Azure Multi-Factor Authentication: Who do you think you are?


Azure Multi-Factor Authentication: Who do you think you are? Sander Berkouwer CTO at SCCT scct.nl

Sander Berkouwer CTO at SCCT scct.nl Microsoft MVP Veeam Vanguard

A little history

Server:
- Microsoft acquired PhoneFactor in 2012. Their flagship product was PhoneFactor Server v5.
- Microsoft rebranded the server product to Azure MFA Server v6, then v7.
- Microsoft redid the backend infrastructure in 2017 to get to the new Portal experience.
- Microsoft rebranded the server product to MFA Server with v8.

Service:
- Microsoft introduced Azure MFA in 2014.

App:
- Microsoft rebranded the app to Microsoft Authenticator in 2015.
- Personal, Work and School accounts all in one mobile app since 2015.
- Backups and restores since 2018.

How we typically think about multi-factor authentication

When my e-mail address leaks, I change it. When my password leaks, I change it. When my fingerprint leaks

Multi-Factor Authentication

Multi-factor authentication (MFA) is authentication that requires the user (as a person) to authenticate with more than one verification method. It works by requiring any two or more of the following verification principles (authentication factors):
- Something you (can prove you) know
- Something you (can prove you) have (access to)
- Something you (can prove you) are
- Something you normally do

50% Verification 50% Detection

MFA Methods (* not an exclusive list)

Mobile app
- Auth method: Azure Authenticator app, push notifications
- Back-end systems: AD FS, RADIUS, IIS forms-based, MFA Portal
- Built-in detection: fraud detection

Phone call
- Auth method: phone call, phone call with PIN
- Back-end systems: AD FS, RADIUS, IIS forms-based, MFA Portal
- Built-in detection: fraud detection

Text message
- Auth method: one-way SMS, two-way SMS, one-way SMS with PIN, two-way SMS with PIN
- Back-end systems: AD FS, RADIUS, IIS forms-based, MFA Portal
- Built-in detection: fraud detection for one-way SMS and for two-way SMS

Hardware token
- Auth method: OATH-based tokens
- Suppliers*: Yubico, Feitian, Secutech, Vasco
- Back-end systems: AD FS, RADIUS, IIS forms-based, MFA Portal
- Built-in detection: fraud detection

One-time Passcode (OTP)
- Auth method: automatic one-time passcode (OTP) generation
- Built-in detection: fraud detection

MFA Methods: strength and usability (methods compared in the session)
- Phone call, consent mode
- Phone call, PIN mode
- One-way text message
- Two-way text message
- Mobile app, consent mode
- Mobile app one-time password
- OATH one-time password (hardware/software)

Microsoft Multi-Factor Authentication Products and Services

Azure MFA Server

Introducing MFA Server
- On-prem server connects to the Internet for MFA
- Support for various authentication protocols: RADIUS, AD FS, LDAP, Windows Authentication (for IIS web sites), Forms-based Authentication (for IIS web sites)

Licensing MFA Server
- MFA Server is licensed through an MFA Provider
- Three models for licensing: pay per user (enabled in MFA Server); pay per 10 authentications; monthly subscription for Azure MFA, or as part of an overarching license (Azure AD Premium+, EMS E3+, M365 E3+)
- Price per licensing model is identical, but mileage may vary

MFA Server Architecture (diagram): components are the Microsoft Azure MFA Service, the colleague (end user), the MFA-enabled resources, the Azure MFA Server and the Active Directory environment.

Designing an MFA Server Implementation
- Components
- Implementation scenarios: simple deployment, redundant deployment, stretched deployment, complete deployment
- Delegation model

Implementing MFA Server
1. Installing and configuring MFA servers
2. Installing the Web Service SDK (optional)
3. Installing the User Portal (optional)
4. Installing the Mobile Portal (optional)
5. Integrating with AD FS
6. Integrating with RADIUS

Upgrading MFA Server, from the inside out
1. Upgrading each server
2. Upgrading each Web Service SDK
3. Upgrading the User Portals (optional)
4. Upgrading the Mobile Portals (optional)

Azure MFA

Introducing Azure MFA
- Provides functionality to identities in Azure AD
- Builds on the PhoneFactor/MFA Server backend
- Free for admins in Azure
- Cloud-based user portal
- Successor to MFA Server

Why Azure MFA
- Sometimes it's free
- Easy to implement
- No on-premises investment needed *
- Future proof

Licensing Azure MFA
- Azure MFA Server is licensed through the Azure AD tenant
- Monthly subscription for Azure MFA, or as part of an overarching license (Azure AD Premium+, EMS E3+, Microsoft 365 E3+)
- Azure MFA is free for Azure admin roles. Yet, only 0.73% of admins are enabled...

Implementing Azure MFA
- Enable per user: no delegation possible, Global Admin privileges needed
- Conditional Access: Azure resources, Azure AD-integrated applications and services
- RADIUS: MFA plug-in, separate download, integrates with NPS
- Native AD FS adapter: in AD FS 4.0 and above, built into Windows Server, updates through Windows Update

Office 365 MFA

Introducing Office 365 MFA
- Subset of Azure MFA
- Only applicable to Office 365 services
- Non-granular
- Same authentication factors

Licensing Office 365 MFA
- Office 365 Multi-Factor Authentication is licensed through Office 365
- Available in all Office 365 subscriptions: Office 365 E1-E5 subscriptions, Office 365 A1-E5 subscriptions, Office 365 Personal, Business and Business Premium
- Also available for Office 365 K subscriptions

Enrolling users (flow between the admin, Azure AD and the colleague)
1. Admin automation provisions the user account in Azure AD (first name, last name, phone number, alternative e-mail address); a generated password is issued.
2. The colleague logs on for the first time with the generated password.
3. The colleague performs the first MFA.
4. The colleague changes the password to a user-chosen password.
5. The colleague gets access to Office 365 resources.
6. Subsequent logons perform MFA.

Implementing Office 365 MFA
- You will need the following privileges in the tenant: Office 365 Admin
- Delegation is not possible
- Enable user objects in the Office 365 Portal
- Enabled equals enforced after the first MFA

Windows Hello for Business

Windows Hello for Business
- No passwords: password-less strong authentication, by default with multifactor authentication, available on Windows 10
- More secure: credentials secured by hardware, TPM chip- and virtualization-based security
- Extensible: Windows Hello Companion Device Framework (phone, USB, wearable, card)

Multi-factor Authentication Best Practices

Past and Future of MFA
- Microsoft purchased PhoneFactor in 2012
- Azure MFA offers DUO, Trusona, etc. as MFA method since September 2017
- The Old Portal and the PhoneFactor web pages went away on January 8th, 2018
- Microsoft is moving away from MFA Providers for licensing
- RADIUS plug-in, AD FS plug-in: MFA Server is going away in favor of lightweight plugins

App Passwords
Some apps and platforms don't support multi-factor authentication (and probably never will):
- Xbox 360 consoles
- Windows Phones
- Microsoft Office 2010
- Microsoft Office for Mac 2011
- Windows Essentials apps
Microsoft provides a short-cut password to these apps, to circumvent multi-factor authentication. It also circumvents conditional access, identity protection and most of the logging in Azure AD. That's why we call them crapp passwords.

Azure Identity Protection
- Microsoft monitors all authentications: Microsoft Azure, Office 365 (OrgIDs), Microsoft accounts (MSAs, former Windows Live IDs)
- Microsoft works together with Google and Facebook, too
- A risk score based on context is assigned to every authentication
- Default is to perform MFA when account credentials are breached
- Azure AD Premium P2 allows managing your organization's risk scoring

Recommendations
Avoid deploying new MFA Servers (unless for demo purposes ;-) ). But if you do:
- Configure authentications to fail for disabled users
- Configure MFA Server portals with a public certificate
- Don't onboard thousands of users with MFA Server all at once. Stage.
When using MFA Server with AD FS:
- Avoid multiple MFA providers in AD FS
- Avoid specifying a specific MFA method in claims rules
- Use the claims from adfshelp.microsoft.com

Recommendations, cont.
Do it right:
- Enforce MFA on all Azure admin accounts. Exclude sync accounts.
- Don't allow crapp passwords.
Do the work:
- Every MFA method has its weaknesses. Mitigate.
- Not all MFA methods feel like MFA.
- Update work instructions for contingency situations to the new Azure Portal.
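One way to check the "enforce MFA on all admin accounts, exclude sync accounts" recommendation against a tenant, as an added example that is not part of the session: an MSOnline PowerShell audit that lists every member of every Azure AD admin role with their per-user MFA state and registered methods. It assumes the MSOnline module is installed, that a session has been opened with Connect-MsolService, and that directory-sync service accounts carry the usual Sync_ prefix in their UPN (assumed naming pattern).

```powershell
# Added example (not the speaker's code): audit per-user MFA on Azure AD admin role members.
# Assumes the MSOnline module and an existing Connect-MsolService session.
Import-Module MSOnline
Connect-MsolService

# Directory synchronization service accounts are excluded, as the recommendation says.
# The '^Sync_' UPN prefix is an assumed naming pattern; adjust to your tenant.
$syncAccountPattern = '^Sync_'

$report = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Only user objects have a per-user MFA state; skip groups and service principals.
        if ($member.RoleMemberType -ne 'User') { continue }

        $user = Get-MsolUser -ObjectId $member.ObjectId
        if ($user.UserPrincipalName -match $syncAccountPattern) { continue }

        # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
        # otherwise State is 'Enabled' (not yet registered) or 'Enforced'.
        $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $user.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }

        [pscustomobject]@{
            Role              = $role.Name
            User              = $user.UserPrincipalName
            PerUserMfa        = $state
            RegisteredMethods = ($user.StrongAuthenticationMethods | ForEach-Object MethodType) -join ','
        }
    }
}

# Password-only admins float to the top of the list.
$report | Sort-Object PerUserMfa, Role | Format-Table -AutoSize

# Tenant-level figure, in the spirit of the "0.73% of admins" number from the session.
$total    = ($report | Select-Object -Unique User).Count
$enforced = ($report | Where-Object PerUserMfa -eq 'Enforced' | Select-Object -Unique User).Count
'{0} of {1} admin accounts have per-user MFA enforced ({2:P2})' -f $enforced, $total, ($enforced / [math]::Max($total, 1))
```

This reports the per-user MFA setting only: an admin who is covered by a Conditional Access policy requiring MFA will still show as Disabled here, so read the output together with your Conditional Access policies before treating an account as unprotected.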

Concluding

Concluding
- Three types and license schemes for MFA with Microsoft: Office 365 MFA, MFA Server, Azure MFA
- Deploy in the most beneficial way to your organization
- Be granular where possible with Conditional Access and Identity Protection
- Choose an MFA solution based on the MFA methods needed and the capabilities of end users
- Deploy Windows Hello for Business on TPM-enabled Windows 10-based devices
- MFA all admins!

FUTURE READY SECURITY SKILLS Do you want to gain more knowledge about Microsoft technology? The Future Ready Skills program offers online courseware, online labs, live Q&As and expert sessions, so you can acquire your official Microsoft Certificate in the most efficient way. For more information: aka.ms/frsblog

Thank you!

Next session 17:30-18:30: Welcome to your new Management service, Windows Admin Center. Jan-Tore Pedersen