Presentation transcript:

1/3/2019 1:47 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Active Directory hybrid identity and banned password detection
THR3036
John Craddock, Identity and security architect, XTSeminars Ltd
@John_Craddock
johncra@xtseminars.co.uk

Agenda
- Where's your password?
- Banned password detection
- Adding banned password detection to on-premises AD

Types of users
- Cloud-only users
- Hybrid users: users with both an on-premises AD identity and an Azure AD identity; require synchronization from on-premises AD
- External users: enterprise identities (B2B) and social identities (B2C)

Hybrid user sign-in to Azure AD (all methods require the user account to be synchronised)
- Password hash synchronization: the password hashes are hashed again and synchronised to Azure AD; the username and password are validated against the password stored in Azure AD
- Pass-through authentication: the username and password are "sent" to the on-premises authentication agent (AuthN agent), which validates them against AD
- Federation with AD FS or another IdP: the username identifies the user's domain as federated and the user is redirected (via the WAP) to AD FS, where the username and password are validated against AD; on-premises AD is authoritative for passwords

Managing on-premises passwords with password hash synchronisation enabled
- On-premises password changes are synced to Azure AD within 2 minutes
- Password reset for on-premises passwords is available via Azure AD:
  - requires password writeback
  - works for passwords reset by the administrator
  - works for self-service password reset (SSPR)
  - synchronous operation
  - enforces on-premises password policies
  - passwords for protected on-premises accounts cannot be reset

Banned passwords
- Passwords changed in the cloud are checked against a Microsoft global banned password list
- The top 1000 (approx.) most used passwords are banned, plus all character replacement variations; over 1M potential passwords are blocked
- Custom password lists can be created to ban passwords specific to your environment: company name, project names, best/worst boss ever!

Creating a custom list

Password checks: global list and custom list

SSPR: global list and custom list checks apply to cloud-only users, and hybrid users receive the same messages

On-premises password policies apply: even if you pass the banned password check, you may still fail to meet the corporate password policy
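The slides describe the check in two stages: the candidate password is compared (including character replacement variations) against the global and the custom banned list, and a password that passes still has to satisfy the on-premises policy. The following Python script is an added illustration of that flow and is not Microsoft's implementation nor code from the deck; the banned lists, the substitution map and the minimum length are constructed assumptions, since the real global list and the exact normalisation rules are not on the slides.

```python
# Added illustrative example (not Microsoft's implementation, not from the slides):
# a simplified two-stage password check. Stage one normalises character
# replacements and matches against a global and a custom banned list; stage two
# applies an on-premises-style policy (here only a minimum length, as an assumption).

# Constructed sample lists; the real Microsoft global list is not published.
GLOBAL_BANNED = ["password", "qwerty", "letmein", "welcome", "abc123"]
CUSTOM_BANNED = ["contoso", "projectphoenix", "bestboss"]

# Assumed character-replacement map (leet-style substitutions). The slide only
# says "all character replacement variations" without listing them.
SUBSTITUTIONS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i",
}

MIN_LENGTH = 12  # assumed on-premises policy value


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions before matching."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def find_banned_terms(password: str, banned: list[str]) -> list[str]:
    """Return every banned term that occurs as a substring of the normalised password.

    The banned terms are normalised with the same map so that 'abc123' and
    'abcl2e' are treated as the same entry.
    """
    norm = normalize(password)
    return [term for term in banned if normalize(term) in norm]


def check_password(password: str, custom_banned: list[str] = CUSTOM_BANNED) -> tuple[bool, list[str]]:
    """Run both stages and return (accepted, reasons); reasons is empty on acceptance."""
    reasons = []
    # Stage one: global list first, then the tenant's custom list.
    for term in find_banned_terms(password, GLOBAL_BANNED):
        reasons.append(f"contains globally banned term '{term}'")
    for term in find_banned_terms(password, custom_banned):
        reasons.append(f"contains custom banned term '{term}'")
    # Stage two: the on-premises policy still applies even if stage one passed.
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than policy minimum of {MIN_LENGTH} characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates: a leet variant of a global entry, a leet variant of
    # the company name, a password that only fails the length policy, and one that passes.
    for candidate in ["P@ssw0rd1", "C0nt0so2019!", "Blue7!x", "correct horse battery staple"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

Substring matching is what makes "C0nt0so2019!" fail: after normalisation the company name is still present, so appending a year and a symbol does not rescue it. The policy stage is reported separately so that a user who clears the banned-list check still sees why the on-premises policy rejected the password.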

Password protection on-premises (architecture diagram)
- On-premises AD forest with DC1, DC2 and DC3, each running the password filter DLL (PF DLL) and a DC agent
- A proxy agent on a member server retrieves the banned password policy from the associated Azure AD tenant
- The DC agents talk to the proxy agent over RPC, and the policy is distributed to the DCs via DFSR sysvol replication
More details at https://www.xtseminars.co.uk/blog/azure-ad-hybrid-identity-and-banned-password-detection

On-premises change using banned password

Audit mode or enforce

Banned password detection licensing

User type          Azure AD passwords protected with   Azure AD passwords protected with global
                   global banned password list         and custom banned password list
Cloud-only users   Azure AD free                       Azure AD basic
Hybrid users       P1 or P2                            P1 or P2

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

Great password, but you still can't sign in

Risk event type                                       Risk level
Users with leaked credentials                         High
Sign-ins from anonymous IP addresses                  Medium
Impossible travel to atypical locations               Medium
Sign-ins from unfamiliar locations                    Medium
Sign-ins from infected devices                        Low
Sign-ins from IP addresses with suspicious activity   Low

Use as part of your conditional access policies (sign-in risk mitigation); requires P2 and password hash sync for hybrid users

Finding out more...
Attend my masterclass: 5-Day Hands-on Microsoft Identity Masterclass with John Craddock
- US, UK, The Netherlands, Scandinavia, Germany and Austria
- In-depth course with over 35 hands-on labs
- Deep-dive into federation protocols including OpenID Connect and OAuth 2.0
www.xtseminars.co.uk for full course details and booking links

Please evaluate this session. Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website.
Download the app: https://aka.ms/ignite.mobileApp
Go to the website: https://myignite.techcommunity.microsoft.com/evaluations

Consulting services on request
Johncra@xtseminars.co.uk
@john_craddock
John Craddock, Identity and security architect, XTSeminars Ltd, www.xtseminars.co.uk

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.
