azure:az-500:manage_secure_access_by_using_azure_ad

azure:az-500:manage_secure_access_by_using_azure_ad [2022/07/21 14:31] – [Conditional Access] mmuze
azure:az-500:manage_secure_access_by_using_azure_ad [2022/07/22 23:17] (current) – [§ Identity Protection] mmuze
Line 12: Line 12:
   * [[azure:az-500:azure_privileged_identity_management|Azure Privileged Identity Management]]   * [[azure:az-500:azure_privileged_identity_management|Azure Privileged Identity Management]]
  
-====== § Identity Protection ======+====== Identity Protection ====== 
 +  * Identity Protection provides policies for a few common scenarios. 
 +  * These policies require an AAD P2 license 
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies]] 
 +  * These are under ''Azure AD/Manage/Security/Identity Protection/Protect'' and include these: 
 +    * **Azure AD MFA registration policy** - requires users to register for MFA 
 +    * **Sign-in risk policy** - a risk score is calculated to indicate the likelihood that a sign-in was not performed by the user. Based on this score administrators can choose to block access, allow access or allow access but require multi-factor authentication. 
 +    * **User risk policy** - a risk score is calculate to indicate the likelihood that a user account has been compromised. Based on this score administrators can choose to block access, allow access or allow access but require a password change. 
   * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection]]   * [[https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection]]
  
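Review bot: the added **User risk policy** bullet reads "a risk score is calculate to indicate"; it should be "is calculated", matching the wording of the **Sign-in risk policy** bullet directly above it. The two remediation lists are otherwise consistent with each other (block / allow / allow but require MFA for sign-in risk; block / allow / allow but require a password change for user risk) and with the P2 licence note, so no change beyond the typo is needed in this hunk.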
Line 43: Line 51:
 ===== Azure MFA Registration Policy ===== ===== Azure MFA Registration Policy =====
   * As a best practice it is recommended to require MFA and this policy does that.   * As a best practice it is recommended to require MFA and this policy does that.
 +  * MFA **Enabled** = The admin has enabled MFA on the account, but the user hasn't set it up.
 +  * MFA **Enforced** = The user has completed the setup of their MFA.
 +  * [[https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#azure-ad-multi-factor-authentication-user-states]]
  
 ===== Risk Events ===== ===== Risk Events =====
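Review bot: the two added **Enabled**/**Enforced** bullets describe per-user MFA user states (the linked anchor is azure-ad-multi-factor-authentication-user-states), which is a different mechanism from the Identity Protection MFA registration policy this section is about; say so in the bullets or give the states their own subsection so a reader does not conflate "registration policy enabled" with "user state Enabled". The linked page also lists a third state, **Disabled** (the default, MFA not enabled for that user), which should be included if the other two are.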
Line 66: Line 77:
   * **Access Reviews** refers the features in Azure and process around it to periodically review user access to make sure only the right people have continued access.   * **Access Reviews** refers the features in Azure and process around it to periodically review user access to make sure only the right people have continued access.
   * Requires an Azure AD P2 license   * Requires an Azure AD P2 license
 +  * Access Reviews can be use to see who has administrative access, who is a Global Administrator, who is a guest/external user.
 +  * There are multiple types of reviews as shown here, [[https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#where-do-you-create-reviews]]
 +      * security/Office 365 groups
 +      * application access
 +      * AAD role
 +      * ARM/RBAC roles
   * As part of creating an Access Review you specify things like the frequency of the review and who will do the review.   * As part of creating an Access Review you specify things like the frequency of the review and who will do the review.
   * [[https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review]]   * [[https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review]]
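Review bot: two grammar fixes in this hunk: the added bullet "Access Reviews can be use to see who has administrative access" should read "can be used to see", and the unchanged context line above it, "**Access Reviews** refers the features in Azure", should read "refers to the features in Azure". The nested list of review types (security/Office 365 groups, application access, AAD role, ARM/RBAC roles) matches the linked overview anchor, so no content change is needed there.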