You're reading from  Microsoft Identity and Access Administrator Exam Guide

Product type: Book
Published in: Mar 2022
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781801818049
Edition: 1st Edition

Author: Dwayne Natwick

Dwayne Natwick is a Cloud Training Architect Lead at Opsgility, a Microsoft CSP. He has been in IT, security design, and architecture for over 30 years. His love of teaching led him to become a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP). Dwayne has a master’s degree in Business IT from Walsh College, the CISSP from ISC2, and 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Dwayne can be found providing and sharing information on social media, industry conferences, his blog site, and his YouTube channel. Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

Chapter 7: Planning and Implementing Azure Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)

The previous chapter covered the various ways to implement hybrid identity synchronization between Azure Active Directory and Windows Active Directory, and how to implement seamless single sign-on. In this chapter, we will discuss the planning and implementation of Azure MFA and SSPR for users and groups. This will include deploying, managing, and configuring MFA for users and groups. This chapter will also cover the differences between verifying identity with MFA and SSPR.

In this chapter, we're going to cover the following main topics: 

  • Planning Azure MFA deployment (excluding MFA Server)
  • Implementing and managing Azure MFA settings
  • Configuring and deploying SSPR
  • Deploying and managing password protection
  • Planning and implementing security defaults

Technical requirements

In this chapter, we will continue to explore configuring a tenant for the use of Microsoft 365 and Azure. There will be exercises that will require access to Azure Active Directory. If you have not yet created the trial licenses for Microsoft 365, please follow the directions provided within Chapter 1, Preparing for Your Microsoft Exam.

Planning an Azure MFA deployment

As more companies move to cloud technologies and keep identities within the cloud, the ability to protect those identities becomes paramount to avoiding security breaches. Microsoft and Azure Active Directory provide many ways to protect these identities and mitigate risks. Some examples of these solutions include the following:

  • Password complexity rules protect against users choosing common terms and easy-to-guess passwords. Enforcing a minimum length and complexity requirements, such as a mix of alphanumeric and special characters, makes password dictionary attacks less effective and makes it harder for an attacker to turn dates and details harvested from social media accounts into a working password.
  • Password expiration rules prevent a password from remaining the same for an extended period of time. The longer a user keeps the same password, the more likely it is to eventually be exposed...

Implementing and managing MFA settings

When we were planning for Azure AD MFA and the authentication methods that are used, we showed the MFA service settings within the Azure AD MFA portal as the location that you use to define the allowed MFA authentication methods for the second factor. In addition to the authentication methods, MFA service settings have other configuration options to customize the use of MFA within the company. The MFA service settings become the company-wide settings for Azure AD MFA that pertain to all users that are enrolled in Azure AD MFA.

In this section, we will look at each of these settings in detail and how they can be used for the Azure AD MFA enforcement within your company:

  1. To access the MFA service settings, access Azure AD > All users > Per-user MFA, as shown in Figure 7.19:

Figure 7.19 – Access per-user MFA

  2. This will take you to the Azure AD MFA portal site. From this site, select service...

Configuring and deploying SSPR

SSPR is helpful to both the user and to administrators. SSPR saves time because passwords can be reset without a phone call to a support team. There is the convenience of a user being able to change their password when they forget it. It also helps from a security perspective if a user believes that their password has been compromised.

With this convenience, there is also a level of risk. With SSPR enabled, someone who has obtained a user's credentials could potentially change that user's password and lock them out of their account. Therefore, it is important that the configuration and deployment of SSPR protects against this taking place. This section is going to go through the steps and best practices for configuring SSPR.

To access the configuration for SSPR, navigate to Azure AD > Users. Within the Users tile, select Password reset, as shown in Figure 7.25:

Figure 7.25 – Password reset

The next steps will...

Deploying and managing password protection

Azure AD Password Protection is used to configure certain parameters to avoid brute force or dictionary attacks on user identities. In these attacks, an attacker sends multiple sign-in requests with a username and many candidate passwords, attempting to find the password in use and gain access. Setting a threshold for how many attempts can be made before lockout, together with the lockout duration, stops these attacks. In addition, administrators can define passwords that are not allowed to be used within the Azure AD tenant. Microsoft also maintains its own list of passwords that it may block when a user attempts to set one of them, to protect against dictionary attacks.

Once Azure AD Password Protection is configured, it can be set to enforce across the company or simply to audit initially to gauge its effectiveness. Figure 7.28 shows the Azure AD Password Protection tile and the fields that can be configured. This can be accessed in the...

Planning and implementing security defaults

Microsoft provides security defaults within Azure Active Directory to assist companies that are new to Azure AD and Microsoft's cloud in protecting identities. In new tenants, security defaults are already turned on and in place, so there isn't any planning and implementation required. However, there are situations where security defaults will need to be turned off as more advanced identity protection solutions are enabled, such as Conditional Access policies. To access security defaults, navigate to Azure AD, scroll down under Manage in the left menu to Properties, and then scroll down in the Properties tile to Manage Security defaults, as shown in Figure 7.29:

Figure 7.29 – Manage security defaults

Security defaults provide basic identity security settings to the entire tenant and are very helpful in protecting a company. These settings include the following:

  • Requiring all users to register...

Summary

In this chapter, we described how we can protect the identities of our users using Azure AD MFA, how to configure Azure AD MFA, and the settings that provide flexibility in how Azure AD MFA is utilized. We discussed the implementation of SSPR for user and administrator flexibility. We also discussed password protection and security defaults as additional protection for identities within the Azure AD tenant.

In the next chapter, we will take identity protection and authentication a step further through the use of passwordless authentication.
