Identity Days 2020 - What are the methods, and the level of security/robustness of each method, for authenticating to Azure Active Directory?
1. Thank you to all our partners!
29 octobre 2020
@IdentityDays #identitydays2020
2. What are the methods, and the level of security/robustness of each method, for authenticating to Azure Active Directory?
Xuan Ahehehinnou
& Hakim Taoussi
29 octobre 2020
Identity Days 2020
3. Xuan AHEHEHINNOU
Microsoft 365 Solution Architect
Abalon
Hakim TAOUSSI
Senior Architect /
MVP Apps & Services
vNext Insight
• Reminders on hybrid identities
• Authentication
• User
• Device
• Application
• Recommendations
CONFERENCE AGENDA
29 octobre 2020
Identity Days 2020
5. Reminders on hybrid identities
Identity Days 2020
29 octobre 2020
6. What does Hybrid look like?
Cloud: Microsoft Azure Active Directory, serving Office 365, SaaS, and LoB apps
On-premises / private cloud: Windows Server Active Directory
Connections between the two: Pass-through authentication (via the pass-through authentication agent), Federation, Password Hash synchronization
10. Password Hash Sync
Pros: Cloud-based authentication with the same password as on-premises. Quickest and easiest to deploy. Seamless SSO. Can be used with PTA and ADFS.
Cons: Disabling or editing a user on-prem needs a sync cycle to complete.
Federated Identity
Pros: Windows Integrated Desktop SSO, Certificate-Based Auth, 3rd-party MFA integration.
Cons: On-premises deployment. DMZ deployment.
3rd Party Federated
Pros: 3rd-party tools and services pre-tested for basic auth scenarios with WS-Fed.
Cons: Only basic scenarios. Second directory store in cloud. Multiple support channels. Provisioning only using PowerShell and Graph API.
Pass-through Authentication
Pros: Cloud-based authentication with PW validation on-prem. Minimal on-prem footprint. Seamless SSO.
Cons: Legacy Office clients not supported.
11. Password Hash Sync flow
Azure AD Connect (Sync Engine) requests unicodePwd attribute values via the MS-DRSR replication protocol.
The domain controller holds the MD4 hash of the password in the unicodePwd attribute; it encrypts the MD4 hash with a salt and the MD5 hash of the RPC session key, and sends the result and the salt.
Azure AD Connect decrypts to obtain the MD4 hash of the password.
The MD4 hash is expanded, a salt is added, and the result is input to the PBKDF2 function: 1000 iterations of HMAC-SHA256. The result is sent to Azure AD.
Azure AD stores the password as the original MD4 after processing with salt + PBKDF2 + HMAC-SHA256.
Sign in: does the supplied password value, after processing with MD4, salt, PBKDF2 and HMAC-SHA256, match the stored value for the user?
PBKDF2 = Password-Based Key Derivation Function 2 (RFC 2898) https://www.microsoft.com/security/blog/2019/05/30/demystifying-password-hash-sync/
12. Pass-through Authentication flow
Sign in: user name and password gathered via the Azure AD sign-in page.
Password encrypted with each AuthN agent's public key.
User name and encrypted passwords added to an Azure Service Bus queue.
AuthN agent removes the username and password from the queue, decrypts the password with its private key and attempts authentication against DCs using the Win32 LogonUser API.
If successful: user authenticated and MFA possible.
Returns results: success, username/password incorrect, account locked out…
No on-premises password sync required.
13. Federation (AD FS) sign-in flow
Participants: claims-aware app (trusts Azure AD), Azure AD (trusts your AD FS), your AD FS, with Directory Synchronization between on-premises AD and Azure AD.
Browse app; not authenticated; redirected to your Azure AD.
Home realm discovery via UPN; redirected to your AD FS.
Authenticate; AD FS returns a security token (ST) for consumption by Azure AD.
Azure AD processes the token (retrieving full user details if required) and returns a new ST.
Token sent to the app; the app returns cookies and page.
15. Feature summary

| Feature | PTA + sSSO | PHS + sSSO | ADFS |
| --- | --- | --- | --- |
| Authentication against credentials held on-premises | Yes | No | Yes |
| Single sign-on | Yes | Yes | Yes |
| Passwords remain on premises | Yes | Salted hash synced | Yes |
| On-premises MFA solution | No | No | Yes |
| Azure AD MFA | Yes | Yes | Yes |
| On-premises password policies | Yes | Partial | Yes |
| On-premises account enable/disable | Yes | Delayed (30 mins) | Yes |
| On-premises password lockout | Yes | No | Yes |
| Conditional access | Yes++ | Yes++ | Yes |
| Credentials captured from user via Azure AD UI | Yes | Yes | No |
| Protection against on-premises account lockout | Smart Lockout | N/A | Extranet Lockout |
| Cost of implementation | Medium | Low | High |
| Scalability/fault tolerance | Cloud scalability | Cloud scalability | Complex |
| AuthN fails for remote workers if the on-premises Internet connection is down; requires HA solution | Yes | No | Yes |
| On-going maintenance for authentication | Automated | None | SSL certificate management |
| Azure AD Connect Health monitoring | Not integrated | Limited | Yes |
| Azure AD Identity Protection (requires P2 license) | Yes | Yes | No |
16. Power up your Credentials
Good: Call, SMS
Better: Push, TOTP, OATH Token
Best (Passwordless): FIDO2 Key, Windows Hello, Authenticator app
(Axes: Dependencies, Risks)
Again … MFA prevents 99.9% of identity attacks
18. FIDO2 for AD Authentication
Components: Windows 10 client; Azure AD; Azure AD Connect; Active Directory. Kerberos server keys (Domain / Key: Contoso 394hwp…, Redmond Dreo322…) are held both in Active Directory and in Azure AD.
1. User authenticates to Azure AD with a FIDO2 security key.
2. Azure AD checks the tenant for a Kerberos server key matching the user's on-premises AD domain, and generates a partial Kerberos Ticket Granting Ticket (TGT) for the user's on-premises AD domain. The TGT contains only the user SID; no authorization data (groups) is included in the TGT.
3. The partial TGT is returned to Windows along with the Azure AD Primary Refresh Token (PRT).
4. Windows contacts an on-premises AD Domain Controller and trades the partial TGT for a full TGT.
5. Windows now has an Azure AD PRT and a full Active Directory TGT.
21. Windows 10 device
1. User sign-in with bio-gesture unlocks the TPM holding the private key
2. Windows sends "hello"
3. Azure AD sends back a nonce*
4. Windows uses the private key to sign the nonce and returns it to Azure AD with the key ID
5. Azure AD returns the PRT + an encrypted session key, protected in the TPM
6. Windows returns the signed PRT and derived session key to Azure AD to verify
* nonce: a random number (or string) used as part of the authentication process, to additionally secure the authentication attempt
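The server side of the hello/nonce/signed-nonce exchange above, as an added model (not Microsoft's or Azure AD's code), showing what the nonce footnote buys: a nonce is random, bound to one sign-in, single-use and time-limited, so a captured signed nonce cannot be replayed. HMAC-SHA256 with a per-device key stands in for the TPM-held asymmetric key so the example runs on the standard library alone; the key IDs, key material and the opaque "PRT" are constructed values.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional


def device_sign(device_key: bytes, nonce: bytes) -> bytes:
    """Device side: sign the nonce. Stand-in for the TPM-held private key (HMAC, not
    an asymmetric signature) so the example needs only the standard library."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class PrtIssuer:
    """Model of the Azure AD side: answer 'hello' with a nonce, issue a PRT for a valid response."""

    def __init__(self, registered_keys: Dict[str, bytes], ttl_seconds: float = 300.0):
        self.keys = registered_keys             # key ID -> key material registered at device join
        self.ttl = ttl_seconds
        self.pending: Dict[bytes, float] = {}  # outstanding nonces -> expiry timestamp

    def hello(self, now: Optional[float] = None) -> bytes:
        """Reply to 'hello' with a fresh random nonce and remember when it expires."""
        nonce = os.urandom(32)
        self.pending[nonce] = (now if now is not None else time.time()) + self.ttl
        return nonce

    def redeem(self, key_id: str, nonce: bytes, signature: bytes,
               now: Optional[float] = None) -> Optional[bytes]:
        """Issue a PRT only for a live, never-used nonce signed by a registered key."""
        now = now if now is not None else time.time()
        expiry = self.pending.pop(nonce, None)  # single use: consumed whether or not it verifies
        if expiry is None or now > expiry:
            return None                          # unknown, replayed or expired nonce
        key = self.keys.get(key_id)
        if key is None or not hmac.compare_digest(device_sign(key, nonce), signature):
            return None                          # unregistered key ID or bad signature
        # Constructed PRT: an opaque token bound to the key ID (real PRTs are JWTs, not modelled)
        return hashlib.sha256(b"PRT|" + key_id.encode() + b"|" + nonce).digest()
```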
26. Enforce MFA!!
Turn on PHS
Enable Seamless SSO if you're using PTA or PHS
Evaluate Authenticator passwordless and FIDO, while educating end users
Pilot and deploy WHfB
Upgrade LOB and web apps to modern authentication
Identify & phase out legacy workflows
Disable the web browser password credential provider
…
27. Thank you to all our partners! @IdentityDays #identitydays2020