azure:az-500:manage_secure_access_by_using_azure_ad

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:az-500:manage_secure_access_by_using_azure_ad [2022/06/24 14:56] – [Access Reviews] mmuzeazure:az-500:manage_secure_access_by_using_azure_ad [2022/07/22 23:17] (current) – [§ Identity Protection] mmuze
Line 12: Line 12:
   * [[azure:az-500:azure_privileged_identity_management|Azure Privileged Identity Management]]   * [[azure:az-500:azure_privileged_identity_management|Azure Privileged Identity Management]]
  
-====== § ======+====== Identity Protection ====== 
 +  * Identity Protection provides policies for a few common scenarios. 
 +  * These policies require an AAD P2 license 
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies]] 
 +  * These are under ''Azure AD/Manage/Security/Identity Protection/Protect'' and include these: 
 +    * **Azure AD MFA registration policy** - requires users to register for MFA 
 +    * **Sign-in risk policy** - a risk score is calculated to indicate the likelihood that a sign-in was not performed by the user. Based on this score administrators can choose to block access, allow access or allow access but require multi-factor authentication. 
 +    * **User risk policy** - a risk score is calculate to indicate the likelihood that a user account has been compromised. Based on this score administrators can choose to block access, allow access or allow access but require a password change. 
 + 
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection]]
  
 Identity Protection is a tool that allows organizations to accomplish three key tasks: Identity Protection is a tool that allows organizations to accomplish three key tasks:
Line 33: Line 42:
   * Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset   * Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset
   * [[https://docs.microsoft.com/en-us/learn/modules/azure-ad-identity-protection/4-user-risk-policy]]   * [[https://docs.microsoft.com/en-us/learn/modules/azure-ad-identity-protection/4-user-risk-policy]]
- 
-===== Azure MFA Registration Policy ===== 
-  * As a best practice it is recommended to require MFA and this policy does that. 
  
 ===== Sign-in Risk Policy ===== ===== Sign-in Risk Policy =====
   * Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.   * Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.
   * Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can decide based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.   * Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't performed by the user. Administrators can decide based on this risk score signal to enforce organizational requirements. Administrators can choose to block access, allow access, or allow access but require multi-factor authentication.
 +  * Sign-in risk is about a particular sign-in event, whereas user risk is about multiple factors, including anomalous sign-ins.
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk]]
 +
 +===== Azure MFA Registration Policy =====
 +  * As a best practice it is recommended to require MFA and this policy does that.
 +  * MFA **Enabled** = The admin has enabled MFA on the account, but the user hasn't set it up.
 +  * MFA **Enforced** = The user has completed the setup of their MFA.
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states]]
  
 ===== Risk Events ===== ===== Risk Events =====
Line 55: Line 69:
   * //Conditional Access// is a capability that takes in various signals and determines whether a given user should be granted access to resources.   * //Conditional Access// is a capability that takes in various signals and determines whether a given user should be granted access to resources.
   * Conditional Access requires a AAD P1 license, but the risk-based policy capabilties requires a P2 license   * Conditional Access requires a AAD P1 license, but the risk-based policy capabilties requires a P2 license
 +  * When a user/group is both included and excluded in a policy the exclusion overrides the inclusion.
  
 {{:azure:az-500:conditional-access-overview-how-it-works.png|}} {{:azure:az-500:conditional-access-overview-how-it-works.png|}}
  
-  * When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. 
  
 ====== Azure AD Access Reviews ====== ====== Azure AD Access Reviews ======
-  * Requires an Azure AD P3 license+  * **Access Reviews** refers the features in Azure and process around it to periodically review user access to make sure only the right people have continued access. 
 +  * Requires an Azure AD P2 license 
 +  * Access Reviews can be use to see who has administrative access, who is a Global Administrator, who is a guest/external user. 
 +  * There are multiple types of reviews as shown here, [[https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews]] 
 +      * security/Office 365 groups 
 +      * application access 
 +      * AAD role 
 +      * ARM/RBAC roles 
 +  * As part of creating an Access Review you specify things like the frequency of the review and who will do the review. 
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review]] 
 +  * **Licensing:** [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection]]
  
  
  
  • azure/az-500/manage_secure_access_by_using_azure_ad.1656082618.txt.gz
  • Last modified: 2022/06/24 14:56
  • by mmuze