Microsoft Identity and Access Administrator Exam Guide

Product type: Book
Published in: Mar 2022
Publisher: Packt
ISBN-13: 9781801818049
Pages: 452
Edition: 1st
Author: Dwayne Natwick
Table of Contents (24 chapters)

Preface

Section 1 – Exam Overview and the Evolution of Identity and Access Management
  • Chapter 1: Preparing for Your Microsoft Exam
  • Chapter 2: Defining Identity and Access Management

Section 2 – Implementing an Identity Management Solution
  • Chapter 3: Implementing and Configuring Azure Active Directory
  • Chapter 4: Creating, Configuring, and Managing Identities
  • Chapter 5: Implementing and Managing External Identities and Guests
  • Chapter 6: Implementing and Managing Hybrid Identities

Section 3 – Implementing an Authentication and Access Management Solution
  • Chapter 7: Planning and Implementing Azure Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)
  • Chapter 8: Planning and Managing Password-Less Authentication Methods
  • Chapter 9: Planning, Implementing, and Administering Conditional Access and Azure Identity Protection

Section 4 – Implementing Access Management for Applications
  • Chapter 10: Planning and Implementing Enterprise Apps for Single Sign-On (SSO)
  • Chapter 11: Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps

Section 5 – Planning and Implementing an Identity Governance Strategy
  • Chapter 12: Planning and Implementing Entitlement Management
  • Chapter 13: Planning and Implementing Privileged Access and Access Reviews

Section 6 – Monitoring and Maintaining Azure Active Directory
  • Chapter 14: Analyzing and Investigating Sign-in Logs and Elevated Risk Users
  • Chapter 15: Enabling and Integrating Azure AD Logs with SIEM Solutions
  • Chapter 16: Mock Test

Other Books You May Enjoy

Chapter 9: Planning, Implementing, and Administering Conditional Access and Azure Identity Protection

The previous chapter covered how to take modern authentication a step further by discussing how we can utilize passwordless authentication methods. This chapter will cover Conditional Access policies. This will include planning for and testing these policies to verify that they are working correctly and providing the proper controls. In addition, we will discuss Azure Active Directory (AD) Identity Protection and using sign-in and user risk conditions with policies.

In this chapter, we're going to cover the following main topics:

  • Planning and implementing Conditional Access policies and controls
  • Configuring Smart Lockout thresholds
  • Implementing and managing a user risk policy
  • Monitoring, investigating, and remediating elevated risky users

Technical requirements

In this chapter, we will continue to explore configuring a tenant for use of Microsoft 365 and Azure. There will be exercises that will require access to Azure AD. If you have not yet created trial licenses for Microsoft 365, please follow the directions provided within Chapter 1, Preparing for Your Microsoft Exam.

Planning and implementing Conditional Access policies and controls

Up to this point, the focus has been on planning, configuring, and implementing identities within Azure AD and hybrid identity infrastructures. We have discussed how multi-factor authentication (MFA) reduces our reliance on passwords as the sole source of authentication. In this chapter, we discuss advanced capabilities to protect our identities and resources. The first of these is Conditional Access. A Conditional Access policy evaluates the signals present in a sign-in (who the user is and which groups or roles they hold, the application being accessed, the location, the device platform and its compliance state, and the real-time sign-in and user risk) and, when the policy's conditions match, enforces a control such as requiring MFA, requiring a compliant device, or blocking access outright. The foundation of Conditional Access policies is the zero-trust methodology, so before we discuss planning and implementing Conditional Access, let's discuss the main points of zero trust.
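As an added example (this is not code from the book), the following Microsoft Graph PowerShell creates the kind of baseline policy the planning above leads to: require MFA for all users on all cloud apps, deployed in report-only mode so that it can be checked with What If and the report-only results in the sign-in logs before it is enforced. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to the listed scopes; the break-glass account UPN and the policy name are placeholders, and every "All users" policy must exclude at least one such emergency account.

```powershell
# Added example, not from the book: baseline "require MFA for all users"
# Conditional Access policy, created in report-only mode.
# ASSUMPTIONS: Microsoft.Graph SDK installed; the UPN below is a placeholder
# for your tenant's emergency-access (break-glass) account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # placeholder
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account not found; refusing to create an All-users policy without an exclusion" }

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"   # placeholder name
    # Report-only: the policy is evaluated and logged but never enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)      # never lock out the emergency account
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the exclusion really landed before moving on.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers'; e = { $_.Conditions.Users.ExcludeUsers } },
        @{ n = 'Controls';      e = { $_.GrantControls.BuiltInControls } }

# Once the report-only results look right, enforce it:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keep the policy in report-only until the sign-in logs show the expected outcomes for real users, and test the exclusion with What If against the break-glass account before flipping the state to enabled.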

Zero-trust methodology

As we have moved as companies to using cloud providers such as Microsoft, the responsibility for securing the...

Configuring Smart Lockout thresholds

In the previous sections, we went through the process of creating Conditional Access policies to protect against unauthorized users accessing applications and data while enforcing the zero-trust model for IAM. This section discusses how you can configure Smart Lockout to assist in preventing identity attacks.

Smart Lockout is a part of Azure AD Password Protection. The following screenshot shows how you can search and access this feature:

Figure 9.48 – Searching for Smart Lockout

Smart Lockout protects users in a company from having their identity compromised through a brute-force or dictionary attack. These attacks start from a known username, which is generally an email address, and automate sign-in attempts with commonly used passwords, often many times per minute, until one succeeds. Smart Lockout is a way to configure the threshold of...
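The lockout threshold and duration set the attacker's guess budget, so they deserve the same review as the policies themselves. As an added example (not code from the book), the following Microsoft Graph PowerShell reads the tenant's Smart Lockout values from the "Password Rule Settings" directory setting that the Password protection blade writes, warns if they have been loosened relative to the Azure public cloud defaults (threshold 10, duration 60 seconds), and then lists the accounts that Smart Lockout actually locked in the last 24 hours (sign-in error code 50053). It assumes the Microsoft.Graph SDK is installed and that Get-MgGroupSetting (the v1.0 /groupSettings endpoint) exposes the tenant-level directory settings; if no Password Rule Settings object exists yet, the tenant is running the defaults.

```powershell
# Added example, not from the book: audit Smart Lockout settings and list
# recently locked accounts. ASSUMPTIONS: Microsoft.Graph SDK installed;
# tenant-level directory settings are readable via Get-MgGroupSetting.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All"

$defaultThreshold = 10   # Azure public cloud default
$defaultDuration  = 60   # seconds

$setting = Get-MgGroupSetting -All | Where-Object DisplayName -eq "Password Rule Settings"
if ($null -eq $setting) {
    "No Password Rule Settings object found: tenant is on defaults (LockoutThreshold=$defaultThreshold, LockoutDurationInSeconds=$defaultDuration)"
} else {
    # Values are name/value pairs; pull them into a hashtable for lookup.
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }
    [int]$threshold = $values["LockoutThreshold"]
    [int]$duration  = $values["LockoutDurationInSeconds"]
    "LockoutThreshold=$threshold LockoutDurationInSeconds=$duration"

    # A larger threshold or shorter duration hands an attacker more guesses per window.
    if ($threshold -gt $defaultThreshold) { Write-Warning "LockoutThreshold raised above the default of $defaultThreshold" }
    if ($duration  -lt $defaultDuration)  { Write-Warning "LockoutDurationInSeconds lowered below the default of $defaultDuration" }
}

# Which accounts has Smart Lockout actually locked in the last 24 hours?
# AADSTS50053 is the "account locked / too many failed attempts" sign-in error.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode eq 50053" -All |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User'; e = { $_.Name } }
```

Many distinct users each locked a few times in the same window is the signature of a password spray rather than a single user mistyping, and is worth correlating with the source IP addresses in the same sign-in records. Smart Lockout applies in Azure AD only; on-premises Active Directory has its own lockout policy, which is why the threshold here should stay below the on-premises one for hybrid accounts.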

Implementing and managing a user risk policy

In order to implement and manage a user risk policy, your company requires an Azure Active Directory Premium P2 license. This license provides the advanced identity security feature of Azure AD Identity Protection.

Azure AD Identity Protection

Azure AD Identity Protection provides additional capabilities within Azure AD to monitor user activity and recognize, through Microsoft's machine learning (ML) capabilities, anomalous and suspicious activity on user accounts. The following screenshot shows how to search for and access Azure AD Identity Protection within the Azure portal:

Figure 9.50 – Searching for Azure AD Identity Protection

Azure AD Identity Protection provides feedback in two areas: user risk and sign-in risk. Both are related to user behavior, but it is important to understand the differences between them, which are outlined as follows:

  • User risk is concerned with activities...

Monitoring, investigating, and remediating elevated risky users

If you are utilizing resources that are touching the internet, then someone is scanning them and attempting to gain access to them. There is an abundance of bad actors that have automated tools to scan usernames and attempt to authenticate with common passwords. Azure AD Identity Protection utilizes the Microsoft Threat Intelligence database and ML tools to look for these threats, identify the users affected, and identify the type of threat that exists. This information feeds into the Identity Protection overview dashboard shown in the following screenshot:

Figure 9.52 – Identity Protection overview

The Report section of the Identity Protection menu provides additional information on users who are at risk and what their risk level is, and allows you to drill down and investigate potential attacks that may have taken place on those user accounts. The following screenshot shows how you can...
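The user risk policy described in the previous section and the investigation workflow described here fit together, so one added example (not code from the book) covers both: Microsoft Graph PowerShell creates a user risk Conditional Access policy that forces a secure password change at high risk, then lists the users currently at high risk and the detections behind each one, and shows the two remediation actions an analyst would take after investigating. It assumes an Azure AD Premium P2 licence, the Microsoft.Graph SDK, and consent to the listed scopes; the break-glass UPN and the policy name are placeholders, and "high" is the threshold chosen for this example.

```powershell
# Added example, not from the book: user risk Conditional Access policy plus a
# first pass at investigating the users it would affect. Requires Azure AD P2.
# ASSUMPTIONS: Microsoft.Graph SDK installed; the UPN and policy name are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All",
                        "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All"

$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"   # placeholder
if (-not $breakGlass) { throw "Break-glass account not found" }

# High user risk means the credential is probably known to someone else, so the
# remediation is a password change; Azure AD requires MFA to be paired with it
# (operator AND) so the attacker cannot be the one changing the password.
$userRiskPolicy = @{
    displayName = "CA010 - High user risk: require secure password change"   # placeholder
    state       = "enabledForReportingButNotEnforced"                         # test first
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy |
    Select-Object Id, DisplayName, State

# Who would this policy catch right now? Users currently at high risk and not yet remediated.
$highRisk = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All
$highRisk | Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# The detections behind each user, so an analyst can judge leaked credential vs. travel noise.
foreach ($u in $highRisk) {
    Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Select-Object @{ n = 'User'; e = { $u.UserPrincipalName } },
                      DetectedDateTime, RiskEventType, RiskLevel, IpAddress,
                      @{ n = 'City'; e = { $_.Location.City } }
}

# Remediation after investigation; run these deliberately, not as part of the report:
#   Confirm-MgRiskyUserCompromised -UserIds $u.Id   # analyst confirms compromise: risk set to high
#   Invoke-MgDismissRiskyUser      -UserIds $u.Id   # analyst judged it benign: risk cleared
```

Review the report-only results for the policy before enabling it: users who reach high risk while it is enforced are blocked until they can complete MFA and change their password, so the break-glass exclusion and a working self-service password reset registration matter more here than for an ordinary MFA policy.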

Summary

In this chapter, we discussed advanced solutions to protect identity and enforce the zero-trust model with Conditional Access policies and Azure Identity Protection. We went through the process of creating Conditional Access policies and then tested scenarios of how they would be applied with the What If function. We discussed how to configure Smart Lockout within Password Protection to protect against password brute-force dictionary attacks. Finally, we discussed how to license and use Identity Protection to identify and protect against user-credential leaks and risky sign-ins. In the next chapter, we will discuss the implementation of single sign-on (SSO) for enterprise applications in our hybrid infrastructure.
