Securing your Azure Identity infrastructure
Vignesh Ganesan | MCSE ,MCSA , MCT & ITIL V3
Enterprise Cloud Architect & Technology Strategist
https://www.linkedin.com/company/pdcconf @PDCConf https://www.facebook.com/pdcconf
@cloudvignesh
https://www.linkedin.com/in/vignesh-ganesan-mcse-mcsa-mct-itilv3-9246384a/
International Conference, Online Event, September 16th & 17th
What to expect from today’s session
• Strengthen your credentials
• Reduce your attack surface
• Automate threat response
• Utilize cloud intelligence
• Enable end-user self-service
About Me
Assumptions
• Office 365 Administrator /Developer
• Azure Administrator/Developer
• Active Directory Administrator
• Security Analyst
• Cloud Security Architect
• Cloud Solutions Architect
• C-Suite
Azure Active Directory
• Microsoft’s cloud-based identity and access management service
• Azure AD provides access to both external and internal resources
• Many similarities with Active Directory
• Features include:
• Multi-factor authentication
• Single sign-on
• Conditional Access
• Multiple license options
Azure AD Pricing : https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing?rtc=1
Comparison between Active Directory , Azure AD and Azure AD Domain Services
Ref : https://www.ciraltos.com/active-directory-domain-service-azure-active-directory-and-azure-active-directory-domain-service-explained/
Azure Active Directory: open standards ({ JSON }, OData), 2,000,000+ active apps
Integrated apps shown: Cornerstone OnDemand, Workplace by Facebook, Canvas, Concur, Salesforce, Clever, SuccessFactors, Google G Suite, Workday, ServiceNow
World’s largest enterprise IDaaS service based on SaaS app user traffic.
Request additional integrations at aka.ms/AzureADAppRequest
A complete IAM solution
IAM Today: Federation Server, IDP Connector, Provisioning Engine, HR System(s), App Proxy, Event Logs, Sign-in provider, MFA Server, Directory, Database(s)
Capability areas:
• Authentication & Authorization
• Directory Management
• Identity Governance & Administration
• Identity for IaaS (VM Access Management)
• Identity Developer Platform
• Customer IAM
Features: Single Sign-on (SSO + Federation), Identity Governance, RBAC, Microsoft Identity Platform, Azure AD B2C / B2B, Multi-Factor Authentication, Hybrid Identity, Passwordless, Conditional Access, Provisioning, Microsoft Graph, Identity Protection, Secure Hybrid Access, Group Management, Azure AD DS
Five steps to securing your identity infrastructure
Step 1: Strengthen your credentials
Step 2: Reduce your attack surface
Step 3: Automate threat response
Step 4: Utilize cloud intelligence
Step 5: Enable end-user self-service
Ref : https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
1. Strengthen your credentials
• Make sure your organization uses strong authentication
• Start banning commonly attacked passwords and turn off traditional complexity, and expiration rules.
• Protect against leaked credentials and add resilience against outages
• Implement Azure AD Smart lockout / AD FS extranet smart lockout
• Take advantage of intrinsically secure, easier to use credentials
Most enterprise security breaches originate with an account compromised with one of a handful of methods such as password spray, breach replay, or phishing.
Make sure your organization uses strong authentication
Azure AD MFA
Azure AD Security Defaults
Azure AD MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
Azure AD Security defaults : https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Start banning commonly attacked passwords and turn off traditional complexity, and expiration rules.
Azure AD Password Protection
Azure AD Password Protection for Active Directory Domain Services
Custom banned password list
Brand names
Product names
Locations, such as company headquarters
Company-specific internal terms
Abbreviations that have specific company meaning
* Global and Custom banned password list
Design principles - Azure AD Password Protection for Active Directory Domain Services
• Domain controllers (DCs) never have to communicate directly with the internet.
• No new network ports are opened on DCs.
• No AD DS schema changes are required. The software uses the existing AD DS container and serviceConnectionPoint schema objects.
• No minimum AD DS domain or forest functional level (DFL/FFL) is required.
• The software doesn't create or require accounts in the AD DS domains that it protects.
• User clear-text passwords never leave the domain controller, either during password validation operations or at any other time.
• The software isn't dependent on other Azure AD features. For example, Azure AD password hash sync (PHS) isn't related or required for Azure AD Password Protection.
• Incremental deployment is supported, however the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed.
Ref : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
Protect against leaked credentials and add resilience against outages
• The Users with leaked credentials report in the Azure AD management warns you of username and password pairs, which have been exposed on the "dark web." An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities!
• In the event of an on-premises outage (for example, in a ransomware attack) you can switch over to using cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to personal email accounts to share data until the on-premises outage is resolved.
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
Required for premium features such as Identity Protection and Azure AD Domain Services
Implement Azure AD smart lockout / AD FS extranet smart lockout
Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently from those of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
• AD FS in Windows Server 2012 R2: implement AD FS extranet lockout protection
• AD FS in Windows Server 2016: implement AD FS extranet smart lockout protection
Take advantage of intrinsically secure, easier to use credentials
Password-less with Windows 10 Hello
• Password-less authentication
• User-friendly experience
• Enterprise-grade security
47M active Windows Hello users
6.5K enterprises have deployed Windows Hello for Business
Demo
2. Reduce your attack surface
Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. Eliminating use of older, less secure protocols, limiting access entry points, and exercising more significant control of administrative access to resources can help reduce the attack surface area.
• Block legacy authentication
• Block invalid authentication entry points
• Restrict user consent operations
• Implement Azure AD Privileged Identity Management
Block legacy authentication
Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access. Examples of apps that use legacy authentication are POP3, IMAP4, or SMTP clients.
1. Block legacy authentication if you use AD FS.
2. Set up SharePoint Online and Exchange Online to use modern authentication.
3. If you have Azure AD Premium, use Conditional Access policies to block legacy authentication, otherwise use Azure AD Security Defaults.
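Before a block policy is switched on, it helps to know which accounts still sign in over legacy protocols. The following is an added example, not part of the original deck: it builds that inventory from exported sign-in records. The field names follow the Microsoft Graph signIn resource; the sample records are constructed, and treating every client app other than the two modern values as legacy is an assumption of this example.

```python
from collections import defaultdict

# Client app values the sign-in log reports for modern authentication.
# Assumption: any other non-empty value (IMAP4, POP3, Authenticated SMTP, ...)
# is treated as legacy authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def _rec(upn, client_app, error_code):
    """Build one constructed record shaped like a Microsoft Graph signIn object."""
    return {
        "userPrincipalName": upn,
        "clientAppUsed": client_app,
        "status": {"errorCode": error_code},
    }


# Constructed sample data. errorCode 0 is a successful sign-in,
# 50126 is an invalid username or password.
SAMPLE_SIGN_INS = [
    _rec("alice@contoso.example", "Browser", 0),
    _rec("scanner@contoso.example", "Authenticated SMTP", 0),
    _rec("scanner@contoso.example", "Authenticated SMTP", 0),
    _rec("bob@contoso.example", "IMAP4", 0),
    _rec("bob@contoso.example", "IMAP4", 50126),
    _rec("carol@contoso.example", "POP3", 50126),
    _rec("carol@contoso.example", "IMAP4", 50126),
    _rec("dave@contoso.example", "Mobile Apps and Desktop clients", 0),
    _rec("erin@contoso.example", "", 0),  # no client app recorded: not classified
]


def is_legacy(record):
    """True when the record names a client app outside the modern set."""
    client_app = record.get("clientAppUsed") or ""
    return bool(client_app) and client_app not in MODERN_CLIENT_APPS


def legacy_auth_inventory(records):
    """Return {user: {"protocols": set, "success": int, "failure": int}}."""
    inventory = defaultdict(
        lambda: {"protocols": set(), "success": 0, "failure": 0}
    )
    for record in records:
        if not is_legacy(record):
            continue
        entry = inventory[record["userPrincipalName"]]
        entry["protocols"].add(record["clientAppUsed"])
        outcome = "success" if record["status"]["errorCode"] == 0 else "failure"
        entry[outcome] += 1
    return dict(inventory)


def triage(inventory):
    """Split users into (still relying on legacy auth, failures only).

    The first group breaks when the block policy is enforced and needs
    migrating first; the second group never succeeds over legacy protocols,
    so blocking them changes nothing for the real user.
    """
    in_use = sorted(u for u, s in inventory.items() if s["success"] > 0)
    failures_only = sorted(u for u, s in inventory.items() if s["success"] == 0)
    return in_use, failures_only


if __name__ == "__main__":
    inv = legacy_auth_inventory(SAMPLE_SIGN_INS)
    in_use, failures_only = triage(inv)
    for user in in_use:
        print("migrate first:", user, sorted(inv[user]["protocols"]))
    for user in failures_only:
        print("failures only:", user, sorted(inv[user]["protocols"]))
```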
[Diagram: Conditional Access]
Conditions: Employee & Partner Users and Roles; Trusted & Compliant Devices; Physical & Virtual Location (corporate network, geo-location); Client apps & Auth Method (browser apps, client apps)
Signals shown: Microsoft Cloud App Security, Windows Defender ATP; platforms MacOS, Android, iOS, Windows; identity providers Google ID, MSA, Azure AD, ADFS
Real time evaluation engine: policies, machine learning, session risk, effective policy
Controls: Allow/block access, Require MFA, Block legacy authentication, Force password reset, Limited access
Block invalid authentication entry points
Commonly applied CA policies
• Requiring multi-factor authentication for users with administrative roles
• Requiring multi-factor authentication for Azure management tasks
• Blocking sign-ins for users attempting to use legacy authentication protocols
• Requiring trusted locations for Azure AD Multi-Factor Authentication registration
• Blocking or granting access from specific locations
• Blocking risky sign-in behaviors
• Requiring organization-managed devices for specific applications
Ref : https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
Restrict user consent operations
Implement Azure AD Privileged Identity Management
Demo
3. Automate threat response
Azure Active Directory has many capabilities that automatically intercept attacks, to remove the latency between detection and response. You can reduce the costs and risks, when you reduce the time criminals use to embed themselves into your environment.
• Implement user risk security policy using Azure AD Identity Protection
• Implement sign-in risk policy using Azure AD Identity Protection
Implement user risk security policy using Azure AD Identity Protection
Identity Protection is a tool that allows organizations to accomplish three key tasks:
• Automate the detection and remediation of identity-based risks.
• Investigate risks using data in the portal.
• Export risk detection data to your SIEM.
Types of risk that Identity Protection can detect
• Anonymous IP address use
• Atypical travel
• Malware linked IP address
• Unfamiliar sign-in properties
• Leaked credentials
• Password spray
• and more...
Implement sign-in risk policy using Azure AD Identity Protection
Azure AD Identity protection policies
Ref : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
Demo
4. Utilize cloud intelligence
Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks.
• Monitor Azure AD
• Monitor Azure AD Connect Health in hybrid environments
• Monitor Azure AD Identity Protection events
• Audit apps and consented permissions
Monitor Azure AD – Azure AD Sign-in Logs
• Application sign-in Success/Failure
• User display name and UPN
• Session conditions: location, IP, Date/Time
• MFA info: Required, Method, Result
• Client conditions: Device ID, browser, OS
• Conditional Access: Policy, Controls, Result
• Correlation ID!
• Latency is 2 to 5 mins
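The sign-in log fields listed on this slide (user, IP, date/time, result, correlation ID) are enough to spot the password spray pattern mentioned earlier in the deck. The following is an added example, not part of the original deck: it flags source IPs that fail sign-ins for many distinct users within a short window and lists any successes from the same IP to review. Field names follow the Microsoft Graph signIn resource; the sample records, the threshold and the window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password


def _rec(ts, upn, ip, code, cid):
    """Build one constructed record shaped like a Microsoft Graph signIn object."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "correlationId": cid}


# Constructed sample data (documentation IP ranges, made-up correlation IDs).
SAMPLE_SIGN_INS = [
    _rec("2021-09-16T08:00:05Z", "alice@contoso.example", "203.0.113.50", 50126, "c-0001"),
    _rec("2021-09-16T08:00:40Z", "bob@contoso.example", "203.0.113.50", 50126, "c-0002"),
    _rec("2021-09-16T08:01:10Z", "carol@contoso.example", "203.0.113.50", 50126, "c-0003"),
    _rec("2021-09-16T08:01:55Z", "dave@contoso.example", "203.0.113.50", 50126, "c-0004"),
    _rec("2021-09-16T08:02:30Z", "erin@contoso.example", "203.0.113.50", 50126, "c-0005"),
    _rec("2021-09-16T08:03:10Z", "carol@contoso.example", "203.0.113.50", 0, "c-0006"),
    # One user mistyping a password three times: not a spray.
    _rec("2021-09-16T08:00:00Z", "frank@contoso.example", "198.51.100.7", 50126, "c-0007"),
    _rec("2021-09-16T08:00:30Z", "frank@contoso.example", "198.51.100.7", 50126, "c-0008"),
    _rec("2021-09-16T08:01:00Z", "frank@contoso.example", "198.51.100.7", 50126, "c-0009"),
    _rec("2021-09-16T08:01:30Z", "frank@contoso.example", "198.51.100.7", 0, "c-0010"),
]


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(records, min_users=4, window=timedelta(minutes=10)):
    """Flag IPs with bad-password failures for >= min_users users inside window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for r in records:
        when = parse_time(r["createdDateTime"])
        code = r["status"]["errorCode"]
        if code == INVALID_PASSWORD:
            failures[r["ipAddress"]].append((when, r["userPrincipalName"]))
        elif code == 0:
            successes[r["ipAddress"]].append(
                (when, r["userPrincipalName"], r["correlationId"]))

    findings = []
    for ip, events in failures.items():
        events.sort()
        in_window = Counter()  # user -> failures currently inside the window
        start = 0
        best = None
        for when, user in events:
            in_window[user] += 1
            # Slide the window start forward until it spans at most `window`.
            while when - events[start][0] > window:
                old_user = events[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_users and (
                    best is None or len(in_window) > len(best["users"])):
                best = {"first": events[start][0], "last": when,
                        "users": sorted(in_window)}
        if best is None:
            continue
        # A success from the spraying IP during or just after the burst may be
        # a guessed password; return its correlation ID for follow-up.
        review = [(user, cid) for when, user, cid in successes.get(ip, [])
                  if best["first"] <= when <= best["last"] + window]
        findings.append({"ip": ip, "users": best["users"],
                         "first": best["first"], "last": best["last"],
                         "successes_to_review": review})
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGN_INS):
        print(finding["ip"], len(finding["users"]), "users targeted;",
              "review:", finding["successes_to_review"])
```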
Monitor Azure AD – Azure AD Audit Logs
• Actions performed that change the state of a resource, e.g.
• Password Reset
• Privileged Identity Management (PIM) Elevations
• Terms of Use Acceptance
• B2B Redemptions
• SaaS App Configuration/Provisioning
• Latency is 2 to 5 mins
Monitor Azure AD – Azure AD Security Logs
• Users flagged for risk: High, Medium, Low
• Risk events/Risky sign-ins: leaked credentials, anonymous IPs, impossible travel, unfamiliar locations
• Vulnerabilities: Users without MFA, Unused Admin Privileges
Who can access logs in Azure AD
• Global Administrator
• Global Reader
• Security Administrator
• Security Reader
• Reports Reader
• Application Admin
• No difference in data scope between roles
• Users can access their own sign-in logs
Monitor Azure AD Connect Health in hybrid environments
Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to
maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities
for your key identity components. Also, it makes the key data points about these components easily accessible.
Monitor Azure AD Identity Protection events
• Azure AD Identity Protection is a notification, monitoring and reporting tool you can use to detect potential vulnerabilities affecting your organization's identities. It reports risk detections such as leaked credentials, impossible travel, and sign-ins from infected devices, anonymous IP addresses, IP addresses associated with suspicious activity, and unknown locations.
• Enable notification alerts to receive email about users at risk and/or a weekly digest email.
Audit apps and consented permissions
Illicit consent grant attack in Microsoft 365 : https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in-microsoft-365
Demo
5. Enable end-user self-service
As much as possible you'll want to balance security with productivity. Along the same lines of approaching your journey with the mindset that you're setting a foundation for security in the long run, you can remove friction from your organization by empowering your users while remaining vigilant.
• Implement self-service password reset
• Implement self-service group and application access
• Implement Azure AD access reviews
SSPR Solution Architecture
Implement self-service password reset
Implement self-service group and application access
Implement Azure AD access reviews
• Provide oversight for which users have access to what resources
• Prompts users to ensure their access is limited to the resources they need
• Applies to employees and guest users
Demo
References:
• Azure AD Licensing : https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing?rtc=1
• MFA : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
• Security defaults : https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
• Password protection : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
• Azure AD Password protection for ADDS: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
• Authentication methods for Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
• Implement password hash synchronization with Azure AD connect sync : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
• Azure AD Smart lockout : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout
• ADFS Extranet Lockout Protection : https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection
• Windows Hello for Business overview : https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
• Conditional Access overview : What is Conditional Access in Azure Active Directory? | Microsoft Docs
• Conditional Access : Block legacy authentication : https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy
• PIM : https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
• Azure AD Identity protection policies : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
• Audit logs in Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
• Illicit consent grant attack in Microsoft 365 : https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in-microsoft-365
• Azure AD SSPR : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
• Self-service group management in Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management
• Azure AD entitlement management : https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
• Azure AD Access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Thank you!

04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB201904_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
 
15th December 2016 - Microsoft Paddington Vuzion Partner Event
15th December 2016 - Microsoft Paddington Vuzion Partner Event15th December 2016 - Microsoft Paddington Vuzion Partner Event
15th December 2016 - Microsoft Paddington Vuzion Partner Event
 

More from Vignesh Ganesan I Microsoft MVP

Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsVignesh Ganesan I Microsoft MVP
 
Protect Identities and Access to resources with Azure Active Directory
Protect Identities and Access to resources with Azure Active Directory Protect Identities and Access to resources with Azure Active Directory
Protect Identities and Access to resources with Azure Active Directory Vignesh Ganesan I Microsoft MVP
 
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...Vignesh Ganesan I Microsoft MVP
 
Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...
Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...
Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...Vignesh Ganesan I Microsoft MVP
 
Skype for business to Microsoft Teams- Guidance for a successful upgrade
Skype for business to Microsoft Teams- Guidance for a successful upgradeSkype for business to Microsoft Teams- Guidance for a successful upgrade
Skype for business to Microsoft Teams- Guidance for a successful upgradeVignesh Ganesan I Microsoft MVP
 
Live events in Microsoft Teams , Yammer and Stream- When to use what
Live events in Microsoft Teams , Yammer and Stream- When to use whatLive events in Microsoft Teams , Yammer and Stream- When to use what
Live events in Microsoft Teams , Yammer and Stream- When to use whatVignesh Ganesan I Microsoft MVP
 
What's new and what's next in SharePoint Development for Enterprise & SPFx
What's new and what's next in SharePoint Development for Enterprise & SPFx What's new and what's next in SharePoint Development for Enterprise & SPFx
What's new and what's next in SharePoint Development for Enterprise & SPFx Vignesh Ganesan I Microsoft MVP
 
Building solutions with SPFx that work across SharePoint and Teams
Building solutions with SPFx that work across SharePoint and TeamsBuilding solutions with SPFx that work across SharePoint and Teams
Building solutions with SPFx that work across SharePoint and TeamsVignesh Ganesan I Microsoft MVP
 
Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...
Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...
Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...Vignesh Ganesan I Microsoft MVP
 
How to succesfully drive Office 365 adpotion in your organization ?
How to succesfully drive Office 365 adpotion in your organization ?How to succesfully drive Office 365 adpotion in your organization ?
How to succesfully drive Office 365 adpotion in your organization ?Vignesh Ganesan I Microsoft MVP
 
SharePoint Saturday Bangalore -Overview of SharePoint Server 2019
SharePoint Saturday Bangalore -Overview of SharePoint Server 2019SharePoint Saturday Bangalore -Overview of SharePoint Server 2019
SharePoint Saturday Bangalore -Overview of SharePoint Server 2019Vignesh Ganesan I Microsoft MVP
 
Accelerate your journey to the cloud using the Microsoft SharePoint Migration...
Accelerate your journey to the cloud using the Microsoft SharePoint Migration...Accelerate your journey to the cloud using the Microsoft SharePoint Migration...
Accelerate your journey to the cloud using the Microsoft SharePoint Migration...Vignesh Ganesan I Microsoft MVP
 
Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...
Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...
Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...Vignesh Ganesan I Microsoft MVP
 

More from Vignesh Ganesan I Microsoft MVP (20)

Getting your enterprise ready for Microsoft 365 Copilot
Getting your enterprise ready for Microsoft 365 CopilotGetting your enterprise ready for Microsoft 365 Copilot
Getting your enterprise ready for Microsoft 365 Copilot
 
How to use Advanced eDiscovery for Microsoft Teams
How to use Advanced eDiscovery for Microsoft TeamsHow to use Advanced eDiscovery for Microsoft Teams
How to use Advanced eDiscovery for Microsoft Teams
 
Advanced eDiscovery with Microsoft Teams
Advanced eDiscovery with  Microsoft TeamsAdvanced eDiscovery with  Microsoft Teams
Advanced eDiscovery with Microsoft Teams
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
 
Protect Identities and Access to resources with Azure Active Directory
Protect Identities and Access to resources with Azure Active Directory Protect Identities and Access to resources with Azure Active Directory
Protect Identities and Access to resources with Azure Active Directory
 
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...What's new in Security and Compliance in SharePoint , OneDrive for Business &...
What's new in Security and Compliance in SharePoint , OneDrive for Business &...
 
Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...
Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...
Introduction to Microsoft 365 bookings and how to use bookings app in Teams f...
 
Skype for business to Microsoft Teams- Guidance for a successful upgrade
Skype for business to Microsoft Teams- Guidance for a successful upgradeSkype for business to Microsoft Teams- Guidance for a successful upgrade
Skype for business to Microsoft Teams- Guidance for a successful upgrade
 
Live events in Microsoft Teams , Yammer and Stream- When to use what
Live events in Microsoft Teams , Yammer and Stream- When to use whatLive events in Microsoft Teams , Yammer and Stream- When to use what
Live events in Microsoft Teams , Yammer and Stream- When to use what
 
What's new in Microsoft Teams
What's new in Microsoft Teams What's new in Microsoft Teams
What's new in Microsoft Teams
 
What's new and what's next in SharePoint Development for Enterprise & SPFx
What's new and what's next in SharePoint Development for Enterprise & SPFx What's new and what's next in SharePoint Development for Enterprise & SPFx
What's new and what's next in SharePoint Development for Enterprise & SPFx
 
Building solutions with SPFx that work across SharePoint and Teams
Building solutions with SPFx that work across SharePoint and TeamsBuilding solutions with SPFx that work across SharePoint and Teams
Building solutions with SPFx that work across SharePoint and Teams
 
Getting started with Microsoft Search
Getting started with Microsoft Search Getting started with Microsoft Search
Getting started with Microsoft Search
 
Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...
Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...
Introduction to Microsoft Kaizala And How to Empower Your Mobile Workforce us...
 
How to succesfully drive Office 365 adpotion in your organization ?
How to succesfully drive Office 365 adpotion in your organization ?How to succesfully drive Office 365 adpotion in your organization ?
How to succesfully drive Office 365 adpotion in your organization ?
 
Overview of SharePoint Server 2019 Public Preview
Overview of SharePoint Server 2019 Public PreviewOverview of SharePoint Server 2019 Public Preview
Overview of SharePoint Server 2019 Public Preview
 
SharePoint Saturday Bangalore -Overview of SharePoint Server 2019
SharePoint Saturday Bangalore -Overview of SharePoint Server 2019SharePoint Saturday Bangalore -Overview of SharePoint Server 2019
SharePoint Saturday Bangalore -Overview of SharePoint Server 2019
 
Accelerate your journey to the cloud using the Microsoft SharePoint Migration...
Accelerate your journey to the cloud using the Microsoft SharePoint Migration...Accelerate your journey to the cloud using the Microsoft SharePoint Migration...
Accelerate your journey to the cloud using the Microsoft SharePoint Migration...
 
Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...
Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...
Part 2 -Deep Dive into the new features of Sharepoint Online and OneDrive for...
 
Security and compliance in Office 365 -Part 1
Security and compliance in Office 365 -Part 1Security and compliance in Office 365 -Part 1
Security and compliance in Office 365 -Part 1
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Securing your Azure Identity Infrastructure

  • 1. Securing your Azure Identity infrastructure. Vignesh Ganesan | MCSE, MCSA, MCT & ITIL V3, Enterprise Cloud Architect & Technology Strategist. https://www.linkedin.com/company/pdcconf | @PDCConf | https://www.facebook.com/pdcconf
  • 2. Thank you to all our generous sponsors Supported by Powered by Organized by Sponsored by
  • 3. Speaker: Vignesh Ganesan, Securing your Azure Identity infrastructure. @cloudvignesh | https://www.linkedin.com/in/vignesh-ganesan-mcse-mcsa-mct-itilv3-9246384a/ | International Conference, Online Event, September 16th & 17th
  • 4. What to expect from today’s session: Strengthen your credentials; Automate threat response; Utilize cloud intelligence; Enable end-user self-service; Reduce your attack surface
  • 6. Assumptions
      • Office 365 Administrator/Developer
      • Azure Administrator/Developer
      • Active Directory Administrator
      • Security Analyst
      • Cloud Security Architect
      • Cloud Solutions Architect
      • C-Suite
  • 7. Azure Active Directory
      • Microsoft’s cloud-based identity and access management service
      • Azure AD provides access to both external and internal resources
      • Many similarities with Active Directory
      • Features include: Multi-factor authentication; Single sign-on; Conditional Access; Multiple license options
      Azure AD Pricing: https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing?rtc=1
  • 8. Comparison between Active Directory, Azure AD and Azure AD Domain Services. Ref: https://www.ciraltos.com/active-directory-domain-service-azure-active-directory-and-azure-active-directory-domain-service-explained/
  • 10. Azure Active Directory: 2,000,000+ active apps. World’s largest enterprise IDaaS service based on SaaS app user traffic. Apps shown: Cornerstone OnDemand, Workplace by Facebook, Canvas, Concur, Salesforce, Clever, SuccessFactors, Google G Suite, Workday, ServiceNow. Request additional integrations at aka.ms/AzureADAppRequest
  • 11. A complete IAM solution
  • 12. Federation Server IDP Connector Provisioning Engine HR System(s) App Proxy Event Logs Sign-in provider MFA Server Directory Database(s)
  • 13. IAM Today
      • Areas: Authentication & Authorization; Directory Management; Identity Governance & Administration; Identity for IaaS (VM Access Management); Identity Developer Platform; Customer IAM
      • Capabilities: Single Sign-on (SSO + Federation); Identity Governance; RBAC; Microsoft Identity Platform; Azure AD B2C / B2B; Multi-Factor Authentication; Hybrid Identity; Passwordless; Conditional Access; Provisioning; Microsoft Graph; Identity Protection; Secure Hybrid Access; Group Management; Azure AD DS
  • 14. Five steps to securing your identity infrastructure
      • Step 1: Strengthen your credentials
      • Step 2: Reduce your attack surface
      • Step 3: Automate threat response
      • Step 4: Utilize cloud intelligence
      • Step 5: Enable end-user self-service
      Ref: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
  • 15. 1. Strengthen your credentials
      Most enterprise security breaches originate with an account compromised with one of a handful of methods such as password spray, breach replay, or phishing.
      • Make sure your organization uses strong authentication
      • Start banning commonly attacked passwords and turn off traditional complexity and expiration rules
      • Protect against leaked credentials and add resilience against outages
      • Implement Azure AD smart lockout / AD FS extranet smart lockout
      • Take advantage of intrinsically secure, easier to use credentials
  • 16. Make sure your organization uses strong authentication
      • Azure AD MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
      • Azure AD Security Defaults: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
  • 17. Start banning commonly attacked passwords and turn off traditional complexity and expiration rules
      • Azure AD Password Protection
      • Azure AD Password Protection for Active Directory Domain Services
      • Global and custom banned password list
      • Custom banned password list: brand names; product names; locations, such as company headquarters; company-specific internal terms; abbreviations that have specific company meaning
  • 18. Design principles - Azure AD Password Protection for Active Directory Domain Services
      • Domain controllers (DCs) never have to communicate directly with the internet.
      • No new network ports are opened on DCs.
      • No AD DS schema changes are required. The software uses the existing AD DS container and serviceConnectionPoint schema objects.
      • No minimum AD DS domain or forest functional level (DFL/FFL) is required.
      • The software doesn't create or require accounts in the AD DS domains that it protects.
      • User clear-text passwords never leave the domain controller, either during password validation operations or at any other time.
      • The software isn't dependent on other Azure AD features. For example, Azure AD password hash sync (PHS) isn't related or required for Azure AD Password Protection.
      • Incremental deployment is supported; however, the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed.
      Ref: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
  • 19. Protect against leaked credentials and add resilience against outages
      • The "Users with leaked credentials" report in the Azure AD management portal warns you of username and password pairs that have been exposed on the "dark web." An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization, but only if you enable password hash sync or have cloud-only identities!
      • In the event of an on-premises outage (for example, in a ransomware attack) you can switch over to cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to personal email accounts to share data until the on-premises outage is resolved.
      • Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. It is required for premium features such as Identity Protection and Azure AD Domain Services.
  • 20. Implement Azure AD smart lockout / AD FS extranet smart lockout
      Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
      • AD FS in Windows Server 2012 R2: implement AD FS extranet lockout protection
      • AD FS in Windows Server 2016: implement AD FS extranet smart lockout protection
  • 21. Take advantage of intrinsically secure, easier to use credentials
      • Password-less with Windows 10 Hello: password-less authentication; user-friendly experience; enterprise-grade security
      • 47M active Windows Hello users
      • 6.5K enterprises have deployed Windows Hello for Business
  • 22. Demo
  • 23. 2. Reduce your attack surface
      Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. Eliminating use of older, less secure protocols, limiting access entry points, and exercising more significant control of administrative access to resources can help reduce the attack surface area.
      • Block legacy authentication
      • Block invalid authentication entry points
      • Restrict user consent operations
      • Implement Azure AD Privileged Identity Management
  • 24. Block legacy authentication
      Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access. Apps using legacy authentication are POP3, IMAP4, or SMTP clients.
      1. Block legacy authentication if you use AD FS.
      2. Set up SharePoint Online and Exchange Online to use modern authentication.
      3. If you have Azure AD Premium, use Conditional Access policies to block legacy authentication; otherwise use Azure AD Security Defaults.
  • 25. Block invalid authentication entry points (Conditional Access diagram)
      • Conditions: Employee & Partner Users and Roles; Trusted & Compliant Devices; Physical & Virtual Location (Corporate Network, Geo-location); Client apps & Auth Method (Client apps, Browser apps)
      • Signals shown: Microsoft Cloud App Security; Windows Defender ATP; MacOS, Android, iOS, Windows; Google ID, MSA, Azure AD, ADFS
      • Real-time evaluation engine: Policies, Machine learning, Session Risk, Effective policy
      • Controls: Require MFA; Allow/block access; Block legacy authentication; Force password reset; Limited access
  • 26. Commonly applied CA policies
      • Requiring multi-factor authentication for users with administrative roles
      • Requiring multi-factor authentication for Azure management tasks
      • Blocking sign-ins for users attempting to use legacy authentication protocols
      • Requiring trusted locations for Azure AD Multi-Factor Authentication registration
      • Blocking or granting access from specific locations
      • Blocking risky sign-in behaviors
      • Requiring organization-managed devices for specific applications
      Ref: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common
  • 27. Restrict user consent operations
  • 28. Implement Azure AD Privileged Identity Management
  • 29. Demo
  • 30. 3. Automate threat response
      Azure Active Directory has many capabilities that automatically intercept attacks, to remove the latency between detection and response. You reduce costs and risks when you reduce the time criminals have to embed themselves in your environment.
      • Implement user risk security policy using Azure AD Identity Protection
      • Implement sign-in risk policy using Azure AD Identity Protection
  • 31. Implement user risk security policy using Azure AD Identity Protection
      Identity Protection is a tool that allows organizations to accomplish three key tasks:
      • Automate the detection and remediation of identity-based risks.
      • Investigate risks using data in the portal.
      • Export risk detection data to your SIEM.
      Types of risk that Identity Protection can detect:
      • Anonymous IP address use
      • Atypical travel
      • Malware linked IP address
      • Unfamiliar sign-in properties
      • Leaked credentials
      • Password spray
      • and more...
  • 32. Implement sign-in risk policy using Azure AD Identity Protection
  • 33. Azure AD Identity protection policies Ref : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
  • 34. Demo
  • 35. 4. Utilize cloud intelligence
      Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks.
      • Monitor Azure AD
      • Monitor Azure AD Connect Health in hybrid environments
      • Monitor Azure AD Identity Protection events
      • Audit apps and consented permissions
  • 36. • Application sign-in Success/Failure • User display name and UPN • Session conditions: location, IP, Date/Time • MFA info: Required, Method, Result • Client conditions: Device ID, browser, OS • Conditional Access: Policy, Controls, Result • Correlation ID! • Latency is 2 to 5 mins Monitor Azure AD -Azure AD Sign-in Logs
  • 37. • Actions performed that change the state of a resource, e.g. • Password Reset • Privileged Identity Management (PIM) Elevations • Terms of Use Acceptance • B2B Redemptions • SaaS App Configuration/Provisioning • Latency is 2 to 5 mins Monitor Azure AD – Azure AD Audit Logs
  • 38. • Users flagged for risk • High, Medium, Low • Risk events/Risky sign-ins • leaked credentials, anonymous IPs, • impossible travel, unfamiliar locations • Vulnerabilities • Users without MFA, Unused Admin Privileges Monitor Azure AD – Azure AD Security Logs
  • 39. • Global Administrator • Global Reader • Security Administrator • Security Reader • Reports Reader • Application Admin • No difference in data scope between roles • Users can access their own sign-in logs Who can access logs in Azure AD
  • 40. Monitor Azure AD Connect Health in hybrid environments Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.
  • 41. Monitor Azure AD Identity Protection events: • Azure AD Identity Protection is a notification, monitoring and reporting tool you can use to detect potential vulnerabilities affecting your organization's identities. It raises risk detections such as leaked credentials, impossible travel, and sign-ins from infected devices, anonymous IP addresses, IP addresses associated with suspicious activity, and unknown locations. • Enable notification alerts to receive email about users at risk and/or a weekly digest email.
  • 42. Audit apps and consented permissions: Illicit consent grant attack in Microsoft 365 : https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in-microsoft-365
  • 43. Demo
  • 44. 5. Enable end-user self-service: As much as possible, you'll want to balance security with productivity. Along the same lines of approaching your journey with the mindset that you're setting a foundation for security in the long run, you can remove friction from your organization by empowering your users while remaining vigilant. • Implement self-service password reset • Implement self-service group and application access • Implement Azure AD access reviews
  • 45. Implement self-service password reset: SSPR Solution Architecture
  • 46. Implement self-service group and application access
  • 47. Implement Azure AD access reviews: • Provides oversight for which users have access to what resources • Prompts users to ensure their access is limited to the resources they need • Applies to employees and guest users
  • 48. Demo
  • 49. References: • Azure AD Licensing : https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing?rtc=1 • MFA : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa • Security defaults : https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults • Password protection : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad • Azure AD Password protection for ADDS : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises • Authentication methods for Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn • Implement password hash synchronization with Azure AD connect sync : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization • Azure AD Smart lockout : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout • ADFS Extranet Lockout Protection : https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection • Windows Hello for Business overview : https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview • Conditional Access overview : What is Conditional Access in Azure Active Directory? | Microsoft Docs • Conditional Access : Block legacy authentication : https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy • PIM : https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure • Azure AD Identity protection policies : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies • Audit logs in Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs • Illicit consent grant attack in Microsoft 365 : https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in-microsoft-365 • Azure AD SSPR : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr • Self-service group management in Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management • Azure AD entitlement management : https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview • Azure AD Access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
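
Added example (not part of the original slides): a Python triage pass over the sign-in log fields listed on slide 36, flagging legacy-authentication clients (slide 26), successful risky sign-ins and successes with no Conditional Access policy applied, keyed by correlation ID, plus a simple password-spray heuristic (slide 31). The records are constructed; field names follow the Microsoft Graph signIn resource, and the three-user spray threshold is an assumption.

```python
from collections import defaultdict

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
ELEVATED_RISK = {"medium", "high"}
BAD_PASSWORD = 50126  # Azure AD error code: invalid username or password

def _rec(upn, ip, client, err, risk="none", ca="success", cid=""):
    """Build one constructed record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": client,
            "status": {"errorCode": err}, "riskLevelDuringSignIn": risk,
            "conditionalAccessStatus": ca, "correlationId": cid}

# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "198.51.100.7", "Browser", 0, cid="c-1"),
    _rec("bob@example.com", "198.51.100.9", "IMAP4", 0, ca="notApplied", cid="c-2"),
    _rec("carol@example.com", "203.0.113.50", "Browser", 0, risk="high", cid="c-3"),
    _rec("dave@example.com", "203.0.113.77", "Browser", BAD_PASSWORD, ca="notApplied", cid="c-4"),
    _rec("erin@example.com", "203.0.113.77", "Browser", BAD_PASSWORD, ca="notApplied", cid="c-5"),
    _rec("frank@example.com", "203.0.113.77", "Browser", BAD_PASSWORD, ca="notApplied", cid="c-6"),
]

def flag_signins(signins):
    """Map correlation ID -> reasons a sign-in deserves review."""
    flagged = {}
    for s in signins:
        ok = s["status"]["errorCode"] == 0
        reasons = []
        if s["clientAppUsed"] not in MODERN_CLIENTS:
            reasons.append("legacy-auth")      # e.g. IMAP4, POP3, Exchange ActiveSync
        if ok and s["riskLevelDuringSignIn"] in ELEVATED_RISK:
            reasons.append("risky-success")    # risk was detected, sign-in still succeeded
        if ok and s["conditionalAccessStatus"] == "notApplied":
            reasons.append("no-ca-policy")     # no Conditional Access policy covered it
        if reasons:
            flagged[s["correlationId"]] = reasons
    return flagged

def spray_candidates(signins, min_users=3):
    """Map source IP -> users, where one IP failed passwords for many users."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == BAD_PASSWORD:
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(flag_signins(SAMPLE_SIGNINS))
    print(spray_candidates(SAMPLE_SIGNINS))
```

The correlation ID in each finding is the value to search for in the portal or SIEM to pull every event from the same sign-in attempt.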