
[AFUN90] Azure Identity Fundamentals


Description: Identity is at the heart of most workloads in Azure, and Tailwind Traders wants to implement Azure Active Directory in a way that correctly combines its on-premises identities with the ones required in the cloud.

In this session, learn the difference between authentication and authorization, as well as the different identity models.

Then explore the benefits of Conditional Access and multi-factor authentication (MFA), and finish with a demonstration showing how to implement these kinds of extra protection.

Published in: Technology


  1. Resources: aka.ms/AFUN90Repo, aka.ms/AFUN90, aka.ms/mymsignitethetour
  2. Security used to be so much easier (diagram: users, devices, data and apps all sitting behind Windows Server Active Directory)
  3. Identity & Access Goals: simplify access to devices and apps; protect at the access attempt; safeguard users' credentials
  4. Identity & Access Goals
  5. How does Tailwind Traders customize Azure Active Directory and configure administrative permissions? (aka.ms/AFUN90, #MSIgniteTheTour)
  6. Demo: Configuring Azure Active Directory and an administrator account
  7. Microsoft's cloud-based identity and access management service. A tenant is a dedicated and trusted instance of Azure AD that represents a single organization; its initial domain will be x.onmicrosoft.com
  8. Some critical Azure AD administrative roles (role: function)
     Global Administrator: has access to all administrative features of Azure Active Directory; different from the "classic" Service Administrator role
     Billing Administrator: make purchases; manage subscriptions; manage support tickets; monitor service health
     Application Administrator: create and manage all aspects of enterprise applications
     Authentication Administrator: can set or reset non-password credentials; can update passwords for non-administrator users (it cannot reset passwords of users holding privileged administrator roles)
     Helpdesk Administrator: change passwords for non-administrator users; invalidate refresh tokens; manage service requests and monitor service health
  9. Microsoft's Identity Services
  10. Office 365 and Microsoft 365
  11. How does Tailwind Traders synchronize on-premises and cloud identities? (aka.ms/AFUN90, #MSIgniteTheTour)
  12. Demo: Configuring Azure AD Connect
  13. Microsoft's Identity Services
  14. Azure AD Connect (diagram: Windows Server Active Directory on-premises or in a private cloud, the Azure AD Connect sync engine, and Microsoft Azure Active Directory; provides seamless authentication, self-service, MFA and single sign-on)
  15. Password Hash Sync (on-premises Active Directory, Azure AD Connect, Azure AD)
      Secure and compliant: only non-reversible hashes are stored in the cloud; leaked credential report available
      Easy to deploy and administer: no additional on-premises agent needed; small on-premises footprint
      Great user experience: same passwords for cloud-based and on-premises apps; integrated with Smart Lockout, Identity Protection and Conditional Access
      Disaster recovery option in case other authentication methods are unavailable
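The "only non-reversible hashes are stored in the cloud" claim on the Password Hash Sync slide is worth making concrete. The example below is added here and is not code from the deck or from Azure AD Connect; it models the documented derivation (16-byte NT hash expanded to a 64-byte UTF-16LE hex string, a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1000 iterations, 32-byte output). Those parameters are stated as assumptions taken from Microsoft's public description; the sample NT hash is the well-known hash of the string "password" and the wrong guess is constructed. Computing the NT hash itself (MD4 over the UTF-16LE password) is out of scope, so it is passed in as bytes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters of the password hash sync derivation (per Microsoft's public
# description; verify against current documentation before relying on them).
SALT_BYTES = 10
PBKDF2_ITERATIONS = 1000
DERIVED_BYTES = 32


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte NT hash to 64 bytes: hex string, then UTF-16LE."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().encode("utf-16-le")  # 32 hex chars -> 64 bytes


def cloud_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Derive the value that ends up in Azure AD: PBKDF2-HMAC-SHA256 over the expanded hash."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be %d bytes" % SALT_BYTES)
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PBKDF2_ITERATIONS, DERIVED_BYTES)


def sync_user(nt_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """What the sync agent sends for one user: a fresh per-user salt plus the derived hash.

    The on-premises NT hash itself never leaves the domain, so a leaked cloud record
    cannot be replayed in a pass-the-hash attack against on-premises AD.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return {"salt": salt, "hash": cloud_hash(nt_hash, salt)}


def cloud_verify(record: dict, candidate_nt_hash: bytes) -> bool:
    """Cloud-side check at sign-in: re-derive from the candidate and compare in constant time."""
    return hmac.compare_digest(cloud_hash(candidate_nt_hash, record["salt"]), record["hash"])


# Constructed sample data: NT hash of "password" (well known) and a wrong guess.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
WRONG_NT_HASH = bytes.fromhex("00000000000000000000000000000000")

if __name__ == "__main__":
    first = sync_user(SAMPLE_NT_HASH)
    second = sync_user(SAMPLE_NT_HASH)
    print("same on-prem hash, different cloud records:", first["hash"] != second["hash"])
    print("correct credential verifies:", cloud_verify(first, SAMPLE_NT_HASH))
    print("wrong credential verifies:", cloud_verify(first, WRONG_NT_HASH))
```

Two syncs of the same on-premises hash produce different cloud records because of the per-user salt, and the cloud side can only verify a candidate by re-running the derivation, which is the property the slide's "non-reversible" wording refers to.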
  16. Pass-through Authentication (on-premises Active Directory with authentication agents, Azure AD)
      Secure and compliant: passwords remain on-premises; no DMZ and no inbound firewall requirements
      Easy to deploy and administer: agent-based deployment; high availability out of the box; no complex on-premises deployments or network configuration; zero management overhead
      Great user experience: same passwords for cloud-based and on-premises apps; integrated with Self-Service Password Reset; integrated with Smart Lockout, Identity Protection and Conditional Access
  17. Azure AD Seamless Single Sign-On (on-premises Active Directory)
      Easy to administer: no additional on-premises infrastructure; register non-Windows 10 devices without AD FS
      Great user experience: SSO from domain-joined devices within your corporate network
      Easy to integrate: works with Password Hash Sync and Pass-through Authentication; supports Alternate Login ID
  18. How does Tailwind Traders give external users access to their Azure resources? (aka.ms/AFUN90, #MSIgniteTheTour)
  19. Demo: Configuring Azure AD Guest Access
  20. Microsoft's Identity Services
  21. Azure AD B2B and Azure AD B2C
      Azure AD B2B: allows an organization to share files and resources with external users for direct collaboration; Azure AD handles the federation between your organization and the external organization
      Azure AD B2C: suitable for customer-facing apps; allows customers to sign in with their own established identity (Gmail / Facebook)
  22. How can Tailwind Traders allow users to reset their own passwords? (aka.ms/AFUN90, #MSIgniteTheTour)
  23. Demo: Configuring Self-Service Password Reset
  24. Empower user self-service to save time and money: resolving user password issues is one of the largest IT costs; enable resets from an intuitive web interface or directly from the Windows login screen
  25. Detecting threats to accounts as they occur
      Connected intelligence: observe trillions of signals and risk events from cloud systems
      Continuous detection: apply artificial intelligence and human expertise to derive accurate insights
      Actionable insights: send alerts, self-mitigate, and automatically remediate threats
  26. How can Tailwind Traders require a user to take extra steps to identify themselves when performing a risky sign-in? (aka.ms/AFUN90, #MSIgniteTheTour)
  27. Demo: Configuring Conditional Access
  28. Azure AD Conditional Access (diagram)
      Conditions: employee & partner users and roles; trusted & compliant devices (Windows, macOS, Android, iOS); physical & virtual location (corporate network, geo-location); client apps & auth method (browser apps, client apps)
      Signals: identity providers (Azure AD, AD FS, MSA, Google ID), Windows Defender ATP, Microsoft Cloud App Security; session risk scored by machine learning in a real-time evaluation engine
      Policies produce an effective policy; controls: require MFA; allow/block access; block legacy authentication; force password reset; limited access
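The Conditional Access diagram above compresses the model into one picture: conditions on the sign-in decide which policies apply, and every applicable policy must be satisfied. The following evaluation engine is an added example, not code from the deck or from Azure AD; the policy names, the signal fields and the reduction of named locations and device state to booleans are assumptions chosen to mirror the Tailwind Traders scenario (block legacy authentication, require MFA for admins and for risky sign-ins, require a compliant device off the corporate network).

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """Signals available to the evaluation engine for one sign-in attempt (assumed shape)."""
    user: str
    roles: FrozenSet[str]
    trusted_location: bool   # inside the corporate network or a named trusted location
    compliant_device: bool   # device marked compliant by device management
    client_app: str          # "browser", "modern", or "legacy" (basic-auth protocols such as IMAP/SMTP)
    sign_in_risk: str        # Identity Protection risk: "none", "low", "medium", "high"


@dataclass(frozen=True)
class Policy:
    """All set conditions must hold for the policy to apply; it then imposes one grant control."""
    name: str
    roles: Optional[FrozenSet[str]] = None          # None = all users
    client_apps: Optional[FrozenSet[str]] = None    # None = all client apps
    min_risk: Optional[str] = None                  # None = any risk level
    untrusted_locations_only: bool = False
    grant: str = "require_mfa"                      # "block", "require_mfa", "require_compliant_device"

    def applies(self, s: SignIn) -> bool:
        if self.roles is not None and not (self.roles & s.roles):
            return False
        if self.client_apps is not None and s.client_app not in self.client_apps:
            return False
        if self.min_risk is not None and RISK_LEVELS[s.sign_in_risk] < RISK_LEVELS[self.min_risk]:
            return False
        if self.untrusted_locations_only and s.trusted_location:
            return False
        return True


def evaluate(policies: Iterable[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Effective policy for a sign-in: a block wins outright; otherwise every grant
    control of every applicable policy must be met. Returns (outcome, applied policy names)."""
    matched = [p for p in policies if p.applies(s)]
    names = [p.name for p in matched]
    grants = {p.grant for p in matched}
    if "block" in grants:
        return "block", names
    if "require_compliant_device" in grants and not s.compliant_device:
        return "block", names          # this device cannot satisfy the control
    if "require_mfa" in grants:
        return "mfa", names            # interactive: prompt for a second factor
    return "allow", names


# Constructed policy set for the Tailwind Traders scenario.
TAILWIND_POLICIES = (
    Policy("Block legacy authentication", client_apps=frozenset({"legacy"}), grant="block"),
    Policy("Require MFA for admins", roles=frozenset({"Global Administrator"}), grant="require_mfa"),
    Policy("Require MFA on risky sign-in", min_risk="medium", grant="require_mfa"),
    Policy("Require compliant device off the corporate network",
           untrusted_locations_only=True, grant="require_compliant_device"),
)


def decide(s: SignIn) -> Tuple[str, List[str]]:
    return evaluate(TAILWIND_POLICIES, s)


if __name__ == "__main__":
    admin = SignIn("alice", frozenset({"Global Administrator"}), True, True, "browser", "none")
    imap = SignIn("bob", frozenset(), True, True, "legacy", "none")
    print(decide(admin))   # MFA required because of the admin policy
    print(decide(imap))    # blocked: legacy protocols cannot do MFA, so they are cut off
```

Note the ordering inside `evaluate`: a legacy-protocol sign-in is blocked even when the user is an admin who could otherwise pass MFA, which is exactly why "block legacy authentication" belongs in the baseline rather than being left to the MFA policies.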
  29. Smart Lockout
  30. Smart Lockout in action: the user normally logs in from Redmond, WA, so Redmond is a familiar location
  31. Two counters per user at the data center: familiar location counter 0, unfamiliar location counter 0
  32. Logs in from Redmond, WA with the correct password: counters remain unchanged (0 / 0)
  33. Logs in from Redmond, WA with an incorrect password: the familiar location's counter increases (1 / 0)
  34. Logs in from Redmond, WA with an incorrect password again: the familiar location's counter increases (2 / 0)
  35. Logs in from Redmond, WA a third time with the correct password: the familiar location's counter resets (0 / 0)
  36. A bad actor located in Tasmania appears; Tasmania is an unfamiliar location (0 / 0)
  37. Bad actor logs in from Tasmania with an incorrect password: the unfamiliar location counter increases (0 / 1)
  38. Bad actor logs in from Tasmania with an incorrect password again: the unfamiliar location counter increases (0 / 2)
  39. Bad actor keeps trying from Tasmania with incorrect passwords: the unfamiliar location counter reaches 10 (0 / 10)
  40. User logs in from Redmond, WA with the correct password: the user hits the familiar location counter, not the unfamiliar location counter, so the attacker's failures have not locked the user out (0 / 10)
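The walkthrough above is really a small state machine, so here it is as runnable code. This is an added example, not code from the deck or from Azure AD, and it models only what the slides show: one failure counter per (user, familiar-or-unfamiliar) bucket, a successful sign-in resetting only its own bucket, and a bucket locking when its counter reaches a threshold (10, the value the slides reach). The lockout duration, the way the service learns familiar locations over time, and its other signals are left out; the seeded familiar location and the user and place names are constructed.

```python
from typing import Dict, List, Set, Tuple


class SmartLockout:
    """Two-counter lockout model: failures from unfamiliar locations never lock
    the real user out at a familiar one."""

    def __init__(self, threshold: int = 10) -> None:
        self.threshold = threshold
        self.familiar: Dict[str, Set[str]] = {}          # user -> locations they normally sign in from
        self.counters: Dict[Tuple[str, str], int] = {}   # (user, bucket) -> consecutive failures
        self.locked: Set[Tuple[str, str]] = set()

    def learn_location(self, user: str, location: str) -> None:
        self.familiar.setdefault(user, set()).add(location)

    def bucket(self, user: str, location: str) -> str:
        return "familiar" if location in self.familiar.get(user, set()) else "unfamiliar"

    def attempt(self, user: str, location: str, password_ok: bool) -> str:
        """Returns "success", "failure" or "locked"."""
        key = (user, self.bucket(user, location))
        if key in self.locked:
            return "locked"            # a correct password is refused while its bucket is locked
        if password_ok:
            self.counters[key] = 0     # success resets only this bucket's counter
            return "success"
        self.counters[key] = self.counters.get(key, 0) + 1
        if self.counters[key] >= self.threshold:
            self.locked.add(key)
            return "locked"
        return "failure"

    def state(self, user: str) -> Tuple[int, int]:
        """(familiar counter, unfamiliar counter), matching the pair shown on the slides."""
        return (self.counters.get((user, "familiar"), 0),
                self.counters.get((user, "unfamiliar"), 0))


def replay_slides() -> List[Tuple[str, Tuple[int, int]]]:
    """Re-run the slide sequence; yields (result, (familiar, unfamiliar)) after each step."""
    sl = SmartLockout()
    sl.learn_location("user", "Redmond, WA")            # constructed: the user's normal location
    steps = [("Redmond, WA", True), ("Redmond, WA", False),
             ("Redmond, WA", False), ("Redmond, WA", True)]
    steps += [("Tasmania", False)] * 10                 # the bad actor's guesses
    steps += [("Redmond, WA", True),                    # the real user is unaffected
              ("Tasmania", True)]                       # even a correct guess is locked out now
    trace = []
    for location, ok in steps:
        trace.append((sl.attempt("user", location, ok), sl.state("user")))
    return trace


if __name__ == "__main__":
    for i, (result, counters) in enumerate(replay_slides(), 1):
        print("step %2d: %-8s familiar=%d unfamiliar=%d" % (i, result, *counters))
```

The last step shows the side of the design the slides leave implicit: once the unfamiliar bucket is locked, a password-spraying attacker who eventually guesses correctly is still refused, while the user at the familiar location keeps working.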
  41. Password Challenges
  42. How can Tailwind Traders ensure their users don't use banned or common passwords? (aka.ms/AFUN90, #MSIgniteTheTour)
  43. Demo: Azure AD Password Protection
  44. Azure AD Password Protection: cloud intelligence to ensure strong passwords
  45. Hybrid Azure AD Password Protection
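The slides name the feature but not how a banned-list check decides what "contains a banned password" means, which is what matters when users try "P@$$w0rd1". The scorer below is an added example, not code from the deck or from Azure AD Password Protection; it models the documented behaviour (lowercase normalisation with the 0/1/$/@ substitutions, one point per banned term found, one point per remaining character, five points needed) and states those rules as assumptions. The service's fuzzy edit-distance matching is left out, and the banned list is constructed for the Tailwind Traders scenario.

```python
from typing import Iterable

# Assumed normalisation and scoring rules, per Microsoft's public description.
SUBSTITUTIONS = {"0": "o", "1": "l", "$": "s", "@": "a"}
MIN_SCORE = 5


def normalize(password: str) -> str:
    """Lowercase, then undo the common leetspeak substitutions before matching."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())


def score(password: str, banned: Iterable[str]) -> int:
    """One point per banned term matched (longest first, scanning left to right),
    one point per character that is not part of any banned term."""
    terms = sorted({normalize(t) for t in banned if t}, key=len, reverse=True)
    s = normalize(password)
    points, i = 0, 0
    while i < len(s):
        for term in terms:
            if s.startswith(term, i):
                points += 1
                i += len(term)
                break
        else:
            points += 1
            i += 1
    return points


def is_acceptable(password: str, banned: Iterable[str], minimum: int = MIN_SCORE) -> bool:
    return score(password, banned) >= minimum


# Constructed list: tenant-specific terms plus two stand-ins for the global banned list.
BANNED = ["password", "tailwind", "traders", "contoso"]

if __name__ == "__main__":
    for candidate in ["P@$$w0rd1", "TailwindTraders2019", "mypasswords", "xqv9#Lm2"]:
        print("%-22s score=%d accepted=%s" % (candidate, score(candidate, BANNED),
                                             is_acceptable(candidate, BANNED)))
```

"P@$$w0rd1" normalises to a banned term plus one character and scores 2, so it is rejected regardless of how many symbols were substituted in; "mypasswords" scores only 4 because the banned term counts as a single point even when surrounded by other characters.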
  46. Nobody likes passwords
  47. Passwords are expensive and insecure
      Data breaches are expensive: $3.86 million is the average total cost of a data breach
      Passwords generate tons of support calls: the #1 cost for IT departments is forgotten passwords
      Passwords are the weak link: 81% of breaches leveraged passwords
      Password reuse across multiple accounts: 73% of passwords are duplicates
  48. Microsoft's password-replacement offerings (standards-based private key authentication, aka.ms/gopasswordless): Windows Hello for Business; Microsoft Authenticator; Microsoft-compatible security keys (FIDO2)
  49. Identity & Access Goals
  50. Want to learn more?
  51. Upcoming session alert
  52. MS Learn alert: aka.ms/AFUN90MSLearnCollection
  53. Microsoft Certification alert (#MSIgniteTheTour): get hired, stay ahead, and receive the recognition you deserve. aka.ms/AzureFunCert, aka.ms/AzureAdminCert
  54. aka.ms/LearningPartner, Microsoft.com/Learn, Microsoft.com/Certifications
  55. Resources: aka.ms/mymsignitethetour, aka.ms/AFUN90Repo, aka.ms/AFUN90, #MSIgniteTheTour. Get certified: Microsoft Certified: Azure Fundamentals (aka.ms/AzureFunCert); Microsoft Certified: Azure Administrator Associate (aka.ms/AzureAdminCert)
