[AFUN90] Azure Identity Fundamentals

3. Resources aka.ms/AFUN90Repo aka.ms/AFUN90 aka.ms/mymsignitethetour

4. devices datausers apps Windows Server Active Directory Security used to be so much easier

7. Simplify access to devices and apps Protect at access attempt Safeguard their credentials Identity & Access Goals

8. Identity & Access Goals

9. aka.ms/AFUN90 #MSIgniteTheTour How does Tailwind Traders customize Azure Active Directory and configure administrative permissions?

10. Demo: Configuring Azure Active Directory and an administrator account

11. Microsoft’s Cloud-Based Identity and Access Management Service A dedicated and trusted instance of Azure AD that represents a single organization Initial Domain will be x.onmicrosoft.com

12. Some Critical Azure AD Administrative Roles Role Function Global Administrator • Have access to all administrative features of Azure Active Directory • Different from “classic” Service Administrator role Billing Administrator • Make purchases • Manage subscriptions • Manage support tickets • Monitor service health Application Administrator • Create and manage all aspects of enterprise applications Authentication Administrator • Can set or reset non-password credentials • Can update passwords for all users Helpdesk Administrator • Change passwords • Invalidate refresh tokens • Manage service requests and monitor service health

13. Microsoft’s Identity Services

15. Office 365 and Microsoft 365

16. aka.ms/AFUN90 #MSIgniteTheTour How does Tailwind Traders synchronize on- premises and cloud identities?

17. Demo: Configuring Azure AD Connect

19. Azure AD Connect Seamless authentication Sync engine On-premises / Private cloud Azure AD ConnectWindows Server Active Directory Self Service MFA Single sign-on Microsoft Azure Active Directory

20. ON PREMISES Azure AD Azure AD Connect Active Directory Secure and compliant Only non-reversible hashes are stored in the cloud Leaked credential report available Easy to deploy & administer No on-premises agent needed Small on-premises footprint Great user experience Same passwords for cloud-based and on-premises apps Integrated with Smart Lockout, Identity Protection and Conditional Access Disaster recovery option incase other authN methods are unavailable Password Hash Sync

21. ON PREMISES Azure AD AuthN Agent AuthN agent Active Directory Secure and compliant Passwords remain on-premises No DMZ and no inbound firewall requirements Easy to deploy & administer Agent-based deployment High availability out-of-the-box No complex on-premises deployments or network config Zero management overhead Great user experience Same passwords for cloud-based and on-premises apps Integrated with Self-Service Password Reset Integrated with Smart Lockout, Identity Protection and Conditional Access Pass thru Authentication

22. ON PREMISES Active Directory Easy to administer No additional on-premise infrastructure Register non-Windows 10 devices without AD FS Great user experience SSO experience from domain- joined devices within your corpnet Easy to integrate Works with Password Hash Sync and Pass-through Authentication Supports Alternate Login ID Azure AD Seamless Single Sign On

23. aka.ms/AFUN90 #MSIgniteTheTour How does Tailwind Traders give external users access to their Azure resources?

24. Demo: Configuring Azure AD Guest Access

26. Azure AD B2B and Azure AD B2C Azure AD B2B Azure AD B2C • Allows organization to share files and resources with external users for direct collaboration • Suitable for customer-facing apps. • Azure AD handles the federation between your organization and the external organization • Allows customers to sign in with their own established identity (Gmail / Facebook)

27. aka.ms/AFUN90 #MSIgniteTheTour How can Tailwind Traders allow users to reset their own passwords?

28. Demo: Configuring Self-Service Password Reset

29. Resolving user password issues is one of the largest IT costs Enable resets from an intuitive web interface or directly from the Windows login screen ???????? Empower user self-service to save time and money

30. Connected intelligence Continuous detection Actionable insights Observe trillions of signals and risk events from cloud systems Apply artificial intelligence and human expertise to derive accurate insights Send alerts, self-mitigate, and automatically remediate threats Detecting threats to accounts as they occur

31. aka.ms/AFUN90 #MSIgniteTheTour How can Tailwind Traders require a user to take extra steps to identify themselves when performing a risky sign-in?

32. Demo: Configuring Conditional Access

33. Corporate Network Geo-location Microsoft Cloud App SecurityMacOS Android iOS Windows Windows Defender ATP Client apps Browser apps Google ID MSA Azure AD ADFS Require MFA Allow/block access Block legacy authentication Force password reset****** Limited access Controls Employee & Partner Users and Roles Trusted & Compliant Devices Physical & Virtual Location Client apps & Auth Method Conditions Machine learning Policies Real time Evaluation Engine Session Risk 3 40TB Effective policy Azure AD Conditional Access

34. Smart Lockout

35. User Normally logs in from Redmond, WA Redmond = Familiar location Smart Lockout in action

36. User 0 Familiar Location Counter Unfamiliar Location Counter 0 Data Center Redmond, WA Smart Lockout in action

37. User 0 0 Data Center Logs in from Redmond, WA with the correct password Counter remains unchanged Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

38. User 1 0 Data Center Logs in from Redmond, WA with an incorrect password Familiar location’s counter increases Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

39. User 2 0 Data Center Logs in from Redmond, WA with an incorrect password again Familiar location’s counter increases Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

40. User 0 0 Data Center Logs in from Redmond, WA a third time with correct password Familiar location’s counter resets Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

41. User 0 0 Data Center Bad Actor Bad actor located in Tasmania Tasmania = unfamiliar location Redmond, WA Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

42. User 0 1 Data Center Bad Actor Logs in from Tasmania with incorrect password Unfamiliar location counter increases Redmond, WA Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

43. User 0 2 Data Center Bad Actor Logs in from Tasmania with incorrect password again Unfamiliar location counter increases Redmond, WA Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

44. User 0 10 Data Center Bad Actor Logs in from Tasmania with incorrect password again Unfamiliar location counter increases Redmond, WA Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

45. User 0 10 Data Center Logs in from Redmond, WA with the correct password User hit familiar location counter, not unfamiliar location counter Bad Actor Smart Lockout in action Familiar Location Counter Unfamiliar Location Counter

46. Password Challenges

47. aka.ms/AFUN90 #MSIgniteTheTour How can Tailwind Traders ensure their users don’t use banned or common passwords?

48. Demo: Azure AD Password Protection

49. Azure AD Password Protection Cloud intelligence to ensure strong passwords

50. Hybrid Azure AD Password Protection

51. Nobody likes passwords

52. Passwords are expensive and insecure Data breaches are expensive Passwords are the weak link Passwords generate tons of support calls Password reuse across multiple accounts $3.86 million, the average total cost of a data breach #1 cost for IT departments is forgotten passwords 81% of breaches leveraged passwords 73% of passwords are duplicates

53. Microsoft’s password-replacement offerings Standards-based private key authentication - aka.ms/gopasswordless Windows Hello for Business Microsoft Authenticator Microsoft compatible security keys (FIDO2)

54. Identity & Access Goals

55. Want to learn more?

56. /Upcoming Session alert

57. /MS Learn alert aka.ms/AFUN90MSLearnCollection

58. #MSIgniteTheTour /Microsoft Certification alert Get hired, stay ahead, and receive the recognition you deserve #MSIgniteTheTour aka.ms/AzureFunCert aka.ms/AzureAdminCert

59. aka.ms/LearningPartner Microsoft.com/Learn Microsoft.com/Certifications

60. Resources aka.ms/mymsignitethetour aka.ms/AFUN90Repo aka.ms/AFUN90 #MSIgniteTheTour Get Certified • Microsoft Certified: Azure Fundamentals aka.ms/AzureFunCert • Microsoft Certified: Azure Administrator Associat aka.ms/AzureAdminCert

[AFUN90] Azure Identity Fundamentals

[AFUN90] Azure Identity Fundamentals

Recommended

More Related Content

Recently uploaded

Recently uploaded(20)

Featured

Featured(20)

[AFUN90] Azure Identity Fundamentals