Az-101t04a-enu-trainerhandbook.pdf

AZ-101T04 Securing Identities

MCT USE ONLY. STUDENT USE PROHIBITED

Microsoft Official Course


Contents

0 | Welcome ........................................................ 1
    Start Here ..................................................... 1

1 | Introduction to Identity Protection in Azure ................... 5
    Role-Based Access Control ...................................... 5
    Azure Active Directory (Refresher) ............................. 12
    Protecting Privileged Access in the Environment ................ 18
    Module 1 Review Questions ...................................... 24

2 | Using Multi-Factor Authentication for Secure Access ............ 25
    Introducing Multi-Factor Authentication ........................ 25
    Implementing MFA ............................................... 31
    Module 2 Review Questions ...................................... 39

3 | Azure AD Privileged Identity Management ........................ 41
    Getting Started with PIM ....................................... 41
    PIM Security Wizard ............................................ 45
    PIM Directory Roles ............................................ 48
    PIM for Role Resources ......................................... 53
    Module 3 Review Questions ...................................... 57

0 | Welcome

Start Here

Azure Administrator Curriculum

This course is part of a series of courses to help you prepare for Microsoft’s Azure Administrator certification tests. There are two exams:

●● AZ-100, Microsoft Azure Infrastructure and Deployment (https://www.microsoft.com/en-us/learning/exam-az-100.aspx)
●● AZ-101, Microsoft Azure Integration and Security (https://www.microsoft.com/en-us/learning/exam-az-101.aspx)

Each exam measures your ability to accomplish certain technical tasks. For example, AZ-101 includes four study areas, as shown in the table. The percentages indicate the relative weight of each area on the exam. The higher the percentage, the more questions you are likely to see in that area.

AZ-101 Study Areas                                     Weights
Evaluate and perform server migration to Azure         15-20%
Implement and manage application services              20-25%
Implement advanced virtual networking                  30-35%
Securing identities                                    25-30%

✔️ This course will focus on preparing you for the Securing identities area of the AZ-101 certification exam.

About this Course

Course Description

This course teaches IT Professionals to understand the challenges that organizations face in keeping modern IT environments secure, as the more distributed environments that are part of a cloud-first or hybrid world have rapidly created new security challenges for IT. The course focuses on three key areas in the defense against attackers who target security vulnerabilities, resulting particularly from credential theft and compromised identities: Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and Azure Active Directory Privileged Identity Management (PIM). Students learn to implement two-step verification to secure the sign-in process, as well as how to use advanced features like trusted IPs and Fraud Alerts with MFA to customize their identity access strategy. Using Privileged Identity Management, students learn how to apply just the right amount of access rights for just the right amount of time to the various administrative roles as well as to resources.

Level: Intermediate

Audience

This course is for Azure Administrators. Azure Administrators manage the cloud services that span storage, networking, and compute cloud capabilities, with a deep understanding of each service across the full IT lifecycle. They take end-user requests for new cloud applications and make recommendations on services to use for optimal performance and scale, as well as provision, size, monitor and adjust as appropriate. This role requires communicating and coordinating with vendors. Azure Administrators use the Azure Portal and, as they become more proficient, they use PowerShell and the Command Line Interface.

Prerequisites

Successful Azure Administrators start this role with experience on operating systems, virtualization, cloud infrastructure, storage structures, and networking.

Expected learning

●● Use Azure RBAC to grant a granular level of access based on an administrator’s assigned tasks.
●● Use Azure Multi-Factor Authentication to configure strong authentication for users at sign-in.
●● Use Azure AD Privileged Identity Management to configure access rights based on just-in-time administration.

Syllabus

This course includes content that will help you prepare for the certification exam. Other content is included to ensure you have a complete picture of Azure identity. The course content includes a mix of videos, graphics, reference links, module review questions, and practice labs.

Module 1 – Introduction to Identity Protection in Azure

In this module, you’ll learn about Role-Based Access Control as the foundation to organizing and managing an organization’s administrative access based on the principle of least privilege. You will also review Azure Active Directory concepts, as well as gaining insight into the threat landscape and security risks that are exposed to IT organizations through breach of privileged access. Lessons include:

●● Role-Based Access Control
●● Azure Active Directory (Refresher)
●● Protecting Privileged Access in the Environment

Module 2 – Using Multi-Factor Authentication for Secure Access

In this module, you’ll learn about securing the sign-in process through Multi-Factor Authentication (MFA). You’ll learn how MFA works and the differences in implementation between on-premises and cloud scenarios. You’ll also learn about using conditional access policies to provide more fine-grained control over apps and resources in your environment. Lessons include:

●● Introducing Multi-Factor Authentication
●● Implementing MFA

Module 3 – Azure AD Privileged Identity Management

In this module, you’ll learn how to use Azure Privileged Identity Management (PIM) to enable just-in-time administration and control the number of users who can perform privileged operations. You’ll also learn about the different directory roles available as well as newer functionality that includes PIM being expanded to role assignments at the resource level. Lessons include:

●● Getting Started with PIM
●● PIM Security Wizard
●● PIM for Directory Roles
●● PIM for Role Resources

✔️ The Managing Identities course also covers Azure RBAC and Azure Active Directory. This content has been included here also to provide more context and foundation for the remainder of the course.

Study Guide

The Securing identities objective of the AZ-101 exam consists of three main areas of study: Manage role-based access control (RBAC), Implement Multi-Factor Authentication (MFA), and Implement Azure Active Directory (AD) Privileged Identity Management (PIM). These tables show you what may be included in each test area and where it is covered in this course.

✔️ We recommend you use these tables as a checklist to ensure you are prepared in each area.

✔️ We recommend supplementing your study with a practice test (https://us.mindhub.com/az-100-microsoft-azure-infrastructure-deployment-microsoft-official-practice-test/p/MU-AZ-100). Also, hands-on practice is critical to understanding these concepts and passing the certification exams. There are several ways to get an Azure subscription (https://azure.microsoft.com/en-us/offers/ms-azr-0044p/).

Manage RBAC

Testing May Include                                        Course Content
Create a custom role                                       01-Introduction to Identity Protection in Azure
Configure access to Azure resources by assigning roles     01-Introduction to Identity Protection in Azure
Configure management access to Azure                       01-Introduction to Identity Protection in Azure
Troubleshoot RBAC                                          01-Introduction to Identity Protection in Azure
Implement RBAC policies                                    01-Introduction to Identity Protection in Azure
Assign RBAC Roles                                          01-Introduction to Identity Protection in Azure

Implement MFA

Testing May Include                                        Course Content
Enable MFA for an Azure tenant                             02-Using Multi-Factor Authentication for Secure Access
Configure user accounts for MFA                            02-Using Multi-Factor Authentication for Secure Access
Configure fraud alerts                                     02-Using Multi-Factor Authentication for Secure Access
Configure bypass options                                   02-Using Multi-Factor Authentication for Secure Access
Configure Trusted IPs                                      02-Using Multi-Factor Authentication for Secure Access
Configure verification methods                             02-Using Multi-Factor Authentication for Secure Access

Implement Azure AD PIM

Testing May Include                                        Course Content
Enable PIM                                                 03-Azure AD Privileged Identity Management
Configure Just-in-time access                              03-Azure AD Privileged Identity Management
Configure permanent access                                 03-Azure AD Privileged Identity Management
Configure PIM management access                            03-Azure AD Privileged Identity Management
Configure time-bound access                                03-Azure AD Privileged Identity Management
Create a Delegated Approver account                        03-Azure AD Privileged Identity Management
Activate a PIM role                                        03-Azure AD Privileged Identity Management
Process pending approval requests                          03-Azure AD Privileged Identity Management

1 | Introduction to Identity Protection in Azure

Role-Based Access Control

Course Introduction

Cloud adoption has driven companies to find new solutions to doing business and has transformed the traditional IT enterprise. As environments have quickly become more distributed, with employees, partners, and customers integrating new capabilities and services ever more quickly, the concepts around security and protection of assets and resources have also radically changed. In the traditional datacenter, the corporate firewall served as the perimeter for keeping out unauthorized users. Now, identity has become the new control plane, and IT organizations must consider it a critical element in defending against attackers targeting their environments and the data stored in those environments.

Scope of the challenges

The graphic below is provided to give some idea of the scope of the challenges faced by modern IT environments. Microsoft’s Intelligent Security Graph helps to provide real-time risk assessment and insight into the global threat landscape. From the sheer volume of information, it is easy to see how, in a cloud-connected world with the proliferation of accounts, partner and third-party dependencies, and devices that roam freely between work and home, the opportunities for attackers to do harm have greatly expanded.

What’s the focus in this course?

While there are multiple aspects to securing identities in a modern IT environment, in this course we will focus on two specific features in Azure that form a key defense in preventing and mitigating the types of security threats that attempt to make inroads through identity: Multi-Factor Authentication (MFA), and Privileged Identity Management (PIM). We begin with an overview of Role-Based Access Control in Azure because RBAC is foundational to how you organize and manage your organization’s administrative access, based on the principle of least privilege. We also cover an overview of Azure Active Directory itself. Both these lessons are also part of AZ-100.5, Managing Identities, and we have included them in this course to provide more context and foundational content in preparation for learning about MFA and PIM.

Role-Based Access Control

Managing access to resources in Azure is a critical part of an organization’s security and compliance requirements. Role-based access control (RBAC) is the capability within Azure that lets you grant a very granular level of access based on an administrator’s assigned tasks. This ensures an Administrator can do exactly the task they need to do; no more, no less.

Role assignments

RBAC is configured by selecting a role (the definition of what actions are allowed and/or denied), then associating the role with a security principal (user, group, or service). Finally, this combination of role and security principal is scoped to a subscription, a resource group, or a specific resource.

✔️ Notice that access is inherited from subscriptions, to resource groups, and then to resources.

Using the Portal to implement RBAC

You can use the Azure Portal to make your role assignments. In this example, the ContosoBlueAD resource group shows on the Access Control (IAM) blade the current roles and scopes. You can add or remove roles as you need. You can add synced users and groups to Azure roles, which enables organizations to centralize the granting of access.

For more information, you can see: Get started with access management in the Azure portal - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is

Built-in Roles

Azure AD provides many built-in roles (https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles) to cover the most common security scenarios. To understand how the roles work we will examine three roles that apply to all resource types:

●● Owner has full access to all resources including the right to delegate access to others.
●● Contributor can create and manage all types of Azure resources but can’t grant access to others.
●● Reader can view existing Azure resources.

Role definition

Each role is a set of properties defined in a JSON file. This role definition includes Name, Id, and Description. It also includes the allowable permissions (Actions), denied permissions (NotActions), and scope (read access, etc.) for the role.

    Name: Owner
    ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb65
    IsCustom: False
    Description: Manage everything, including access to resources
    Actions: {*}
    NotActions: {}
    AssignableScopes: {/}

In this example the Owner role means all (*) actions, no denied actions, and all (/) scopes. This information is available with the Get-AzureRmRoleDefinition cmdlet.

✔️ Take a minute to open the Azure Portal, open the Subscriptions or Resource Group blade, and click Access Control (IAM). Click Add and take a few minutes to review the built-in roles and see which role you would be most interested in using.

For more information, you can see:
Built-in roles in Azure - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Create custom roles for Azure Role-Based Access Control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Get-AzureRmRoleDefinition - https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermroledefinition?view=azurermps-5.3.0

Role Definitions Actions and NotActions

The Actions and NotActions properties can be tailored to grant and deny the exact permissions you need. Review this table to see how Owner, Contributor, and Reader are defined.

●● Owner (allow all actions). Actions: *. NotActions: none.
●● Contributor (allow all actions except writing or deleting role assignments). Actions: *. NotActions: Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action.
●● Reader (allow all read actions). Actions: */read. NotActions: none.

AssignableScopes

Defining the Actions and NotActions properties is not enough to fully implement a role. You must also properly scope your role. The AssignableScopes property of the role specifies the scopes (subscriptions, resource groups, or resources) within which the custom role is available for assignment. You can make the custom role available for assignment in only the subscriptions or resource groups that require it, and not clutter the user experience for the rest of the subscriptions or resource groups.

●● /subscriptions/[subscription id]
●● /subscriptions/[subscription id]/resourceGroups/[resource group name]
●● /subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]

Example 1: Make a role available for assignment in two subscriptions.

    "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
    "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624"

Example 2: Make a role available for assignment only in the Network resource group.

    "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network"

✔️ Take a minute to open the Azure Portal and use the Access Control blade to add a role and then assign it to a user. Can you see which role assignments your organization would need?

For more information, you can see: Custom roles access control - https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#custom-roles-access-control
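The rules described in the preceding Role definition, Actions/NotActions and AssignableScopes sections (wildcard matching, NotActions as a subtraction from a role's own Actions, inheritance from subscription to resource group to resource, and the AssignableScopes check) are shown below as an added worked example. It is not code from the handbook and it does not call any Azure API; it is a small Python model of the evaluation logic, using the three built-in roles as the handbook defines them plus a constructed "VM Operator" custom role, the constructed principals alice and bob, and SUB-PLACEHOLDER in place of a real subscription id.

```python
"""Model of Azure RBAC permission evaluation (added example, simplified model)."""
import fnmatch
import json

# Role definitions in the same shape as the handbook's Owner definition.
# Owner/Contributor/Reader follow the handbook's table; "VM Operator" is a
# constructed custom role and SUB-PLACEHOLDER stands in for a subscription id.
ROLE_DEFINITIONS_JSON = """
[
  {"Name": "Owner", "Actions": ["*"], "NotActions": [], "AssignableScopes": ["/"]},
  {"Name": "Contributor", "Actions": ["*"],
   "NotActions": ["Microsoft.Authorization/*/Delete",
                  "Microsoft.Authorization/*/Write",
                  "Microsoft.Authorization/elevateAccess/Action"],
   "AssignableScopes": ["/"]},
  {"Name": "Reader", "Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
  {"Name": "VM Operator",
   "Actions": ["Microsoft.Compute/virtualMachines/start/action",
               "Microsoft.Compute/virtualMachines/restart/action",
               "Microsoft.Compute/*/read"],
   "NotActions": [],
   "AssignableScopes": ["/subscriptions/SUB-PLACEHOLDER/resourceGroups/contosoblue"]}
]
"""
ROLES = {r["Name"]: r for r in json.loads(ROLE_DEFINITIONS_JSON)}

SUB = "/subscriptions/SUB-PLACEHOLDER"
RG = SUB + "/resourceGroups/contosoblue"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"

# Constructed role assignments: role + security principal + scope.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "alice", "role": "Contributor", "scope": RG},
    {"principal": "bob", "role": "VM Operator", "scope": RG},
]


def _matches(pattern, operation):
    """Operation strings are compared case-insensitively; '*' matches any run of
    characters, '/' included, which is exactly how fnmatchcase treats it."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role, operation):
    """Permitted only if some Actions entry matches and no NotActions entry does.
    NotActions subtracts from this role's own Actions; it is not a deny rule that
    overrides a permission granted by a different role assignment."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not excluded


def scope_covers(assignment_scope, target_scope):
    """Inheritance: an assignment at a subscription or resource group applies to
    everything beneath it. Whole path segments are compared so that
    '/subscriptions/s1' does not cover '/subscriptions/s10'."""
    a = assignment_scope.rstrip("/").lower()   # the root scope "/" becomes ""
    t = target_scope.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")


def is_allowed(principal, operation, scope, assignments=ASSIGNMENTS):
    """Effective permission is the union over every assignment the principal
    holds whose scope contains the target; this model has no deny assignments,
    so one permitting role is enough."""
    return any(
        asg["principal"] == principal
        and scope_covers(asg["scope"], scope)
        and role_permits(ROLES[asg["role"]], operation)
        for asg in assignments
    )


def assignment_is_valid(assignment):
    """A role may only be assigned at a scope inside one of its AssignableScopes."""
    role = ROLES[assignment["role"]]
    return any(scope_covers(s, assignment["scope"]) for s in role["AssignableScopes"])


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM),
        ("alice", "Microsoft.Storage/storageAccounts/read", SUB + "/resourceGroups/other"),
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM),
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM),
    ]
    for principal, op, scope in checks:
        print(f"{principal:6} {op:48} {is_allowed(principal, op, scope)}")
    print("VM Operator assignable at subscription scope?",
          assignment_is_valid({"principal": "bob", "role": "VM Operator", "scope": SUB}))
```

The two cases worth noticing are alice's attempt to write a role assignment on the VM, which Contributor's NotActions exclude even though Contributor at the resource group otherwise covers the VM, and the rejected attempt to assign the custom role at subscription scope, which its AssignableScopes do not include.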

Azure PowerShell and CLI

When you have large numbers of role assignments, you may prefer to use Azure PowerShell or the CLI.

    # Role assignment properties
    $roleName = "Contributor"
    $assigneeName = "[email protected]"
    $resourceGroupName = "contosoblue"

    # Azure PowerShell
    New-AzureRmRoleAssignment -RoleDefinitionName $roleName -SignInName $assigneeName -ResourceGroupName $resourceGroupName

    # CLI (run from the same PowerShell session, so the variables above are still available)
    az role assignment create --role $roleName --assignee $assigneeName --resource-group $resourceGroupName

✔️ If you have created a custom JSON role definition file you can use PowerShell or the CLI to create a new custom role definition. In the following examples the sysops.json file has the custom definition.

    # PowerShell
    New-AzureRmRoleDefinition -InputFile .\sysops.json

    # CLI
    az role definition create --role-definition "./sysops.json"

Video - Role-Based Access Control

Demonstration - Role-Based Access Control

Practice - Role-Based Access Control

Role-based access control (RBAC) is the way that you manage access to resources in Azure. In this Quickstart, you grant a user access to create and manage virtual machines in a resource group. Take a few minutes to work through Grant access for a user using RBAC and the Azure portal (https://docs.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal). This Quickstart steps through the basics of:

●● Creating a resource group in the Azure portal.
●● Assigning a user to a role.
●● Removing the created role assignment.

Using PowerShell

Next, try the following tutorial (https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell) to grant a user access to view all resources in a subscription and manage everything in a resource group using Azure PowerShell. In this tutorial you will:

●● Create a user
●● Create a resource group
●● Use the Get-AzureRmRoleAssignment command to list the role assignments
●● Use the Remove-AzureRmResourceGroup command to remove access

For more information, you can see: What is role-based access control - https://docs.microsoft.com/en-us/azure/role-based-access-control/overview


Azure Active Directory (Refresher)

Azure Active Directory

For both IT Admins and Developers

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce.com, DropBox, and Concur. For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world class identity management solution used by millions of organizations around the world.

Identity management capabilities and integration

Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing and security monitoring, and alerting. These capabilities can help secure cloud-based applications, streamline IT processes, cut costs, and help assure corporate compliance goals are met. Additionally, Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the ability to leverage their existing on-premises identity investments to manage access to cloud based SaaS applications.

✔️ If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are already using Azure AD. Every Office365, Azure and Dynamics CRM tenant is already an Azure AD tenant. Whenever you want you can start using that tenant to manage access to thousands of other cloud applications Azure AD integrates with.

For more information, you can see: What is Azure Active Directory? - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

Azure Active Directory Benefits

Azure AD has many benefits.

●● Single sign-on to any cloud or on-premises web app. Azure Active Directory provides secure single sign-on to cloud and on-premises applications including Microsoft Office 365 and thousands of SaaS applications such as Salesforce, Workday, DocuSign, ServiceNow, and Box.
●● Works with iOS, Mac OS X, Android, and Windows devices. Users can launch applications from a personalized web-based access panel, mobile app, Office 365, or custom company portals using their existing work credentials, and have the same experience whether they’re working on iOS, Mac OS X, Android, or Windows devices.
●● Protect on-premises web applications with secure remote access. Access your on-premises web applications from everywhere and protect them with multi-factor authentication, conditional access policies, and group-based access management. Users can access SaaS and on-premises web apps from the same portal.
●● Easily extend Active Directory to the cloud. Connect Active Directory and other on-premises directories to Azure Active Directory in just a few clicks and maintain a consistent set of users, groups, passwords, and devices across both environments.
●● Protect sensitive data and applications. Enhance application access security with unique identity protection capabilities that provide a consolidated view into suspicious sign-in activities and potential vulnerabilities. Take advantage of advanced security reports, notifications, remediation recommendations and risk-based policies to protect your business from current and future threats.
●● Reduce costs and enhance security with self-service capabilities. Delegate important tasks such as resetting passwords and the creation and management of groups to your employees. Providing self-service application access and password management through verification steps can reduce helpdesk calls and enhance security.

✔️ What reasons do you have for considering Azure Active Directory?

For more information, you can see: The power of common identity across any cloud - https://myignite.microsoft.com/videos/54694


Active Directory Domain Services

Active Directory Domain Services (AD DS)

AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although AD DS is commonly considered to be primarily a directory service, it is only one component of the Windows Active Directory suite of technologies, which also includes Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS). Although you can deploy and manage AD DS in Azure virtual machines, it’s recommended you use Azure AD instead, unless you are targeting IaaS workloads that depend on AD DS specifically.

Azure AD is different from AD DS

Although Azure AD has many similarities to AD DS, there are also many differences. It is important to realize that using Azure AD is different from deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain. Here are some characteristics of Azure AD that make it different.

●● Identity solution. Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.
●● REST API Querying. Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.
●● Communication Protocols. Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
●● Federation Services. Azure AD includes federation services, and many third-party services (such as Facebook).
●● Flat structure. Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).

✔️ Azure AD is a managed service. You only manage the users, groups, and policies. Deploying AD DS with virtual machines using Azure means that you manage the deployment, configuration, virtual machines, patching, and other backend tasks. Do you see the difference?

Video - Azure Active Directory Overview

Active Directory Editions

Azure Active Directory comes in four editions: Free, Basic, Premium P1, and Premium P2. The Free edition is included with an Azure subscription. The Azure Active Directory Basic, Premium P1, and Premium P2 editions are built on top of your existing free directory, providing enterprise class capabilities spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication (MFA), and secure access for your mobile workforce.

The Azure Active Directory Pricing page (https://aka.ms/edx-azure204x-az3) has detailed information on what is included in each of the editions.

●● Azure Active Directory Free. Designed to introduce system administrators to Azure Active Directory. This version includes common features such as directory objects, user/group management, single sign-on, self-service password change, on-premises connect, and security/usage reports.
●● Azure Active Directory Basic. Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
●● Azure Active Directory Premium P1. Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud.
●● Azure Active Directory Premium P2. Azure Active Directory Premium P2 includes every feature of all other Azure Active Directory editions enhanced with advanced identity protection and privileged identity management capabilities.

✔️ Did you look through the pricing list to determine which features your organization needs?


Choosing Between Azure AD and Azure AD DS

One of the main differences between Azure AD and Azure AD DS is the way devices are registered and joined. Azure AD Domain Services provides a managed AD domain in an Azure virtual network. You can join machines to this managed domain using traditional domain-join mechanisms. Azure AD also enables you to manage the identity of devices used by your organization and control access to corporate resources from these devices. Azure AD joined devices give you the following benefits:

●● Single sign-on (SSO) to applications secured by Azure AD.
●● Enterprise policy-compliant roaming of user settings across devices.
●● Access to the Windows Store for Business using your corporate credentials.
●● Windows Hello for Business.
●● Restricted access to apps and resources from devices compliant with corporate policy.

Aspect                            Azure AD Join                                          Azure AD Domain Services
Device controlled by              Azure AD                                               Azure AD Domain Services managed domain
Representation in the directory   Device objects in the Azure AD directory               Computer objects in the AAD-DS managed domain
Authentication                    OAuth/OpenID Connect based protocols                   Kerberos, NTLM protocols
Management                        Mobile Device Management (MDM) software like Intune    Group Policy
Networking                        Works over the internet                                Requires machines to be on the same virtual network as the managed domain
Great for ...                     End-user mobile or desktop devices                     Server virtual machines deployed in Azure

For more information, you can see: Choose between Azure Active Directory join and Azure Active Directory Domain Services - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-compare-with-azure-ad-join

Video - Azure Active Directory Editions

Video - Azure AD Authentication Options

This video will help you choose the right authentication option when setting up identity in Azure Active Directory. During the video, notice how often MFA is mentioned. MFA provides another layer of security for each of the options that are discussed. We will delve deeper into MFA in Module 2.

For more information, you can see: Choose the right authentication method for your Azure Active Directory hybrid identity solution https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn


Protecting Privileged Access in the Environment

Credential Theft

In today’s IT environment, credential theft attacks are one of the main ways malicious users gain access to your environment. Credential theft attacks are those in which an attacker initially gains highest-privilege access to a computer on a network and then uses freely available tooling to extract credentials from the sessions of other logged-on accounts. Depending on the system configuration, these credentials can be extracted in the form of hashes, tickets, or even plaintext passwords.

1. Credential theft begins by establishing a beachhead in a Tier 2 workstation or device. Through phishing attacks and malware, the attacker gains access to local administrator accounts.
2. The local administrator accounts are used to compromise more hosts and credentials in Tier 2. The attacker is looking to escalate their privileges into Tier 1 administrative permissions by presenting recently gained credentials.
3. If the attacker can gain the Domain Admin credentials, possibly through unpatched servers, they begin a more focused attack on your system. At the highest level, Tier 0, the attacker has unlimited permissions to create new users or impersonate existing users.
4. Credential theft often goes undetected. Attackers can steal data, destroy systems, and remain undiscovered for a very long time.

✔️ Do you know of any credential theft attacks? Can you begin to see how identity becomes a mechanism for attackers to obtain access to not only the system but the ability to do harm, based on the level of privilege granted through access to an exposed account?

For more information, you can see: Attractive Accounts for Credential Theft - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft
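The tier model above implies a simple detection rule a defender can run over sign-in records: an account that belongs to a higher-privilege tier (Tier 0 or Tier 1) should never log on interactively to a host of a lower-privilege tier, because that host's memory then holds credentials that the attack chain described above extracts. The following is an added example (not code from the AZ-101 handbook or from Microsoft) that applies that rule to constructed sign-in records. The key=value log format, the host and account names, and the tier inventory are all assumptions; the logon-type numbers follow the Windows convention (2 = interactive, 10 = remote interactive, 3 = network).

```python
"""Detect admin credentials exposed on lower-tier hosts.

Added example (not from the AZ-101 handbook): applies the tier model to
constructed sign-in records. Rule: an account in a higher-privilege tier
(lower tier number) must never authenticate interactively to a host of a
lower-privilege tier (higher tier number), because that host then caches
credentials an attacker could extract. Log format, host names and account
names are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed classification: which tier each host and account belongs to.
# Tier 0 = identity systems (domain controllers, identity admins),
# Tier 1 = servers and applications, Tier 2 = user workstations and devices.
HOST_TIER: Dict[str, int] = {
    "dc01": 0,
    "app01": 1,
    "sql01": 1,
    "ws-alice": 2,
    "ws-bob": 2,
}
ACCOUNT_TIER: Dict[str, int] = {
    "corp\\da-admin": 0,   # Domain Admin account
    "corp\\srv-admin": 1,  # server administrator
    "corp\\alice": 2,
    "corp\\bob": 2,
}

# Windows logon types that leave reusable credentials in host memory:
# 2 = Interactive, 10 = RemoteInteractive. Network logons (3) are skipped.
CREDENTIAL_CACHING_LOGON_TYPES = {"2", "10"}


@dataclass
class Finding:
    timestamp: str
    account: str
    host: str
    account_tier: int
    host_tier: int


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_tier_violations(lines: List[str]) -> List[Finding]:
    """Return every credential-caching logon where the account's tier number
    is lower (more privileged) than the host's tier number."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("logon_type") not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue
        account = rec.get("account", "").lower()
        host = rec.get("host", "").lower()
        if account not in ACCOUNT_TIER or host not in HOST_TIER:
            continue  # unclassified: an inventory gap, reported separately in practice
        a_tier, h_tier = ACCOUNT_TIER[account], HOST_TIER[host]
        if a_tier < h_tier:
            findings.append(Finding(rec.get("time", ""), account, host, a_tier, h_tier))
    return findings


# Constructed sample records (not real logs).
SAMPLE_LOG = [
    "time=2021-02-01T08:01:00Z account=corp\\alice host=ws-alice logon_type=2",
    "time=2021-02-01T08:05:00Z account=corp\\da-admin host=dc01 logon_type=2",
    "time=2021-02-01T09:12:00Z account=corp\\da-admin host=ws-bob logon_type=10",    # Tier 0 on Tier 2
    "time=2021-02-01T09:20:00Z account=corp\\srv-admin host=ws-alice logon_type=2",  # Tier 1 on Tier 2
    "time=2021-02-01T09:30:00Z account=corp\\srv-admin host=app01 logon_type=3",     # network logon, skipped
    "time=2021-02-01T10:00:00Z account=corp\\da-admin host=sql01 logon_type=3",      # network logon, skipped
]

if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_LOG):
        print(f"{f.timestamp}: {f.account} (tier {f.account_tier}) logged on to "
              f"{f.host} (tier {f.host_tier}): credentials exposed on a lower tier")
```

Run against the constructed records, the rule flags the Domain Admin session on ws-bob and the server administrator session on ws-alice, which are exactly the sessions the attack chain in steps 1 and 2 above would harvest; the two network logons are left alone because they do not cache credentials on the target host.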

Demonstration - Credential Theft

One of the main reasons to use Multi-Factor Authentication is to reduce credential theft attacks, as shown in this video. In conjunction with the other security best practices (outlined in the next topic), MFA can reduce the attack surface dramatically by adding additional levels of verification when a user attempts to sign in.

Security Best Practices

Many consider identity to be the new boundary layer for security, taking over that role from the traditional network-centric perspective. To help you get started, there is an Azure identity management and access control security best practices page. The best practices were derived from consensus opinion and Azure platform capabilities and feature sets.

●● Centralize your identity management. Ensure that IT can manage accounts from one single location.
●● Enable Single Sign-On (SSO). Provide your users the ability to use the same set of credentials to sign in and access the resources that they need, regardless of whether this resource is located on-premises or in the cloud.
●● Deploy password management. Leverage the self-service password reset capability and customize the security options to meet your business requirements.
●● Enforce MFA for users. Enable Azure MFA for your users. This will add a second layer of security to user sign-ins and transactions.
●● Use role-based access control (RBAC). Apply the principle of least privilege.
●● Control locations where resources are created using Resource Manager. Create security policies with definitions that describe the actions or resources that are allowed and denied.
●● Guide developers to leverage identity capabilities for SaaS apps. Ensure developers use a secure methodology to develop SaaS apps. Register any application that outsources authentication to Azure AD.
●● Actively monitor for suspicious activities. Use Azure AD Premium anomaly reports6 and Azure AD identity protection7 capabilities.

✔️ Take a minute to go through each item in the reference link. Are you following these best practices? In this course we focus on enforcing MFA for users and implementing RBAC.

For more information, you can see: Azure Identity Management and access control security best practices - https://docs.microsoft.com/en-us/azure/security/azure-security-identity-management-best-practices

6 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports
7 https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection


Video - Introduction to Identity

The following video is part of a series that was produced by the Enterprise Cybersecurity Group at Microsoft. The presenters give a broad overview of the security initiatives that align to four basic pillars that make up a secure modern enterprise: Identity, Apps and Data, Infrastructure, and Device. The principles covered in all of the videos in this lesson apply to both on-premises and the cloud. In this video, the focus is primarily on the Identity pillar, with two key aspects: privileged access, which includes the identity systems and the administrators of those systems; and the identities themselves, including the devices they are used on.

Video - Protect Your Privileged Access

This video explores the Securing Privileged Access Roadmap, introduced in the previous video. The roadmap publishes Microsoft’s recommendations about what it thinks organizations should be doing to protect their users and customers against various types of security attacks. Focusing on actions organizations can take to prevent things like credential attacks, and domain controller and Active Directory-related attacks, the presenters introduce the idea of preparing and planning in three stages: immediate actions within the first 2 – 4 weeks, the tasks that can be done within 1 – 3 months, and the actions that will take longer (6 or more months).

For more information, see: Securing Privileged Access – http://aka.ms/sparoadmap

Video - Protecting AD and Admin Privileges (2-4 Weeks)

This video continues with the Securing Privileged Access Roadmap and focuses on the first phase of the roadmap, an organization’s first response to the most frequently used attack techniques. The presenters discuss steps to immediately protect Active Directory and Administrator privileges. The four basic steps are:

1. Create a separate Admin account for administrator tasks.
2. Set up Privileged Access Workstations8 (PAWs) for Active Directory administrators.
3. Set up unique local administrator passwords9 for each host.
4. Set up unique local administrator passwords for servers.

8 http://aka.ms/CyberPAW

Video - Protecting AD and Admin Privileges (1-3 Months)

This video continues with the Securing Privileged Access Roadmap and focuses on the middle phase of the roadmap (1 – 3 months), and continues with the steps to harden systems and further protect Active Directory and Administrator privileges. The six steps are:

1. Set up Privileged Access Workstations (PAWs)10 for Tier 1 and Tier 2 administrators.
2. Enable timebound privileges for administrators. (http://aka.ms/PAM, http://aka.ms/AzurePIM)
3. Enable Multifactor for elevation.
4. Implement Just Enough Administration (JEA)11.
5. Lower the attack surface12 of domains and domain controllers.
6. Perform threat detection analysis13.

✔️ While this series of videos introduces the Securing Privileged Access roadmap, Step 3, enable multifactor for elevation, is highlighted on the graphic as MFA will be the main focus of this module.

Video - Protecting AD and Admin Privileges (6 Months)

This video concludes the short series on the Securing Privileged Access Roadmap and focuses on the last phase of the roadmap (6 months+), which initiates a more proactive security stance in the process of protecting Active Directory and administrative privileges. This phase in the roadmap is where companies can take steps to get ahead of the attacker techniques.

9 http://aka.ms/LAPS
10 http://aka.ms/CyberPAW
11 http://aka.ms/JEA
12 http://aka.ms/HardenAD
13 http://aka.ms/ata


The presenters cover the following 5 steps:

1. Review roles and delegation model.
2. Require multifactor authentication14 for all administrators.
3. Implement an administrative forest based on the Enhanced Security Administrative Environment (ESAE)15 reference architecture.
4. Implement code integrity policies for domain controllers.
5. Virtualize domain controllers using shielded VMs16.

✔️ You can access the Securing Privileged Access Roadmap here17.

Securing the Modern IT Environment

Most enterprises combine traditional on-premises assets, remote resources such as branch offices, and some level of cloud solutions or services. In many cases, IT departments are not aware of third-party solutions or services their users are using or that have not been authorized. Securing access in a modern IT environment is extremely challenging because the environment is a very complex entity to begin with. Where’s the security boundary today? The traditional security boundary has typically been drawn around the network. However, because users are now using so many third-party applications and software as a service (SaaS) resources, data flows easily in and out of the perimeter. Accordingly, attackers have had much success in gaining access through the traditional network perimeter. In reality, identity has become the security “perimeter” in the modern IT enterprise.

Credential theft scenario

In this next video, the presenter discusses the typical credential theft attack that was also covered in a previous topic, to explain how attackers can exploit holes in the system and use lateral movement within a domain to persist their unauthorized access and presence and steal credentials. Once those credentials are obtained, it is usually too late to prevent the attacker from gaining access to data and resources, as with this method of attack an attacker can remain undetected for some time.

✔️ The video points out a common misconception in the assumption that using Run As protects against credential theft or “pass the hash” attacks. A Run As session on a Windows computer is just as vulnerable to attack as a standard fully logged on session.

14 http://aka.ms/Passport
15 http://aka.ms/ESAE
16 http://aka.ms/shieldedvms
17 http://aka.ms/sparoadmap

Video - Securing the Modern IT Environment


Module 1 Review Questions

Implementing Role-Based Access Control

Which built-in role lets you create and manage all types of Azure resources, but doesn't allow you to grant additional permissions to users, groups, or service principals?

With RBAC, how would you create a custom role?

Suggested Answer ↓ The Contributor built-in role can create and manage all types of Azure resources, but can't grant access to others. Contributor is one of three basic roles in Azure that apply to all resource groups. The others are Owner - which has full access to all resources, including the right to delegate access to others, and Reader - which can only view all existing Azure resources. To create a custom role, you would use PowerShell, the CLI, or a REST API.

Azure Active Directory

List three differences between Active Directory Domain Services (AD DS) and Azure Active Directory (AD).

Suggested Answer ↓ Although the list is by no means conclusive, and you may identify others not listed, here are several characteristics of Azure AD that make it different to AD DS: Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications; because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization). Also, Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).

Credential Theft

What are some common ways in which attackers use credential theft to gain access and control of IT environments?

Suggested Answer ↓ A common way in which an attacker initially gains access to environments is through phishing attacks or malware in which a local administrator account at the Tier 2 level is compromised. Those accounts can then serve as a way for the attacker to move laterally, stealing and compromising more hosts and credentials, and quickly moving into Tier 1 server admin levels with the objective of acquiring Domain Admin credentials. Once they obtain domain admin credentials, attackers can not only steal, alter, delete or destroy business data and systems, but they can also persist their presence, undetected, so that they can gain access to the system again at a later date.

2 | Using Multi-Factor Authentication for Secure Access

Introducing Multi-Factor Authentication

Azure MFA Concepts

For organizations that need to be compliant with industry standards, such as PCI DSS version 3.2, MFA is a must-have capability to authenticate users. Beyond being compliant with industry standards, enforcing MFA to authenticate users can also help organizations to mitigate credential theft attacks. Azure MFA helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication through a range of easy-to-use authentication methods. How many methods can you identify from this graphic?

The security of MFA two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. Authentication methods include:

●● Something you know (typically a password)
●● Something you have (a trusted device that is not easily duplicated, like a phone)
●● Something you are (biometrics)

✔️ Can you think of any ways to overcome the two-step authentication? For example, phishing, stolen devices, or malware.

For more information, you can see:


Multi-factor authentication - https://azure.microsoft.com/en-us/services/multi-factor-authentication/

Video - MFA Overview

✔️ This is an older video that refers to Windows Azure, but it still makes some excellent points about how to use MFA.

Azure MFA Features

Simple graphic showing three icons representing three authentication factors or “forms:” phone call, text message, and mobile app notification. Get more security with less complexity. Azure MFA helps safeguard access to data and applications and helps to meet customer demand for a simple sign-in process. Get strong authentication with a range of easy verification options—phone call, text message, or mobile app notification—and allow customers to choose the method they prefer.

Mitigate threats with real-time monitoring and alerts. MFA helps protect your business with security monitoring and machine-learning-based reports that identify inconsistent sign-in patterns. To help mitigate potential threats, real-time alerts notify your IT department of suspicious account credentials.

Deploy on-premises or on Azure. Use MFA Server on your premises to help secure VPNs, Active Directory Federation Services, IIS web applications, Remote Desktop, and other remote access applications using RADIUS and LDAP authentication. Add an extra verification step to your cloud-based applications and services by turning on Multi-Factor Authentication in Azure Active Directory.

Use with Office 365, Salesforce, and more. MFA for Office 365 helps secure access to Office 365 applications at no additional cost. Multi-Factor Authentication is also available with Azure Active Directory Premium and thousands of software-as-a-service (SaaS) applications, including Salesforce, Dropbox, and other popular services.

Add protection for Azure administrator accounts. MFA adds a layer of security to your Azure administrator account at no additional cost. When it's turned on, you need to confirm your identity to create a virtual machine, manage storage, or use other Azure services. ✔️ Is your organization using MFA? Do you see a need for the feature? For more information, you can see: Multi-Factor Authentication - https://azure.microsoft.com/en-us/services/multi-factor-authentication/

MFA Licensing and Pricing

There are three pricing methods for Azure MFA.

Consumption based billing. Azure MFA is available as a stand-alone service with per-user and per-authentication billing options.

●● Per user. You can pay per user. Each user has unlimited authentications. Use this model if you know how many users you have and can accurately estimate your costs.
●● Per authentication. You can pay for a bundle (10) of authentications. Use this model when you are unsure how many users will participate in MFA authentication.

MFA licenses included in other products. MFA is included in Azure AD Premium, Enterprise Mobility Suite, and Enterprise Cloud Suite.

Direct and Volume licensing. MFA is available through a Microsoft Enterprise Agreement, the Open Volume License Program, the Cloud Solution Providers program, and Direct, as an annual user based model.

✔️ Which of these licensing options is appropriate for your organization?

For more information, you can see: MFA Pricing - https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/


Microsoft Authenticator App

The Microsoft Authenticator app helps prevent unauthorized access to accounts and stop fraudulent transactions by giving you an additional level of security for your work or school account or your personal Microsoft account. You can use it either as a second verification method or as a replacement for your password when using phone sign-in. When using the app for two-step verification, it can work in one of two ways:

●● Notification. The app sends a notification to your device. Make sure the notification is correct, and then select Verify. If you don’t recognize the notification, select Deny.
●● Verification code. After you type your username and password, you can open the app and copy the verification code provided on the Accounts screen on to the sign-in screen. The verification code acts as a second form of authentication.

✔️ Remember these app choices. When you enable MFA for a user you will have a chance to select one or both options.

For more information, you can see: Get the app - https://www.microsoft.com/en-us/account/authenticator Microsoft Authenticator app FAQ - https://docs.microsoft.com/en-us/azure/active-directory/user-help/microsoft-authenticator-app-faq

Video - Authenticator App

MFA for Global Admins

Azure MFA is included free of charge for global administrator security. Enabling MFA for global administrators provides an added level of security when managing and creating Azure resources, like virtual machines. Secondary authentication includes phone call, text message, and the authenticator app. You can use the portal to enable MFA for administrators. MFA configuration is done through the Active Directory blade and the Configure MFA link.

Once you have located the global administrator of choice you can Enable MFA.

✔️ Remember you can only enable MFA for organizational accounts stored in Active Directory. These are also called work or school accounts.

For more information, you can see: Enforce multi-factor authentication (MFA) for subscription administrators - https://docs.microsoft.com/en-us/azure/security/azure-security-global-admin

On-Premises vs Cloud MFA

There are three questions to help you determine whether on-premises or cloud based MFA is needed.

What are you trying to secure?

| What are you trying to secure | Azure MFA | MFA Server |
|---|---|---|
| First-party Microsoft apps | ● | ● |
| SaaS apps in the app gallery | ● | |
| Web applications published through Azure AD App Proxy | ● | |
| IIS applications not published through Azure AD App Proxy | | ● |
| Remote access such as VPN, RDG | | ● |

Where are your users located?

| User Location | Azure MFA | MFA Server |
|---|---|---|
| Azure Active Directory | ● | |
| Azure AD and on-premises AD using federation with AD FS | ● | ● |
| Azure AD and on-premises AD using Azure AD Connect - no password hash sync or passthrough authentication | ● | ● |
| Azure AD and on-premises AD using Azure AD Connect - with password hash sync or passthrough authentication | ● | |
| On-premises Active Directory | | ● |

What features do you need?

| Feature | Azure MFA | MFA Server |
|---|---|---|
| Mobile app notification and mobile app verification code as a second factor | ● | ● |
| Mobile app verification code as a second factor | ● | ● |
| Phone call or one-way SMS as second factor | ● | ● |
| Hardware Tokens as second factor | ● (public preview) | ● |
| PIN mode | | ● |
| Fraud alert and MFA reports | ● | ● |
| Remember MFA for trusted devices | ● | |
| Conditional access | ● | ● |

✔️ Be sure to read more at the reference link. Are you ready for Azure MFA?

For more information, you can see: Which version of Azure MFA is right for my organization? - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion

Implementing MFA

Video - How MFA Works

✔️ This is an older video that refers to Windows Azure, but it is still very relevant and provides an excellent recap of the concepts behind MFA. Windows Azure is now Microsoft Azure.

The MFA Process

Here is what happens when somebody attempts to connect to a resource which is being secured by Azure AD MFA:

On-premises MFA authentication

If the service is on-premises, the local MFA authentication service will validate the initial sign-in by passing the authentication request to the on-premises Active Directory. If the correct credentials were entered and validated, the request is then forwarded to the Azure MFA authentication server. The Azure MFA server will then send an additional verification challenge to the user. The methods that can be easily configured are:

●● Phone Call. A call is placed to the user’s registered phone.
●● Text Message. A six-digit code is sent to the user’s cell phone.
●● Mobile App Notification. A verification request is sent to a user’s smart phone asking them to complete the verification by selecting Verify in the mobile app.
●● Mobile app verification code. A six-digit code is sent to the user’s mobile app. This code is then entered on the sign-in page.
●● Open Authentication (OATH) compliant tokens. These can also be used as a verification method.

Azure MFA authentication


If the service is running in Azure, your sign-in request will first be sent to Azure Active Directory for initial validation, and then on to the MFA authentication server running in Azure. Validation then continues as above.

✔️ MFA gives the requesting user assurance that someone cannot easily impersonate them. MFA should be required on all services, and certainly on mobile services.

MFA User Settings

Let’s briefly look at the user settings that are available for MFA.

Allow users to create app passwords to sign in to non-browser apps. This would be applicable to older applications like Outlook 2010.

✔️ Notice that if you are not using the Authenticator App then the last two verification options may not apply.

The last selection is to cache passwords so that users do not have to authenticate on trusted devices. The number of days before a user must re-authenticate on trusted devices can also be configured, with a value from 1 to 60 days. The default is 14 days.

When MFA is required, the first time a user logs in they will be prompted to configure their settings.

Screenshot of the additional security configuration page where a user can set the form of authentication required as well as the specific method of how the authentication is provided. For example, with phone authentication, either “send me a code by text message,” or

Authentication Methods

It’s common to hear news reports of passwords being stolen and identities being compromised. Requiring a second factor in addition to a password immediately increases the security of your organization. For this reason, Azure Active Directory (Azure AD) includes features, like Azure MFA and Azure AD self-service password reset (SSPR), to help administrators protect their organizations and users with additional authentication methods.

When a user needs to access a sensitive application, reset their password, or enable Windows Hello, they may be asked to provide additional verification that they are who they say they are. Additional verification may come in the form of authentication methods such as:

●● A code provided in an email or text message.
●● A phone call.
●● A notification or code on their phone.
●● Answers to security questions.

Azure MFA and Azure AD SSPR give administrators control over configuration, policy, monitoring, and reporting using Azure AD and the Azure portal to protect their organizations.

✔️ Azure AD self-service password reset (SSPR) was covered in the Managing Identities course. The following topic provides a high-level comparison of MFA and SSPR in terms of which feature supports which authentication method.

MFA and SSPR Comparison

Azure AD self-service password reset (SSPR) and MFA may ask for additional information, known as authentication methods or security info, to confirm you are who you say you are when using the associated features. Administrators can define in policy which authentication methods are available to users of SSPR and MFA. Some authentication methods may not be available to all features. Microsoft highly recommends administrators enable users to select more than the minimum required number of authentication methods in case they do not have access to one.

| Authentication Method | Usage |
|---|---|
| Password | MFA and SSPR |
| Security questions | SSPR Only |
| Email address | SSPR Only |
| Microsoft Authenticator app | MFA and Public Preview for SSPR |
| SMS | MFA and SSPR |
| Voice call | MFA and SSPR |
| App passwords | MFA only in certain cases |

✔️ Your Azure AD password is considered an authentication method. It is the one method that cannot be disabled.


Enabling Multi-Factor Authentication

To enable MFA, go to the User Properties in Azure Active Directory, and then the Multi-Factor Authentication option. From there, you can select the users that you want to modify and enable for MFA. You can also bulk enable groups of users with PowerShell.

✔️ On first-time sign-in, after MFA has been enabled, users are prompted to configure their MFA settings. For example, if you enable MFA so that users must use a mobile device, users will be prompted to configure their mobile device for MFA. Users must complete those steps; they will not be permitted to sign in until they have validated that their mobile device is MFA-compliant.

Trusted IPs

Trusted IPs is a feature to allow federated users or IP address ranges to bypass two-step authentication. Notice there are two selections in this screenshot.

Which selections you can make depends on whether you have managed or federated tenants.

●● Managed tenants. For managed tenants, you can specify IP ranges that can skip MFA.
●● Federated tenants. For federated tenants, you can specify IP ranges and you can also exempt AD FS claims users.

✔️ The Trusted IPs bypass works only from inside of the company intranet. If you select the All Federated Users option and a user signs in from outside the company intranet, the user must authenticate by using two-step verification. The process is the same even if the user presents an AD FS claim.

For more information, you can see: Trusted IPs - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

One-time Bypass

The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds.

✔️ In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass, so the user can access the desired resource. For more information, you can see: Bypass options - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass

Conditional Access Policies

As an administrator, you may want to apply a more fine-grained control over access to the apps in your environment. You should consider conditional access policies. Conditional access is a capability of Azure AD (with an Azure AD Premium license) that enables you to enforce controls on the access to apps in your environment based on specific conditions from a central location. With Azure AD conditional access, you can factor how a resource is being accessed into an access control decision. By using conditional access policies, you can apply the right access controls under the required conditions.

1 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

In the context of conditional access:

●● “When this happens” is called conditions.
●● “Then do this” is called access controls.

The combination of your conditions with your access controls represents a conditional access policy. With access controls, you can either Block Access altogether or Grant Access with additional requirements by selecting the desired controls. You have several options:

●● Require MFA from Azure AD or an on-premises MFA (combined with AD FS).
●● Grant access to only trusted devices.
●● Require a domain-joined device.
●● Require mobile devices to use Intune app protection policies2.

In the preceding list, requiring additional account verification through MFA is a common scenario. While users may be able to sign in to most of your organization’s cloud apps, you may want that additional verification for things like your email system, or apps that contain personnel records or sensitive information. In Azure AD, you can accomplish this with a conditional access policy. An opportunity to try this is provided at the end of this lesson.

✔️ Do you think conditional access would be something your organization is interested in?

For more information, you can see: Conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal Grant controls - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-controls#grant-controls
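The three mechanisms described in this lesson, Trusted IPs, the one-time bypass, and conditional access policies, all feed a single access decision: conditions are matched, a control (block, grant, or grant with MFA) results, and an MFA requirement may then be satisfied by a trusted source IP or an unexpired one-time bypass. The following is an added example, not code from the AZ-101 handbook and not Azure AD's evaluation engine, that models that "when this happens, then do this" logic end to end so the interaction between the pieces can be seen. The policies, group and app names, the 10.0.0.0/8 intranet range, and the precedence rules (block wins over everything, then device requirements, then MFA) are all constructed for the demonstration.

```python
"""Simulate MFA access-control decisions: conditional access policies,
trusted IPs and a one-time bypass.

Added example (not from the AZ-101 handbook, not Azure AD's engine). It
models the 'when this happens, then do this' logic: sign-in conditions
(user groups, target app, client IP, device state) are matched against
policies, and the result is block, grant, or grant with MFA required. A
trusted IP range can skip MFA; a one-time bypass lets a single sign-in
through without the second factor for a limited number of seconds. All
names, ranges and policies are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class SignIn:
    user: str
    groups: Set[str]
    app: str
    client_ip: str
    device_compliant: bool
    time: int                  # epoch seconds


@dataclass
class Policy:
    """One conditional access policy: conditions (apps, groups) -> control."""
    name: str
    apps: Set[str]             # "*" matches every app
    groups: Set[str]           # "*" matches every user
    control: str               # "block", "require_mfa" or "require_compliant_device"


def policy_matches(p: Policy, s: SignIn) -> bool:
    app_ok = "*" in p.apps or s.app in p.apps
    group_ok = "*" in p.groups or bool(p.groups & s.groups)
    return app_ok and group_ok


class OneTimeBypass:
    """Per-user bypass that expires after `seconds` and is consumed on use."""

    def __init__(self) -> None:
        self._expiry: Dict[str, int] = {}

    def grant(self, user: str, issued_at: int, seconds: int) -> None:
        self._expiry[user] = issued_at + seconds

    def consume(self, user: str, now: int) -> bool:
        expires = self._expiry.pop(user, None)   # removed whether or not it is still valid
        return expires is not None and now <= expires


def evaluate(s: SignIn, policies: List[Policy], trusted_ips: List[str],
             bypass: Optional[OneTimeBypass] = None) -> str:
    """Return 'block', 'grant' or 'grant_with_mfa'. Block always wins, then a
    device requirement, then MFA, which a trusted IP or an unexpired one-time
    bypass may satisfy."""
    matched = [p for p in policies if policy_matches(p, s)]
    if any(p.control == "block" for p in matched):
        return "block"
    if any(p.control == "require_compliant_device" for p in matched) and not s.device_compliant:
        return "block"
    if not any(p.control == "require_mfa" for p in matched):
        return "grant"
    ip = ip_address(s.client_ip)
    if any(ip in ip_network(r) for r in trusted_ips):
        return "grant"                           # trusted IP: two-step verification skipped
    if bypass is not None and bypass.consume(s.user, s.time):
        return "grant"                           # single sign-in let through; bypass used up
    return "grant_with_mfa"


# Constructed policies and trusted intranet range.
POLICIES = [
    Policy("MFA for Exchange", apps={"exchange"}, groups={"*"}, control="require_mfa"),
    Policy("MFA for HR app", apps={"hr"}, groups={"*"}, control="require_mfa"),
    Policy("Block legacy share", apps={"legacy-share"}, groups={"*"}, control="block"),
    Policy("Compliant device for HR", apps={"hr"}, groups={"hr-staff"}, control="require_compliant_device"),
]
TRUSTED_IPS = ["10.0.0.0/8"]

if __name__ == "__main__":
    alice = SignIn("alice", {"hr-staff"}, "hr", "203.0.113.7", True, 1000)
    print("alice from the internet:", evaluate(alice, POLICIES, TRUSTED_IPS))
    alice.client_ip = "10.1.2.3"
    print("alice from the intranet:", evaluate(alice, POLICIES, TRUSTED_IPS))
```

The one-time bypass is deliberately consumed on the first sign-in that uses it and is removed even when it has already expired, which mirrors the "single time, then expires after a specified number of seconds" behaviour described earlier; and the trusted-IP check only applies once an MFA requirement exists, so it can never override a block or a device requirement.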

Fraud Alerts

Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources. Users can report fraud attempts by using the mobile app or through their phone.
●● Block user when fraud is reported. If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report and take appropriate action to prevent future fraud. An administrator can then unblock the user's account.
●● Code to report fraud during initial greeting. When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.

2 https://docs.microsoft.com/intune/app-protection-policy

✔️ The default voice greetings from Microsoft instruct users to press 0# to submit a fraud alert. If you want to use a code other than 0, record and upload your own custom voice greetings with appropriate instructions for your users.
For more information, you can see:
Turn on fraud alerts - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#turn-on-fraud-alerts 3

Practice - MFA Authentication Pilot

To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud apps using a user name and a password. However, some environments may have scenarios where it would be advisable to require a strong form of account verification. Take a few minutes to try this Quickstart4, where you configure an Azure AD conditional access policy that requires multi-factor authentication (MFA) for a selected cloud app in your environment. If you decide to try this Quickstart, you will need:
●● Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium capability.

3 https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
4 https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa


●● A test account called Isabella Simonsen. If you don't know how to create a test account, see Add cloud-based users5.
The specific tasks in this Quickstart include:
●● Create the required conditional access policy.
●● Evaluate a simulated sign in.
●● Test the conditional access policy.
✔️ If you can’t meet the prerequisites, read through the steps instead.
For more information, you can see:
What is conditional access in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

Practice - MFA Conditional Access

Take a minute to try the Tutorial: Complete an Azure Multi-Factor Authentication pilot roll out6. This tutorial walks you through configuring a conditional access policy that enables Azure MFA when signing in to the Azure portal. The policy is deployed to and tested on a specific group of pilot users. You will learn how to:
●● Enable Azure Multi-Factor Authentication.
●● Test Azure Multi-Factor Authentication.
✔️ Deployment of Azure MFA using conditional access provides significant flexibility for organizations and administrators compared to the traditional enforced method.
For more information, you can see:
Quickstart: Add new users to Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
Create a group and add members in Azure Active Directory - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

5 https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
6 https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-mfa-applications

Module 2 Review Questions
Introducing Multi-Factor Authentication

What are the mechanisms generally used by Multi-Factor Authentication (MFA) two-step verification to authenticate users at sign-in? What is the cost of Azure MFA for global administrators?

Suggested Answer ↓  MFA authentication methods include: something the user knows (typically a password), something the user has (such as a trusted device that is not easily duplicated, like a phone), and something the user is (biometrics). Azure MFA is included free of charge for global administrators.
Trusted IPs
What functionality does Trusted IPs provide? How do you select its different options?

Suggested Answer ↓  Trusted IPs is a feature that allows federated users or IP address ranges to bypass two-step verification. The options you select depend on whether you have managed or federated tenants. For managed tenants, you can specify IP ranges that can skip MFA. For federated tenants, you can specify IP ranges and you can also exempt AD FS claims users.
Conditional Access Policies
What three questions should you consider to help you determine whether on-premises or cloud-based MFA is needed?

Suggested Answer ↓  The three questions that you need to ask when determining the type of MFA you want to implement are: what are you trying to secure, where are your users located, and what features do you need? For example, if you were trying to secure remote access such as VPN, while using Azure AD and an on-premises AD with AD FS, and you wanted to implement conditional access policies, you would use MFA Server.


Getting Started with PIM
Video - Identity Protection and PIM

This video covers two things: Identity Protection and PIM. PIM is the focus of this module. Identity Protection was covered in the Manage Identities course.

Azure AD PIM

Azure AD Privileged Identity Management (PIM), also known as just-in-time administration, is a cloud-based service designed to protect your cloud-based resources. With Azure AD PIM you can minimize the number of users who can execute privileged operations in Azure AD, Azure, Office 365, or SaaS applications. Azure AD PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.

Azure AD Privileged Identity Management helps your organization: ●● See which users are assigned privileged roles to manage Azure resources, as well as which users are assigned administrative roles in Azure AD.


3 | Azure AD Privileged Identity Management


●● Enable on-demand, “just in time” administrative access to Microsoft Online Services like Office 365 and Intune, and to Azure resources of subscriptions, resource groups, and individual resources such as virtual machines.
●● See a history of administrator activation, including what changes administrators made to Azure resources (Preview).
●● Get alerts about changes in administrator assignments.
●● Require approval to activate Azure AD privileged admin roles.
●● Review membership of administrative roles and require users to provide a justification for continued membership.
✔️ Azure AD PIM can manage users assigned to the built-in Azure AD organization roles, such as Global Administrator. PIM can also manage the users and groups assigned via Azure RBAC roles, including Owner or Contributor.
✔️ When you enable PIM for your tenant, a valid Azure AD Premium P2 or Enterprise Mobility + Security E5 paid or trial license is required for each user that interacts with or receives a benefit from the service.
For more information, you can see:
Azure AD PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Azure Active Directory Privileged Identity Management subscription requirements - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements

PIM Tasks

Once Azure AD Privileged Identity Management is set up, you will see the navigation blade whenever you open the application.

●● My Roles displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
●● Approve Requests displays a list of requests to activate eligible Azure AD directory roles by users in your directory, which you are designated to approve.
●● Pending Requests displays any of your pending requests to activate eligible role assignments.
●● Review Access lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.

●● Azure AD directory roles displays the dashboard for privileged role administrators to manage role assignments, change role activation settings, start access reviews, and more. This dashboard is disabled for anyone who isn't a privileged role administrator.
●● Azure Resource roles displays a list of subscription resources for which you have role assignments.
✔️ At the time of writing, some Azure PIM features are in Preview. Like all Azure features and functionality, this is subject to frequent change, so we don’t always identify when a feature is in preview, unless there is a specific reason to do so.
✔️ Take a few minutes to locate the PIM blade and review the tasks.
For more information, you can see:
Navigate to your tasks - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started#navigate-to-your-tasks 1

PIM Access

The global administrator who enables Azure AD Privileged Identity Management (PIM) for an organization automatically gets role assignments and access to PIM. No one else gets write access by default, though, including other global administrators. Other global administrators, security administrators, and security readers have read-only access to Azure AD PIM. To give access to PIM, the first user can assign others to the Privileged Role Administrator role.

Whenever you assign a new role to someone, they are automatically set up as eligible to activate the role. If you want to make them permanent in the role, click the user in the list and select Make permanent in the user information menu.
✔️ Managing Azure AD PIM requires Azure MFA. Since Microsoft accounts cannot register for Azure MFA, a user who signs in with a Microsoft account cannot access Azure AD PIM.
For more information, you can see:

1 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started


Giving access to manage Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim#give-another-user-access-to-manage-pim 2

PIM Dashboard

You can use a resource dashboard to perform an access review in Privileged Identity Management (PIM) for Azure resources. The Admin View dashboard has three primary components:
●● A graphical representation of resource role activations.
●● Two charts that display the distribution of role assignments by assignment type.
●● A data area pertaining to new role assignments.

For more information, you can see:
Use a resource dashboard to perform an access review - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-overview-dashboards

Practice - Discover and Manage Azure Resources

Learn how to discover and manage Azure resources when you use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD). This information can be helpful to organizations that already use PIM to protect administrator resources, and to subscription owners who are looking to secure production resources. Take a few minutes to try Discover Resources3.
✔️ You can only search for and select subscription resources to manage by using PIM. When you manage a subscription in PIM, you can also manage child resources in the subscription.
For more information, you can see:
Discover and manage Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

2 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim
3 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

PIM Security Wizard

If you're the first person to run Azure PIM for your organization, you will be presented with a wizard. The wizard helps you understand the security risks of privileged identities and how to use PIM to reduce those risks. You don't need to make any changes to existing role assignments in the wizard if you prefer to do it later.

✔️ It is important that you have at least one global administrator, and more than one privileged role administrator with an organizational account (not a Microsoft account). If there is only one privileged role administrator, the organization will not be able to manage PIM if that account is deleted.
✔️ After you have made changes, the wizard will no longer show up. The next time you or another privileged role administrator use PIM, you will see the PIM dashboard.
For more information, you can see:
Using the security wizard in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-security-wizard

Review Your Admins

In Step 1 you review the permanent and temporary admins in your organization. The more permanent admins your organization has, the bigger its attack surface, leaving you more exposed to cyberattacks and security breaches. The idea here is that not all administrators in an organization need to be in that role on a permanent basis. While there will be a need for some permanent admin roles, you should evaluate whether all administrators need that level of access all the time. This simple exercise gives an organization more visibility into its administrative setup, where things can easily be missed or overlooked in larger organizations. Personnel come and go all the time, and roles and assignments change periodically.


✔️ Security Administrator is a new role used to administer Azure AD PIM.

Minimize Your Admins' Attack Surface

In Step 2 you can minimize your attack surface by removing administrators. You can also switch permanent admins to temporary access rights. When an administrator becomes temporary, an email notification is sent to inform the admin of the change and explain the process for activating administrative privileges. Again, the idea is to close off opportunities that would otherwise present themselves to attackers because administrators hold extended rights and privileges they either don’t need, or no longer need.

Define Temporary Admin Settings

In Step 3 you can define default settings for your temporary admins. These settings only affect users who are eligible admins, not permanent admins.

●● Activations. The time, in hours, that a role stays active before it expires. This can be between 1 and 72 hours.
●● Notifications. You can choose whether the system sends emails to admins confirming that they have activated a role. This can be useful for detecting unauthorized or illegitimate activations.
●● Incident/Request Ticket. You can choose whether to require eligible admins to include a ticket number when they activate their role. This can be useful when you perform role access audits.
●● Multi-Factor Authentication. You can choose whether to require users to verify their identity with MFA before they can activate their roles. They only verify this once per session, not every time they activate a role. Remember that users who have Microsoft accounts for their email addresses (typically @outlook.com, but not always) cannot register for Azure MFA. If you want to assign roles to users with Microsoft accounts, you must either make them permanent admins or disable MFA for that role.
✔️ You cannot disable MFA for highly privileged roles for Azure AD and Office 365. Do you see why?
For more information, you can see:
How to manage role activation settings in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
Email Notifications - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications

Demonstration - PIM Security Wizard, Alerts, and Reviews


PIM Directory Roles
Directory Roles

Azure AD PIM manages policies for privileged access for users in Azure AD. With PIM you can assign users to one or more roles in Azure AD, and you can assign someone to be permanently in the role, or eligible for the role. When a user is permanently assigned to a role, or activates an eligible role assignment, they can manage Azure AD, Office 365, and other applications with the permissions assigned to their roles.
✔️ Only a Global Administrator or Privileged Role Administrator can update which users are permanently assigned to roles in Azure AD. An eligible administrator can activate the role when they need it, and their permissions expire once they're done.
PIM can assign users to many common administrator roles. Here are a few; check the reference link for other available roles.

●● Global administrator (also known as Company administrator) has access to all administrative features. The person who signs up to purchase Office 365 automatically becomes a global admin. You can have more than one global admin in your organization.
●● Privileged role administrator manages Azure AD PIM and updates role assignments for other users.
●● Billing administrator makes purchases, manages subscriptions, manages support tickets, and monitors service health.
●● Password administrator resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users.
●● Service administrator manages service requests and monitors service health.
✔️ Is there anyone, other than the Global Administrator, in your organization that needs a permanent role assignment? Which roles are you interested in using PIM to make assignments?
For more information, you can see:
Directory roles you can manage using Azure AD PIM - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-roles

Demonstration - PIM Approval Workflows

You can use the default PIM approvals or select specific users and groups for a privileged role.

PIM Directory Alerts

Azure Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your environment. When an alert is triggered, it shows up on the PIM dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.

Alerts are categorized into three areas: High (immediate action is needed), Medium (signals a potential policy violation), and Low (suggests a preferable policy change). Here are some common alerts:
●● “Roles are being activated too frequently”. This alert triggers if a user activates the same privileged role multiple times within a specified period. You can configure both the time (days, hours, and minutes) and the number of activations (2 to 100).
●● “There are too many global administrators”. PIM triggers this alert if two different criteria are met, and you can configure both. First, you need to reach a certain threshold of global administrators (2 to 100). Second, a certain percentage (0 to 100%) of your total role assignments must be global administrators.
●● “Administrators aren't using their privileged roles”. This alert triggers if a user goes a certain amount of time without activating a role. Specify the number of days, from 0 to 100, that a user can go without activating a role.
✔️ PIM will also alert you if roles are being assigned outside of PIM. This is a high severity alert. You should immediately check the users in the list and remove them from privileged roles assigned outside of PIM.
For more information, you can see:
How to configure security alerts in Azure AD Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
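The alerts above are simple rules over activation and assignment data, and they are worth understanding precisely because the thresholds are yours to set. The following Python is an added example for this handbook, not PIM's implementation: the activation log, the role assignments, the thresholds, and the Medium and Low severities given to the three configurable alerts are assumptions chosen to match this lesson's definitions of the severity levels; only the High severity for roles assigned outside PIM is stated in the lesson.

```python
"""Detection logic for the PIM directory alerts described in this lesson.

Added example for this handbook, not PIM's implementation. The activation log,
the assignments, the thresholds and the Medium/Low severities for the three
configurable alerts are constructed; the lesson only states that roles assigned
outside PIM are High.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GA = "Global Administrator"

# Constructed data: (user, role, activated_at) and (user, role, kind, source).
T0 = datetime(2021, 2, 1, 8, 0)
ACTIVATIONS = [
    ("alice", GA, T0),
    ("alice", GA, T0 + timedelta(hours=1)),
    ("alice", GA, T0 + timedelta(hours=2)),
    ("bob", "Security Administrator", T0 - timedelta(days=45)),
]
ASSIGNMENTS = [
    ("alice", GA, "eligible", "pim"),
    ("bob", "Security Administrator", "eligible", "pim"),
    ("carol", GA, "permanent", "pim"),
    ("dave", GA, "permanent", "outside"),   # added directly in Azure AD, bypassing PIM
    ("erin", "Billing Administrator", "eligible", "pim"),
]
NOW = T0 + timedelta(days=1)


def too_frequent(activations, window, max_activations):
    """'Roles are being activated too frequently': the same user activates the
    same role at least max_activations times within any sliding window."""
    by_key = defaultdict(list)
    for user, role, ts in activations:
        by_key[(user, role)].append(ts)
    flagged = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_activations:
                flagged.append(key)
                break
    return sorted(flagged)


def too_many_global_admins(assignments, min_count, min_percent):
    """'There are too many global administrators': BOTH thresholds must be met,
    an absolute count of GA users and a share of all role assignments."""
    ga_users = {u for u, role, _, _ in assignments if role == GA}
    ga_share = 100.0 * sum(role == GA for _, role, _, _ in assignments) / max(len(assignments), 1)
    return sorted(ga_users) if len(ga_users) >= min_count and ga_share >= min_percent else []


def unused_roles(assignments, activations, now, max_idle_days):
    """'Administrators aren't using their privileged roles': eligible assignments
    with no activation in the last max_idle_days (permanent admins never activate)."""
    last = {}
    for user, role, ts in activations:
        last[(user, role)] = max(ts, last.get((user, role), ts))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted((u, r) for u, r, kind, _ in assignments
                  if kind == "eligible" and last.get((u, r), datetime.min) < cutoff)


def assigned_outside_pim(assignments):
    """Assignments that did not go through PIM: the lesson rates this High."""
    return sorted((u, r) for u, r, _, source in assignments if source != "pim")


def run_alerts(assignments, activations, now):
    """Evaluate all four alerts; thresholds are assumptions chosen for the sample data."""
    checks = [
        ("High", "Roles are being assigned outside of PIM", assigned_outside_pim(assignments)),
        ("Medium", "Roles are being activated too frequently",
         too_frequent(activations, timedelta(days=1), max_activations=3)),
        ("Low", "There are too many global administrators",
         too_many_global_admins(assignments, min_count=3, min_percent=40)),
        ("Low", "Administrators aren't using their privileged roles",
         unused_roles(assignments, activations, now, max_idle_days=30)),
    ]
    return [(sev, name, hits) for sev, name, hits in checks if hits]


if __name__ == "__main__":
    for severity, name, hits in run_alerts(ASSIGNMENTS, ACTIVATIONS, NOW):
        print(f"[{severity:6s}] {name}: {hits}")
```

Two details matter when tuning these rules. The global administrator alert needs both the count and the percentage to be met, so a tenant with three global administrators out of three hundred assignments will not fire it while the same three out of five will. The unused-role check considers eligible assignments only: a permanent administrator never activates anything, so the remedy for that case is the Security Wizard's Step 2, not this alert.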


Practice - Assign Directory Roles

The Azure AD Privileged Identity Management (PIM) service also allows privileged role administrators to make permanent directory role assignments. Additionally, privileged role administrators can make users eligible for directory roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done. Take a few minutes and try it for yourself, Assign directory roles to users using Azure AD PIM4.

In this tutorial, you learn how to:
●● Make a user eligible for a role.
●● Make a role assignment permanent.
●● Remove a user from a role.
✔️ At the time of this writing, there are no PIM related commands in the AzureAD or AzureADPreview PowerShell modules. You will need to install Microsoft.Azure.ActiveDirectory.PIM.PSModule from the PowerShell Gallery. This gives you access to commands like Enable-PrivilegedRoleAssignment.
For more information, you can see:
PowerShell Gallery Microsoft.Azure.ActiveDirectory.PIM.PSModule - https://www.powershellgallery.com/packages/Microsoft.Azure.ActiveDirectory.PIM.PSModule/2.0.0.1513

Practice - Activate and Deactivate PIM Roles

If you have been made eligible for an administrative role, that means you can activate that role when you need to perform privileged actions. Take a few minutes and try the How to activate or deactivate roles in Azure AD Privileged Identity Management5 tutorial.

4 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
5 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

In this tutorial, you learn how to:
●● Add the Privileged Identity Management application.
●● Activate a role.
●● Deactivate a role.
●● Cancel a pending request.

Practice - Directory Roles (General)

With Azure AD Privileged Identity Management (PIM), you can manage, control, and monitor access within your organization. This scope includes access to Azure resources, Azure AD, and other Microsoft online services like Office 365 or Microsoft Intune. As you've already learned in this lesson, Azure PIM simplifies how you manage privileged access to resources in Azure and other services. From role activation or deactivation to setting up security alerts for suspicious or unsafe activity in your environment, and many other tasks, PIM helps minimize your environment's attack surface through more granular control of the roles that have administrative access and their sets of privileges. There are many things to explore and try in this practice. As you have time, try or review any of the following tasks.
●● How to give other admins access to PIM6
●● How to add or remove a user role7
●● How to activate or deactivate a role8
●● How to change or view the default activation settings for a role9
●● How to configure security alerts10

6 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim
7 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
8 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
9 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
10 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts


●● How to start an access review11
●● How to perform an access review12
●● How to complete an access review13
●● How to require MFA14
●● How to use the audit log15
✔️ Keep in mind the prerequisites for performing these exercises: a valid Azure AD Premium P2 or Enterprise Mobility + Security E5 paid or trial license is required for each user that interacts with or receives a benefit from the service.

11 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
12 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-perform-security-review
13 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-complete-review
14 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa
15 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log

PIM for Role Resources
Activate Roles

PIM is now being expanded from administrator privileges to resource role assignments. Using Just Enough Administration (JEA) best practices, users and group members with assignments in Azure subscriptions or resource groups can activate their existing role assignment at a reduced scope. Eligible role members can schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators). If the start date and time are not modified, the role is activated in seconds. In this example, a user has requested activation of the Contributor role.

✔️ Do you see how PIM for Role Resources is different from PIM for Directory Roles?
For more information you can see:
Activate roles for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles

Assign Roles

Role assignments can be Just in time or Direct.
Screenshot: the New assignment page in the portal, showing the Membership settings pane.
●● Just in time. Provides the user or group members with eligible but not persistent access to the role for a specified period or indefinitely (if configured in role settings).
●● Direct. Does not require the user or group members to activate the role assignment (known as persistent access).
✔️ We recommend using direct assignment for short-term use, where access won’t be required when the task is complete. Examples are on-call shifts and time-sensitive activities.
For more information, you can see:
Manage security alerts for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts


PIM Resource Alerts

PIM for Azure Resources generates alerts when there is suspicious or unsafe activity in your environment. When an alert is triggered, it shows up on the Alerts page. This is the same as for the PIM Directory Alerts.

The severity levels (high, medium, and low) are also the same, but the substance of the alerts is different.
●● Too many owners assigned to a resource. Severity: Medium. Trigger: too many users have the owner role. Recommendation: review the users in the list and reassign some to less privileged roles.
●● Too many permanent owners assigned to a resource. Severity: Medium. Trigger: too many users are permanently assigned to a role. Recommendation: review the users in the list and reassign some to require activation for role use.
●● Duplicate role created. Severity: Medium. Trigger: multiple roles have the same criteria. Recommendation: use only one of these roles.
✔️ You determine when the alert fires by specifying the minimum number of owners and the minimum percentage of owners. Read more at the reference link.
For more information, you can see:
Manage security alerts for Azure resources by using Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts

PIM Workflow Example

Approval workflows, to restrict and protect access to resources, were discussed in the previous lesson. Now let’s look at a specific example.

1. Bob, a resource administrator, uses PIM to assign Alice as an eligible member of the Owner role in the Contoso subscription. With this assignment, Alice is an eligible owner of all resource groups (Test, Dev, and Prod) within the subscription. Alice is also an eligible owner of all resources (like virtual machines) within each resource group of the subscription.
2. Bob uses PIM to require that all members of the Owner role for the subscription request approval to be activated. To help protect the resources in the Prod resource group, Bob also requires approval for members of the Owner role of this resource group. The Owner roles in Test and Dev do not require approval for activation.
3. When Alice requests activation of her Owner role for the subscription, an approver must approve or deny her request before she becomes active in the role. If Alice decides to scope her activation to the Prod resource group, an approver must approve or deny this request, too. But if Alice decides to scope her activation to either or both of Test and Dev, approval is not required.
✔️ You can selectively apply workflows. For example, if you have contract associates you could create a custom role for access to the Prod resource group. You could then configure PIM to require members of that role, and only that role, to be approved.
For more information, you can see:
Approval workflow for Azure resource roles in Privileged Identity Management - https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow
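The Contoso walkthrough depends on two rules that are easy to conflate: eligibility assigned at the subscription flows down to every resource group beneath it, while the approval requirement is a per-scope role setting that does not. The following Python models both, as an added example for this handbook that is not PIM's code or API: the scope IDs, the default maximum activation of 8 hours, and the "scheduled" status for a future start time are assumptions. It also adds the checks a practitioner wants around the workflow: the requested duration must stay within the configured maximum, and the requester must not be able to approve their own request.

```python
"""Scoped activation with per-scope approval, modelled on the Contoso example.
Added example for this handbook, not Azure AD PIM code. Scope IDs, the 8-hour
default maximum and the 'scheduled' status are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SUB = "/subscriptions/contoso"
# Constructed scope tree: child -> parent, with the subscription at the root.
PARENT = {SUB: None, **{f"{SUB}/resourceGroups/{rg}": SUB for rg in ("Test", "Dev", "Prod")}}


def ancestors(scope):
    """Yield the scope itself, then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


@dataclass(frozen=True)
class RoleSettings:
    require_approval: bool = False
    max_hours: int = 8  # assumed default; real PIM settings are configured per role


@dataclass
class Request:
    user: str
    role: str
    scope: str
    hours: int
    start: datetime
    status: str = ""
    reason: str = ""


class Pim:
    def __init__(self):
        self.eligible = set()   # (user, role, scope) eligible assignments
        self.settings = {}      # (role, scope) -> RoleSettings; NOT inherited by child scopes
        self.pending = []

    def make_eligible(self, user, role, scope):
        self.eligible.add((user, role, scope))

    def configure(self, role, scope, **kwargs):
        self.settings[(role, scope)] = RoleSettings(**kwargs)

    def is_eligible(self, user, role, scope):
        # Eligibility flows down: an assignment at the subscription covers
        # every resource group (and resource) beneath it.
        return any((user, role, s) in self.eligible for s in ancestors(scope))

    def request_activation(self, req, now):
        if not self.is_eligible(req.user, req.role, req.scope):
            req.status, req.reason = "rejected", "no eligible assignment at or above this scope"
            return req
        cfg = self.settings.get((req.role, req.scope), RoleSettings())
        if not 1 <= req.hours <= cfg.max_hours:
            req.status, req.reason = "rejected", f"duration must be 1..{cfg.max_hours} hours"
            return req
        if req.start < now:
            req.status, req.reason = "rejected", "start time is in the past"
            return req
        if cfg.require_approval:            # decided by the settings of the requested scope only
            req.status = "pending_approval"
            self.pending.append(req)
        else:
            req.status = "scheduled" if req.start > now else "active"
        return req

    def decide(self, req, approver, approve, justification):
        """An approver resolves a pending request; self-approval is refused."""
        if req not in self.pending:
            raise ValueError("request is not pending")
        if approver == req.user:
            raise ValueError("requesters cannot approve their own activation")
        self.pending.remove(req)
        req.status, req.reason = ("active" if approve else "denied"), justification
        return req


def contoso_example():
    """Bob makes Alice eligible Owner of the subscription and requires approval at
    the subscription and Prod scopes; Test and Dev keep the default settings."""
    pim, now = Pim(), datetime(2021, 2, 1, 9, 0)
    pim.make_eligible("alice", "Owner", SUB)
    pim.configure("Owner", SUB, require_approval=True)
    pim.configure("Owner", f"{SUB}/resourceGroups/Prod", require_approval=True)
    sub = pim.request_activation(Request("alice", "Owner", SUB, 4, now), now)
    prod = pim.request_activation(Request("alice", "Owner", f"{SUB}/resourceGroups/Prod", 4, now), now)
    test = pim.request_activation(Request("alice", "Owner", f"{SUB}/resourceGroups/Test", 4, now), now)
    dev = pim.request_activation(
        Request("alice", "Owner", f"{SUB}/resourceGroups/Dev", 2, now + timedelta(hours=2)), now)
    too_long = pim.request_activation(Request("alice", "Owner", f"{SUB}/resourceGroups/Test", 12, now), now)
    mallory = pim.request_activation(Request("mallory", "Owner", f"{SUB}/resourceGroups/Test", 1, now), now)
    pim.decide(prod, approver="bob", approve=True, justification="ticket CHG-1234")
    return {"sub": sub.status, "prod": prod.status, "test": test.status, "dev": dev.status,
            "too_long": too_long.status, "mallory": mallory.status, "pending": len(pim.pending)}
```

Calling contoso_example() reproduces the lesson's three outcomes: the subscription-scoped request waits for approval, the Prod-scoped request waits until Bob approves it, and the Test-scoped request activates immediately. The extra cases show the duration cap rejecting a 12-hour request and a user with no eligible assignment anywhere in the scope chain being refused outright.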

Practice - PIM Resource Workflows

Take a few minutes to try the steps on the Approval Workflow16 page. In this practice you will:
●● Require approval to activate.
●● Specify approvers.
●● Request approval to activate.
●● Approve or deny a request.

16 https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow


Notice that each role has both assignment and activation settings. The activation settings are just like what you have already seen earlier in the module. The assignment settings are new and include expiration information.

Module 3 Review Questions
PIM Features

What is the main purpose of Azure AD PIM? What are some of the things you can do with it?

Suggested Answer ↓  PIM is a cloud-based service designed to protect administration of your cloud-based resources. PIM has many features, including: enforce on-demand, just-in-time access; leverage per-role approval workflows; attest admin role membership with access reviews; provide just-enough administration for users and groups; and provide visibility through alerts and audit reports.
Administrator Access
The PIM Security Wizard shows the three main ways you can control administrator access. What are these ways?

Suggested Answer ↓  There are three steps in the PIM Security Wizard. In Step 1, you review the permanent and temporary admins in your organization. In Step 2, you remove administrators who are not needed and switch permanent admins to temporary (eligible) admins. In Step 3, you configure the temporary admin settings, such as activation period, email notifications, and MFA.
PIM Alerts
PIM alerts are an important feature to ensure you are being notified of important events. What are the alert severity levels? What are some of the alerts you might see for PIM Directory roles? What are some alerts you might see for PIM Role Resources?

Suggested Answer ↓  There are three PIM alert levels: high, medium, and low. Some of the directory role alerts you might see are: roles are being activated too frequently, there are too many global administrators, and Administrators aren't using their privileged roles. Alerts for resources might include: too many owners assigned to a resource, too many permanent owners assigned to a resource, and duplicate role created.

