Microsoft 365 Security, Compliance, and Identity Administration - Peter Rising - E-Book

Peter Rising

Description

Microsoft 365 Security, Compliance, and Identity Administration is designed to help you implement, manage, and monitor security and compliance solutions for Microsoft 365 environments.
With this book, you’ll first configure and administer identity and access within Microsoft 365. You’ll learn about hybrid identity, authentication methods, and Conditional Access policies with Microsoft Intune. Next, you’ll discover how RBAC and Azure AD Identity Protection can be used to detect risks and secure information in your organization. You’ll also explore Microsoft Defender for Endpoint and Microsoft Defender for Identity, along with threat intelligence. As you progress, you’ll uncover additional tools and techniques to configure and manage Microsoft 365, including Azure Information Protection, Data Loss Prevention (DLP), and Microsoft Defender for Cloud Apps.
By the end of this book, you’ll be well equipped to implement and manage security measures within your Microsoft 365 suite.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 439

Year of publication: 2023




Microsoft 365 Security, Compliance, and Identity Administration

Plan and implement security and compliance strategies for Microsoft 365 and hybrid environments

Peter Rising

BIRMINGHAM—MUMBAI

Microsoft 365 Security, Compliance, and Identity Administration

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Neha Sharma

Senior Editor: Shruti Menon

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Project Manager: Neil Dmello

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Alishon Mendonca

Marketing Coordinator: Marylou De Mello

First published: July 2023

Production reference: 180723

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul's Square

Birmingham

B3 1RB.

ISBN 978-1-80461-192-0

www.packtpub.com

To George, my oldest son. The world is tough and challenging, but it is also full of amazing opportunities, good surprises, and happy accidents. Go find yours and turn them into happiness above all else!

– Peter Rising

Contributors

About the author

Peter Rising has over 25 years of experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a consulting services manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

About the reviewers

Rahul Singh is a seasoned IT professional and Chief Teaching Officer at SV9 Academy, which is a Microsoft Learning Partner. Rahul has 17+ years of experience in the IT field as of 2023, and holds numerous certifications in the Microsoft technological stack. In addition, Rahul has also been a Microsoft Certified Trainer since 2020. He is deeply passionate about technology and demystifying complex technical architectures using various pedagogies and a systems-based learning mechanism, making learning an enjoyable and enriching experience.

With the ever-changing technical world, testing and reviewing technical content can be a very daunting task requiring perseverance and patience. I would like to take this opportunity to thank my lovely parents, who I have been blessed with by the Divine, as without their support I would not have been able to be a part of this amazing project from Packt.

Rogier Dijkman is a Principal Cloud Security Consultant at Nedscaper and a Microsoft Security MVP. With a background in architecture and software development, he is currently focusing on event-driven security in Microsoft Azure. Rogier specializes in cloud security testing and contributes to the development of tools for penetration and security teams. In his spare time, Rogier enjoys improving his coding skills and contributing to the Microsoft Security Community, but also has a passion for running and loves to train for marathons.

I would like to thank my wife, Liesbeth, for giving me the opportunity to be the best version of myself. Without her, I wouldn’t have the time and space necessary to pursue my professional and personal interests.

Table of Contents

Preface

Part 1: Implementing and Managing Identity and Access

1

Planning for Hybrid Identity

Planning your hybrid environment

Authentication methods in Azure AD

Multi-factor authentication

Self-service password reset

Conditional Access

Passwordless authentication

Synchronization methods with Azure AD Connect

Password hash synchronization

Pass-through authentication

Federation

Azure AD Seamless Single Sign-On

Azure AD Connect cloud sync

Event monitoring and troubleshooting in Azure AD Connect

Summary

Questions

Further reading

2

Authentication and Security

Implementing Azure AD dynamic group membership

Creating a dynamic group in Azure AD using the Azure portal

Creating dynamic groups with Azure AD PowerShell

Using group-based licensing in Azure AD

Implementing password management

Setting up SSPR

Registering for SSPR

Using SSPR to reset passwords

Combined registration for SSPR and MFA

Implementing and managing external identities

Implementing and managing MFA

Enabling MFA

Service settings

Configuring secondary authentication methods

Planning and implementing device authentication methods

Summary

Questions

Further reading

3

Implementing Conditional Access Policies

Explaining Conditional Access

Creating a Simple Conditional Access policy

Conditional Access and Microsoft Intune

Introducing the types of Conditional Access

Device-based Conditional Access

App-based Conditional Access

Monitoring Conditional Access events

Summary

Questions

Further reading

4

Managing Roles and Identity Governance

Planning and configuring PIM

Planning PIM

Configuring PIM

Monitoring PIM

Planning and configuring entitlement management

Planning and configuring access reviews

Summary

Questions

Further reading

5

Azure AD Identity Protection

Understanding Identity Protection

Protecting users with risk and registration policies

Configuring user risk and sign-in risk policies

Configuring MFA registration policies

Configuring alert options

Users at risk detected alerts

Weekly digest

Managing and resolving risk events

Examining users at risk

Examining risky sign-ins

Examining risk detections

Risky workload identities (preview)

Risk-based Conditional Access policies

Summary

Questions

Further reading

Part 2: Implementing and Managing Threat Protection

6

Configuring a Microsoft Defender for Identity Solution

Identifying the organizational need for MDI

Understanding suspicious activity

Exploring advanced attacks and malicious activities

Understanding the MDI architecture

Setting up MDI

Prerequisites for MDI

Installing and configuring MDI

Additional configuration options

Managing and monitoring MDI

Entity tags

Excluded entities

Monitoring MDI

Summary

Questions

Further reading

7

Configuring Device Threat Protection with Microsoft Defender for Endpoint and Intune

Planning and implementing MDE

Onboarding devices

Managing and monitoring MDE

Vulnerability management

Partners and APIs

Evaluation & tutorials

Configuration management

Implementing Microsoft Defender Application Guard, Application Control, and exploit protection

Configuring Microsoft Defender Application Guard

Configuring Microsoft Defender Application Control

Configuring Microsoft Defender Exploit Guard

Encrypting your Windows devices using BitLocker

Implementing application protection policies

Summary

Questions

Further reading

8

Configuring Microsoft Defender for Office 365

Protecting users and domains with anti-phishing protection and policies

Setting up an anti-phishing policy

Configuring Safe Attachments options and policies

Creating a Safe Attachments policy

Creating a Safe Attachments policy using Windows PowerShell

Configuring Safe Links options, blocked URLs, and policies

Creating a new Safe Links policy

Creating a Safe Links policy using Windows PowerShell

Monitoring and remediating with Microsoft Defender for Office 365 reports

Running simulated attacks with Microsoft Defender for Office 365

Further attack simulation configuration options

Summary

Questions

Further reading

9

Using Microsoft Sentinel to Monitor Microsoft 365 Security

Planning and configuring Microsoft Sentinel

Connecting Microsoft Sentinel to a workspace

Connecting Microsoft Sentinel to data sources

Configuring playbooks in Microsoft Sentinel

Creating a simple playbook

Creating a playbook using templates

Creating and using automation rules to manage responses

Managing and monitoring your Microsoft Sentinel instance

Summary

Questions

Further reading

10

Configuring Microsoft Defender for Cloud Apps

Planning your MDA implementation

Configuring MDA

Managing Cloud App Discovery

Managing the MDA catalog

Managing apps and app connectors in MDA

Configuring policies and templates

Using Conditional Access App Control with MDA

Reviewing and interpreting alerts, reports, and dashboards

Summary

Questions

Further reading

Part 3: Implementing and Managing Information Protection

11

Managing Sensitive Information

Planning a sensitivity label solution for your organization

Creating and managing SITs

Setting up sensitivity labels and policies

Setting up labels

Setting up label policies

Using sensitivity labels

Configuring and using Activity explorer

Using sensitivity labels with Teams, SharePoint, OneDrive, and Office apps

Summary

Questions

Further reading

12

Managing Microsoft Purview Data Loss Prevention

Planning and implementing DLP

Managing DLP policies for Microsoft 365 workloads

Creating a DLP policy

Testing your DLP policy

Editing your DLP policy

DLP reporting and alerting capabilities

Using PowerShell with DLP reporting

Required permissions for DLP reports

Further alerting capabilities

Implementing Endpoint DLP

Summary

Questions

Further reading

13

Managing Microsoft Purview Data Lifecycle Management

Planning for data lifecycle management

Records management

Analyzing reports and dashboards

Content explorer

Activity explorer

Configuring retention labels and policies

Creating a retention label

Creating a retention label policy

Applying retention labels

Creating a retention policy

Planning and implementing adaptive scopes

Finding and recovering deleted Microsoft 365 data

User mailboxes

OneDrive

Summary

Questions

Further reading

Part 4: Managing Compliance Features in Microsoft 365

14

Monitoring and Analyzing Audit Logs and Reports in Microsoft Purview

Planning for auditing and reporting

Investigating compliance activities by using audit logs

Performing an audit log search

Reviewing and interpreting compliance reports and dashboards

Configuring alert policies

Configuring audit log retention policies

Summary

Questions

Further reading

15

Planning For, Conducting, and Managing eDiscovery Cases

Recommending eDiscovery (Standard) or eDiscovery (Premium)

Planning for content searches and eDiscovery

Delegating the required permissions to use search and discovery tools

Creating eDiscovery cases

Managing eDiscovery cases

Adding custodians

Collecting data

Analyzing the review set results

Exporting and downloading case data

Additional tasks

Summary

Questions

Further reading

16

Managing Regulatory and Privacy Requirements

Planning your regulatory compliance journey in Microsoft 365

Managing regulatory compliance in Microsoft Purview Compliance Manager

Access to Compliance Manager

Improvement actions

Assessments and assessment templates

Exploring Microsoft Priva

Implementing privacy risk management

Implementing and managing Subject Rights Requests with Microsoft Priva

Summary

Questions

Further reading

17

Managing Insider Risk Solutions in Microsoft 365

Implementing Customer Lockbox

Implementing and managing Communication Compliance policies

Implementing and managing insider risk management policies

Getting started with Insider Risk Management policies

Creating Insider Risk Management policies

Implementing and managing Information Barriers policies

Segments and policies for Information Barriers

Implementing and managing Privileged Access Management

Summary

Questions

Further reading

Answers

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Chapter 15

Chapter 16

Chapter 17

Index

Other Books You May Enjoy

Preface

In this book, you will learn how to manage the principles of security, compliance, identity, management, and privacy within a Microsoft 365 environment.

By the end of this guide, you will understand how to securely implement and manage hybrid identity and advanced security features to protect your users and devices. You will also have learned how to deploy compliance features for information protection and governance, to ensure that business and regulatory requirements for your organization are being fulfilled.

Azure Active Directory (Azure AD) was renamed by Microsoft in July 2023 as Microsoft Entra ID. This book references the Microsoft Entra portal frequently, but still refers to Azure AD in many places. Please note that only the name has changed; so, wherever you see Azure AD mentioned, this is in fact referring to Microsoft Entra ID. For more information, please refer to https://learn.microsoft.com/en-gb/azure/active-directory/fundamentals/new-name.

Who this book is for

This book is designed to help IT professionals, administrators, or anyone looking to pursue a career in security administration to enhance their skills in utilizing the Microsoft 365 security features. Readers of this book will ideally already be well versed in the basic implementation and administration principles of Microsoft 365 and Azure Active Directory. This book will help them learn how to apply modern security, compliance, and identity principles to Microsoft 365 hybrid environments in line with best practices, while providing a user environment that is accessible and easy to use.

What this book covers

Chapter 1, Planning for Hybrid Identity, teaches you how to plan your hybrid environment with Azure AD Connect and introduces you to additional authentication security methods.

Chapter 2, Authentication and Security, covers the implementation of Azure AD dynamic groups, Azure AD self-service password reset (SSPR), multi-factor authentication (MFA), and managing external identities.

Chapter 3, Implementing Conditional Access Policies, explains the principles of Azure AD Conditional Access, how it integrates with Microsoft Intune, and how Conditional Access may be used with device- and app-based policies.

Chapter 4, Managing Roles and Identity Governance, shows you how, with the help of Privileged Identity Management (PIM), you can reduce your permanently assigned admin roles and implement eligibility with just-in-time access. You will also learn about entitlement management and access reviews.

Chapter 5, Azure AD Identity Protection, introduces the principles of identity protection, how to configure user- and sign-in-based risk policies, and how to manage and respond to alerts.

Chapter 6, Configuring a Microsoft Defender for Identity Solution, explains how to set up and manage a Defender for Identity instance and install sensors on servers.

Chapter 7, Configuring Device Threat Protection with Microsoft Defender for Endpoint and Intune, helps you to understand how to reduce your attack surface by configuring policies for Microsoft Defender Application Guard, Application Control, Exploit Guard, and Secure Boot. In addition, you will learn how BitLocker device encryption can protect Windows devices.

Chapter 8, Configuring Microsoft Defender for Office 365, covers how to protect users and domains with anti-phishing and anti-spam protection, and the application of safe attachments and safe links policies. It also covers running simulated attacks and running reports.

Chapter 9, Using Microsoft Sentinel to Monitor Microsoft 365 Security, shows you how to configure and use Microsoft Sentinel to respond to threats with playbooks.

Chapter 10, Configuring Microsoft Defender for Cloud Apps, demonstrates how to track your SaaS application usage, configure file and activity policies, integrate with Conditional Access, and navigate dashboards and logs.

Chapter 11, Managing Sensitive Information, explains how to create sensitive information types; how to plan, set up, and implement sensitivity labels and policies; and how to use content explorer and Activity explorer.

Chapter 12, Managing Microsoft Purview Data Loss Prevention, covers the planning and creation of DLP policies and how to review DLP alerts.

Chapter 13, Managing Microsoft Purview Data Lifecycle Management, teaches you how to understand retention requirements for your organization, how to configure retention labels and retention policies, how to find and recover deleted data, and how to use adaptive scopes.

Chapter 14, Managing and Analyzing Audit Logs and Reports in Microsoft Purview, teaches you how to plan for auditing and reporting, as well as understanding how to use the audit logs and alert policies and configure audit log retention.

Chapter 15, Planning For, Conducting, and Managing eDiscovery Cases, shows you how to identify and understand the different versions of eDiscovery, the roles needed to run cases, and how to manage cases.

Chapter 16, Managing Regulatory and Privacy Requirements, explains how to manage regulatory compliance in Microsoft Purview, as well as implementing privacy risk management and subject rights requests.

Chapter 17, Managing Insider Risk Solutions in Microsoft 365, teaches you the principles of privileged access management, Customer Lockbox, Insider risk management policies, and Communication Compliance policies. It also goes over Information Barriers segments and policies.

To get the most out of this book

To get the most out of this book, it is highly recommended to create a test or practice Microsoft 365 environment, where you can follow along and recreate the steps that are covered in each chapter. Unfortunately, trial licenses for Microsoft 365 E5 are not available. The best option for working along with this book is to sign up for an Office 365 E5 trial at https://www.microsoft.com/en-gb/microsoft-365/business/office-365-enterprise-e5-business-software?activetab=pivot:overviewtab and an EM+S E5 trial at https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing. These trial subscriptions will allow you to recreate most of the steps covered in the chapters contained in this book. Should you wish to test the process of establishing a hybrid identity, it is recommended that you acquire a trial Azure subscription, which will allow you to create a Windows virtual server that you may use to install Azure AD Connect and synchronize to your test Microsoft 365 tenant.

This book also has some sample PowerShell commands that can be used instead of the Microsoft 365 admin centers. Therefore, it is recommended to have a Windows 10/11 device available to you where you can run PowerShell and practice some of the commands included in the chapters.

A Windows 10/11 device will also be useful for the purposes of testing how to set up Microsoft 365 test profiles to fully test and deploy features such as Microsoft Intune, Azure AD Conditional Access, MFA, Information Protection, and many more of the features described in the book. A mobile device, such as an iOS or Android device, will also be useful for testing Microsoft Intune in particular.

Software/hardware covered in the book    Operating system requirements
Microsoft 365                            Windows, macOS, or Linux

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “The Start-ADSyncSyncCycle -PolicyType Initial command will initiate a full synchronization.”

Any command-line input or output is written as follows:

New-RetentionPolicyTag -Name "Personal-2-year-move-to-archive" -Type All -AgeLimitForRetention 730 -RetentionAction MoveToArchive

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in bold. Here is an example: “Click Save to complete the setup of your retention tag.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.


Part 1: Implementing and Managing Identity and Access

In this part, you will learn how to configure and manage Microsoft 365 identity and access components. On completion, you will be able to describe authentication and synchronization methods, user security, Conditional Access, Privileged Identity Management, and Identity Protection.

This part has the following chapters:

Chapter 1, Planning for Hybrid Identity
Chapter 2, Authentication and Security
Chapter 3, Implementing Conditional Access Policies
Chapter 4, Managing Roles and Identity Governance
Chapter 5, Azure AD Identity Protection

1

Planning for Hybrid Identity

This book aims to act as a general administration guide for security, compliance, identity, management, and privacy administrators of Microsoft 365 environments, whether they are cloud-only or hybrid. You will learn about umbrella terms for technology principles, such as Microsoft Defender, Microsoft Purview, and Microsoft Entra, and understand their purpose and how they relate to each other. You will see how to access, plan, and configure these technologies via administrative portals, as well as by using PowerShell. In this first chapter, we begin by focusing on identity.

Configuring a Microsoft 365 hybrid environment requires an understanding of your organization’s identity needs. This will enable you to plan and deploy the correct Azure Active Directory (Azure AD) authentication and synchronization method within your environment. This chapter discusses how you can plan your identity methodology and describes the process of monitoring and understanding the events recorded by Azure AD Connect.

By the end of this chapter, you will be able to determine your business needs, analyze on-premises identity infrastructure, and develop a plan for hybrid identity. You will understand how to design and implement authentication and application management solutions, how to enhance data security through strong identity, and how to analyze events and configure alerts in Azure AD Connect.

This chapter covers the following topics:

Planning your hybrid environment
Authentication methods in Azure AD
Synchronization methods with Azure AD Connect
Azure AD Connect cloud sync
Event monitoring and troubleshooting in Azure AD Connect

Planning your hybrid environment

Identity is key when planning and implementing a Microsoft 365 environment. While the default identity method within Microsoft 365 is cloud-only, many organizations with reliance on legacy on-premises infrastructure and applications need to plan the deployment of hybrid identities when introducing Microsoft 365 to their organization.

So, what is a hybrid identity? In simple terms, it is the process of providing your users with an identity in the cloud that is based on their on-premises identity. There are several ways in which this can be achieved and they will be explained in detail throughout this chapter.

The basic principles of hybrid identity in Microsoft 365 are shown in the following diagram:

Figure 1.1: Hybrid identity

We will now explain how you can start planning for hybrid identities in Microsoft 365.

You should start by establishing the correct identity type for the business needs of your organization. It is important, at this stage, to recognize who your stakeholders will be in this process, understand their current working tools and practices, and assess how Microsoft 365 could best be used to enable them to work more efficiently and securely.

The following are some examples of your possible stakeholders:

Users
Power users
IT team
Security team
Compliance team
Business owners

Each stakeholder will have their own challenges that need to be considered. However, your users account for the highest percentage of your stakeholders. Therefore, your primary focus should be to ensure that the transition to new ways of working is seamless, because many users will be nervous about change. How you introduce them to new technologies and working practices is directly related to the success or failure of your project. If your users buy into the changes you are introducing and can realize the benefits, then the rest of your stakeholders are also more likely to follow suit.

While your main users will be focused on doing their job, the remaining stakeholders will have a deeper interest in how a Microsoft 365 hybrid environment meets business requirements. Some of the common business requirements are as follows:

The modernization of existing IT services and tools
Providing and securing cloud Software as a Service (SaaS) applications
Reducing risk by establishing a modern identity-based security perimeter

For addressing these requirements, a logical starting point is to examine how on-premises identities are currently configured. This will give you a better understanding of what you need to plan and implement for identity authentication in the cloud. You need to be aware of any current on-premises synchronization solutions that may be in place, including any third-party solutions. You will also need to consider any existing use of cloud applications in the organization. These will need to be identified and plans made for their continued use, integration, or possible replacement.

Note

Cloud App Discovery using Microsoft Defender for Cloud Apps can be used to analyze existing SaaS app usage within your organization. This will be covered in a later chapter of this book.
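As an added example (not code from the book) of the on-premises identity review described above, the following PowerShell, run on a domain-joined machine with the RSAT ActiveDirectory module, performs the two checks that most often block a clean Azure AD Connect synchronization: enabled users whose UPN suffix is not a domain verified in the tenant (such accounts are synced with an onmicrosoft.com UPN instead of their own), and proxyAddresses values duplicated across accounts, which fail attribute uniqueness on export. The list of verified domains is an assumption to be replaced with your tenant's own.

```powershell
# Added example, not from the book: pre-synchronization review of on-premises
# identities before deploying Azure AD Connect.
# Assumptions: RSAT ActiveDirectory module is installed; the domain list below
# is a placeholder for the custom domains verified in your Microsoft 365 tenant.

Import-Module ActiveDirectory

# Domains verified in the tenant (assumption for this example).
$verifiedDomains = @("contoso.com", "fabrikam.com")

# Azure AD Connect syncs enabled users. A user whose UPN suffix is not verified in
# the tenant (for example a .local suffix) is given a <prefix>@<tenant>.onmicrosoft.com
# UPN in the cloud, which defeats the "same identity everywhere" goal of hybrid identity.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail, proxyAddresses

$nonRoutable = foreach ($u in $users) {
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    if (-not $u.UserPrincipalName -or $suffix -notin $verifiedDomains) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Mail           = $u.mail
        }
    }
}

# proxyAddresses must be unique across the directory; duplicates cause export errors.
$dupProxy = $users |
    ForEach-Object { $_.proxyAddresses } |
    Group-Object |
    Where-Object Count -gt 1 |
    Select-Object Name, Count

"Enabled users: $($users.Count)"
"Users with a missing or non-routable UPN suffix: $($nonRoutable.Count)"
$nonRoutable | Format-Table -AutoSize
"proxyAddresses values shared by more than one account: $($dupProxy.Count)"
$dupProxy | Format-Table -AutoSize

# UPN suffixes currently registered in the forest; the verified domains must be
# added here (Active Directory Domains and Trusts) before users' UPNs can be changed.
"Forest UPN suffixes:"
(Get-ADForest).UPNSuffixes
```

Fix the reported accounts (add the verified domain as a forest UPN suffix, change the affected users' UPNs, and remove the duplicate addresses) before the first synchronization; correcting them afterwards forces a re-match of the affected objects in Azure AD.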

Understanding your on-premises identity infrastructure will help you to plan for modernization or digital transformation. So, what is modernization considered to be in the world of information technology? Essentially, it is based on the principle that IT users now wish and expect to be more mobile. They want quick and easy access to their emails, chats, and documents anywhere, anytime, and on any device.

This requirement creates the challenge of how to effectively secure and protect the services within the Microsoft 365 platform while simultaneously ensuring that they are easily available and accessible to users. How is this achieved? It is not possible to wrap a firewall around Microsoft 365 in the traditional sense. Instead, you need to look at the various modern authentication security methods that are available within Azure AD. Let’s discuss these methods in detail in the next section.

Authentication methods in Azure AD

Several approaches can be leveraged to authenticate your users to Azure AD. In this section, you will explore these methods and understand their use cases.

The authentication security methods available in Microsoft 365 are as follows:

Multi-factor authentication (MFA)
Self-service password reset (SSPR)
Conditional Access
Passwordless authentication

The following sections will briefly introduce the principles of these methods; however, each of these will be explored in greater detail in Chapter 2, Authentication and Security, and Chapter 3, Implementing Conditional Access Policies.

Multi-factor authentication

MFA in Azure AD provides two-step verification for Microsoft services via a combination of approved authentication methods determined by Microsoft 365 administrators. The available methods can be based on the following:

- Something you know, such as your password
- Something you own, such as your mobile phone or an OATH hardware token
- Something you are, such as biometric identification (fingerprint or facial recognition)

When setting up MFA for users in your Microsoft 365 environment, users must first complete a registration process to provide information about themselves to Azure AD and set their authentication method preferences.

Once set, users will be challenged with an MFA prompt when accessing Microsoft 365 services and applications using their Azure AD credentials, as shown in the following diagram:

Figure 1.2: Azure MFA

MFA can also be configured to work in conjunction with Conditional Access, with trusted locations that you define by entering the IP ranges of your business operating units so that users will not be issued an MFA challenge when working in these locations. Conditional Access with MFA also enables you to apply another layer of security by ensuring that any access requests to specific apps and resources can be secured and protected, by requiring the requesting user to complete an MFA challenge before being granted the access they require.

Note

It is recommended that you configure MFA for all privileged user accounts within your Microsoft 365 environment, except for your permanent break-glass accounts, which should be cloud-only accounts with the domain suffix of the .onmicrosoft.com domain name. Alternative authentication protection should be applied to these break-glass accounts. Break-glass accounts will be covered in more detail in Chapter 3, Implementing Conditional Access Policies.

Self-service password reset

Whilst not strictly an authentication method in itself, SSPR is a user feature designed to remove the need for IT staff to respond to user requests to reset their passwords in Azure AD. An initial registration process is required at https://aka.ms/SSPRSetup for each user to set up SSPR, during which they must provide authentication methods to verify their identity.

Note

To reset the password, the user visits https://passwordreset.microsoftonline.com.

SSPR can be used for both cloud-only and hybrid identity users. If the user is cloud-only, then their password is always stored encrypted in Azure AD, whereas hybrid users have their password written back to on-premises AD. This is achieved using a feature that can be enabled in Azure AD Connect called password writeback.

The basic principles of SSPR are illustrated in the following diagram:

Figure 1.3: Self-service password reset

The process of registering your users for SSPR is now combined with that of the MFA registration process. Previously, there were two separate registration processes for these technologies.

When SSPR is enabled on your Azure AD environment, you can assist your users by configuring notifications that make them aware when their passwords have been reset. You can also increase security by setting administrator notifications to monitor and alert whenever an administrator changes a password. It is also possible to customize a helpdesk email or URL to provide immediate guidance to users who experience problems when attempting to reset their passwords.

Note

When using SSPR with password writeback for your hybrid identities, you will require Azure AD Premium P1 licenses.

Conditional Access

Conditional Access is a powerful feature of Azure AD Premium P1 that allows Microsoft 365 administrators to control access to applications and resources within your organization. With Conditional Access, you can automate the process of controlling the level of access that users will have to these applications and resources by setting Conditional Access policies. Azure AD will then make decisions on whether to grant or deny access based on the conditions that you set in these policies. The basic principles are shown in the following diagram:

Figure 1.4: Conditional Access

While it is possible to apply some default security settings to your Microsoft 365 environment with security defaults (auto-applied on newer tenants), you will undoubtedly need to plan and define custom policies with specific conditions and exceptions. For example, you would not wish to force MFA on your permanent break-glass global administrator account. We will examine Conditional Access in greater detail in Chapter 3, Implementing Conditional Access Policies.

Note

Conditional Access settings frequently require some additional features of Azure AD to be configured, for example, Azure AD Identity Protection. This will have an impact on your decision-making process as it relates to licensing. While Conditional Access is a feature of Azure AD Premium P1, the use of Azure AD Identity Protection features would necessitate Azure AD Premium P2 licenses.

Passwordless authentication

Passwords are more vulnerable than ever before and can be exploited and compromised by malicious actors using techniques such as phishing, spray attacks, and social engineering attacks. Switching to a passwordless authentication method helps mitigate such risks.

Microsoft provides three types of passwordless authentication for Azure AD. These are as follows:

- Microsoft Authenticator: Can enable iOS or Android phones to be used as passwordless credentials by providing numerical challenges.
- FIDO2-compliant security keys: Hardware keys provided by a number of third-party manufacturers; ideal for highly privileged identities or shared machines in kiosks.
- Windows Hello for Business: Available on Windows computers and ideal for users with their own designated Windows device. Biometric and PIN credentials are directly configured on the device to prevent access from anyone but the authorized user.

Note

Links to further resources on Microsoft Authenticator, FIDO2-compliant security keys, and Windows Hello for Business can be found in the Further reading section at the end of this chapter.

Now that you understand the available authentication methods, let’s explore the directory synchronization methods supported by Azure AD Connect.

Synchronization methods with Azure AD Connect

Having covered the concept of hybrid identity and authentication, you will now go through the process that makes hybrid identity possible—directory synchronization. The tool used to configure directory synchronization is called Azure AD Connect (previously known as Azure AD Sync Service and DirSync). Azure AD Connect consists of, or can leverage, the following components:

- Synchronization services
- Active Directory Federation Services (AD FS)—an optional component
- Health monitoring

Azure AD Connect supports multiple AD forests and multiple Exchange organizations to a single Microsoft 365 tenant. It leverages a one-way process, where it synchronizes users, groups, and contact objects from your on-premises AD to Microsoft 365.

Although this is almost exclusively a one-way process, there are some writeback capabilities that can be leveraged if chosen or required, which allow password changes and group attributes set in Microsoft 365 to be written back to an on-premises AD.

The principles of Azure AD Connect are shown in the following diagram:

Figure 1.5: Azure AD Connect

Once Azure AD Connect is configured and in place, the source of authority for these newly synchronized objects remains with the on-premises AD. Therefore, these objects must be managed by on-premises tools, such as AD Users and Computers or PowerShell. Microsoft 365 administrators will, therefore, not be able to make changes to cloud objects in the Microsoft 365 portal that are synchronized from the on-premises AD.

When setting up Azure AD Connect for the first time, the installation wizard will guide you to select either an Express Settings installation or a customized settings installation. The Express Settings installation is the default setting for Azure AD Connect and is designed for use with password hash synchronization from a single AD forest. The installation dialog is shown in the following screenshot:

Figure 1.6: Express settings

The custom settings installation provides a richer selection of optional features that can be configured to provide enhanced functionality if required. You can start a custom settings installation by clicking on Customize:

Figure 1.7: Custom settings

With the custom settings installation, you are provided with the following options to extend your on-premises identities in the cloud using Azure AD Connect:

- Password hash synchronization
- Pass-through authentication
- Federation with AD FS
- Federation with PingFederate
- Enable single sign-on
- Do not configure

The following sections will explain how to configure the first five of these options in detail.

Password hash synchronization

Password hash synchronization is the simplest method to establish a hybrid identity with Azure AD. Also commonly known as same sign-on, password hash synchronization can be set up using Azure AD Connect. This will synchronize a hash of the user passwords to Azure AD from your on-premises AD.

With password hash synchronization, users logging onto their cloud accounts via the Microsoft 365 portal will authenticate directly to Microsoft 365 cloud services as opposed to leveraging on-premises authentication and security:

Figure 1.8: Password hash synchronization

How does this work? Here is the process in a few simple steps:

1. The password synchronization agent within Azure AD Connect will request the stored password hashes at 2-minute intervals from a domain controller. In response to this, the domain controller will encrypt the hash. This encryption is executed with a key that is acquired from the Remote Procedure Call (RPC) session key and then salted. Salting is a process pertaining to password hashing. Essentially, it involves adding a unique value to the end of the password to create a different hash value. This provides an additional layer of security and helps protect against brute-force attacks.
2. The domain controller will then send the result, along with the salt, to the sync agent using RPC. The agent can now decrypt the envelope. It is important to point out that the sync agent never has any access to the password in cleartext.
3. Once decrypted, the sync agent performs a re-hash on the original password hash, changing it to a SHA256 hash by inputting this into the PBKDF2 function.
4. The agent will then sync the resulting SHA256-hashed password hash from Azure AD Connect to Azure AD using SSL.
5. When Azure AD receives the hash, it will be encrypted with an AES algorithm and then stored in the Azure AD database.

Therefore, when a user signs into Azure AD with their on-premises AD username and password, the password is taken through this process. If the hash result is a match for the hash stored in Azure AD, the user will be successfully authenticated.
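The re-hash and sign-in check described above, as an added example that is not the book's or Microsoft's code. It models the agent's step 3 (NT hash in, salted PBKDF2-HMAC-SHA256 out) and Azure AD's comparison at sign-in; the hex expansion re-encoded as UTF-16LE, the 10-byte salt and the 1,000 iterations follow Microsoft's public description of the feature rather than this chapter, lowercase hex is an assumption, and the RPC session-key encryption between the domain controller and the agent is not modelled.

```python
"""Re-hashing step of Azure AD Connect password hash synchronization (added
example, not the book's or Microsoft's code). Models how the sync agent turns the
on-premises MD4 ("NT") password hash into the salted PBKDF2-HMAC-SHA256 value it
uploads. Details the chapter leaves out (hex expansion re-encoded as UTF-16LE,
10-byte salt, 1,000 iterations) follow Microsoft's public description of the
feature; lowercase hex is an assumption, and the RPC-session-key encryption
between the domain controller and the agent is not modelled."""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): many OpenSSL 3 builds no longer expose it."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for k in range(16):                                       # round 1
            a = rotl((a + f(b, c, d) + x[k]) & mask, (3, 7, 11, 19)[k % 4])
            a, b, c, d = d, a, b, c
        for k in range(16):                                       # round 2
            i = (k % 4) * 4 + k // 4
            a = rotl((a + g(b, c, d) + x[i] + 0x5A827999) & mask, (3, 5, 9, 13)[k % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for k in range(16):                                       # round 3
            a = rotl((a + h(b, c, d) + x[order[k]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[k % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """What a domain controller stores for a password: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le"))


PBKDF2_ITERATIONS = 1000   # documented iteration count; not stated in the chapter
SALT_LENGTH = 10           # documented per-user salt length


def phs_rehash(nt: bytes, salt: bytes) -> bytes:
    """The agent's re-hash: NT hash -> 32-char hex -> UTF-16LE (64 bytes) ->
    PBKDF2-HMAC-SHA256 with the per-user salt. The cleartext is never needed."""
    expanded = nt.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PBKDF2_ITERATIONS, dklen=32)


def sync_record(password: str, salt: bytes = b"") -> tuple:
    """Simulate one synced credential as (salt, stored_value). The cleartext
    appears here only to construct the NT hash the domain controller already
    holds; the agent itself only ever sees that hash."""
    salt = salt or os.urandom(SALT_LENGTH)
    return salt, phs_rehash(nt_hash(password), salt)


def cloud_verify(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Azure AD side of sign-in: push the attempt through the same chain and
    compare in constant time against the value received from the agent."""
    return hmac.compare_digest(phs_rehash(nt_hash(attempt), salt), stored)


if __name__ == "__main__":
    salt, stored = sync_record("Constructed-Passw0rd!")        # constructed sample
    print("salt:", salt.hex(), "stored:", stored.hex())
    print("correct password accepted:", cloud_verify("Constructed-Passw0rd!", salt, stored))
    print("wrong password rejected:", not cloud_verify("wrong", salt, stored))
```

Because the salt is generated per user, two users with the same password produce different stored values, which is the property step 1 describes.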

Pass-through authentication

Pass-through authentication is an alternative to password hash synchronization. This method is commonly used when Microsoft 365 administrators require users to authenticate their Microsoft 365 logins on-premises as opposed to directly to Azure AD:

Figure 1.9: Pass-through authentication

Unlike password hash synchronization, pass-through authentication does not synchronize passwords from on-premises AD to Microsoft 365. Instead, it allows users to log on to both on-premises and cloud applications and services using the same password. This provides a far more cohesive experience for users, with the added benefit that on-premises passwords are never stored in the cloud in any form.

A lightweight agent is all that is needed to set this up with Azure AD Connect and this agent is automatically installed on the Azure AD Connect server when you run the initial setup for pass-through authentication. To provide resiliency to your pass-through authentication solution, the agent can be installed onto additional servers in your on-premises AD sites. The agents should ideally be installed on servers close to your domain controllers to improve sign-in latency. Servers on which the agent is installed should also be security hardened to the same extent that you would protect domain controllers.

Note

It is recommended to configure a minimum of three authentication agents in your environment. The maximum number of agents that can be installed is 40. It is generally good practice to have at least one agent deployed to each of your AD sites to make pass-through authentication resilient and highly available.

The authentication agents must be able to make outbound requests to Azure AD over the following ports in order to function:

| Port | Requirement |
| --- | --- |
| 80 | SSL certificate validation and certificate revocation list download |
| 443 | Provides outbound communication for the service |
| 8080 | Optional and not required for user sign-ins, but useful to configure, as authentication agents report status through port 8080 at 10-minute intervals |

Table 1.1: Azure AD ports

Federation

Federation, in simple terms, can be described as domains that trust each other. They share access to resources across organizations, with authentication and authorization settings configured to control the trust.

It is possible to federate your on-premises AD environment with Azure AD to provide authentication and authorization. As is the case with pass-through authentication, a federated sign-in method enforces all user authentication via on-premises methods as opposed to the cloud.

The main benefits of federation are that it provides enhanced access controls to administrators. However, the drawback of this method is that additional infrastructure will inevitably need to be provisioned and maintained.

In Azure AD Connect, there are two methods available to configure federation with Azure AD. These are AD FS and the more recently added PingFederate.

To explain the infrastructure requirements in more detail, AD FS can be used as an example. In order to configure AD FS in line with Microsoft’s best practices, you will need to install and configure a minimum of two on-premises AD FS servers in your AD environment and two web application proxy servers on your perimeter network.

This configuration provides the necessary security principles to ensure that both internal and (especially) remote users authenticate to the services within your hybrid environment in a manner that provides appropriate authentication and authorization. The process of federation is shown in the following diagram:

Figure 1.10: Federation

So, how does federation actually work? Well, there are two main principles that you need to understand. These are claims-based authentication and federated trusts. The following sections will explain each of these in detail.

Claims-based authentication

Claims-based authentication works on the principle of users making statements about themselves in order to authenticate and gain access to applications by using industry-standard security protocols. User claims rely on the claims issuer, which is the Security Token Service (STS). The STS can be configured on your AD FS server. The statements provided by users can relate to name, identity, key, group, privilege, or capability.

A claim is issued by the user to the claims issuer. It is then assigned values and packaged into a security token by the claims issuer (the STS). This security token is essentially an envelope that contains the claims relating to the user. The token is sent back to the user and then passed to the application that the user wishes to access.

The claim relies on the explicit trust that is established with the issuer. The application that the user wishes to access will only trust the user’s claim if it subsequently trusts the claims issuer (the STS).

With claims-based authentication, you can configure a number of authentication methods. The most commonly used ones are as follows:

- Kerberos authentication
- Forms authentication
- X.509 certificates
- Smart cards

Although many older applications do not support claims-based authentication, the main use-case argument for applications that do support it is that it simplifies the process of trust for those target applications. Instead of having to place their trust directly in the user making the claim, they can be secure in the knowledge that they can absolutely trust the claims issuer instead.

Federated trust

Federated trusts expand on the capabilities of claims-based authentication by enabling your issuer to accept security tokens from other issuers as opposed to a user having to directly authenticate. In this scenario, the issuer can both issue and accept security tokens from other trusted issuers utilizing the federation trust. This process essentially establishes a business relationship or partnership between two organizations.

Federated trusts enable trusted issuers to represent the users on their side of the trust. The benefit of this configuration is that should you need to revoke the trust, you can do so through a single action. Rather than revoking a trust with many individual external users, you can simply terminate the trust with the issuer.

A good example of how this works in practice would be that if you need to authenticate remote users to your environment, a federated trust will remove the requirement to provide direct authentication for those users. Instead, you will have a trust relationship with the remote user from their organization. This enables these remote users to continue using their own single sign-on methodology and provides an efficient, decentralized way for them to authenticate to your organization.

Note

An alternative method of providing many of the features that federation offers is to use pass-through authentication in conjunction with the rich features of Azure AD Premium, such as Conditional Access and Identity Protection.

Although additional licensing may be required within Azure AD to deploy these features, this method offers simplified setup and administration and also removes the requirement for any additional infrastructure.

Azure AD Seamless Single Sign-On

Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) is a free-to-use feature of Azure AD that provides a single set of credentials for your users to authenticate to applications within Azure AD, when connecting to your organization’s network using a business desktop device. This means that once connected to your organization’s network on their Windows 10/11 domain-joined devices, they will not be asked to provide further credentials when opening any Azure AD applications. The principles of Seamless SSO are shown in the following diagram:

Figure 1.11: Seamless SSO

Seamless SSO is configured via the Azure AD Connect wizard or PowerShell and can be used in conjunction with password hash synchronization and pass-through authentication. It is not compatible with federations such as AD FS or PingFederate.

There are some prerequisites to be aware of when planning to implement Seamless SSO. These include the following:

- If you are using Azure AD Connect with password hash sync, ensure that you are using Azure AD Connect Version 1.1.644.0 or later. Further, if possible, ensure that your firewall or proxy is set to allow connections to the *.msappproxy.net URLs over port 443. Alternatively, allow access to the Azure data center IP ranges.
- Be aware of the supported topologies that are shown at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies.
- Ensure that modern authentication is enabled on your tenant.
- Ensure that the version of your users’ Office desktop clients is a minimum of 16.0.8730.xxxx or above.

Note

Although at the time of writing this book, version 1.1.644.0 is still listed as the minimum required version of Azure AD Connect when using Seamless SSO with password hash synchronization, it is important to be aware that version 1 of AD Connect was retired by Microsoft at the end of August 2022. Further details of this can be found in the Further reading section at the end of the chapter.

Once you have verified these prerequisites, you can go ahead and enable the feature. This is most commonly done when setting up Azure AD Connect for the first time by performing a custom installation using the Azure AD Connect wizard and, from the User sign-in page, ensuring that the Enable single sign-on option is selected:

Figure 1.12: User sign-in methods

It is also possible to use PowerShell to set up Seamless SSO. This is a particularly useful method if you need to specify a particular domain(s) in your AD forest to use the feature.

If you need to enable the feature when you already have Azure AD Connect deployed, then you can rerun the setup wizard and choose the Change user sign-in option under the Additional tasks section:

Figure 1.13: Additional tasks

Note

You will need domain administrator credentials to complete setting up Seamless SSO. However, these credentials are only required to enable the feature and will not be required after the setup is complete.

To verify that the setup of Seamless SSO has been completed successfully, log on as a global administrator to https://portal.azure.com and navigate to Azure Active Directory | Azure AD Connect.

From this page, you will be able to verify that Seamless SSO has the status Enabled:

Figure 1.14: User sign-in settings

Finally, when completing your custom settings installation of Azure AD Connect, you are presented with several additional Optional features, as shown in the following screenshot:

Figure 1.15: Optional features

The most commonly used features are Exchange hybrid deployment and Password writeback. Further information on all of the available optional features can be viewed at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#optional-features.

To deploy the Azure AD Seamless single sign-on feature for your users, you need to ensure that the following URL is added to the required user’s Intranet Zone settings by using Group Policy: https://autologon.microsoftazuread-sso.com.

One of the advantages of deploying this setting with Group Policy is that you can roll out Seamless SSO to groups of users at your own pace.

A more recent alternative to Azure AD Connect to accomplish hybrid identity goals is Azure AD Connect cloud sync, which we will discuss in the next section.

Azure AD Connect cloud sync

Azure AD Connect cloud sync replaces the Azure AD Connect application with a cloud provisioning agent. It can also be used alongside Azure AD Connect sync to synchronize data to a tenant from a disconnected, multi-forest AD environment, which is functionality often used in merger and acquisition scenarios. Installation is simplified by lightweight provisioning agents, with all sync configuration managed in the cloud, and multiple provisioning agents can be deployed to simplify high-availability deployments. Azure AD Connect cloud sync is controlled by Microsoft Online services; locally, only a lightweight agent needs to be deployed, which acts as a bridge between the on-premises AD and Azure AD.

A detailed comparison of features between Azure AD Connect and Azure AD Connect cloud sync can be viewed at https://learn.microsoft.com/en-us/azure/active-directory/cloudsync/what-is-cloud-sync#comparison-between-azure-ad-connect-and-cloud-sync.

While Azure AD Connect cloud sync does include some powerful features, it also has some limitations. The most notable one is no support for Exchange hybrid writeback, which prevents many organizations still relying on Exchange on-premises from leveraging this technology.

Note

Federation is becoming less used in favor of pass-through authentication, but it is still important to understand AD FS scenarios.

Next, we will look at the monitoring and troubleshooting methods for Azure AD Connect.

Event monitoring and troubleshooting in Azure AD Connect

Now that you have your hybrid identity method configured, it should all run smoothly. However, occasionally, you may still encounter some problems. This is where the ability to assess and troubleshoot Azure AD Connect with tools from the Microsoft 365 portal can assist administrators in quickly identifying and resolving issues. Administrators will be able to perform the following tasks as part of troubleshooting in Azure AD Connect:

Review and interpret synchronization errors by accessing the Microsoft 365 admin center via https://admin.microsoft.com and examining the Azure AD Connect directory sync status. Here, you will see an overview of all directory synchronization errors. A common example may be a duplicate proxy address or UPNs causing conflicts and preventing an object from syncing. The following screenshot shows the Azure AD Connect tile in the admin center. Any issues with synchronization will be shown here by using red circles for critical warnings or yellow triangles for lesser warnings. A green circle means all is OK and healthy:

Figure 1.16: Azure AD Connect sync status

The preceding figure shows a sync status of only 37 minutes ago, which results in a yellow warning. Figure 1.17 shows more serious red warnings when sync has not completed for 3 days:

Figure 1.17: Azure AD Connect status

If you scroll down further, you will see additional details about your Directory sync status, as shown in the following screenshot. One of the tools you can download from here is IdFix. You can run this tool from any domain-joined workstation in your environment. It provides detailed information on synchronization issues and guidelines on how to resolve them:

Figure 1.18: Directory sync status

Receive and act on email notifications relating to an unhealthy identity synchronization. These email alerts are configured by default to alert only the technical contact defined in your Microsoft 365 tenant under the organization profile. The technical contact will continue receiving these emails until the issue is resolved.

Check Synchronization Service Manager on the Azure AD Connect server to confirm that the operations required for successful synchronization have been completed. If any errors occur, they will be displayed here with explanations for why the operation failed:

Figure 1.19: Synchronization Service Manager

Directory synchronization occurs every 30 minutes by default. However, you can generate a synchronization on demand by opening the Connectors tab and manually starting the process, as shown in the following screenshot:

Figure 1.20: Synchronization Service Manager

Click on Actions and select Run:

Figure 1.21: Connector actions

You will be able to run the desired connectors from here, as shown:

Figure 1.22: Connector options

It is also possible, and far simpler, to run a manual synchronization process using PowerShell from your AD Connect server with the following commands:

To initiate a full synchronization:

    Start-ADSyncSyncCycle -PolicyType Initial

To initiate a delta synchronization:

    Start-ADSyncSyncCycle -PolicyType Delta

In this section, we examined event monitoring and troubleshooting techniques in Azure AD Connect. We learned how to review, interpret, and respond to synchronization errors in the Office 365 portal and by checking the Synchronization Service Manager tool. We also explored how you can manually trigger the synchronization process from the Synchronization Service Manager tool and by using PowerShell.

Summary

This chapter presented the steps and considerations for planning and implementing hybrid identity in Microsoft 365. You should now have an understanding of the synchronization methods available and how to choose the correct one for your environment, along with the principles of additional security authentication. You also learned how to troubleshoot events and alerts when required.

The next chapter will dive deeper into security and authentication features within Microsoft 365, including MFA and SSPR. You will also take a look at Azure AD dynamic groups and managing B2B and Office 365 external sharing.

Questions

1. Which of the following is not one of the identity methods available with Azure AD?
   A. Pass-through authentication
   B. Federation
   C. MFA
   D. Password hash sync
2. Your organization needs to synchronize an on-premises Active Directory with Azure AD. Users must authenticate to the on-premises infrastructure while connecting to services with their Microsoft 365 credentials. You need to recommend an identity methodology that accomplishes the goal but minimizes costs and complexity. What should you recommend?
   A. Cloud-only identity
   B. Pass-through authentication
   C. Active Directory Federation Services
   D. Password hash synchronization
3. True or false? Azure AD Connect Cloud sync includes support for Exchange hybrid writeback.
   A. True
   B. False
4. Which of the following Microsoft 365 licenses allows users to use SSPR (choose two)?
   A. Azure AD Premium P2
   B. Intune
   C. Azure Information Protection P1
   D. Azure AD