks such as password spray, replay and phishing, we find that security defaults within Azure Active Directory make it easier to help protect your organization with pre-configured security settings. The default settings are requiring all users to register for Azure Multi-Factor Authentication, requiring administrators to perform MFA, blocking legacy authentication protocols, protecting privileged activities like access to the Azure
portal, and requiring MFA when necessary.

With Conditional Access we have the ability to use report-only mode, which allows administrators to evaluate the impact of any Conditional Access policies that you create before you enable them in your environment. For organizations that have an Azure AD Premium P2 license, you can also create Conditional Access policies incorporating Azure AD Identity Protection sign-in risk detections or user risk detections. Microsoft works with law enforcement, other researchers, our own internal security teams and many other trusted sources to help find any credentials that have been leaked, and then we have a risk that represents the probability that a given authentication request isn't authorized by the identity owner.

When implementing Conditional Access and planning for device compliance policies, keep in mind that you can define rules and settings that users and devices must meet to be compliant. These device compliance policies can help your organization protect its data. You can include actions that apply to devices that are non-compliant, and then alert users to the conditions of non-compliance, and you can combine compliance policies with other Conditional Access policies to block users and devices that don't meet the rules. Before you can apply a compliance policy to a device, you have to first enroll it in Microsoft Intune. While the policies are platform-specific, you can create compliance policies for all of your device types. Some commonly used settings are a minimum OS version required, or requiring local data encryption, and requiring a password to access the device. When you enroll your devices into Microsoft Intune, a mobile device management agent is installed and then begins to sync the device details to Intune, where you can view all the detailed device information. Further, you can create user and device groups within Azure Active Directory, which can be both static and dynamic, and
then these groups are used by Intune and can be automatically populated with users or devices.

Taking a closer look at Conditional Access policies, at the simplest we're looking at if-then statements: if a user wants to access a resource, then they must complete an action. These policies can be granular or specific, with the goal being to empower users to be productive wherever, whenever, but to also protect the organization. So it's about applying the right access controls when needed to keep your organization secure, but to stay out of the user's way when not needed. You can apply multiple Conditional Access policies to any individual user at any time. Some common decisions you might look at are blocking access or granting access, and some commonly applied policies that we look at are requiring multi-factor authentication or requiring trusted locations whenever you do register with MFA. On the Intune blade within the Azure portal and in the Microsoft 365 admin portal, you can perform basic device monitoring and view audit logs of all the activities that are generated within Microsoft Intune. These audit logs include activities such as creating and deleting, and you can also trigger device actions from here and view a history of which actions were run on different devices.

Now let's take a look at a demonstration of Conditional Access. We'll take a look at how you can ensure approved users and devices have access to corporate data, and then also how to ensure compliance when accessing different systems. So with Conditional Access we can first set a baseline policy to require, for example, multi-factor authentication for admins. So within Microsoft Intune we've gone to Policies and Conditional Access. I have a baseline policy, Require MFA for admins, here, so I'm going to set it. Once I've clicked on enabling that baseline policy, we get a notification that it requires multi-factor authentication for the following roles. Since
we want to enable it immediately, we're going to put the bullet in Use policy immediately. Once that's enabled we can click on New policy. This is going to enforce compliance when we access the financial system, Dynamics. In the Name field I'm going to call this one Dynamic security compliance. Then I'm going to click on Users and groups to choose which users to apply this policy to. On the Include tab I'm going to select Users and groups so that I can see a list of all the users and groups that I can select from. Clicking Select, I'm going to choose in this case a group called Business Development, so I click on that and then click Select. Now we're going to choose which cloud apps to include, so I click on Cloud apps, and on the Include tab I click on Select apps, and then under the Select field I'm going to choose Dynamics in this case, so I click Dynamics and then Select. Now we're going to define the conditions and rules to govern access to Dynamics. We want to enable this policy with sign-in risk level set to high, so I click on Conditions, click on Sign-in risk, click on Configure, Yes, and High. So we want to grant access to this and require MFA. So now that we've configured it, we're ready to enable the policy; I'm going to click On to do so, and finally I'll click on Create, where we'll run a validation process and then go ahead and deploy our new policy.

Great, so we've set a baseline policy to require multi-factor authentication for administrators and then created the policy to enforce the compliance when accessing Dynamics.

Now let's talk more about planning your identity and access management solution by planning for role-based access control. When planning your access control strategy, remember it's a best practice to grant users the least privilege to get their work done. Here we see a suggested pattern for using role-based access control, including different scopes and roles. To better understand roles in Azure, it helps
to know a little bit of the history. When Azure was initially released, access to resources was managed with just three administrator roles: the account administrator, the service administrator and the co-administrator. Later, Azure role-based access control, or Azure RBAC, was added. This is a newer
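The Dynamics policy that the Conditional Access demo builds in the portal, expressed as a policy object for Microsoft Graph and created with the Microsoft Graph PowerShell SDK. This is an added example, not the training's own code or the portal's output. The group and application ids are placeholders to be looked up in your own tenant, and the policy is created in report-only mode, the option the training describes for evaluating impact before enforcement, so sign-ins are logged against it without anyone being prompted or blocked until you flip the state.

```powershell
# Added example (not from the training): create the demo's Conditional Access policy
# through Microsoft Graph. Requires the Microsoft.Graph PowerShell SDK and an account
# allowed to write Conditional Access policies.
# Assumptions: the two ids below are placeholders for the Business Development group
# object id and the Dynamics application id in your tenant.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$businessDevGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder group object id
$dynamicsAppId      = '00000000-0000-0000-0000-000000000002'   # placeholder Dynamics app id

$policy = @{
    displayName = 'Dynamic security compliance'
    # Report-only first: the policy is evaluated and logged but not enforced.
    # Change to 'enabled' once the sign-in logs show the expected impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users            = @{ includeGroups       = @($businessDevGroupId) }   # Business Development
        applications     = @{ includeApplications = @($dynamicsAppId) }        # Dynamics
        signInRiskLevels = @('high')                                           # Identity Protection sign-in risk
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                                             # grant access, require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Sign-in risk conditions need the Azure AD Premium P2 license the training mentions; without it the request is rejected. Keeping the state at report-only until the impact has been reviewed is the same workflow as the report-only mode described for the portal, just scripted so the policy definition can be kept in version control and reviewed before it goes live.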

2021-05-13
