1
1/3/2019 1:47 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Azure Active Directory hybrid identity and banned password detection
THR3036
John Craddock, Identity and security architect, XTSeminars Ltd, @John_Craddock
3
Agenda
- Where's your password?
- Banned password detection
- Adding banned password detection to on-premises AD
4
Types of users
- Cloud-only users
- Hybrid users: users with both an on-premises AD identity and an Azure AD identity; require synchronization from on-premises AD
- External users: enterprise identities (B2B) and social identities (B2C)
5
Hybrid user sign-in to Azure AD
All methods require the user account to be synchronised.
- Password hash synchronization: the on-premises password hashes are hashed again and synchronised to Azure AD; the username and password are validated against the password hash held in Azure AD.
- Pass-through authentication: the username and password are "sent" to an on-premises authentication agent (AuthN agent) and validated against AD.
- Federation with AD FS or another IdP: the username identifies the user's domain as federated, so Azure AD redirects the user to AD FS (published through the Web Application Proxy, WAP); the username and password are validated against AD.
On-premises AD is authoritative for passwords.
6
Managing on-premises passwords
With password hash synchronisation enabled:
- On-premises password changes are synced to Azure AD within 2 minutes
- Password reset for on-premises passwords is available via Azure AD; this requires password writeback
  - Works for passwords reset by the administrator
  - Works for Self-Service Password Reset (SSPR)
  - Synchronous operation
  - Enforces on-premises password policies
  - Passwords for protected on-premises accounts cannot be reset
7
Banned passwords
- Passwords changed in the cloud are subject to checks against a Microsoft global banned password list
  - The top 1000 (approx.) most used passwords are banned, plus all character replacement variations
  - Over 1M potential passwords are blocked
- Custom password lists can be created
  - Ban passwords that are specific to your environment: company name, project names, best/worst boss ever!
8
Creating a custom list
9
Password checks: global list and custom list
10
Hybrid users receive the same messages
SSPR checks the new password against the global list and the custom list; a cloud-only user and a hybrid user receive the same messages.
11
On-premises password policies apply
Even if you pass the banned password check, you may fail to meet the corporate password policy
12
Password protection on-premises
[Diagram: an on-premises AD forest with DC1, DC2 and DC3, each running the password filter DLL (PF DLL) and an agent; the agents talk over RPC to a proxy on a member server, which retrieves the banned password policy from the associated Azure AD tenant; the policy is replicated between the DCs by DFSR sysvol replication.]
More details at
13
On-premises change using banned password
14
Audit mode or enforce
15
Banned password detection licensing
Azure AD passwords protected with:
                   Global banned password list   Global and custom banned password list
Cloud-only users   Azure AD free                 Azure AD basic
Hybrid users       P1 or P2                      P1 or P2
16
Great password, but you still can't sign in
Risk event type                                        Risk level
Users with leaked credentials                          High
Sign-ins from anonymous IP addresses                   Medium
Impossible travel to atypical locations                Medium
Sign-ins from unfamiliar locations                     Medium
Sign-ins from infected devices                         Low
Sign-ins from IP addresses with suspicious activity    Low
Use these as part of your conditional access policies for sign-in mitigation. Requires P2, and password hash sync for hybrid users.
17
Finding out more... Attend my masterclass
5-Day Hands-on Microsoft Identity Masterclass with John Craddock
US, UK, The Netherlands, Scandinavia, Germany and Austria
In-depth course with over 35 hands-on labs
Deep-dive into federation protocols including OpenID Connect and OAuth 2.0
for full course details and booking links
18
Please evaluate this session
Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website.
Download the app:
Go to the website:
19
Consulting services on request
@john_craddock
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.
John Craddock, Identity and security architect, XTSeminars Ltd
20