Why migrate MFA and SSPR Microsoft has announced the depreciation of historical portals. All DSIs have until January 2024 to proceed with the migration. We will see in this post how to operate this migration step by step. The migration can be done respecting its own schedule with a deadline of January 2024. Please note that the process is fully reversible. The tenant-wide MFA & SSPR policies can continue to be used during the migration. A user group is used…
Administrative units is an Azure AD features. She contains only users, groups or devices and permit to restrict permissions in a role. One user can be members of multiple administrative units(by division and country for example.
Group writeback permit to write Azure Group on Active Directory OnPrem. For this operation, Azure AD Connect Sync is used. Limitation The following limitation must be taken into account when Group writeback is implemented.
I received my FIDO2 NeoWave key a few weeks ago. Different models are available at NeoWave.
Today, it is important to respect the policy of least privilege. We had the ability to configure the Active Directory connector for Azure AD Connect with user account. User account without admin right. However, the Azure AD connector still needed an Azure AD account with the Global Admin role.
Azure AD Password Protection it’s an interested feature. He permit to secure your authentification by deny simple password. Microsoft update frequently a list of simple password. When you enable this feature, this list is used for deny user password if it’s on this list. This verification is performed when the password is modified by user or resetted by IT Admins
With Office 365 project, it is common to have external user access (b2b collaboration). This users may need access to a resource (sharepoint, etc.). These users usually have an Office 365 account and are therefore guest users. Nevertheless, security being an extremely important point nowadays, it is important to set up security rules.
Conditional access is a very interesting feature. It provides an additional level of security. Indeed, access to applications (sharepoint, exchange, etc.) as well as to data can only take place if the user complies with certain conditions. It is common to see conditional access activated to ensure that the MFA is activated or that compliance rules are respected. We will see a new example. I want to make sure that access to Exchange Online or Sharepoint Online from an IP…
Windows 10 allows Azure Active Directory users to synchronize their security settings and application parameter data directly in the cloud. This reduces the time required for reconfiguration when using a new device.
The addition of users in privileged groups changes more or less regularly. It is therefore important to regularly check the privileged rights given to certain users. Azure PIM can be used to review these accesses. This operation can be done manually or automatically.
Azure AD Identity permit to secure your Azure Active Directory. The Identity score is a number between 1 and 223. He permit give an Indicator for how aligned you are with the Microsoft Best Pratice. This Best Practice is a recommandation for the security of your Azure AD, users, … The Identity score feature can be used by Global admin, security admin ou security readers. The secure score contains five categories :
It is strongly recommended that you use the MFA solution to secure authentication in Azure AD. However, this requires the use of a password and a second factor (phone, mobile phone, mobile application). Microsoft recommends to stop using password.
Azure PIM PIM (Privileged Identity Management) is a service used for manage and monitor access of the privilegied ressource. This ressource can be Azure AD ressource, Azure ressource or other (Office 365 or Microsoft Intune). It is important to limit the number of people with privileged access. This reduces the attack area of a malicious actor. With this feature, organizations can give users just-in-time (JIT) privileged access to Azure resources and Azure AD. PIM offer this functionnality :
Azure Active Directory Identity Protection permit to automate the detection and the remediation of identity-based risks. He permit to investigate risks using data and export risk detection data to third-party utilities.
Authentification without password The mutli-factor authentification or MFA permit to secure the access to the company’s cloud resources. With the functionnality of passwordless in Azure AD, the password is removed, the user can access to the cloud ressources without password. However, they must authenticate themselves from their phone (Microsoft Authenticator app) or Windows 10 computer (FIDO2 security keys).
The Pass-through Authentication This authentification allows you to use the same password for the on-premise and Cloud-based applications. However, it’s important to note that user authentication is done through the Active Directory on-premise and not through Azure Active Directory. It’s a good alternative to Azure AD Password Hash Synchronization. However, it makes it easier to apply a security policy to passwords.
We have had the possibility for many years to join a machine to an Active Directory domain. With cloud services (Office 365, Azure AD, …) identity management has become a very important point. Microsoft implemented in Windows 10, the functionality Azure AD Join (previously Workplace Join) allowing the junction of the machine in Azure AD Join.
Licensing is an important part of a cloud service. It allows a user to access and use the service concerned (Office 365, Azure AD, …). This action was operating through the Office 365 console, so Microsoft now enables licenses to be enabled from the new Azure console (Ibiza).
It is unfortunately common to see in a company of cloud applications (dropbox,…) used in services unless the IT team is aware. This can cause data loss and security problems. Cloud App Discovery is a feature present with the Premium of Azure AD version, it allows to perform application detection cloud used by the company.
MAM Without Enrollment Microsoft has implemented a MAM (Mobile Application Management) solution in Intune. However, this solution requires enroll the device in the MDM (Mobile Device Management). For people not wishing to add their equipment in a type MDM platform, it is possible to proceed with the creation of rules MAM without enrollment.
Azure Ad Connect is a tool provided by Microsoft that allows to extend the scope of AD accounts for cloud services. Indeed the AD user accounts can be used only in an AD domain. To allow a user to use the login and password in a cloud service (Azure, EMS, Office 365,…) it is necessary to proceed with the synchronization of accounts. Several solutions are possible, using ADFS server, the password synchronization or Azure AD pass-through). The tool can be…
Groups on Azure AD The group management has been implemented in Azure AD, this feature allows easier administration of access to resources. These may be local (resources present in the Azure Active Directory) or external (SharePoint site, SAAS application,…). Access to a resource can be done in several ways:
Azure AD Connect Health is a tool that allows the administrator to monitor infrastructure AD On Premise. Until now several tools was provides the administrator (Scom – System Center Operation Manager-, event log,…) It is now possible to conduct surveillance through Azure AD Connect Health. This can very quickly see performance alerts or sync error… You can also monitor your infrastructure ADFS (Active Directory Federation Service) 2.0 and 3.0.