Thanks to all our partners!
29 October 2020
@IdentityDays #identitydays2020

What are the methods of authentication to Azure Active Directory, and what is the level of security/robustness of each method?
Xuan Ahehehinnou & Hakim Taoussi
29 October 2020
Identity Days 2020
Xuan AHEHEHINNOU
Microsoft 365 Solution Architect
Abalon
Hakim TAOUSSI
Senior Architect /
MVP Apps & Services
vNext Insigth
CONFERENCE AGENDA
• Reminders on hybrid identities
• Authentication
  • User
  • Device
  • Application
• Recommendations

Reminders on hybrid identities
What does Hybrid look like?
[Diagram] Windows Server Active Directory (on-premises / private cloud) is linked to Microsoft Azure Active Directory (Office 365, SaaS and LoB apps) by Azure AD Connect, with three sign-in options: Password Hash synchronization, Pass-through authentication (via an on-premises pass-through authentication agent) and Federation.
Power up your credentials

User Authentication
Password Hash Sync
Pros: Cloud-based authentication with the same password as on-premises. Quickest and easiest to deploy. Seamless SSO. Can be used with PTA and ADFS.
Cons: Disabling or editing a user on-prem needs a sync cycle to complete.

Federated Identity
Pros: Windows Integrated Desktop SSO, certificate-based auth, 3rd-party MFA integration.
Cons: On-premises deployment. DMZ deployment.

3rd-Party Federated
Pros: 3rd-party tools and services pre-tested for basic auth scenarios with WS-Fed.
Cons: Only basic scenarios. Second directory store in the cloud. Multiple support channels. Provisioning only using PowerShell and Graph API.

Pass-through Authentication
Pros: Cloud-based authentication with password validation on-prem. Minimal on-prem footprint. Seamless SSO.
Cons: Legacy Office clients not supported.
Password Hash Sync: how it works
1. The Azure AD Connect sync engine requests unicodePwd attribute values via the MS-DRSR replication protocol. The MD4 hash of the password is stored in the unicodePwd attribute.
2. Active Directory encrypts the MD4 hash with a salt and the MD5 hash of the RPC session key, and sends the result and the salt.
3. Azure AD Connect decrypts the result to obtain the MD4 hash of the password.
4. The MD4 hash is expanded, a salt is added, and the result is fed into the PBKDF2 function: 1000 iterations of HMAC-SHA256.
5. The result is sent to Azure AD. The password is stored as the original MD4 after processing with salt + PBKDF2 + HMAC-SHA256.
6. Sign in: does the supplied password value, after processing with MD4, the salt, PBKDF2 and HMAC-SHA256, match the stored value for the user?
PBKDF2 = Password-Based Key Derivation Function (RFC 2898). See https://www.microsoft.com/security/blog/2019/05/30/demystifying-password-hash-sync/
Pass-through Authentication: how it works
1. User name and password are gathered via the Azure AD sign-in page.
2. The password is encrypted with each AuthN agent's public key.
3. User name and encrypted passwords are added to a queue (Azure Service Bus Queue).
4. An AuthN agent removes the username and password from the queue, decrypts the password with its private key and attempts authentication against DCs using the Win32 LogonUser API.
5. The agent returns the result: success, username/password incorrect, account locked out…
6. If successful: the user is authenticated and MFA is possible.
No on-premises password sync required.
Federation: how it works
Trust relationships: the claims-aware app trusts Azure AD; Azure AD trusts your AD FS. Directory synchronization runs between your AD and Azure AD, and full user details are retrieved if required.
1. Browse app: not authenticated, redirected to your Azure AD.
2. Home realm discovery via UPN; redirected to your AD FS.
3. Authenticate against your AD FS; AD FS returns a security token (ST) for consumption by Azure AD.
4. Redirected to Azure AD, which processes the token and returns a new ST.
5. Send token to the app; the app returns cookies and the page.
Feature summary | PTA + sSSO | PHS + sSSO | ADFS
Authentication against credentials held on-premises | Yes | No | Yes
Single-Sign-On | Yes | Yes | Yes
Passwords remain on premises | Yes | Salted hash synced | Yes
On-premises MFA solution | No | No | Yes
Azure AD MFA | Yes | Yes | Yes
On-premises password policies | Yes | Partial | Yes
On-premises account enable/disable | Yes | Delayed (30 mins) | Yes
On-premises password lockout | Yes | No | Yes
Conditional access | Yes++ | Yes++ | Yes
Credentials captured from user via Azure AD UI | Yes | Yes | No
Protection against on-premises account lockout | Smart Lockout | N/A | Extranet Lockout
Cost of implementation | Medium | Low | High
Scalability/fault tolerance | Cloud scalability | Cloud scalability | Complex
AuthN fails for remote workers if the on-premises Internet connection is down; requires HA solution | Yes | No | Yes
On-going maintenance for authentication | Automated | None | SSL certificate management
Azure AD Connect Health monitoring | Not integrated | Limited | Yes
Azure AD Identity Protection (requires P2 license) | Yes | Yes | No
Power up your Credentials
[Chart ranking MFA methods by dependencies and risks]
Good: Call, SMS
Better: Push, TOTP, OATH Token
Best: FIDO2 Key, Windows Hello, Authenticator app (Passwordless)
Again … MFA prevents 99.9% of identity attacks
FIDO2 for AD Authentication
[Diagram: Windows 10 client, on-premises Active Directory and Azure AD. Kerberos server keys per domain (e.g. Contoso 394hwp…, Redmond Dreo322…) are present in both Active Directory and Azure AD, with Azure AD Connect between them.]
1. The user authenticates to Azure AD with a FIDO2 security key.
2. Azure AD checks the tenant for a Kerberos server key matching the user's on-premises AD domain.
   • Azure AD generates a partial Kerberos Ticket Granting Ticket (TGT) for the user's on-premises AD domain. The TGT contains only the user SID; no authorization data (groups) is included in the TGT.
3. The partial TGT is returned to Windows along with the Azure AD Primary Refresh Token (PRT).
4. Windows contacts an on-premises AD Domain Controller and trades the partial TGT for a full TGT.
5. Windows now has an Azure AD PRT and a full Active Directory TGT.
Device Authentication
Windows Hello for Business: secured by hardware; the user credential is an asymmetric key pair provisioned via PKI or created locally via Windows 10; utilizes familiar devices.
Windows 10 device sign-in flow:
1. User sign-in with a bio-gesture unlocks the TPM holding the private key.
2. Windows sends "hello".
3. Azure AD sends back a nonce*.
4. Windows uses the private key to sign the nonce and returns it to Azure AD with the key ID.
5. Azure AD returns a PRT + encrypted session key, protected in the TPM.
6. Windows returns the signed PRT and derived session key to Azure AD to verify.
* Nonce: a random number (or string) used as part of the authentication process to additionally secure the authentication attempt.
Application Authentication
Conclusion
• Enforce MFA!!
• Turn on PHS
• Enable Seamless SSO if you're using PTA or PHS
• Evaluate Authenticator Passwordless and FIDO, while educating end-users
• Pilot and deploy WHfB
• Upgrade LOB and web apps to modern authentication
• Identify & phase out legacy workflows
• Disable the web browser password credential provider
• …
Récupération d’un Active Directory: comment repartir en confiance après une c...Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...
 
Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?Gestion des identités : par où commencer ?
Gestion des identités : par où commencer ?
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Identity Days 2020 - What are the authentication methods for Azure Active Directory, and how secure and robust is each of them? (slide transcript)
  • 11. Password Hash Synchronization: how the hash reaches Azure AD
    1. Azure AD Connect (sync engine) requests the unicodePwd attribute values from a domain controller over the MS-DRSR replication protocol. This is the directory-replication interface domain controllers use among themselves, so the connector account holds replication rights and the Azure AD Connect server has to be protected as a Tier 0 asset.
    2. The DC holds the password as an MD4 hash (the NT hash) in unicodePwd. It encrypts that MD4 hash with a salt and the MD5 hash of the RPC session key, then sends the result and the salt.
    3. Azure AD Connect decrypts the value to obtain the MD4 hash of the password.
    4. The MD4 hash is expanded, a per-user salt is added, and the result is fed into PBKDF2 with 1000 iterations of HMAC-SHA256.
    5. The derived value is sent to Azure AD and stored there. What Azure AD keeps is the original MD4 hash after processing with salt + PBKDF2 + HMAC-SHA256, never the clear-text password and never the raw MD4 hash.
    6. Sign-in: Azure AD processes the supplied password the same way (MD4, then salt, PBKDF2 and HMAC-SHA256) and checks whether the result matches the stored value for the user.
    PBKDF2 = Password-Based Key Derivation Function 2 (RFC 2898).
    https://www.microsoft.com/security/blog/2019/05/30/demystifying-password-hash-sync/
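The derivation of steps 4 to 6, written out as an added example; it is not code from the talk or from Azure AD Connect, but a reconstruction of Microsoft's public description of the process. The MD4 step is implemented in pure Python because OpenSSL 3 builds of hashlib frequently lack it. The expansion of the 16-byte hash to 64 bytes (lower-case hex string re-encoded as UTF-16-LE) is an assumption, since the description does not state the case of the hex digits. The roles stay separate: the domain controller computes the MD4 hash, Azure AD Connect derives the cloud value from the replicated hash with a per-user salt, and Azure AD re-derives from the password at sign-in and compares in constant time.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 1000   # 1000 iterations of HMAC-SHA256, as on the slide
SALT_LEN = 10       # per-user salt length Azure AD Connect generates


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Included because OpenSSL 3 builds of hashlib often refuse 'md4'."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian 64-bit.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                w = (-i) % 4            # step i updates a, d, c, b in turn
                x, y, z = s[(w + 1) % 4], s[(w + 2) % 4], s[(w + 3) % 4]
                s[w] = rotl((s[w] + fn(x, y, z) + X[k] + const) & mask, shifts[i % 4])
        state = [(a + b) & mask for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Domain controller side: what unicodePwd holds, MD4 of the UTF-16-LE password."""
    return md4(password.encode("utf-16-le"))


def expand_nt_hash(nt: bytes) -> bytes:
    """16-byte hash -> 32-character hex string -> UTF-16-LE (64 bytes).

    Assumption: lower-case hex digits; Microsoft's description does not state the case.
    """
    if len(nt) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt.hex().encode("utf-16-le")


def derive_cloud_hash(nt: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The value Azure AD Connect sends to Azure AD: PBKDF2-HMAC-SHA256 over the expanded hash."""
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt), salt, iterations, dklen=32)


def sync_record(replicated_nt_hash: bytes, salt: bytes = None) -> dict:
    """Azure AD Connect side: a fresh per-user salt, the derived value and the iteration count."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive_cloud_hash(replicated_nt_hash, salt)}


def verify_sign_in(record: dict, supplied_password: str) -> bool:
    """Azure AD side at sign-in: MD4, salt, PBKDF2-HMAC-SHA256, then a constant-time compare."""
    candidate = derive_cloud_hash(nt_hash(supplied_password), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])
```

Note what the last function implies: the synced value can only be checked by Azure AD recomputing it from the clear-text password, and 1000 PBKDF2 iterations over a fast MD4 input slow offline guessing only modestly, so the strength of what Azure AD stores is still the strength of the on-premises password.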
  • 12. Pass-through Authentication: sign-in flow
    1. User name and password are gathered via the Azure AD sign-in page.
    2. Azure AD encrypts the password with each authentication agent's public key.
    3. The user name and the encrypted passwords are added to an Azure Service Bus queue.
    4. An authentication agent takes the user name and password from the queue, decrypts the password with its private key and attempts authentication against the domain controllers using the Win32 LogonUser API.
    5. The agent returns the result: success, user name/password incorrect, account locked out, ...
    6. If successful, the user is authenticated and MFA is possible.
    No on-premises password sync is required. The password is in clear text in the agent's memory during step 4, so the servers hosting the agents, and their private keys, have to be protected like domain controllers.
  • 13. Federated identity with AD FS: sign-in flow
    Trust chain: the claims-aware app trusts Azure AD, and Azure AD trusts your AD FS. Directory synchronization populates the user objects in Azure AD.
    1. The user browses to the app and is not authenticated; the app redirects to Azure AD.
    2. Home realm discovery via the UPN: the domain is federated, so the user is redirected to your AD FS.
    3. The user authenticates to AD FS, which returns a security token (ST) for consumption by Azure AD.
    4. Azure AD processes the token, retrieves the full user details from the directory if required, and returns a new ST for the app.
    5. The browser sends the token to the app, which returns cookies and the page.
    Because Azure AD accepts whatever your AD FS signs, the AD FS token-signing certificate is a secret for the whole tenant, not just for the on-premises farm.
  • 15. Feature summary
    Feature                                                        | PTA + sSSO        | PHS + sSSO         | ADFS
    Authentication against credentials held on-premises           | Yes               | No                 | Yes
    Single sign-on                                                 | Yes               | Yes                | Yes
    Passwords remain on premises                                   | Yes               | Salted hash synced | Yes
    On-premises MFA solution                                       | No                | No                 | Yes
    Azure AD MFA                                                   | Yes               | Yes                | Yes
    On-premises password policies                                  | Yes               | Partial            | Yes
    On-premises account enable/disable                             | Yes               | Delayed (30 mins)  | Yes
    On-premises password lockout                                   | Yes               | No                 | Yes
    Conditional access                                             | Yes++             | Yes++              | Yes
    Credentials captured from user via Azure AD UI                 | Yes               | Yes                | No
    Protection against on-premises account lockout                 | Smart Lockout     | N/A                | Extranet Lockout
    Cost of implementation                                         | Medium            | Low                | High
    Scalability / fault tolerance                                  | Cloud scalability | Cloud scalability  | Complex
    AuthN fails for remote workers if the on-premises Internet connection is down (requires an HA solution) | Yes | No | Yes
    Ongoing maintenance for authentication                         | Automated         | None               | SSL certificate management
    Azure AD Connect Health monitoring                             | Not integrated    | Limited            | Yes
    Azure AD Identity Protection (requires P2 license)             | Yes               | Yes                | No
  • 16. Power up your credentials
    Good:   Call, SMS (dependencies and risks)
    Better: Push, TOTP, OATH token
    Best:   Passwordless: FIDO2 key, Windows Hello, Authenticator app
    Again ... MFA prevents 99.9% of identity attacks.
  • 18. FIDO2 for AD authentication (hybrid)
    Components: a Windows 10 client; Active Directory and Azure AD each hold the Kerberos server keys per domain (Domain / Key: Contoso 394hwp..., Redmond Dreo322...), kept in sync by Azure AD Connect.
    1. The user authenticates to Azure AD with a FIDO2 security key.
    2. Azure AD checks the tenant for a Kerberos server key matching the user's on-premises AD domain.
    3. Azure AD generates a partial Kerberos Ticket Granting Ticket (TGT) for the user's on-premises AD domain and returns it to Windows along with the Azure AD Primary Refresh Token (PRT). The partial TGT contains only the user SID; no authorization data (groups) is included.
    4. Windows contacts an on-premises AD domain controller and trades the partial TGT for a full TGT.
    5. Windows now has an Azure AD PRT and a full Active Directory TGT.
    The Kerberos server key is a secret shared between the two directories; rotate it regularly (Set-AzureADKerberosServer with -RotateServerKey, from the AzureADHybridAuthenticationManagement module).
  • 19. Device Authentication
  • 20. Windows Hello for Business
    Secured by hardware
    User credential: an asymmetric key pair, provisioned via PKI or created locally via Windows 10
    Utilize familiar devices
  • 21. Windows Hello for Business: sign-in to Azure AD with the device key
    1. The user signs in with a bio gesture, which unlocks the TPM holding the private key.
    2. Windows sends "hello" to Azure AD.
    3. Azure AD sends back a nonce*.
    4. Windows signs the nonce with the private key and returns it to Azure AD together with the key ID.
    5. Azure AD returns a PRT plus an encrypted session key, which is protected in the TPM.
    6. Windows returns the signed PRT and the derived session key to Azure AD for verification.
    * nonce: a random number (or string) used as part of the authentication process. It is generated per attempt, so a captured signature cannot be replayed; that is what additionally secures the authentication attempt.
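The six steps modelled end to end as an added example; this is not Windows or Azure AD code. The TPM-held key pair is stood in for by textbook RSA over two hard-coded Mersenne primes with no padding, and the PRT format, the session-key size and the five-minute nonce lifetime are assumed values. The point is who holds what and what the nonce buys: the private exponent never leaves the device object, a nonce is single-use and expires, and a replayed signature or a locked TPM is refused.

```python
import hashlib
import hmac
import secrets

# Toy key material (assumption): two known Mersenne primes and e = 65537 stand in for the
# TPM-generated key pair of slide 20. Textbook RSA without padding, not for real use.
P, Q, E = 2 ** 61 - 1, 2 ** 89 - 1, 65537
NONCE_TTL = 300    # seconds a nonce stays valid (assumed value)


def _digest_mod_n(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class Windows10Device:
    """Holds the private key; it is usable only after the bio gesture unlocked the TPM."""

    def __init__(self):
        self.n = P * Q
        self._d = pow(E, -1, (P - 1) * (Q - 1))     # never leaves this object
        self.key_id = hashlib.sha256(self.n.to_bytes(32, "big")).hexdigest()[:16]
        self._unlocked = False
        self.prt = None
        self.session_key = None

    def bio_gesture(self, recognised: bool) -> None:                # step 1
        self._unlocked = recognised

    def sign_nonce(self, nonce: bytes) -> int:                      # step 4
        if not self._unlocked:
            raise PermissionError("TPM-held key is locked")
        return pow(_digest_mod_n(nonce, self.n), self._d, self.n)

    def receive_prt(self, prt: str, sealed_session_key: int) -> None:   # step 5, device side
        self.prt = prt
        self.session_key = pow(sealed_session_key, self._d, self.n).to_bytes(16, "big")

    def prove_prt(self) -> bytes:                                   # step 6
        return hmac.new(self.session_key, self.prt.encode(), "sha256").digest()


class AzureAD:
    def __init__(self):
        self.devices = {}      # key_id -> public modulus, recorded at device registration
        self.nonces = {}       # outstanding nonce -> expiry time
        self.sessions = {}     # PRT -> session key

    def register_device(self, device: Windows10Device) -> None:
        self.devices[device.key_id] = device.n

    def hello(self, now: int) -> bytes:                             # steps 2-3
        nonce = secrets.token_bytes(32)
        self.nonces[nonce] = now + NONCE_TTL
        return nonce

    def issue_prt(self, key_id: str, nonce: bytes, signature: int, now: int):   # step 5, cloud side
        expiry = self.nonces.pop(nonce, None)                       # a nonce is consumed on first use
        if expiry is None or now > expiry:
            return None                                             # unknown, replayed or stale nonce
        n = self.devices.get(key_id)
        if n is None or pow(signature, E, n) != _digest_mod_n(nonce, n):
            return None                                             # not signed by the registered key
        session_key = secrets.token_bytes(16)
        prt = secrets.token_hex(32)
        self.sessions[prt] = session_key
        # The session key is sealed to the device's public key, so only the TPM can recover it.
        return prt, pow(int.from_bytes(session_key, "big"), E, n)

    def verify_prt_proof(self, prt: str, proof: bytes) -> bool:     # step 6
        key = self.sessions.get(prt)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, prt.encode(), "sha256").digest(), proof)


def sign_in(device: Windows10Device, aad: AzureAD, now: int = 1_000_000, gesture_ok: bool = True):
    """Run steps 1-6. Returns (nonce, success) so a caller can try to replay the nonce."""
    device.bio_gesture(gesture_ok)
    nonce = aad.hello(now)
    try:
        signature = device.sign_nonce(nonce)
    except PermissionError:
        return nonce, False
    issued = aad.issue_prt(device.key_id, nonce, signature, now)
    if issued is None:
        return nonce, False
    prt, sealed_key = issued
    device.receive_prt(prt, sealed_key)
    return nonce, aad.verify_prt_proof(prt, device.prove_prt())
```

Azure AD stores only the public modulus per key ID; a dump of its side yields nothing that can sign a nonce, and a signature captured on the wire is useless because the nonce it covers has already been consumed.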
  • 25. Conclusion
  • 26. Recommendations
    - Enforce MFA!
    - Turn on PHS
    - Enable Seamless SSO if you're using PTA or PHS
    - Evaluate Authenticator passwordless and FIDO, while educating end users
    - Pilot and deploy WHfB
    - Upgrade LOB and web apps to modern authentication
    - Identify and phase out legacy workflows
    - Disable the web browser password credential provider
    - ...
  • 27. Thanks to all our partners! @IdentityDays #identitydays2020