3. Who? Me?
• Senior Architect at Insight
• Host of The Cloud Architects Podcast
• Based in Dallas, TX
• Office Apps and Services MVP
• Microsoft Certified Master – Exchange
• Blog: cgoosen.com
• Twitter: @chrisgoosen
• Podcast: thearchitects.cloud
4. In this session
• Azure AD Identity 101
• Why do I need more?
• What is “The Golden Config”?
• 5 steps to securing your identities
• Deployment best practices
6. Azure AD Identity 101
• All except cloud-only can provide “SSO”
• Cloud-only doesn’t scale well
• Federation/PTA relies on on-prem infra
• What about 3rd party IdPs? (Okta, etc?)
• Apply the KISS principle when designing
• Consider PHS unless you have specific requirements
• PHS is not less secure – HMAC-SHA256
7. Why do I need more?
• Over 6.5 trillion security signals per day
• Phishing attacks are on the increase
• Leaked/Stolen credentials
• Breaches are becoming very common
• 328 Breaches reported in 2019 (US)
• Passwords are the weakest form of auth
• haveibeenpwned.com = 8.5 billion accounts
8. What is “The Golden Config”?
• A prescribed set of policies and guidance to protect access to services integrated with Azure AD
• Recommendations have been provided for three different tiers of security and protection that can be applied based on the granularity of your needs
• Baseline Protection, Sensitive Protection, Highly Regulated Protection (figure: tiers shown as applying to most customers, some customers and few customers, respectively)
9. What is “The Golden Config”?
• Available at aka.ms/m365goldenconfig
• Includes data protection recommendations
• Will probably require additional licenses
• Protection Mechanisms:
  • Enforce MFA
  • Enforce password change
  • Enforce Intune application protection
  • Enforce Intune enrollment (COD)
11. 5 steps to securing your identities
1 - Strengthen your credentials
• Strong passwords != strong credentials
• Ban commonly used passwords and turn off traditional complexity and expiration rules
• Protect against leaked credentials
2 - Reduce your attack surface area
• Block legacy authentication methods
• Block invalid authentication entry points
• Block end-user consent
• Implement Azure AD Privileged Identity Management
3 - Automate threat response
• Implement user risk security policy using Azure AD Identity Protection
• Implement sign-in risk policy using Azure AD Identity Protection
4 - Increase your awareness
• Monitor Azure AD – health, audit logs etc.
• Monitor Azure AD Identity Protection events
• Audit apps and consented permissions
5 - Enable complete end-user security with self-help
• Enable Single Sign-On (SSO)
• Implement self-service password reset
• Implement Azure AD access reviews
12. Deployment best practices
• Treat identity as the primary security perimeter
• Object health is important - GIGO
• Carefully plan your sync scope
• MFA, MFA, MFA – No… really!
• Plan your network ranges carefully
• Lower exposure of privileged accounts
• Always have at least one “break glass” account
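As an added illustration of step 2 above (“Block legacy authentication methods”) together with the “break glass” rule on this slide, here is a Conditional Access policy created with the Microsoft Graph PowerShell SDK. This is example code written for this page, not the presenter’s or Microsoft’s own, and it assumes you replace the placeholder group id with the object id of your own break-glass group.

```powershell
# Added example: block legacy (basic) authentication with Conditional Access.
# The policy starts in report-only mode so the sign-in logs show what WOULD be
# blocked before anything is enforced. Requires the Microsoft.Graph SDK
# (Install-Module Microsoft.Graph) and a Conditional Access administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object id of the group holding the break-glass
# accounts. These accounts are excluded so a misconfigured policy cannot
# lock every administrator out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Report-only first; switch to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "exchangeActiveSync" and "other" are the client app types that carry
        # legacy protocols (EAS, IMAP, POP, SMTP AUTH, MAPI, etc.), which
        # cannot perform MFA and are the usual path for password spray.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Once the report-only results show no legitimate legacy sign-ins remain,
# enforce the policy (uncomment):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Review the report-only results in the Azure AD sign-in logs for a couple of weeks before enabling the policy, and keep the break-glass exclusion in place permanently.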