Dr. Authentication Or, How I Learned To Stop Worrying And Love The Azure MFA

Presentation transcript:

Dr. Authentication Or, How I Learned To Stop Worrying And Love The Azure MFA
Saša Kranjac, MCT, CEI
Security, Azure, Windows Internals

10/5/2017 12:59 PM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


What is Multi-Factor Authentication?
Identity confirmation with something you:
Know: PIN, Password
Have: Smart Card, Credit Card, Phone, Token
Are: Fingerprint, Eye Retina, Palm

What is Azure Multi-Factor Authentication?
An Azure Service providing an additional level of authentication that prevents unauthorized access to both on-premises and cloud applications.

How to get Azure MFA?
Part of Azure AD Premium and Enterprise Mobility Suite (EMS) (AAD Premium, Azure RMS, Intune)
OR
Create an MFA Provider in Azure:
Per Authentication
Per Enabled User

How to get Azure MFA?
Office 365: Exclusively for Office 365 Applications. With Office 365 Subscription.
Azure Administrators: Every Azure Admin Gets MFA for FREE.
Azure MFA: With Subscription. Full Capabilities.

Feature comparison
Columns: MFA For Office 365; MFA For Azure Administrators; Azure Multi-Factor Authentication
Features compared:
Administrators can protect accounts with MFA (Azure Admins Only)
Mobile app as a second factor
Phone call as a second factor
SMS as a second factor
App passwords for clients that don't support MFA
Admin control over authentication methods
PIN mode
Fraud alert
MFA Reports
One-Time Bypass
Custom greetings for phone calls
Customization of caller ID for phone calls
Event Confirmation
Trusted IPs
Suspend MFA for remembered devices
MFA SDK
MFA for on-premises applications using MFA server

Where and what?
User Location: Solution
Azure Active Directory: MFA in the cloud
Azure AD + on-premises AD using AD FS: MFA in the cloud and Server
Azure AD + on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - no password sync
Azure AD Connect - with password sync
On-premises Active Directory: MFA Server

Where and what?
What are you trying to secure (columns: MFA in the cloud; MFA Server)
First party Microsoft apps
SaaS apps in the app gallery
IIS applications published through Azure AD App Proxy
IIS applications not published through Azure AD App Proxy
Remote access such as VPN, RDG

Authentication using something you KNOW: Mobile App, Phone Call, Text Message

Authentication
1. Users sign in from any device using existing username/password
2. Users MUST authenticate using phone or mobile device before access is granted
[Diagram labels: Cloud apps; On-premises apps; Active Directory or other LDAP; Multi-factor authentication service; Java, .NET, PHP…; SAML; RADIUS; LDAP; IIS; RDS/VDI]

Authentication
1. User authenticates and requires MFA
2. Auth is passed to the MFA Server
3, 4. Auth to the identity provider
5. MFA Server checks with the MFA service using TCP port 443
6, 7. Call, SMS, App
8. Notifies the MFA Server to allow authentication
9. The MFA Server allows the client devices
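
The MFA Server flow above, modelled as an added Python example (not code from the presentation or from Microsoft) to show the ordering of the two factors and what happens when the second one is not confirmed. The class and function names, the response values and the fail-closed handling of an unreachable service are assumptions of this model; the sample accounts are constructed.

```python
import hmac
from dataclasses import dataclass, field

class ServiceUnreachable(Exception):
    """Step 5 failed: no outbound TCP 443 path to the cloud MFA service."""

@dataclass
class Directory:
    """Steps 3-4: the identity provider (Active Directory or other LDAP)."""
    passwords: dict  # constructed sample data; plaintext only to keep the model short

    def verify(self, user, password):
        stored = self.passwords.get(user)
        # Unknown users are rejected explicitly, never compared against "".
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

@dataclass
class MfaService:
    """Steps 5-8: cloud service that places the call, SMS or app prompt."""
    responses: dict  # user -> "approved" | "denied" | "fraud" | "timeout" (hypothetical values)
    reachable: bool = True
    challenges: list = field(default_factory=list)

    def challenge(self, user):
        if not self.reachable:
            raise ServiceUnreachable(user)
        self.challenges.append(user)  # a prompt reached the user's phone
        return self.responses.get(user, "timeout")

def mfa_server_authenticate(user, password, directory, service):
    """Steps 2-9 as seen from the on-premises MFA Server; returns (allowed, reason)."""
    # Steps 3-4: primary credentials first, so a wrong password never
    # causes a phone prompt for the account owner.
    if not directory.verify(user, password):
        return False, "primary authentication failed"
    # Step 5: ask the cloud service to run the second factor.
    try:
        result = service.challenge(user)  # steps 6-7: call, SMS or app
    except ServiceUnreachable:
        return False, "MFA service unreachable"  # assumption: fail closed
    # Steps 8-9: only an explicit approval lets the client through.
    if result == "approved":
        return True, "second factor confirmed"
    return False, f"second factor {result}"

# Constructed sample data for trying the model interactively.
DIRECTORY = Directory({"alice": "correct horse", "bob": "hunter2"})
SERVICE = MfaService({"alice": "approved", "bob": "fraud"})
```

The `challenges` list doubles as an audit trail: a prompt recorded for a user who did not start a sign-in means the password is already known to someone else.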

Suitable
No devices or certificates to purchase, provision, and maintain
No end user training is required
Users replace their own lost or broken phones
Users manage their own authentication methods and phone numbers
Integrates with existing directory for centralized user management and automated enrollment

Scalable
Works with all leading on-premises applications
Supports ADFS and SAML-based apps for federation to the cloud
Built into Microsoft Azure Active Directory for use with cloud apps
SDK for integration with custom apps and directories
Reliable, scalable service supports high-volume, mission-critical scenarios

Secure
Strong multi-factor authentication
Real-Time Fraud Alert
PIN option
Reporting and logging for auditing
Enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements

Demo Azure MFA nuts and bolts


Fill out the survey! Did you like the talk? Did you learn something new? Your opinion means a lot to us! To make next year's NT konferenca even better, please fill out the satisfaction survey, which you can find in your NTK web profile.
