2. Thank you to all our generous sponsors
3. Vignesh Ganesan
Securing your Azure Identity infrastructure
@cloudvignesh
https://www.linkedin.com/in/vignesh-ganesan-mcse-mcsa-mct-itilv3-9246384a/
Speaker, International Conference, Online Event, September 16th & 17th
4. What to expect from today's session
• Strengthen your credentials
• Reduce your attack surface
• Automate threat response
• Utilize cloud intelligence
• Enable end-user self-service
7. Azure Active Directory
• Microsoft's cloud-based identity and access management service
• Azure AD provides access to both external and internal resources
• Many similarities with Active Directory
• Features include:
  • Multi-factor authentication
  • Single sign-on
  • Conditional Access
• Multiple license options
Azure AD Pricing: https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing?rtc=1
8. Comparison between Active Directory, Azure AD and Azure AD Domain Services
Ref: https://www.ciraltos.com/active-directory-domain-service-azure-active-directory-and-azure-active-directory-domain-service-explained/
10. Azure Active Directory: 2,000,000+ active apps
World's largest enterprise IDaaS service based on SaaS app user traffic.
Featured integrations: Cornerstone OnDemand, Workplace by Facebook, Canvas, Concur, Salesforce, Clever, SuccessFactors, Google G Suite, Workday, ServiceNow
Request additional integrations at aka.ms/AzureADAppRequest
15. 1. Strengthen your credentials
Most enterprise security breaches originate with an account compromised with one of a handful of methods such as password spray, breach replay, or phishing.
• Make sure your organization uses strong authentication
• Start banning commonly attacked passwords and turn off traditional complexity and expiration rules
• Protect against leaked credentials and add resilience against outages
• Implement Azure AD Smart lockout / AD FS extranet smart lockout
• Take advantage of intrinsically secure, easier to use credentials
16. Make sure your organization uses strong authentication
• Azure AD MFA
• Azure AD Security Defaults
Azure AD MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
Azure AD Security Defaults: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
17. Start banning commonly attacked passwords and turn off traditional complexity and expiration rules
• Azure AD Password Protection
• Azure AD Password Protection for Active Directory Domain Services
Custom banned password list*:
• Brand names
• Product names
• Locations, such as company headquarters
• Company-specific internal terms
• Abbreviations that have specific company meaning
* Global and Custom banned password list
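As an added example (not part of the deck), the following Python models how a custom banned list is applied on top of the global one: the password is normalized and then scored, one point per banned term found and one per remaining character, with five points needed to pass. The normalization rules and scoring follow Microsoft's published description of Azure AD Password Protection evaluation; treat them as an assumption, since fuzzy matching and the service's exact logic are not modelled here and the word lists are constructed.

```python
# Added example, not from the slides: a simplified model of how a custom banned
# password list is applied. Normalisation and five-point scoring follow Microsoft's
# published description of Azure AD Password Protection evaluation (assumption;
# fuzzy matching and the service's exact logic are not modelled here).

# Constructed lists. The global list stands in for Microsoft's maintained one;
# the custom list holds brand/product names, a location and internal terms.
GLOBAL_BANNED = ["password", "qwerty", "letmein", "welcome"]
CUSTOM_BANNED = ["contoso", "widgetpro", "redmond", "projectfalcon", "cns"]

# Case folding plus the common substitutions the service normalises away.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5


def normalize(password):
    """Lower-case and undo leet-style substitutions before matching."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password, banned):
    """One point per banned term found, one point per character left over."""
    remaining = normalize(password)
    points = 0
    # Longest terms first so 'projectfalcon' is consumed whole, not split by 'cns'.
    for term in sorted(set(banned), key=len, reverse=True):
        while term and term in remaining:
            remaining = remaining.replace(term, "", 1)
            points += 1
    return points + len(remaining)


def evaluate(password, extra_banned=()):
    """Return (accepted, points) against the global plus custom lists."""
    banned = GLOBAL_BANNED + CUSTOM_BANNED + list(extra_banned)
    points = score_password(password, banned)
    return points >= MIN_POINTS, points


if __name__ == "__main__":
    for candidate in ["C0ntos0Blank12", "P@ssw0rd1", "ProjectFalcon2024!"]:
        accepted, points = evaluate(candidate, extra_banned=["blank"])
        print(f"{candidate:20} points={points:2} {'accepted' if accepted else 'rejected'}")
```

Note that "ProjectFalcon2024!" still passes with six points even though it contains a banned term, which is why the custom list should carry the terms users are most likely to pad, not just the company name.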
18. Design principles - Azure AD Password Protection for Active Directory Domain Services
• Domain controllers (DCs) never have to communicate directly with the internet.
• No new network ports are opened on DCs.
• No AD DS schema changes are required. The software uses the existing AD DS container and serviceConnectionPoint schema objects.
• No minimum AD DS domain or forest functional level (DFL/FFL) is required.
• The software doesn't create or require accounts in the AD DS domains that it protects.
• User clear-text passwords never leave the domain controller, either during password validation operations or at any other time.
• The software isn't dependent on other Azure AD features. For example, Azure AD password hash sync (PHS) isn't related to or required for Azure AD Password Protection.
• Incremental deployment is supported; however, the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed.
Ref: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
19. Protect against leaked credentials and add resilience against outages
• The Users with leaked credentials report in Azure AD warns you of username and password pairs that have been exposed on the "dark web." An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities!
• In the event of an on-premises outage (for example, in a ransomware attack) you can switch over to cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to personal email accounts to share data until the on-premises outage is resolved.
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of the hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. It is required for premium features such as Identity Protection and Azure AD Domain Services.
20. Implement Azure AD smart lockout / AD FS extranet smart lockout
Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently from those of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
• AD FS in Windows Server 2012 R2: implement AD FS extranet lockout protection
• AD FS in Windows Server 2016: implement AD FS extranet smart lockout protection
21. Take advantage of intrinsically secure, easier to use credentials
Password-less with Windows 10 Hello
• Password-less authentication
• User-friendly experience
• Enterprise-grade security
47M active Windows Hello users; 6.5K enterprises have deployed Windows Hello for Business
23. 2. Reduce your attack surface
Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. Eliminating use of older, less secure protocols, limiting access entry points, and exercising more significant control of administrative access to resources can help reduce the attack surface area.
• Block legacy authentication
• Block invalid authentication entry points
• Restrict user consent operations
• Implement Azure AD Privileged Identity Management
24. Block legacy authentication
Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access. Apps using legacy authentication include POP3, IMAP4, and SMTP clients.
1. Block legacy authentication if you use AD FS.
2. Set up SharePoint Online and Exchange Online to use modern authentication.
3. If you have Azure AD Premium, use Conditional Access policies to block legacy authentication; otherwise use Azure AD Security Defaults.
25. Block invalid authentication entry points
[Conditional Access diagram] Conditions: Employee & Partner Users and Roles; Trusted & Compliant Devices; Physical & Virtual Location; Client apps & Auth Method. Signals: Corporate Network, Geo-location, Microsoft Cloud App Security, MacOS, Android, iOS, Windows, Windows Defender ATP, Client apps, Browser apps, Google ID, MSA, Azure AD, ADFS. Evaluation: Machine learning, Policies, Real time Evaluation Engine, Session Risk, Effective policy. Controls: Require MFA; Allow/block access; Block legacy authentication; Force password reset; Limited access.
26. Commonly applied CA policies
• Requiring multi-factor authentication for users with administrative roles
• Requiring multi-factor authentication for Azure management tasks
• Blocking sign-ins for users attempting to use legacy authentication protocols
• Requiring trusted locations for Azure AD Multi-Factor Authentication registration
• Blocking or granting access from specific locations
• Blocking risky sign-in behaviors
• Requiring organization-managed devices for specific applications
Ref: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
30. 3. Automate threat response
Azure Active Directory has many capabilities that automatically intercept attacks, to remove the latency between detection and response. You reduce costs and risks when you reduce the time criminals have to embed themselves into your environment.
• Implement user risk security policy using Azure AD Identity Protection
• Implement sign-in risk policy using Azure AD Identity Protection
31. Implement user risk security policy using Azure AD Identity Protection
Identity Protection is a tool that allows organizations to accomplish three key tasks:
• Automate the detection and remediation of identity-based risks.
• Investigate risks using data in the portal.
• Export risk detection data to your SIEM.
Types of risk Identity Protection can detect:
• Anonymous IP address use
• Atypical travel
• Malware linked IP address
• Unfamiliar sign-in properties
• Leaked credentials
• Password spray
• and more...
35. 4. Utilize cloud intelligence
Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks.
• Monitor Azure AD
• Monitor Azure AD Connect Health in hybrid environments
• Monitor Azure AD Identity Protection events
• Audit apps and consented permissions
36. Monitor Azure AD - Azure AD Sign-in Logs
• Application sign-in Success/Failure
• User display name and UPN
• Session conditions: location, IP, Date/Time
• MFA info: Required, Method, Result
• Client conditions: Device ID, browser, OS
• Conditional Access: Policy, Controls, Result
• Correlation ID!
• Latency is 2 to 5 mins
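As an added example (not part of the deck), the Python below triages exported sign-in log records for two of the risks the deck raises, legacy-protocol use (slide 24) and password spray (slides 15 and 31). The field names follow the Microsoft Graph signIn resource; the records, the spray threshold and the example.com-style UPNs are constructed for the demonstration.

```python
# Added example, not from the slides: triage of exported Azure AD sign-in log
# records (Microsoft Graph signIn field names) for two risks the deck raises,
# legacy-protocol use and password spray. All records below are constructed.
from collections import defaultdict

LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}
INVALID_PASSWORD = 50126   # status.errorCode for "invalid username or password"
SPRAY_MIN_USERS = 3        # assumption: distinct accounts per source IP before alerting

SIGNINS = [  # constructed sample records
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
     "status": {"errorCode": INVALID_PASSWORD}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Other clients", "ipAddress": "198.51.100.20",
     "status": {"errorCode": INVALID_PASSWORD}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Other clients", "ipAddress": "198.51.100.20",
     "status": {"errorCode": INVALID_PASSWORD}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Other clients", "ipAddress": "198.51.100.20",
     "status": {"errorCode": INVALID_PASSWORD}, "authenticationRequirement": "singleFactorAuthentication"},
]


def legacy_signins(records):
    """UPNs that authenticated over a legacy protocol, where CA cannot enforce MFA."""
    return sorted({r["userPrincipalName"] for r in records if r["clientAppUsed"] in LEGACY_CLIENTS})

def unprotected_successes(records):
    """Successful legacy sign-ins that completed with a single factor: highest priority."""
    return sorted(r["userPrincipalName"] for r in records
                  if r["clientAppUsed"] in LEGACY_CLIENTS
                  and r["status"]["errorCode"] == 0
                  and r["authenticationRequirement"] == "singleFactorAuthentication")

def spray_sources(records, min_users=SPRAY_MIN_USERS):
    """Source IPs whose invalid-password failures span min_users or more distinct accounts."""
    failed_users = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == INVALID_PASSWORD:
            failed_users[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}


if __name__ == "__main__":
    print("legacy protocol users  :", legacy_signins(SIGNINS))
    print("single-factor legacy OK:", unprotected_successes(SIGNINS))
    print("possible spray sources :", spray_sources(SIGNINS))
```

The single typo'd password from 203.0.113.10 stays below the threshold, while the one source trying three accounts is reported; in practice the same logic runs over the Log Analytics export rather than an inline list.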
37. Monitor Azure AD – Azure AD Audit Logs
• Actions performed that change the state of a resource, e.g.
  • Password Reset
  • Privileged Identity Management (PIM) Elevations
  • Terms of Use Acceptance
  • B2B Redemptions
  • SaaS App Configuration/Provisioning
• Latency is 2 to 5 mins
39. Who can access logs in Azure AD
• Global Administrator
• Global Reader
• Security Administrator
• Security Reader
• Reports Reader
• Application Admin
• No difference in data scope between roles
• Users can access their own sign-in logs
40. Monitor Azure AD Connect Health in hybrid environments
Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.
41. Monitor Azure AD Identity Protection events
• Azure AD Identity Protection is a notification, monitoring and reporting tool you can use to detect potential vulnerabilities affecting your organization's identities. It reports risk detections such as leaked credentials, impossible travel, and sign-ins from infected devices, anonymous IP addresses, IP addresses associated with suspicious activity, and unknown locations.
• Enable notification alerts to receive email about users at risk and/or a weekly digest email.
42. Audit apps and consented permissions
Illicit consent grant attack in Microsoft 365: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in-microsoft-365
44. 5. Enable end-user self-service
As much as possible you'll want to balance security with productivity. Along the same lines of approaching your journey with the mindset that you're setting a foundation for security in the long run, you can remove friction from your organization by empowering your users while remaining vigilant.
• Implement self-service password reset
• Implement self-service group and application access
• Implement Azure AD access reviews
47. Implement Azure AD access reviews
• Provides oversight for which users have access to what resources
• Prompts users to ensure their access is limited to the resources they need
• Applies to employees and guest users