11/8/2018 5:23 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Presentation transcript:

11/8/2018 5:23 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure AD: Do's and Don'ts (BRK3408)
Tarek Dawoud (@CyberTarek) and Sean Ivey, Program Managers, Identity Division (@AzureAD)

Agenda & Goals: Secure your environment!
Focus on three technologies that are easy to implement and can have a huge impact on improving your security posture:
- Block Legacy Authentication
- Deploy Hybrid Azure AD Join (HAADJ)
- Turn on Password Hash Sync (PHS)

Go Do #1: Block Legacy Auth Protocols

What is Legacy Authentication?
Diagram (image not preserved): mail clients talking to Exchange Online or another mail service over IMAP, POP and SMTP (including SMTP over TLS) using Basic Auth, with Azure AD or some other IdP behind the service.

Legacy Authentication examples with Azure AD
Basic Auth or the MSOnline Sign-in Assistant! Clients that use legacy authentication:
- Office 2010 and older
- Office 2013 by default (can use modern auth with a registry key and patch)
- Clients using older mail protocols: POP, IMAP, SMTP, etc.
- Older PowerShell modules
- Anything NOT using modern authentication
- Client behavior depends on settings

Why Block Legacy Authentication?
- 350K compromised accounts in April 2018 due to password spray, 200K in the last month.
- Nearly 100% of the password spray attacks we see come through legacy authentication.
- Blocking legacy authentication reduces the compromise rate by 66%.
https://aka.ms/PasswordSprayBestPractices

Rollout plan: Blocking legacy authentication

Step 1: Understand the usage of Legacy Authentication in your organization
- Use the sign-in logs to examine current usage. Filter by Client App (add the column if you do not see it).
- POP, IMAP, MAPI, SMTP and ActiveSync go to Exchange Online; "Other Clients" shows SharePoint and Exchange Web Services.
- You can export/download the sign-in logs, sort by Client App and identify the top offenders.
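Step 1 is a triage of the sign-in log export. The Python below is an added example, not code from the session or from Microsoft: it reads a CSV export, keeps only the client-app types the slide calls legacy, separates successful sign-ins (accounts that genuinely depend on legacy auth and belong in the exclusion group) from failed ones (what a password spray looks like in the log), and lists the top offenders. The column names, the client-app strings and the embedded log lines are all assumptions constructed for the example; adjust the constants to what your tenant's export actually contains.

```python
import csv
import io
from collections import Counter

# Client App values the slide calls out as legacy authentication.
# ASSUMPTION: these strings match the "Client App" column of your export.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "MAPI Over HTTP", "SMTP", "Other clients",
}

# Constructed sample export (not a real log); column names are assumed.
SAMPLE_EXPORT = """\
Date,User,Application,Client App,Status
2018-11-08T09:01:00Z,alice@contoso.example,Office 365 Exchange Online,Browser,Success
2018-11-08T09:02:00Z,bob@contoso.example,Office 365 Exchange Online,IMAP4,Success
2018-11-08T09:02:30Z,bob@contoso.example,Office 365 Exchange Online,IMAP4,Success
2018-11-08T09:03:00Z,svc-backup@contoso.example,Office 365 SharePoint Online,Other clients,Success
2018-11-08T09:04:00Z,carol@contoso.example,Office 365 Exchange Online,Mobile Apps and Desktop clients,Success
2018-11-08T09:05:00Z,unknown1@contoso.example,Office 365 Exchange Online,SMTP,Failure
2018-11-08T09:05:01Z,unknown2@contoso.example,Office 365 Exchange Online,SMTP,Failure
2018-11-08T09:05:02Z,unknown3@contoso.example,Office 365 Exchange Online,SMTP,Failure
2018-11-08T09:06:00Z,dave@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
"""


def parse_signin_export(text):
    """Parse a sign-in log CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def legacy_auth_summary(rows):
    """Return three Counters restricted to legacy-auth sign-ins:
    successes per client app, failures per client app, successes per user.
    Successes identify real dependencies; failures identify what is being
    sprayed, so the two are kept apart."""
    successes_by_app = Counter()
    failures_by_app = Counter()
    successes_by_user = Counter()
    for row in rows:
        app = row["Client App"]
        if app not in LEGACY_CLIENT_APPS:
            continue
        if row["Status"] == "Success":
            successes_by_app[app] += 1
            successes_by_user[row["User"]] += 1
        else:
            failures_by_app[app] += 1
    return successes_by_app, failures_by_app, successes_by_user


def top_offenders(rows, n=3):
    """Users with the most successful legacy-auth sign-ins: the candidates
    for the exclusion group in Step 2 and the upgrade list in Step 3."""
    _, _, by_user = legacy_auth_summary(rows)
    return by_user.most_common(n)


if __name__ == "__main__":
    rows = parse_signin_export(SAMPLE_EXPORT)
    ok, failed, _ = legacy_auth_summary(rows)
    print("legacy auth successes by client app:", dict(ok))
    print("legacy auth failures by client app:", dict(failed))
    print("top offenders:", top_offenders(rows))
```

On the constructed sample the failures are all SMTP from accounts that never succeed, which is the pattern to watch for even before the block is in place; the successes name the two users and one service account that need handling before Step 4.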

Step 1.5: What will you find in there?
- Mail apps (upgrade)
- Middle-tier and backend apps (exclude, then rewrite)
- The one mail client that this one exec cannot possibly live without (exclude, then show him this session, then upgrade)

Step 2: Block legacy authentication for those not using it
- Add legacy auth users to a group.
- Select all users in the Include set; put the legacy auth group in the Exclude set.
- Under Conditions, select only the "Other clients" client app type.
- Under Apps, choose all apps, or at least Exchange Online and SharePoint Online.
- Under Controls, choose Block.
This protects accounts that do not need legacy auth from attacks that use legacy auth.
For ADFS, see the guidance here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn592182(v=ws.11)

Step 2.5: Perform regular access reviews for those still allowed to use it.
If you own P2/EMS E5: https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion

Step 3: Upgrade to modern auth clients
Make sure Modern Auth is enabled for your organization per: https://support.office.com/en-gb/article/enable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662
PC:
- Office 2013: Modern auth needs to be enabled via the registry: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL and HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version, REG_DWORD 1
- Office 2016: Modern auth is enabled by default
Mac: Office 2016 for Mac
Mobile:
- Shameless plug: use Outlook Mobile, it does Modern Auth and proper Conditional Access
- iOS 11+ native mail client
Don't forget the old MSOnline PowerShell module! Upgrade to the newer one here or the AzureAD cmdlets here.

Step 4: Block legacy authentication for ALL users
Remove the legacy auth group from the exception in the Conditional Access policy.
Is that it? Blocking legacy authentication at the Azure AD level denies access only after the credentials have already been validated. This means it can still leave your users susceptible to lockouts from legacy auth attacks.
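Steps 2 and 4 describe one Conditional Access policy at two stages: first with the legacy-auth group excluded, then with that exclusion removed. The Python below is an added example, not the session's or Microsoft's own code. It builds that policy as a Microsoft Graph conditionalAccessPolicy request body (the `identity/conditionalAccess/policies` endpoint and the `other` / `exchangeActiveSync` client app type values are real Graph identifiers; the group id, function names and the report-only-first workflow are this example's assumptions), produces the Step 4 variant by dropping the exclusion, and refuses to emit a policy that would block browsers or all client apps for every user with nobody excluded, which is the one mistake that locks the admin out along with everyone else. No request is actually sent; the caller supplies a token with the Policy.ReadWrite.ConditionalAccess permission.

```python
import copy
import json

# Real Graph v1.0 endpoint for Conditional Access policies.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Client app types that carry modern auth; blocking these for everyone is a
# tenant-wide lockout, not a legacy-auth block.
MODERN_CLIENT_APP_TYPES = {"all", "browser", "mobileAppsAndDesktopClients"}


def build_block_legacy_auth_policy(exclusion_group_ids, enforce=False,
                                   name="Block legacy authentication"):
    """Policy body for Step 2: all users included, the legacy-auth group(s)
    excluded, only the "Other clients" app type, all cloud apps, control =
    block. Starts in report-only state unless enforce=True (assumed workflow)."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exclusion_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            # "other" is the Graph value behind the portal's "Other clients"
            # checkbox; add "exchangeActiveSync" to also cover ActiveSync.
            "clientAppTypes": ["other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def remove_exclusions(policy):
    """Step 4: the same policy with the exclusion group removed (returns a copy,
    the original stays untouched so you can diff the two)."""
    updated = copy.deepcopy(policy)
    updated["conditions"]["users"]["excludeGroups"] = []
    return updated


def lockout_risk(policy):
    """True if a block policy covers every user with nobody excluded AND also
    matches modern client app types, i.e. it would block the whole tenant."""
    cond = policy["conditions"]
    users = cond["users"]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    everyone = (users.get("includeUsers") == ["All"]
                and not users.get("excludeGroups")
                and not users.get("excludeUsers"))
    hits_modern = bool(set(cond.get("clientAppTypes", [])) & MODERN_CLIENT_APP_TYPES)
    return blocks and everyone and hits_modern


def build_create_request(policy, access_token):
    """Assemble (but do not send) the Graph POST that creates the policy.
    Raises instead of producing a request that would lock the tenant out."""
    if lockout_risk(policy):
        raise ValueError("refusing to build a block policy that hits modern clients for everyone")
    return {
        "method": "POST",
        "url": GRAPH_CA_POLICIES,
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(policy),
    }


if __name__ == "__main__":
    # Placeholder group id; replace with the object id of your legacy-auth group.
    step2 = build_block_legacy_auth_policy(["00000000-0000-0000-0000-000000000001"])
    step4 = remove_exclusions(step2)
    print(json.dumps(step2, indent=2))
    print("step 4 lockout risk:", lockout_risk(step4))
```

Run the Step 2 body in report-only state first and compare its matches against the Step 1 triage before switching `enforce=True`; the Step 4 body passes the lockout check because it still targets only the `other` client app type.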

Step 5: Block Legacy Auth at the Service Level
To prevent the legacy auth attempt from even happening, shut down the protocol on the Exchange side.
- To disable a protocol per user: https://support.microsoft.com/en-us/help/2416434/how-to-enable-or-disable-pop3-imap-mapi-outlook-web-app-or-exchange-ac
- In preview, coming soon to a tenant near you: Authentication policies in EXO: https://support.office.com/en-us/article/disable-basic-authentication-in-exchange-online-bba2059a-7242-41d0-bb3f-baaf7ec1abd7 (This article is very valuable in showing which client uses which legacy protocol.)

Go Do #2: Use Hybrid Azure AD Join

Why deploy Hybrid AADJ?
- Intermediate step to Azure AD Join
- Better user experience: fewer MFA prompts and better SSO (no HRD in Win 10)
- Secure regardless of network location
- Support for older (Win 7/8.1) clients

Associating Devices with Computers (with Devices)

Azure AD Hybrid Join Do's and Don'ts
- Follow the steps for deployment! Update Azure AD Connect and use the wizard.
- Does not work if a single forest is syncing to multiple tenants, except for one of those tenants (one SCP per forest).
- When registering down-level clients (older than Win 10/Server 2016):
  - Do NOT use with roaming profiles
  - Do NOT use with credential roaming
  - Seamless SSO is required for down-level clients
- Do not sysprep and image an already registered computer.
- Plan for shared environments (VDI/RDP).
- Block access to sensitive apps/data from non-HAADJ'ed devices, or require MFA for them.

Go Do #3: For the love of all your users: ENABLE PASSWORD HASH SYNC NOW!

Enable Password Hash Sync
- Password Hash != Password
- You don't have to change your authentication method
- You get the Leaked Credentials Report as part of Azure AD P1
- Pull this and all Azure AD reports into your SIEM system
- If everything goes down, this might end up saving your job
Turn on Password Hash Sync! Enabled for 82% of Azure AD active tenants and 57% of Azure AD active users. 650K compromised credentials detected in 2 years in over 50 million accounts scanned.
If your security team argues, ask them whether the on-premises hashes are safer than this: https://aka.ms/aaddatawhitepaper

Resources
- Identity Blog, where all the Ignite announcements are: https://aka.ms/IdentityBlog
- Detailed walkthroughs to deploy Azure AD features: https://aka.ms/deploymentplans
- Azure AD Data Whitepaper on how data is handled in the service: https://aka.ms/aaddatawhitepaper
- Password Spray attack prevention best practices: https://aka.ms/PasswordSprayBestPractices

Identity Session List – Part 1 (Track / Code / Title / Time)
Monday September 24
- Microsoft 365: GS008 Microsoft security: How the cloud helps us all be more secure, 16:00-17:15
- Modern Devices: THR2238 Joining devices to Azure Active Directory in a hybrid world, 16:35-16:55
- THR3044 Maximizing business value available with identity in the cloud, 17:45-18:05
Tuesday September 25
- Microsoft 365: BRK2254 Azure Active Directory: New features and roadmap, 9:00-10:15
- THR3042 How ML helps Microsoft provide better and more secure Identity experiences, 9:35-9:55
- WRK2006 Deploy SaaS apps in record time, 10:45-12:00
- THR3047 Ensure all your users have strong passwords with Azure AD Password Protection, 11:20-11:40
- THR3041 Staying secure with Azure AD and Microsoft Secure Score, 11:55-12:15
- THR3043 Secure administration across Office and Azure clouds, 12:05-12:25
- BRK3031 Getting to a world without passwords, 12:30-13:45
- BRK2369 Get apps out the door faster and easier: Microsoft's unified programming model for authentication, app management, and securely accessing APIs
- BRK2252 Taking steps one, two and three to a zero-trust network, 12:45-13:30
- WRK2034 Extend access to your partners and customers using Azure AD B2C, 14:15-15:00
- BRK3238 Introduction to identity standards, 15:15-16:00
- THR3045 Apps for a hybrid world, 15:25-15:45
- BRK3242 Govern access to your resources with Azure Active Directory Identity Governance, 17:15
- BRK3239 How to delegate administration in Azure AD, 16:30
Wednesday September 26
- Microsoft 365: WRK2034R Extend access to your partners and customers using Azure AD B2C (REPEAT), 9:00-10:15
- BRK2157 Ensure comprehensive identity protection with Microsoft 365
- THR3124 Govern access with Entitlements Lifecycle Management, 11:20-11:40
- BRK3241 Enable Azure AD Conditional Access to secure user access while unlocking productivity, 12:30-13:45
- BRK3401 Azure AD security insights with Conditional Access, Identity Protection and reporting, 12:45-13:30
- BRK3236 Step up your identity infrastructure with a native CASB integration, 15:15-16:00

Identity Session List – Part 2 (Track / Code / Title / Time)
Wednesday September 26
- Modern Devices: BRK3037 Windows devices and Azure Active Directory: What's new and what's upcoming, 16:00-17:15
- Microsoft 365: BRK3248 Protect the keys to your kingdom with Azure AD Privileged Identity Management, 16:30
- THR3046 Choosing the right authentication method, 16:35-16:55
- THR2064 Leveling up on identity-driven endpoint security with Conditional access based on device, 17:40-18:00
Thursday September 27
- Microsoft 365: WRK2006R Deploy SaaS apps in record time (REPEAT), 9:00-10:15
- BRK3243 Hybrid identity and access management best practices
- Azure: BRK2265 Architecting your app's access and security with identity as the control plane, 11:00
- BRK3251 Shut the door to cybercrime with identity-driven security, 10:45-12:00
- BRK2253 What's new for Windows Hello for Business, 11:30-12:15
- BRK3244 Modernize your identity lifecycle management with Azure Active Directory, 12:30-13:45
- BRK3240 Secure Customer Identity and Access Management using Azure Active Directory B2C, 15:15-16:00
- THR3048 Replace passwords with new options from Microsoft, 16:20
Friday September 28
- Azure: BRK3226 Secure access to Office 365/Azure Active Directory with new features in AD FS in Windows Server 2019, 9:00-9:45
- Microsoft 365: BRK3249 Granting Partners and Suppliers access to resources using Azure Active Directory B2B collaboration, 10:45-12:00
- BRK3383 Lock down access to Azure using identity
- BRK3030 What's new in Active Directory Federation Services (AD FS) in Windows Server 2019, 12:30-13:45
- BRK3408 Azure Active Directory best practices from around the world, 10:15-11:00

Please evaluate this session. Your feedback is important to us!
Please evaluate this session through MyEvaluations on the mobile app or website.
- Download the app: https://aka.ms/ignite.mobileApp
- Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
