Azure Active Directory –
Secure and Govern
Secure Authentication
Conditional Access
Mitigate Admin Risk with Privileged Identity Management
Terms of Use
Identity Governance
Azure Active Directory - Secure Authentication and Identity Governance


  • 1. Azure Active Directory – Secure and Govern
  • 62. Mitigate Admin Risk with Privileged Identity Management

Editor's Notes

  1. In the modern workplace, the end user’s needs can easily be at odds with the requirements an IT department faces. Deana runs a lean team in IT and is tasked with modernizing Contoso’s identity and access management solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support their latest product, but Deana is also dealing with an explosion in the number of apps employees use every day to do their jobs. For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even outside the company is important. He must work seamlessly across a wide array of apps, both external and internal. The question is whether he can do all of this securely and easily and still be empowered to make good decisions for Contoso on his own. CLICK STEP Click to advance the slide.
  2. While most of Contoso’s applications are enabled for one-click access, other applications, like BrowserStack, require very high security. IT needs to know that no one but Isaiah is accessing this application. So when Isaiah uses this application, he is prompted to confirm his identity via authentication using his phone. CLICK STEP Click the BrowserStack app.
  3. The Microsoft Authenticator app on his mobile device was previously configured to provide passwordless authentication for his work account. CLICK STEP Click Code to trigger typing animation.
  4. [Presentation will auto type 123456.] This is a very secure method of authentication because: (a) he’s authenticating with something he owns (his personal mobile device) and something he has (his biometrics); (b) Isaiah doesn’t have to use a password anywhere in this entire process. CLICK STEP Click Verify.
  5. CLICK STEP Click Yes.
  6. CLICK STEP Click to advance the slide.
  7. Conditional Access provides the control and protection that Contoso needs to keep corporate data secure, while giving people an experience that allows them to do their best work from any device. With Conditional Access, Deana can define policies that provide contextual controls at the user, location, device, and app levels. She can allow or block access or challenge users with multi-factor authentication, device enrollment, or a password change. Plus, machine learning-based identity protection, which leverages billions of signals daily, detects suspicious behavior and applies risk-based conditional access that protects Contoso’s applications and critical company data in real time. With Conditional Access by Microsoft, Contoso gets the control needed to ensure that corporate data is secure, while allowing people to roam freely between apps and devices, accessing their data in the cloud and on‑premises. CLICK STEP Click to advance the slide.
  8. Deana is going to configure Contoso’s environment to require multifactor authentication (MFA) for admins. Requiring MFA for admins protects the following administrator roles: Global administrator; SharePoint administrator; Exchange administrator; Conditional access administrator; Security administrator; Helpdesk administrator/Password administrator; Billing administrator; User administrator. CLICK STEP In the Contoso – Overview pane, click the scroll bar next to Manage to trigger scroll animation.
  9. [Presentation will auto scroll.] CLICK STEP Under Security, click Identity Secure Score.
  10. POINT OUT: Point out Your Identity Secure Score, Current Score/Maximum Score, and Improvement Actions. CLICK STEP Under Improvement Actions, click Require MFA for Azure AD p….
  11. POINT OUT: Point to, but do not click, SCORE IMPACT, MAX SCORE, and DESCRIPTION. CLICK STEP In the Improvement action pane, click the scroll bar to begin scroll animation.
  12. [Presentation will auto scroll.] POINT OUT: Point to, but do not click, WHAT AM I ABOUT TO CHANGE? and HOW WILL IT AFFECT MY USERS? CLICK STEP Click Get Started.
  13. CLICK STEP On the Conditional Access – Policies blade, click Baseline policy: Require MFA for admins (Preview).
  14. POINT OUT: Point to, but do not click, the bulleted list of directory roles. CLICK STEP On the Baseline policy: Require MFA for admins blade, click Use policy immediately.
  15. CLICK STEP Click Save.
  16. Deana’s CTO is adamant about higher security on SharePoint due to the sensitive nature of the documents stored there. No one should be able to access the SharePoint site from an unmanaged device. Deana will ensure that these security requirements are set for SharePoint and publish the appropriate policy. CLICK STEP Click the SharePoint admin center browser tab.
  17. Deana first enables the Access Control Policy for Unmanaged Devices in the SharePoint admin center. This will auto-generate the Conditional Access Policy in Azure Active Directory (Azure AD) for fine tuning and further control. CLICK STEP Click Unmanaged devices.
  18. CLICK STEP In the Unmanaged devices pane, click Block access.
  19. CLICK STEP Click Save.
  20. CLICK STEP Click the Conditional Access – Policies browser tab.
  21. In Azure Active Directory, Deana adds mobile apps and desktop clients to the devices that must be managed in order to access SharePoint. CLICK STEP Click [SharePoint admin center]Use app-enforced Restrictions for browser access.
  22. CLICK STEP Under Assignments, click Conditions.
  23. CLICK STEP Click Client apps (preview).
  24. CLICK STEP Click Mobile apps and desktop clients.
  25. CLICK STEP Click Other clients.
  26. CLICK STEP In the Client apps (preview) pane, click Done.
  27. CLICK STEP In the Conditions pane click Done.
  28. CLICK STEP In the [SharePoint admin center]… pane click the scroll bar to trigger scroll animation.
  29. [Presentation will auto scroll.] CLICK STEP Under Access controls, click Session.
  30. POINT OUT Point to, but do not click, Use app enforced restrictions. CLICK STEP Click Select.
  31. CLICK STEP Click Save.
  32. Once this policy is enabled, users will no longer be able to access SharePoint from browsers that are not managed by Azure Active Directory. Now, let’s see the policy in action from an end user perspective. CLICK STEP Click to advance the slide.
  33. CLICK STEP Click SharePoint.
  34. POINT OUT: Point to, but do not click, the Access Denied message. CLICK STEP Click to advance the slide.
  35. Legacy authentication protocols (e.g., IMAP, SMTP, POP3) are normally used by mail clients to authenticate. Legacy protocols do NOT support MFA. Even if you have an MFA policy for your tenant, a bad actor can authenticate using one of these legacy protocols and bypass MFA. CLICK STEP In the left-hand navigation, click Azure Active Directory.
  36. CLICK STEP In the Contoso – Overview pane, click the scroll bar next to Manage to trigger scroll animation.
  37. [Presentation will auto scroll.] CLICK STEP Under Security, click Conditional Access.
  38. Today, the majority of all compromising sign-in attempts come from legacy authentication. What better way to get protected than blocking these sign-in attempts altogether! To make it easier for you to block all sign-in requests made by legacy protocols, we recommend enabling the baseline policy that does just that. In fact, Security Basics, a new feature of Azure AD, will be applying these Baseline policies to all new tenants by default. CLICK STEP Under POLICY NAME, click Baseline policy: Block legacy authentication (Preview).
  39. POINT OUT Point to, but do not click, the bulleted list of apps the policy applies to. CLICK STEP In the Baseline policy: Block lega… pane, click the X.
  40. POINT OUT: Point to, but do not click, Baseline policy: Require MFA for admins (Preview), Baseline policy: End user protection (Preview), and Baseline policy: Require MFA for Service Management (Preview). CLICK STEP In the left-hand navigation, click Azure Active Directory.
  41. A great way to keep users secure while empowering employee productivity is by setting up automated remediation policies for any risky users. CLICK STEP In the Contoso – Overview pane, click the scroll bar to trigger scroll animation.
  42. [Presentation will auto scroll.] First, you’ll want to understand your security posture. Reviewing your Identity Secure Score is a great way to see how many of your users represent low, medium, or high risk. Based on the user risk, you can automatically set risk remediation policies, like requiring a password change when the user risk is medium or higher. CLICK STEP Under Security, click Identity Secure Score.
  43. CLICK STEP Under Security, click Overview (Preview).
  44. CLICK STEP Halfway down the Overview (Preview) pane, click Configure user risk policy.
  45. With so many users being flagged as risky, a policy requiring them to change their password on next logon is a good idea. That way, Deana can be sure any identities that were leaked are now protected by new passwords. CLICK STEP Click All users.
  46. CLICK STEP Click Select individuals and groups.
  47. CLICK STEP Click Select users.
  48. CLICK STEP Click Search by name or email address, to trigger typing animation.
  49. [Presentation will auto type sg-s.] CLICK STEP Click sg-Sales and Marketing.
  50. CLICK STEP Click Select.
  51. CLICK STEP Click Done.
  52. CLICK STEP Under Assignments, click Conditions.
  53. CLICK STEP Click Select a risk level.
  54. CLICK STEP Click Medium and above.
  55. CLICK STEP Click Select.
  56. CLICK STEP Click Done.
  57. CLICK STEP Under Controls click Select a control.
  58. POINT OUT Point to, but do not click, Allow access and Require password change. CLICK STEP Click Select.
  59. CLICK STEP Click Save.
  60. CLICK STEP Click to advance the slide.
  61. CLICK STEP Click to advance the slide.
  62. With Azure AD Privileged Identity Management, Contoso can manage, control, and monitor access within the organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune. CLICK STEP At the top, click Search resources, services, and docs to trigger typing animation.
  63. [Presentation will auto type Azure AD Pri.] CLICK STEP Click Azure AD Privileged Identity Management.
  64. The Azure AD Privileged Identity Management console in the Azure Portal gives Deana important information such as: alerts that point out opportunities to improve security; the number of users who are assigned to each privileged role; the number of eligible and permanent admins; and ongoing access reviews. CLICK STEP Under Manage, click Azure AD roles.
  65. CLICK STEP Under Manage, click Roles.
  66. POINT OUT: Point to, but do not click, the ROLE and DESCRIPTION columns. CLICK STEP On the far right click the scroll bar to trigger scroll animation.
  67. [Presentation will auto scroll.] CLICK STEP Click Global Administrator.
  68. Contoso has several permanent Global Admins. They have full access and control over the directory and the Office 365 tenant all the time. This means that Contoso is continually open to malicious attacks. CLICK STEP In the Global Administrator - Members blade, on the entry for Isaiah Langer, click the ellipsis (…).
  69. With Privileged Identity Management, Contoso can decide who should have permanent access and who should just have temporary access when required. Isaiah does not need permanent admin access, so the admin sets him to eligible. CLICK STEP Click Make eligible.
  70. Eligible admins are users that need privileged access now and then, but not every day. The role is inactive until Isaiah needs access. When he needs access, he will complete an activation process and become an active admin for a predetermined amount of time. CLICK STEP Click X to close the Global Administrator - Members blade.
  71. CLICK STEP Under Manage, click Settings.
  72. CLICK STEP Click Roles.
  73. CLICK STEP On the Roles pane, click the scroll bar to trigger scroll animation.
  74. [Presentation will auto scroll.] CLICK STEP Click Global Administrator.
  75. The admin can also configure the details of the admin's access, including how long it lasts and whether any notification or additional authentication is needed. Note that for certain highly privileged roles, MFA is always required. CLICK STEP Click the bar under Maximum activation duration (hours).
  76. CLICK STEP Under Notifications, click Enable.
  77. CLICK STEP At the top of the Global Administrator pane, click Save.
  78. CLICK STEP Click to advance the slide.
  79. When Isaiah needs higher privileges for a specific task, he can go into Privileged Identity Management in the Azure portal and request activation for the access role. Any type of admin can use Azure AD Privileged Identity Management to activate. CLICK STEP Click the email from Microsoft Azure with the title PIM: You can now active…
  80. CLICK STEP Click Activate role.
  81. CLICK STEP Click Maybe later.
  82. CLICK STEP Click We have deprecated this blade.
  83. CLICK STEP Under Tasks, click My roles.
  84. CLICK STEP On the line for Global Administrator, click Activate.
  85. CLICK STEP At the top of the Global Administrator pane, click Activate.
  86. CLICK STEP In the Activation reason (max 500 characters), click to trigger typing animation.
  87. [Presentation will auto type Demo.] Isaiah can now activate the request. Role activation is customizable. In the PIM settings, Isaiah can determine the length of the activation and provide a business justification. CLICK STEP At the bottom, click Activate.
  88. Isaiah is auto-approved for the requested access with an expiration time for that permission. CLICK STEP In the Activation status pane, click Sign out.
  89. Using Azure AD Privileged Identity Management, the admin can track changes in privileged role assignments and role activation history. CLICK STEP On the Roles pane, click the X.
  90. CLICK STEP On the Azure AD roles – Settings pane, click the scroll bar to trigger scroll animation.
  91. CLICK STEP Under Activity, click Directory roles audit history.
  92. The admin can see Isaiah just requested access as a Global Administrator. This information can be critical for auditing and forensic investigations. CLICK STEP Click to advance the slide.
  93. This demo shows how a Global Administrator can require users to accept the Terms of Use. CLICK STEP Click to advance the slide.
  94. Azure AD Terms of Use provides a simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements. CLICK STEP In the Contoso – Overview pane, next to Manage, click the scroll bar to trigger scroll animation.
  95. [Presentation will auto scroll.] CLICK STEP Under Security, click Conditional Access.
  96. CLICK STEP Under Manage, click Terms of use.
  97. CLICK STEP Click + New terms.
  98. Azure AD Terms of Use uses the PDF format to present content. The PDF file can be any content, such as existing contract documents, allowing you to collect end-user agreements during user sign-in. CLICK STEP Next to Terms of use document, click the folder icon.
  99. CLICK STEP Click ToUPDF.pdf.
  100. CLICK STEP Click Open.
  101. CLICK STEP In the Example: ‘All users terms of use’ box, click to trigger typing animation.
  102. [Presentation will auto type Contoso Terms of Use Policy.] CLICK STEP In the Example: ‘Contoso Terms of Use’ box, click to trigger typing animation.
  103. [Presentation will auto type Contoso Terms of Use.] CLICK STEP Click Select default language.
  104. CLICK STEP In the drop-down list, click the scroll bar to trigger scroll animation.
  105. CLICK STEP Click English.
  106. CLICK STEP Next to Require users to expand the terms of use, click On.
  107. CLICK STEP In the New terms of use pane, click the scroll bar to trigger scroll animation.
  108. CLICK STEP Click Policy templates.
  109. When the option Create conditional access policy later is selected, the terms of use will appear in the grant control list when creating a conditional access policy. CLICK STEP Click Create conditional access policy later.
  110. CLICK STEP Click Create.
  111. CLICK STEP In the Conditional Access – Terms of use pane, click Policies.
  112. CLICK STEP Click + New policy.
  113. CLICK STEP Click Example: ‘Device compliance app policy’, to trigger typing animation.
  114. [Presentation will auto type External User Saas Apps Terms of Use Policy.] CLICK STEP Under Assignments, click Users and groups.
  115. CLICK STEP Click Select users and groups.
  116. CLICK STEP Click Users and groups.
  117. CLICK STEP Click Select.
  118. CLICK STEP Click Search by name or email address to trigger typing animation.
  119. [Presentation will auto type sg-s.] CLICK STEP Click sg-Sales and Marketing.
  120. CLICK STEP Click Select.
  121. CLICK STEP Click Done.
  122. CLICK STEP Under Assignments, click Cloud apps or actions.
  123. CLICK STEP Click Select apps.
  124. CLICK STEP Click Select.
  125. CLICK STEP In the Select pane, click the scroll bar to trigger scroll animation.
  126. [Presentation will auto scroll.] CLICK STEP Click Salesforce.
  127. CLICK STEP Click Select.
  128. CLICK STEP Click Done.
  129. CLICK STEP Under Access controls, click Grant.
  130. CLICK STEP Click Contoso Terms of Use Policy.
  131. CLICK STEP Click Select.
  132. CLICK STEP In the New pane, click the scroll bar to trigger scroll animation.
  133. CLICK STEP Under Enable policy, click On.
  134. CLICK STEP Click Create.
  135. CLICK STEP Click to advance the slide.
  136. An external user’s Terms of Use policy can be verified via the newly enhanced Conditional Access feature. This custom control enables verification of a complete set of terms of use to manage users and group access. CLICK STEP Click Salesforce.
  137. CLICK STEP Click Accept.
  138. POINT OUT: Point to, but do not click, the warning message. CLICK STEP Click Ok.
  139. CLICK STEP Click Contoso Terms of Use.
  140. CLICK STEP Click the far-right scroll bar to trigger scroll animation.
  141. CLICK STEP Click Accept.
  142. When a company policy changes or new compliance rules are to be enforced, Conditional Access for Terms of Use easily manages the changes for all users, in a systematic and targeted way. CLICK STEP Click to advance the slide.
  143. The Terms of use blade shows a count of the users who have accepted and declined. CLICK STEP In the Contoso – Overview pane, click the scroll bar next to Manage to trigger scroll animation.
  144. CLICK STEP Under Security, click Conditional Access.
  145. CLICK STEP Under Manage, click Terms of use.
  146. These counts and who accepted/declined are stored for the life of the Terms of use. CLICK STEP Under ACCEPTED, click 1.
  147. POINT OUT: Point to, but do not click, Isaiah Langer’s status as Accepted. CLICK STEP Click to advance the slide.
  148. In the modern workplace, the end user’s needs can easily be at odds with the requirements an IT department faces. Deana runs a lean team in IT and is tasked with modernizing Contoso’s identity and access management solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support their latest product, but Deana is dealing with an explosion in the number of apps employees are using every day to do their jobs. For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even outside the company is important. He must work seamlessly across a wide array of apps, both internal and external. The question is whether he can do all of this securely and easily, and still be empowered to make good decisions for Contoso on his own. CLICK STEP Click to advance the slide.
  149. Identity is the center of security. More than ever before, employees, customers and partners share information across devices, locations, and a world of apps. Today, the power of the cloud is leveraged to ensure identities and access to information and apps are seamless and secure. Let’s look at a specific example of how identity improves both security and productivity: Identity Governance. Identity Governance allows Deana to manage, monitor and audit the end-to-end Identity Access management lifecycle. CLICK STEP Under Entitlement management (Preview), click Access packages.
  150. When users request access to resources, governance policies ensure access is granted easily, securely and in line with your security and compliance requirements. Let me show you how an admin can grant resource access to a partner company using this capability. CLICK STEP Click Sales and Marketing.
  151. The admin for Adatum Corporation wants to enable a business partner inside Contoso to collaborate with their Sales and Marketing team. With the new Azure AD Identity Governance feature, he creates an entitlement. CLICK STEP Under Manage click Policies.
  152. CLICK STEP Click Initial Policy.
  153. CLICK STEP Click Edit.
  154. CLICK STEP Under Users who can request access, click For users not in your directory.
  155. CLICK STEP Click the far-right scroll bar to trigger scroll animation.
  156. CLICK STEP Click + Add directories.
  157. CLICK STEP Click Search by domain, example: contoso.com to trigger typing animation.
  158. [Presentation will auto type adatum.com.] CLICK STEP In the Select directories pane, click the scroll bar to trigger scroll animation.
  159. [Presentation will auto scroll.] CLICK STEP Click Add.
  160. CLICK STEP Click Select.
  161. POINT OUT: Point to, but do not click, Request approval, Access package expires, and Enable policy. CLICK STEP Click Updated.
  162. Entitlements are the cornerstone of governance, and allow the Administrator to group users, resources and policies needed to grant access. CLICK STEP Under Manage, click Resource roles.
  163. For this demo, the Adatum Administrator has already created a set of entitlements for his organization. Let’s look at the Sales and Marketing entitlement that will enable employees from Contoso, a partner organization, to collaborate with Adatum. First, resources must be specified and associated with the entitlement. Here, 2 apps, 1 user group, and 1 SharePoint site are listed. More resources can be added here, as necessary. CLICK STEP At the top, click Search resources, services, and docs.
  164. [Presentation will auto type Identity Gov.] There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access. The Office 365 Groups feature allows more users across your organization to create their own groups and pick who they want in those groups. CLICK STEP Click Identity Governance.
  165. Of course, over time, group memberships and application access assignments can get stale–people change jobs or no longer need access to a particular application. For example, maybe a guest who was given access isn’t affiliated with their original organization any longer. This staleness can cause a problem for protecting business-sensitive assets or applications subject to compliance. To avoid access getting out of hand, organizations can now schedule access reviews to make sure only the users they want to have access to their assets and applications o. CLICK STEP Under Access reviews, click Access reviews.
  166. CLICK STEP Click Salesforce Access Review.
  167. POINT OUT: Point to, but do not click, Owner, App, Scope, Review status, and Recurrence. An access review asks users to recertify (or “attest”) to access rights to an app or membership in a group. You can ask users to review their own rights or select reviewers to review everyone in a group, or everyone currently assigned access to an app. You can also ask the group owners to review. And finally, for those organizations that have other processes in place to manage employee access, you can scope the review to include only guest members or guests who have access. CLICK STEP Click + to open a new browser tab.
  168. There are two ways users’ access can be reviewed: by group membership or by application access. The access review is configured to run for a time to allow the reviewers to review and respond. Reviewers will receive an email notification that an access review needs their response. To review the results, the reviewers can click on the link in the email or access the results via https://myapps.microsoft.com. CLICK STEP Click Search or enter web address to trigger typing animation.
  169. CLICK STEP Click Access reviews.
  170. CLICK STEP Click Begin review.
  171. For a user that has not signed in recently, the recommendation is access denial. This can be overridden if desired. In one click, all the Access Review recommendations can be accepted. When the review period ends, or if the review is manually stopped, the results can then be applied. CLICK STEP Click Lynne Robbins.
  172. CLICK STEP Click Approve.
  173. POINT OUT: Point to, but do not click, the Reason box, which is now required. CLICK STEP Click Cancel.
  174. CLICK STEP Click the Salesforce Access Review tab.
  175. Admins can see the results of an access review through Azure Identity Governance at any time once the access review is created. In the Results pane they can see the list of users, the outcome, the recommended action, the reason, and the reviewer for each entry of the access review. Should changes be made to the access review settings, the Admin can use the Audit logs to review them. CLICK STEP Under Manage, click Results.
  176. POINT OUT: Point to, but do not click, User, Outcome, and Reviewed By columns. CLICK STEP Under Activity, click Audit logs.
  177. POINT OUT: Point to, but do not click, Service, Category, Activity, Status, Target(s), and Initiated By columns. Should an Admin wish to create an access review from scratch, they may do this in the Identity Governance – Access reviews blade. CLICK STEP At the top in the breadcrumbs, click Identity Governance – Access reviews.
  178. CLICK STEP Click + New access review.
  179. Admins can set the frequency, scope, and start date for the review to run. The access review can be targeted to members of a group or to an application. Reviewers can be selected individually or given to group owners. Results of the access review can be auto-applied with or without reviewer response. Once an access review is started it can take some time to complete, so reminders can be sent to reviewers once the review is started and to admins when a review completes. CLICK STEP Click the Review name box to trigger typing animation.
  180. [Presentation will auto type Salesforce Access Review Admin.] CLICK STEP Click Members of a group.
  181. CLICK STEP Click Assigned to an application.
  182. CLICK STEP Click the far-right scroll bar to trigger scroll animation.
  183. CLICK STEP Click Everyone.
  184. CLICK STEP Click Select an application.
  185. CLICK STEP Click Search by name or email address to trigger typing animation.
  186. [Presentation will auto type S.] CLICK STEP Click Salesforce.
  187. CLICK STEP Click Select.
  188. CLICK STEP Click 0 users selected.
  189. CLICK STEP Click Search by name or email address to trigger typing animation.
  190. [Presentation will auto type MOD.] CLICK STEP Click MOD Administrator.
  191. CLICK STEP Click Select.
  192. CLICK STEP Click Start.
  193. CLICK STEP Click to advance the slide and end the presentation.
  194. <End of presentation.>
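
The access review behaviour described in slides 171, 173, 175 and 179 (inactivity-based recommendations, reviewer overrides that need a reason, and auto-apply when reviewers do not respond), modelled as an added example that is not part of the original deck and not Microsoft's code. The 30-day inactivity threshold, the setting names, the sign-in dates and the guest account are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_DAYS = 30  # assumed threshold; the slides only say "not signed in recently"


@dataclass
class ReviewEntry:
    user: str
    last_sign_in: Optional[date]    # None = never signed in
    decision: Optional[str] = None  # reviewer's "Approve"/"Deny"; None = no response
    reason: str = ""
    reviewer: str = ""


def recommend(entry: ReviewEntry, today: date) -> str:
    """Recommend Deny for users with no recent sign-in, Approve otherwise."""
    if entry.last_sign_in is None:
        return "Deny"
    idle = (today - entry.last_sign_in).days
    return "Deny" if idle > INACTIVITY_DAYS else "Approve"


def close_review(entries, today, if_no_response="take_recommendation"):
    """Build one result row per user: outcome, recommendation, reason, reviewer.

    if_no_response (hypothetical names): take_recommendation | no_change | remove_access
    """
    fixed = {"no_change": "Not reviewed", "remove_access": "Deny"}
    rows = []
    for e in entries:
        rec = recommend(e, today)
        if e.decision is not None:
            # A reviewer may override the recommendation, but must justify it.
            if not e.reason.strip():
                raise ValueError(f"{e.user}: a reviewer decision needs a reason")
            outcome, reason, reviewer = e.decision, e.reason, e.reviewer
        else:
            outcome = rec if if_no_response == "take_recommendation" else fixed[if_no_response]
            reason, reviewer = f"no response ({if_no_response})", "(auto-applied)"
        rows.append({"user": e.user, "outcome": outcome, "recommended": rec,
                     "reason": reason, "reviewer": reviewer})
    return rows


def removed(rows):
    """Users who lose access once the results are applied."""
    return [r["user"] for r in rows if r["outcome"] == "Deny"]


# Constructed sample review of the Salesforce assignment (dates are invented).
TODAY = date(2019, 6, 1)
SAMPLE = [
    ReviewEntry("Lynne Robbins", date(2019, 3, 1), "Approve",
                "On leave, returns in June", "MOD Administrator"),
    ReviewEntry("Isaiah Langer", date(2019, 5, 28)),
    ReviewEntry("guest@adatum.com", None),
]

if __name__ == "__main__":
    for row in close_review(SAMPLE, TODAY):
        print(row)
```

With `no_change`, nobody is removed when reviewers stay silent, so stale guest access survives the review; the audit trail still shows each overridden recommendation next to the reviewer's reason.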