Azure Active Directory helps secure and govern authentication with features like conditional access and privileged identity management. It allows organizations to mitigate admin risk, govern identities, and set terms of use policies for authentication and access across cloud and on-premises environments.
In the modern workplace, the end user’s needs can easily be at odds with the requirements an IT department faces. Deana runs a lean team in IT and is tasked with modernizing Contoso’s identity and access management solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support their latest product, but Deana is also dealing with an explosion in the number of apps employees use every day to do their jobs.
For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even outside the company is important. He must work seamlessly across a wide array of apps, both external and internal. The question is whether he can do all of this securely and easily, and still be empowered to make good decisions for Contoso on his own.
CLICK STEP
Click to advance the slide.
While most of Contoso’s applications are enabled for one-click access, other applications, like BrowserStack, require very high security. IT needs to know that no one but Isaiah is accessing this application. So when Isaiah uses this application, he is prompted to confirm his identity by authenticating with his phone.
CLICK STEP
Click the BrowserStack app.
The Microsoft Authenticator app on his mobile device was previously configured to provide passwordless authentication for his work account.
CLICK STEP
Click Code to trigger typing animation.
[Presentation will auto type 123456.]
This is a very secure method of authentication because:
He’s authenticating with something he has (his personal mobile device) and something he is (his biometrics).
Isaiah doesn’t have to use a password anywhere in this entire process.
CLICK STEP
Click Verify.
CLICK STEP
Click Yes.
CLICK STEP
Click to advance the slide.
Conditional Access provides the control and protection that Contoso needs to keep corporate data secure, while giving people an experience that allows them to do their best work from any device. With Conditional Access, Deana can define policies that provide contextual controls at the user, location, device, and app levels. She can allow or block access, or challenge users with multi-factor authentication, device enrollment, or a password change. Plus, machine learning-based identity protection, which leverages billions of signals daily, detects suspicious behavior and applies risk-based conditional access that protects Contoso’s applications and critical company data in real time.
With Conditional Access by Microsoft, Contoso gets the control needed to ensure that corporate data is secure, while allowing people to roam freely between apps and devices, accessing their data in the cloud and on‑premises.
CLICK STEP
Click to advance the slide.
Deana is going to configure Contoso’s environment to require multifactor authentication (MFA) for admins. Requiring MFA for admins protects the following administrator roles:
Global administrator
SharePoint administrator
Exchange administrator
Conditional access administrator
Security administrator
Helpdesk administrator/Password administrator
Billing administrator
User administrator
CLICK STEP
In the Contoso – Overview pane, click the scroll bar next to Manage to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Under Security, click Identity Secure Score.
POINT OUT:
Point to, but do not click, Your Identity Secure Score, Current Score/Maximum Score, and Improvement Actions.
CLICK STEP
Under Improvement Actions, click Require MFA for Azure AD p….
POINT OUT:
Point to, but do not click, SCORE IMPACT, MAX SCORE, and DESCRIPTION.
CLICK STEP
In the Improvement action pane, click the scroll bar to begin scroll animation.
[Presentation will auto scroll.]
POINT OUT:
Point to, but do not click, WHAT AM I ABOUT TO CHANGE? and HOW WILL IT AFFECT MY USERS?
CLICK STEP
Click Get Started.
CLICK STEP
On the Conditional Access – Policies blade, click Baseline policy: Require MFA for admins (Preview).
POINT OUT:
Point to, but do not click, the bulleted list of directory roles.
CLICK STEP
On the Baseline policy: Require MFA for admins blade, click Use policy immediately.
CLICK STEP
Click Save.
Deana’s CTO is adamant about higher security on SharePoint due to the sensitive nature of the documents stored there. No one should be able to access the SharePoint site from an unmanaged device. Deana will ensure that these security requirements are set for SharePoint and publish the appropriate policy.
CLICK STEP
Click the SharePoint admin center browser tab.
Deana first enables the Access Control Policy for Unmanaged Devices in the SharePoint admin center. This will auto-generate the Conditional Access Policy in Azure Active Directory (Azure AD) for fine tuning and further control.
CLICK STEP
Click Unmanaged devices.
CLICK STEP
In the Unmanaged devices pane, click Block access.
CLICK STEP
Click Save.
CLICK STEP
Click the Conditional Access – Policies browser tab.
In Azure Active Directory, Deana adds mobile apps and desktop clients to the devices that must be managed in order to access SharePoint.
CLICK STEP
Click [SharePoint admin center]Use app-enforced Restrictions for browser access.
CLICK STEP
Under Assignments, click Conditions.
CLICK STEP
Click Client apps (preview).
CLICK STEP
Click Mobile apps and desktop clients.
CLICK STEP
Click Other clients.
CLICK STEP
In the Client apps (preview) pane, click Done.
CLICK STEP
In the Conditions pane click Done.
CLICK STEP
In the [SharePoint admin center]… pane click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Under Access controls, click Session.
POINT OUT:
Point to, but do not click, Use app enforced restrictions.
CLICK STEP
Click Select.
CLICK STEP
Click Save.
Once this policy is enabled, users will no longer be able to access SharePoint from browsers that are not managed by Azure Active Directory.
Now, let’s see the policy in action from an end user perspective.
CLICK STEP
Click to advance the slide.
CLICK STEP
Click SharePoint.
POINT OUT:
Point to, but do not click, the Access Denied message.
CLICK STEP
Click to advance the slide.
Legacy authentication protocols (e.g., IMAP, SMTP, POP3) are normally used by mail clients to authenticate. Legacy protocols do NOT support MFA.
Even if you have an MFA policy for your tenant, a bad actor can authenticate using one of these legacy protocols and bypass MFA.
CLICK STEP
In the left-hand navigation, click Azure Active Directory.
CLICK STEP
In the Contoso – Overview pane, click the scroll bar next to Manage to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Under Security, click Conditional Access.
Today, the majority of sign-in attempts that lead to compromise come from legacy authentication. What better way to get protected than blocking these sign-in attempts altogether!
To make it easier for you to block all sign-in requests made by legacy protocols, we recommend enabling the baseline policy that does just that.
In fact, Security Basics, a new feature of Azure AD, will be applying these Baseline policies to all new tenants by default.
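The baseline policy described above, recreated as a custom Conditional Access policy with the Microsoft Graph PowerShell SDK. This is an added example, not part of the demo script; it assumes the Microsoft.Graph module is installed, and the break-glass account ID is a placeholder you replace with your own emergency access account.

```powershell
# Added example: block legacy authentication via Microsoft Graph PowerShell.
# Requires an account that can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block legacy authentication"
    # Start in report-only mode: sign-ins are evaluated and logged, but not
    # blocked, so remaining IMAP/POP3/SMTP clients can be found before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: always exclude the emergency access (break-glass) account
            # so a misconfigured policy cannot lock administrators out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        # exchangeActiveSync and "other" are the client app types used by legacy
        # protocols (IMAP, POP3, SMTP and similar) that cannot perform MFA.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results in the sign-in logs, enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```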
CLICK STEP
Under POLICY NAME, click Baseline policy: Block legacy authentication (Preview).
POINT OUT:
Point to, but do not click, the bulleted list of apps the policy applies to.
CLICK STEP
In the Baseline policy: Block lega… pane, click the X.
POINT OUT:
Point to, but do not click, Baseline policy: Require MFA for admins (Preview), Baseline policy: End user protection (Preview), and Baseline policy: Require MFA for Service Management (Preview).
CLICK STEP
In the left-hand navigation, click Azure Active Directory.
A great way to keep users secure while empowering employee productivity is by setting up automated remediation policies for any risky users.
CLICK STEP
In the Contoso – Overview pane, click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
First, you’ll want to understand your security posture. Reviewing your Identity Secure Score is a great way to see how many of your users represent low, medium, or high risk. Based on the user risk, you can automatically set risk remediation policies—like requiring a password change when the user risk is medium or higher.
CLICK STEP
Under Security, click Identity Secure Score.
CLICK STEP
Under Security, click Overview (Preview).
CLICK STEP
Halfway down the Overview (Preview) pane, click Configure user risk policy.
With so many users being flagged as risky, a policy requiring them to change their password on next logon is a good idea. That way, Deana can be sure any identities that were leaked are now protected by new passwords.
CLICK STEP
Click All users.
CLICK STEP
Click Select individuals and groups.
CLICK STEP
Click Select users.
CLICK STEP
Click Search by name or email address to trigger typing animation.
[Presentation will auto type sg-s.]
CLICK STEP
Click sg-Sales and Marketing.
CLICK STEP
Click Select.
CLICK STEP
Click Done.
CLICK STEP
Under Assignments, click Conditions.
CLICK STEP
Click Select a risk level.
CLICK STEP
Click Medium and above.
CLICK STEP
Click Select.
CLICK STEP
Click Done.
CLICK STEP
Under Controls, click Select a control.
POINT OUT:
Point to, but do not click, Allow access and Require password change.
CLICK STEP
Click Select.
CLICK STEP
Click Save.
CLICK STEP
Click to advance the slide.
CLICK STEP
Click to advance the slide.
With Azure AD Privileged Identity Management, Contoso can manage, control, and monitor access within the organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.
CLICK STEP
At the top, click Search resources, services, and docs to trigger typing animation.
[Presentation will auto type Azure AD Pri.]
CLICK STEP
Click Azure AD Privileged Identity Management.
The Azure AD Privileged Identity Management console in the Azure Portal gives Deana important information such as:
Alerts that point out opportunities to improve security
The number of users who are assigned to each privileged role
The number of eligible and permanent admins
Ongoing access reviews
CLICK STEP
Under Manage, click Azure AD roles.
CLICK STEP
Under Manage, click Roles.
POINT OUT:
Point to, but do not click, the ROLE and DESCRIPTION columns.
CLICK STEP
On the far right click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Click Global Administrator.
Contoso has several permanent Global Admins. They have full access and control over the directory and the Office 365 tenant all the time. This means that Contoso is continually open to malicious attacks.
CLICK STEP
In the Global Administrator - Members blade, on the entry for Isaiah Langer, click the ellipsis (…).
With Privileged Identity Management, Contoso can decide who should have permanent access and who should just have temporary access when required. Isaiah does not need permanent admin access, so the admin sets him to eligible.
CLICK STEP
Click Make eligible.
Eligible admins are users that need privileged access now and then, but not every day. The role is inactive until Isaiah needs access. When he needs access, he completes an activation process and becomes an active admin for a predetermined amount of time.
CLICK STEP
Click X to close the Global Administrator - Members blade.
CLICK STEP
Under Manage, click Settings.
CLICK STEP
Click Roles.
CLICK STEP
On the Roles pane, click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Click Global Administrator.
The admin can also configure the details of the admin’s access, including how long it lasts and whether any notification or additional authentication is needed. Note that for certain highly privileged roles, MFA is always required.
CLICK STEP
Click the bar under Maximum activation duration (hours).
CLICK STEP
Under Notifications, click Enable.
CLICK STEP
At the top of the Global Administrator pane, click Save.
CLICK STEP
Click to advance the slide.
When Isaiah needs higher privileges for a specific task, he can go into Privileged Identity Management in the Azure portal and request activation for the access role. Any type of admin can use Azure AD Privileged Identity Management to activate.
CLICK STEP
Click the email from Microsoft Azure with the title PIM: You can now active…
CLICK STEP
Click Activate role.
CLICK STEP
Click Maybe later.
CLICK STEP
Click We have deprecated this blade.
CLICK STEP
Under Tasks, click My roles.
CLICK STEP
On the line for Global Administrator, click Activate.
CLICK STEP
At the top of the Global Administrator pane, click Activate.
CLICK STEP
In the Activation reason (max 500 characters), click to trigger typing animation.
[Presentation will auto type Demo.]
Isaiah can now activate the request. Role activation is customizable. In the PIM settings, Isaiah can determine the length of the activation and provide a business justification.
CLICK STEP
At the bottom, click Activate.
Isaiah is auto-approved for the requested access with an expiration time for that permission.
CLICK STEP
In the Activation status pane, click Sign out.
Using Azure AD Privileged Identity Management, the admin can track changes in privileged role assignments and role activation history.
CLICK STEP
On the Roles pane, click the X.
CLICK STEP
On the Azure AD roles – Settings pane, click the scroll bar to trigger scroll animation.
CLICK STEP
Under Activity, click Directory roles audit history.
The admin can see that Isaiah just requested access as a Global Administrator. This information can be critical for auditing and forensic investigations.
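The three PIM steps shown above in the portal (making Isaiah eligible, Isaiah activating the role, and the admin reviewing the activation history), done with the Microsoft Graph PowerShell SDK. This is an added example, not part of the demo script; it assumes the Microsoft.Graph module is installed, and the object ID of Isaiah Langer is a placeholder.

```powershell
# Added example: PIM eligibility, activation and review via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

$isaiahId = "<object-id-of-Isaiah-Langer>"   # placeholder, replace with the real ID
# Well-known template ID of the Global Administrator directory role.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# 1. Admin side: grant an eligible (not active) assignment. Eligibility itself is
#    time-bound, here one year, so standing privilege is never open-ended.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Isaiah needs Global Administrator only occasionally"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"                      # whole tenant
    principalId      = $isaiahId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2. Isaiah's side (run while signed in as the eligible user): activate the role for a
#    bounded time with a justification, as in the Activation reason pane. The role
#    settings cap the duration and may demand MFA before this succeeds.
$activation = @{
    action           = "selfActivate"
    justification    = "Demo"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $isaiahId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# 3. Audit: list assignment and activation requests for the role, the scripted
#    counterpart of the Directory roles audit history blade.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
    -Filter "roleDefinitionId eq '$globalAdminRoleId'" |
    Select-Object PrincipalId, Action, Status, CreatedDateTime, Justification
```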
CLICK STEP
Click to advance the slide.
This demo shows how a Global Administrator can require users to accept the Terms of Use.
CLICK STEP
Click to advance the slide.
Azure AD Terms of Use provides a simple method that organizations can use to present information to end users. This presentation ensures users see relevant disclaimers for legal or compliance requirements.
CLICK STEP
In the Contoso – Overview pane, next to Manage, click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Under Security, click Conditional Access.
CLICK STEP
Under Manage, click Terms of use.
CLICK STEP
Click + New terms.
Azure AD Terms of Use uses the PDF format to present content. The PDF file can be any content, such as an existing contract document, allowing you to collect end-user agreements during user sign-in.
CLICK STEP
Next to Terms of use document, click the folder icon.
CLICK STEP
Click ToUPDF.pdf.
CLICK STEP
Click Open.
CLICK STEP
In the Example: ‘All users terms of use’ box, click to trigger typing animation.
[Presentation will auto type Contoso Terms of Use Policy.]
CLICK STEP
In the Example: ‘Contoso Terms of Use’ box, click to trigger typing animation.
[Presentation will auto type Contoso Terms of Use.]
CLICK STEP
Click Select default language.
CLICK STEP
In the drop-down list, click the scroll bar to trigger scroll animation.
CLICK STEP
Click English.
CLICK STEP
Next to Require users to expand the terms of use, click On.
CLICK STEP
In the New terms of use pane, click the scroll bar to trigger scroll animation.
CLICK STEP
Click Policy templates.
When the option Create conditional access policy later is selected, the terms of use will appear in the grant control list when creating a conditional access policy.
CLICK STEP
Click Create conditional access policy later.
CLICK STEP
Click Create.
CLICK STEP
In the Conditional Access – Terms of use pane, click Policies.
[Presentation will auto type External User Saas Apps Terms of Use Policy.]
CLICK STEP
Under Assignments, click Users and groups.
CLICK STEP
Click Select users and groups.
CLICK STEP
Click Users and groups.
CLICK STEP
Click Select.
CLICK STEP
Click Search by name or email address to trigger typing animation.
[Presentation will auto type sg-s.]
CLICK STEP
Click sg-Sales and Marketing.
CLICK STEP
Click Select.
CLICK STEP
Click Done.
CLICK STEP
Under Assignments, click Cloud apps or actions.
CLICK STEP
Click Select apps.
CLICK STEP
Click Select.
CLICK STEP
In the Select pane, click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Click Salesforce.
CLICK STEP
Click Select.
CLICK STEP
Click Done.
CLICK STEP
Under Access controls, click Grant.
CLICK STEP
Click Contoso Terms of Use Policy.
CLICK STEP
Click Select.
CLICK STEP
In the New pane, click the scroll bar to trigger scroll animation.
CLICK STEP
Under Enable policy, click On.
CLICK STEP
Click Create.
CLICK STEP
Click to advance the slide.
An external user’s acceptance of the Terms of Use policy is enforced through the newly enhanced Conditional Access feature. This control lets the organization require acceptance of a complete set of terms of use when managing user and group access.
CLICK STEP
Click Salesforce.
CLICK STEP
Click Accept.
POINT OUT:
Point to, but do not click, the warning message.
CLICK STEP
Click Ok.
CLICK STEP
Click Contoso Terms of Use.
CLICK STEP
Click the far-right scroll bar to trigger scroll animation.
CLICK STEP
Click Accept.
When a company policy changes or new compliance rules are to be enforced, Conditional Access for Terms of Use easily manages the changes for all users, in a systematic and targeted way.
CLICK STEP
Click to advance the slide.
The Terms of use blade shows a count of the users who have accepted and declined.
CLICK STEP
In the Contoso – Overview pane, click the scroll bar next to Manage to trigger scroll animation.
CLICK STEP
Under Security, click Conditional Access.
CLICK STEP
Under Manage, click Terms of use.
These counts and who accepted/declined are stored for the life of the Terms of use.
CLICK STEP
Under ACCEPTED, click 1.
POINT OUT:
Point to, but do not click, Isaiah Langer’s status as Accepted.
CLICK STEP
Click to advance the slide.
CLICK STEP
Click to advance the slide.
Identity is the center of security. More than ever before, employees, customers and partners share information across devices, locations, and a world of apps. Today, the power of the cloud is leveraged to ensure identities and access to information and apps are seamless and secure.
Let’s look at a specific example of how identity improves both security and productivity: identity governance.
Identity Governance allows Deana to manage, monitor, and audit the end-to-end identity and access management lifecycle.
CLICK STEP
Under Entitlement management (Preview), click Access packages.
When users request access to resources, governance policies ensure access is granted easily, securely and in line with your security and compliance requirements.
Let me show you how an admin can grant resource access to a partner company using this capability.
CLICK STEP
Click Sales and Marketing.
The admin for Adatum Corporation wants to enable a business partner inside Contoso to collaborate with their Sales and Marketing team. With the new Azure AD Identity Governance feature, he creates an entitlement.
CLICK STEP
Under Manage click Policies.
CLICK STEP
Click Initial Policy.
CLICK STEP
Click Edit.
CLICK STEP
Under Users who can request access, click For users not in your directory.
CLICK STEP
Click the far-right scroll bar to trigger scroll animation.
CLICK STEP
Click + Add directories.
CLICK STEP
Click Search by domain, example: contoso.com to trigger typing animation.
[Presentation will auto type adatum.com.]
CLICK STEP
In the Select directories pane, click the scroll bar to trigger scroll animation.
[Presentation will auto scroll.]
CLICK STEP
Click Add.
CLICK STEP
Click Select.
POINT OUT:
Point to, but do not click, Request approval, Access package expires, and Enable policy.
CLICK STEP
Click Updated.
Entitlements are the cornerstone of governance, and allow the Administrator to group users, resources and policies needed to grant access.
CLICK STEP
Under Manage, click Resource roles.
For this demo, the Adatum Administrator has already created a set of entitlements for his organization. Let’s look at the Sales and Marketing entitlement that will enable employees from Contoso, a partner organization, to collaborate with Adatum.
First, resources must be specified and associated with the entitlement. Here, 2 apps, 1 user group, and 1 SharePoint site are listed. More resources can be added here, as necessary.
CLICK STEP
At the top, click Search resources, services, and docs.
[Presentation will auto type Identity Gov.]
There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access. The Office 365 Groups feature allows more users across your organization to create their own groups and pick who they want in those groups.
CLICK STEP
Click Identity Governance.
Of course, over time, group memberships and application access assignments can get stale: people change jobs or no longer need access to a particular application. For example, maybe a guest who was given access isn’t affiliated with their original organization any longer. This staleness can cause a problem for protecting business-sensitive assets or applications subject to compliance. To avoid access getting out of hand, organizations can now schedule access reviews to make sure only the users they want to have access to their assets and applications do.
CLICK STEP
Under Access reviews, click Access reviews.
CLICK STEP
Click Salesforce Access Review.
POINT OUT:
Point to, but do not click, Owner, App, Scope, Review status, and Recurrence.
An access review asks users to recertify (or “attest”) their access rights to an app or membership in a group. You can ask users to review their own rights, or select reviewers to review everyone in a group or everyone currently assigned access to an app. You can also ask the group owners to review. And finally, for those organizations that have other processes in place to manage employee access, you can scope the review to include only guest members or guests who have access.
CLICK STEP
Click + to open a new browser tab.
There are two ways users’ access can be reviewed: by group membership or by application access.
The access review is configured to run for a time to allow the reviewers to review and respond. Reviewers will receive an email notification that an access review needs their response.
To review the results, the reviewers can click on the link in the email or access the results via https://myapps.microsoft.com.
CLICK STEP
Click Search or enter web address to trigger typing animation.
CLICK STEP
Click Access reviews.
CLICK STEP
Click Begin review.
For a user that has not signed in recently, the recommendation is access denial. This can be overridden if desired.
In one click, all the Access Review recommendations can be accepted.
When the review period ends, or if the review is manually stopped, the results can then be applied.
CLICK STEP
Click Lynne Robbins.
CLICK STEP
Click Approve.
POINT OUT:
Point to, but do not click, the Reason box, which is now required.
CLICK STEP
Click Cancel.
CLICK STEP
Click the Salesforce Access Review tab.
Admins can see the results of an access review through Azure Identity Governance at any time once the access review is created. In the Results pane they can see the list of users, the outcome, the recommended action, the reason, and the reviewer for each entry of the access review. Should changes be made to the access review settings, the Admin can use the Audit logs to review them.
CLICK STEP
Under Manage, click Results.
POINT OUT:
Point to, but do not click, User, Outcome, and Reviewed By columns.
CLICK STEP
Under Activity, click Audit logs.
POINT OUT:
Point to, but do not click, Service, Category, Activity, Status, Target(s), and Initiated By columns.
Should an Admin wish to create an access review from scratch, they may do this in the Identity Governance – Access reviews blade.
CLICK STEP
At the top in the breadcrumbs, click Identity Governance – Access reviews.
CLICK STEP
Click + New access review.
Admins can set the frequency, scope, and start date for the review to run. The access review can be targeted to members of a group or to an application. Reviewers can be selected individually, or the review can be assigned to group owners. Results of the access review can be auto-applied with or without reviewer response. Once an access review is started it can take some time to complete, so reminders can be sent to reviewers once the review is started and to admins when a review completes.
CLICK STEP
Click the Review name box to trigger typing animation.
[Presentation will auto type Salesforce Access Review Admin.]
CLICK STEP
Click Members of a group.
CLICK STEP
Click Assigned to an application.
CLICK STEP
Click the far-right scroll bar to trigger scroll animation.
CLICK STEP
Click Everyone.
CLICK STEP
Click Select an application.
CLICK STEP
Click Search by name or email address to trigger typing animation.
[Presentation will auto type S.]
CLICK STEP
Click Salesforce.
CLICK STEP
Click Select.
CLICK STEP
Click 0 users selected.
CLICK STEP
Click Search by name or email address to trigger typing animation.
[Presentation will auto type MOD.]
CLICK STEP
Click MOD Administrator.
CLICK STEP
Click Select.
CLICK STEP
Click Start.
CLICK STEP
Click to advance the slide and end the presentation.