NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications

A common trend in today’s cloud based world is identity driven security. As the name implies this makes user identity really important; user identity is now the key to unlock everything. Building the infrastructure to support this trend is very hard; you bear all the responsibilities and can rely on only your own signal data and threat detection. With Azure AD there is a better way! Come join this session to see how Azure AD Identity Protection is using signals from the global Microsoft cloud, Big Data and Machine Learning to protect your users’ accounts, and also how Azure AD Conditional Access makes it easy to enforce application access policies based on things like location and device. We will show you how to set it all up, what works and what doesn’t and how it integrates with other Microsoft protection services in the cloud, and your existing systems. Come and be safe!

1. Azure AD Identity Protection and Conditional Access: Using the Microsoft cloud to protect your corporate identities and applications
2. About Your Speaker: Morgan Simonsen
   • Cloud Evangelist@Lumagate
   • P-TSP@Microsoft
   • MCSE, MCSA, MCT
   • MVP
   • Twitter: @msimonsen
   • Email: morgan.simonsen@lumagate.com
   • Blog: morgansimonsen.com
3. Agenda
   • Why are we in this room? - We are all going to the cloud and becoming mobile
   • The Story so far - Cloud Identity with Azure Active Directory 101
   • But I’m worried… - How to protect ourselves in this brave new world
   • Skynet to the rescue - Azure AD Identity Protection
   • IFTTTATAT - Azure AD Conditional Access
4. Why are we in this room? We are all going to the cloud and becoming mobile
5. Easy access, 24x7 connectivity, Flexibility, Global reach, Seamless collaboration, Agility, Reduced friction
   • 23% greater productivity, 100% higher employee satisfaction (Is mobility the answer to better employee productivity?, Forbes Magazine, 29.3.2016)
   • But what about Auditing? Security? Compliance & Assurance?
6. Enterprise Mobility+Security: The Microsoft vision
   • Identity Driven Security
   • Managed Mobile Productivity
   • Comprehensive Solution
   • Users, Devices, Apps, Data
7. Enterprise Mobility+Security: The Microsoft solution
   • Azure Active Directory: Manage identity with hybrid integration to protect application access from identity attacks (Privileged Identity Management, Identity Protection, Conditional Access: ENFORCE MFA / ALLOW / BLOCK)
   • Azure Information Protection: Protect your data, everywhere
   • Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
   • Advanced Threat Analytics: Detect threats early with visibility and threat analytics
   • Intune: Protect your users, devices, and apps
   • Windows 10: Azure AD Join, Health Attestation, Windows Hello, BitLocker
8. The Story so far: Cloud Identity with Azure Active Directory 101
9. Azure Active Directory
   • Microsoft “Identity Management as a Service (IDaaS)” for organizations.
   • Millions of independent identity systems controlled by enterprise and government “tenants.”
   • Information is owned and used by the controlling organization—not by Microsoft.
   • Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
   • Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
   Figures on the slide: 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers; >110k third-party applications used with Azure AD each month; >1.3 billion authentications every day on Azure AD; more than 750 M user accounts on Azure AD; >10 M Azure AD Directories; 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI); every Office 365 and Microsoft Azure customer uses Azure Active Directory.
10. Azure AD Trust Fabric: Contoso AD with Contoso Azure AD, Fabrikam AD with Fabrikam Azure AD, …and trust extends to all Azure AD enabled organizations. Business-2-Business (B2B) lets all identities in Azure AD collaborate. We are all in the same boat forest.
11. Hybrid identity components: AD DS, FIM/MIM, Azure AD Connect (Sync), Azure AD, SaaS apps (Salesforce, Box, DropBox, Google, …)
   • Sync engine
   • Password Sync
   • Health (Sync, ADFS, ADDS)
   • AD FS (optional)
   • Pass-Through AuthN
12. But I’m worried… How to protect ourselves in this brave new world
13. The frequency and sophistication of cybersecurity attacks are escalating
   • $500B total potential cost of cybercrime to the global economy
   • $3.5M average cost of a data breach to a company
   • 200+ median # days attackers reside within a victim’s network before detection
   • 75%+ network intrusions due to compromised user credentials
14. Azure Active Directory Identity Protection & Conditional Access: Cloud-powered protection
15. Adopt Cloud for Better Security (WE DRIVE BUSINESS EVOLUTION FORWARD)
   • Past: Cloud was security concern
   • Now: Cloud is security peace of mind
   • Economies of Scale -> Security of Scale
   • Division of responsibilities
   • Compliance and Certifications (PCI, HIPAA etc.)
   • Security Talent
16. Why use Azure AD to protect our users and apps?
   • Cloud Cadence release schedule for new features
   • Insights of scale
   • World Class Protection
   • Price
   • Frankly; what are your other options…?
17. Mission: Protect our users
   • World class signal due to massive amount of relevant data
   • One of the world’s largest consumer identity services (the Microsoft Account service)
   • One of the world’s large enterprise identity services (the Azure AD service)
   • One of the world’s largest consumer email services (Outlook.com)
   • One of the world’s largest enterprise email services (Office 365)
   • One of the world’s largest online gaming services (Xbox Live)
   • Signals from services like SharePoint Online, Skype and OneDrive to strengthen our analysis
   • Feeds from Microsoft Digital Crime Unit and Microsoft Security Response Center
   • Partnering with Law Enforcement, Security Researchers, Industry further enhances signal
   Microsoft Daily Statistics. Source: https://www.microsoft.com/sir
18. Machine Learning for security
19-30. Animated diagram, built up one element per slide: Credentials arrive at Azure Active Directory from a “Schrödinger's User ?”, who may or may not be who they claim to be. A Classifier, written by a Coder, performs the Analysis and outputs “Seems Good” or “Seems Bad”. The Analysis draws on Self-reporting, Threat data, Relying parties, Behavior and 10+ TB Logs. Label Data later reports “We were right!” or “We were wrong!”; a Security Analyst reviews the labels and makes Code updates to the Classifier, and the new Classifier is deployed. The closed loop (Analyze, Label Data, Update, Deploy) is what the slides call the Learner.
31. How Identity Protection detects and mitigates cyber attacks
   • Sign-in Risk: invoked on each login, evaluating that particular login; 100 data points (signals); result sent as input to Conditional Access
   • User Risk: invoked on each login, evaluating accumulated data; background process; collects data over time
32. Identity Protection in Action: EDU Attack
33. We noticed a sharp increase in password lockouts: large elevation in user lockouts; inspection shows the lockout increase came from a single org. (Chart: Users Locked Out Per Day)
34. Suspicious IP activity very different from in-country IPs
   • In-Country Traffic: generally lower user volume, generally successful
   • Suspect IP: mostly failure traffic, single UserAgent
35. Detailed suspicious IP view showed automated attacks: an initial bad guy test run, then large scale account failures per minute. (Chart: Accounts Accessed Per-Minute, Suspect IP)
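The three observations on slides 33 to 35 (a lockout spike, one source IP with mostly failures from a single user agent, and many distinct accounts per minute from that IP) can be turned into checks over a sign-in log. The following is an added example, not part of the deck or of Identity Protection itself; all records are constructed and the field layout and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample sign-in records: (timestamp, user, source_ip, user_agent, result).
# result is "success", "failure" or "lockout" (a failure that locked the account).
NORMAL = [
    ("2017-02-01T09:00:00", "alice", "203.0.113.10", "Outlook/16", "success"),
    ("2017-02-01T09:05:00", "bob",   "203.0.113.11", "Chrome/56",  "success"),
    ("2017-02-01T09:07:00", "carol", "203.0.113.12", "iOS Mail",   "failure"),
    ("2017-02-02T08:50:00", "alice", "203.0.113.10", "Outlook/16", "success"),
    ("2017-02-02T10:10:00", "dave",  "203.0.113.13", "Chrome/56",  "lockout"),
    ("2017-02-03T09:01:00", "bob",   "203.0.113.11", "Chrome/56",  "success"),
    ("2017-02-03T09:02:00", "carol", "203.0.113.12", "iOS Mail",   "success"),
]
# One constructed source that behaves like the slide's suspect IP: a single test
# attempt, then twelve accounts per minute, one user agent, every attempt failing.
ATTACK = [("2017-02-03T02:00:00", "user001", "198.51.100.7", "UA-Script", "failure")] + [
    (f"2017-02-03T02:3{m}:{s:02d}", f"user{m * 12 + i:03d}", "198.51.100.7", "UA-Script",
     "lockout" if i % 4 == 3 else "failure")
    for m in range(3) for i, s in enumerate(range(0, 60, 5))
]
SIGNINS = NORMAL + ATTACK


def lockouts_per_day(records):
    """Slide 33's chart: lockouts per calendar day, keeping days with zero lockouts."""
    days = Counter({ts[:10]: 0 for ts, *_ in records})
    for ts, _user, _ip, _ua, result in records:
        if result == "lockout":
            days[ts[:10]] += 1
    return days


def lockout_spike_days(records, factor=3):
    """Days whose lockout count exceeds `factor` times the median daily count."""
    days = lockouts_per_day(records)
    base = max(median(days.values()), 1)
    return sorted(day for day, n in days.items() if n > factor * base)


def ip_profiles(records):
    """Per source IP: events, failed attempts, distinct user agents and accounts."""
    prof = defaultdict(lambda: {"events": 0, "failed": 0, "agents": set(), "accounts": set()})
    for _ts, user, ip, ua, result in records:
        p = prof[ip]
        p["events"] += 1
        p["failed"] += result != "success"
        p["agents"].add(ua)
        p["accounts"].add(user)
    return prof


def suspect_ips(records, min_events=10, min_failure_share=0.8):
    """Slide 34's contrast: high volume, mostly failures, a single user agent."""
    hits = []
    for ip, p in ip_profiles(records).items():
        if (p["events"] >= min_events and p["failed"] / p["events"] >= min_failure_share
                and len(p["agents"]) == 1):
            hits.append(ip)
    return sorted(hits)


def accounts_per_minute(records, ip):
    """Slide 35's chart: distinct accounts one IP touched in each minute."""
    minutes = defaultdict(set)
    for ts, user, src, _ua, _result in records:
        if src == ip:
            minutes[ts[:16]].add(user)
    return {minute: len(users) for minute, users in sorted(minutes.items())}


if __name__ == "__main__":
    print("lockout spike days:", lockout_spike_days(SIGNINS))
    for ip in suspect_ips(SIGNINS):
        print(ip, "accounts per minute:", accounts_per_minute(SIGNINS, ip))
```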
36. The Bad Guys are getting smarter too
   • Botnets are bigger, cheaper and more available
   • Bad guys are effectively defeating 2nd factor authentication
   • Bad guys are feeding our machine learning systems bad data
   • The bad guys have machine learning too
37. Risks Identified by AAD Identity Protection
   • Leaked credentials (High)
   • Impossible travel to atypical locations (Medium)
   • Sign-ins from infected devices (Low)
   • Sign-ins from anonymous IP addresses (Medium)
   • Sign-ins from IP addresses with suspicious activity (Medium)
   • Sign-ins from unfamiliar locations (Medium)
   • Lockout events
38. Identity Protection APIs
   • Microsoft Graph API: https://graph.microsoft.io
   • IdentityRiskEvents: sign-ins and other events that have been analyzed and found to be “risky” by Identity Protection’s machine learning and algorithms
39. Enable AAD Identity Protection
   • EMS E5/AAD P2 required
   • Identity Protection works for any sign-in to Azure AD
40. Demo: Identity Protection in the Azure Portal
41. Multi-Factor Authentication (MFA) Registration Policy
   • Pre-Canned Conditional Access Policy
   • Edit: Users
   • Access: Allow
   • Access Controls: MFA registration
   • Monitor: Current Registration Status
   • You should enforce this!
42. Sign-in risk remediation policy
   • Pre-Canned Conditional Access Policy
   • Edit: Users and Conditions
   • Access: Allow or Block
   • Access Controls: MFA Authentication
   • Monitor: Number of Sign-ins impacted
   • Do not enforce this unless you have a high number of users registered with MFA!
43. User risk remediation policy
   • Pre-Canned Conditional Access Policy
   • Edit: Users and Conditions
   • Access: Allow or Block
   • Access Controls: Require Password Change
   • Monitor: Number of users impacted
   • Should probably be enabled for High immediately
   • AADP SSPR is a nice add-on feature to have enabled
44. User Experience – Suspicious Sign-In: Sign-in Risk Policy enforced
45. User Experience – User at Risk: User Risk Policy enforced
46. Licensing
   • Azure Active Directory Premium P2 required
   • Enterprise Mobility+Security E5
   • If users don’t have it they cannot self-remediate!
   Plan features (Identity and access management):
   • Enterprise Mobility + Security E3: Microsoft Azure Active Directory Premium P1 (Secure single sign-on to cloud and on-premises apps; Multi-factor authentication; Conditional access; Advanced security reporting)
   • Enterprise Mobility + Security E5: Azure Active Directory Premium P2 (Risk-based conditional access; Privileged identity management; Includes all P1 capabilities)
47. Using Identity Protection with Conditional Access for Applications
48. Wide range of Enterprise Mobility Scenarios
   • Locked Down Device: example Point-of-sale or maintenance tablet or PC; type of user Task Worker
   • Managed Device: example Company provided phone, tablet or PC; type of user Information Worker
   • Personal Device: example Personal phone, tablet or PC; type of user Information Worker
   • Unknown Device: example Kiosk at a hotel; type of user Information Worker
   • Level of Access Desired by Organization varies across the spectrum
   • MDM: ✓ MDM Enabled; ✗ Won’t Enable MDM; ✗ Can’t Enable MDM
49. Conditional Access Building Blocks
   • "When this happens" is called condition statement
   • "Then do this" is called controls
   • The combination of a condition statement with your controls represents a conditional access policy
50. Conditional Access
   • Application: Per app policy; Type of client (Web, Rich, mobile); Cloud and On-premises applications
   • User attributes: Group membership
   • Devices: Domain Joined, compliant; Platform type (Windows, iOS, Android)
   • Location: IP Range
   • Risk: Session risk, User risk
   • Controls: ENFORCE MFA / ALLOW / BLOCK
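The building blocks on slides 49 and 50, and the pre-canned risk policies on slides 42 and 43, can be modelled as data: a condition statement over application, group, client, location and the two Identity Protection risk levels, plus a set of controls. The following evaluator is an added example, not Microsoft's implementation; policy names, the risk scale and the handling of a user who cannot satisfy a control are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Identity Protection risk levels, ordered so a policy can say "at least medium".
RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    client: str             # "web", "rich" or "mobile"
    compliant_device: bool  # Intune/SCCM compliance
    domain_joined: bool     # registered domain-joined device (DRS)
    ip: str
    sign_in_risk: str       # per-login result from Identity Protection
    user_risk: str          # accumulated result from Identity Protection
    mfa_registered: bool


@dataclass
class Policy:
    """Condition statement (the optional fields) plus controls (what to require)."""
    name: str
    controls: frozenset                 # "block", "mfa", "managed_device", "password_change"
    apps: frozenset = None              # None means the policy covers every application
    groups: frozenset = None            # user attribute: group membership
    clients: frozenset = None           # client type
    trusted_networks: tuple = ()        # location: applies only from outside these ranges
    sign_in_risk_at_least: str = None   # sign-in risk handed over by Identity Protection
    user_risk_at_least: str = None      # user risk handed over by Identity Protection

    def applies(self, s):
        """'When this happens': every configured condition must hold."""
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.groups is not None and not (s.groups & self.groups):
            return False
        if self.clients is not None and s.client not in self.clients:
            return False
        if any(ip_address(s.ip) in ip_network(n) for n in self.trusted_networks):
            return False
        if self.sign_in_risk_at_least and RISK[s.sign_in_risk] < RISK[self.sign_in_risk_at_least]:
            return False
        if self.user_risk_at_least and RISK[s.user_risk] < RISK[self.user_risk_at_least]:
            return False
        return True


def evaluate(s, policies):
    """'Then do this': union the controls of all matching policies. A block always wins;
    a control the user cannot satisfy right now (assumption) is treated as a block too."""
    matched = [p for p in policies if p.applies(s)]
    controls = frozenset().union(*(p.controls for p in matched))
    names = [p.name for p in matched]
    if "block" in controls:
        return "block", controls, names
    if "managed_device" in controls and not (s.compliant_device or s.domain_joined):
        return "block", controls, names
    if "mfa" in controls and not s.mfa_registered:  # slide 42: register MFA before enforcing
        return "block", controls, names
    return "allow", controls, names


# Constructed policies modelled on slides 42, 43 and 50; names and ranges are illustrative.
POLICIES = [
    Policy("sign-in risk remediation", frozenset({"mfa"}), sign_in_risk_at_least="medium"),
    Policy("user risk remediation", frozenset({"password_change"}), user_risk_at_least="high"),
    Policy("finance app needs managed device", frozenset({"managed_device"}),
           apps=frozenset({"finance-erp"}), groups=frozenset({"finance"})),
    Policy("MFA off the corporate network", frozenset({"mfa"}), trusted_networks=("203.0.113.0/24",)),
]
```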
51. Demo: Conditional Access for Applications in the Azure Portal
52. Devices Controls in Conditional Access
   • Compliant Device: Intune Compliance Policy; SCCM
   • Domain Joined Device: Azure AD Registered Device (DRS)
     • Windows 10 Domain Joined: creates object in AD which is synced to cloud by AAD Connect
     • (Windows 10 Azure AD Joined: registers at join)
     • Windows 7, 8, 8.1 domain joined: ADFS claims configured for DRS
     • Windows 8.1 could potentially also enroll in MDM manually and become compliant that way
53. Azure AD Device Registration Prerequisites
   • Device Registration Allowed: USERS MAY WORKPLACE JOIN DEVICES: ALL
   • DNS Records:
     Entry | Type | Address
     enterpriseregistration.contoso.com | CNAME | enterpriseregistration.windows.net
     enterpriseregistration.region.contoso.com | CNAME | enterpriseregistration.windows.net
   • Internet Explorer Settings (these are defaults):
     • Don’t prompt for client certificate selection when only one certificate exists: Enable
     • Allow scripting: Enable
     • Automatic logon only in Intranet zone: Checked
   • Group Policy to enforce registration
54. ADFS Claims for DRS – Additional Claims:
   • http://schemas.microsoft.com/ws/2012/01/accounttype
   • http://schemas.microsoft.com/identity/claims/onpremobjectguid
   • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
   • http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid
55. Questions?
56. Please evaluate the session on your way out… Hated It! Meh… Best session ever!