AZ-500: Microsoft Azure Security Technologies
Manage Identity and Access: Deploy Azure AD Identity Protection
Deploy and configure Identity Protection
Configure MFA for users, groups, and applications
Create Conditional Access policies to ensure your security
Create and follow an access review process
Azure AD Identity Protection - A tool that enables an org to automate the detection and remediation of identity-based risks, investigate risks using the data in the portal, and export risk detection data to a 3rd-party utility for further analysis.
ID Protection Default Policies
Azure MFA Registration Policy, Sign-in Risk Policy, Custom Conditional Access Policy
User Risk Policy - Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to create a new password.
Sign-in Risk Policy - Identifies and responds to suspicious sign-in attempts. Can prompt the user to provide additional forms of verification using Azure AD Multi-Factor Authentication.
MFA Registration Policy - Makes sure users are registered for Azure AD Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure AD Multi-Factor Authentication.
Example Risk Detection Triggers:
Users with leaked credentials.
Sign-ins from anonymous IP addresses.
Impossible travel to atypical locations.
Sign-ins from infected devices.
Sign-ins from IP addresses with suspicious activity.
User Risk - The calculated probability that an identity has been compromised.
User Risk Policy
Risky Users Report - Lists which users are at risk, have had risk remediated, or have had risk dismissed, for up to the past 30 days. Also includes details about detection types, a history of all risky sign-ins, the Conditional Access policies applied, MFA details, and device/app/location info.
Admin can set a response to a given condition/trigger, responses include:
Force a password reset
Confirm user compromised
Dismiss user risk
Block or Allow the sign-in
Investigate further using Azure ATP (Advanced Threat Protection)
Example Condition Triggers:
Location
Client Apps - Browser-based apps, mobile apps, and desktop clients
Risky Sign-ins
Azure Active Directory Multi-Factor Authentication (MFA) - Provides additional security by requiring a second form of authentication.
Authentication methods include:
Something you know (password/PIN)
Something you have (generated code, a specific device)
Something you are (biometrics)
MFA options
MFA Settings
Account Lockout - Set the number of attempts allowed before lockout, the time until the lockout counter resets, and the time until the account is automatically unlocked.
Block/Unblock Users - Blacklist/whitelist user accounts
Fraud Alert - Lets users report a fraudulent MFA attempt; can be set to automatically block the user when fraud is reported (the block lasts 90 days or until released by an admin), and admins can review the report in the sign-in logs.
Notifications - Configure email notifications for fraud reports (typically sent to an ID admin).
OATH Tokens - Azure AD supports OATH-TOTP SHA-1 hardware (key fob) tokens that refresh codes every 30 or 60 seconds.
Trusted IPs - Feature that lets federated users, or requests from specified IP address ranges, bypass MFA (only for requests from inside the company intranet).
Enable MFA - Azure AD > User Properties > Multi-Factor Authentication
All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.
Azure AD Conditional Access - Tool used by AAD (Azure AD) to bring signals together, make decisions, and enforce org policy. Enables an identity-driven control plane (control of traffic based on who is signing in, rather than on network location alone).
Identity as a Service (IDaaS)
Conditional Access
Conditions: user/group, cloud application, device state, location (IP range), client application, and sign-in risk
Azure AD Access Reviews - Manage group membership, access to enterprise apps, and role assignments. User’s access can be reviewed on a regular basis.
When to use access reviews:
Too many users in privileged roles
When automation is infeasible
When a new group is used for a new purpose
Business critical data access
To maintain a policy’s exception list
Ask group owners to confirm they still need guests in their groups
Have reviews recur periodically