There are three main types of modern authentication method in Azure (Microsoft Entra ID, formerly Azure Active Directory):
- SSO (Single Sign-On)
- MFA (Multi-Factor Authentication)
- Passwordless Authentication
1. Single Sign-On (SSO)
- Lets you sign in once and then access multiple applications without entering credentials again. With Seamless SSO, the credentials you used to sign in to your domain-joined Windows device are reused for cloud apps.
- If you want to sign in to Azure with your on-premises Active Directory accounts, you synchronize those identities with Azure AD Connect (now Microsoft Entra Connect).
- Azure AD Connect supports two common sign-in methods for synchronized users (federation with AD FS is a third option not covered in these notes):
  - Password Hash Synchronization (PHS): a hash is a one-way function that turns the password into a fixed-length string regardless of the password's length; it is not encryption and cannot be reversed to recover the password. Azure AD Connect does not send the password itself. It reads the NT hash already stored in on-premises AD, re-hashes it with a per-user salt using PBKDF2-HMAC-SHA256 (1000 iterations), and uploads that derived hash to Azure AD, where it is stored. When you sign in, Azure AD runs the same derivation on the password you typed and compares the result with the stored value; if they match, the passwords must match too, so you are authenticated in the cloud without contacting on-premises AD. Because the cloud copy is a salted hash of the hash, it cannot be replayed for pass-the-hash against on-premises resources.
  - Pass-through Authentication (PTA): no password material is stored in the cloud. Azure AD hands the entered credentials (encrypted for the agent) to a pass-through authentication agent running on-premises; the agent validates them against an on-premises domain controller and returns only the success or failure result to Azure AD, which then issues the token for Azure resources.
2. Multi-factor Authentication (MFA)
MFA uses more than one authentication factor. There are three kinds of factor you can authenticate with:
- Something you know (like a password or a PIN; a username is an identifier, not a factor)
- Something you have (like a mobile phone or a hardware security key)
- Something you are (like a fingerprint or an iris scan)
If you use all three, that's three-factor authentication. If you use any two, that's two-factor authentication. If you use just one, that's not MFA anymore. Two factors of the same kind (a password plus a PIN) are not MFA either.
Azure MFA uses two-factor authentication. You might use an authenticator app that unlocks with biometrics, but that biometric check is enforced by your device, not by Azure, so it isn't counted as a factor from Azure MFA's point of view.
Licensing: the free tier of Azure Active Directory that comes with your subscription can still turn on MFA for every user through security defaults (Microsoft Authenticator only). Conditional Access, which is what lets you decide when and for whom MFA is required, needs an Azure Active Directory Premium P1 or P2 licence.
With a Premium plan, the recommended way to enable MFA is a Conditional Access policy that requires it. Legacy per-user MFA can still be switched on from the Users blade of your directory in the Azure portal, but Microsoft recommends migrating from per-user MFA to Conditional Access.
3. Passwordless Authentication
Replaces the "something you know" factor with a "something you have" factor (a device or key) that is unlocked locally with "something you are" or a device PIN. The available methods are:
- Fast Identity Online 2 (FIDO2) security key: a private key is generated and stored on the user's device, such as a phone or a FIDO2 security key (often a USB or NFC token), and never leaves it. Azure stores only the matching public key and verifies a signature over a fresh challenge at sign-in.
- Microsoft Authenticator app: available for both Android and iOS. When you sign in, the app receives a notification and asks you to enter the number displayed on your computer screen (number matching); you then confirm with biometrics or your device PIN to complete the authentication.
- Text message (SMS) sign-in: you receive a text message on your phone with a code that you enter on your computer to complete the login. This is the weakest option here, because codes can be phished or intercepted through SIM swapping.
- Temporary Access Pass (TAP): a time-limited string of characters. It is used in a couple of scenarios: to let a user register one of the other passwordless methods, and to recover when a user has lost a security device such as a FIDO2 key or a phone with the Microsoft Authenticator app installed.
- Certificate-based authentication: you can also sign in with an X.509 certificate issued by a certificate authority you have configured as trusted in your directory.
- Windows Hello for Business: signs you in on compatible Windows devices with a PIN or biometrics (face or fingerprint) that unlock a key protected by the device's TPM.
Microsoft Entra ID Conditional Access
Let's talk about what Azure AD Conditional Access (now Microsoft Entra Conditional Access) is:
- Lets you define policies that are evaluated every time a user tries to access a resource.
- Uses signals about the user, the application and other sources to decide which action to take. There are many signals a Conditional Access policy can use: who the user is, where they are located geographically (or which IP range they come from), the device they are using and whether it is compliant, the version of the device's OS, or the application they are using.
- Can also consume risk signals from Azure AD Identity Protection (now Microsoft Entra ID Protection) to react to risky sign-ins in real time, and integrate with Microsoft Defender for Cloud Apps for session controls.
- Conditional Access combines these signals to decide how to handle an access request. It can block access entirely, allow access only if the user completes multi-factor authentication, require a compliant or hybrid-joined device or a minimum OS version, or require that access comes through an approved client app. When several policies match the same sign-in, all of them are enforced: a block in any matching policy wins, and the grant controls of the others are combined.
- Using Conditional Access, administrators add another layer of security at the moment apps or data are accessed.
- The fact that businesses now allow employees to bring their own devices when accessing sensitive resources makes Conditional Access even more important to a secure environment. Always exclude at least one emergency-access (break-glass) account from blocking policies so a misconfigured policy can't lock every administrator out.
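The following added example (written for these notes, not Microsoft's policy engine) shows the evaluation logic described above in code: each policy has conditions (users, apps, locations, sign-in risk) and grant controls; every policy whose conditions match is enforced, a block in any of them wins, and otherwise the required controls are combined. The policy fields are a simplified model, and the accounts, apps and location names are constructed.

```python
"""Toy Conditional Access evaluator: signals in, decision and required controls out.

Added example, not Microsoft's policy engine. Policy fields and sign-in signals are a
simplified model of the concepts in these notes; accounts, apps and locations are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}
BREAK_GLASS = "breakglass@contoso.example"   # constructed emergency-access account


@dataclass
class Policy:
    name: str
    include_users: Set[str] = field(default_factory=lambda: {"All"})
    exclude_users: Set[str] = field(default_factory=set)
    include_apps: Set[str] = field(default_factory=lambda: {"All"})
    locations: Optional[Set[str]] = None   # None = any location; else policy applies from these
    min_risk: Optional[str] = None         # None = any sign-in risk level
    grant: Set[str] = field(default_factory=set)   # {"block"} or controls such as {"mfa"}


def applies(policy: Policy, signin: Dict[str, str]) -> bool:
    """A policy is in scope only if every configured condition matches.
    Exclusions are checked first: an excluded user is never evaluated against the policy."""
    if signin["user"] in policy.exclude_users:
        return False
    if "All" not in policy.include_users and signin["user"] not in policy.include_users:
        return False
    if "All" not in policy.include_apps and signin["app"] not in policy.include_apps:
        return False
    if policy.locations is not None and signin["location"] not in policy.locations:
        return False
    if policy.min_risk is not None and RISK[signin["risk"]] < RISK[policy.min_risk]:
        return False
    return True


def evaluate(policies: List[Policy], signin: Dict[str, str]) -> Dict:
    """All matching policies are enforced together: any block wins outright,
    otherwise the grant controls of every matching policy are combined."""
    matched = [p for p in policies if applies(p, signin)]
    names = [p.name for p in matched]
    if any("block" in p.grant for p in matched):
        return {"decision": "block", "matched": names, "controls": set()}
    controls = set().union(*(p.grant for p in matched))
    return {"decision": "grant", "matched": names, "controls": controls}


POLICIES = [
    Policy("Require MFA for all users", exclude_users={BREAK_GLASS}, grant={"mfa"}),
    Policy("Block sign-ins from unknown locations", exclude_users={BREAK_GLASS},
           locations={"unknown"}, grant={"block"}),
    Policy("Exchange Online needs a compliant device",
           include_apps={"Exchange Online"}, grant={"compliantDevice"}),
    Policy("High sign-in risk forces a password change",
           min_risk="high", grant={"passwordChange"}),
]

if __name__ == "__main__":
    for s in [
        {"user": "alice@contoso.example", "app": "Exchange Online", "location": "corp-hq", "risk": "none"},
        {"user": "alice@contoso.example", "app": "Exchange Online", "location": "unknown", "risk": "none"},
        {"user": BREAK_GLASS, "app": "Azure portal", "location": "unknown", "risk": "none"},
    ]:
        print(s["user"], s["app"], s["location"], "->", evaluate(POLICIES, s))
```

The third sample sign-in is the one worth studying: the break-glass account is excluded from both the MFA and the block policy, so it gets through from an unknown location with no controls at all. That is the intended behaviour for an emergency account, which is exactly why such accounts need long random passwords, monitored sign-in alerts and as few exclusions as you can live with.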
Azure Role Based Access Control (RBAC)
- Used to control what a user or a resource can do once authenticated (authorization, as opposed to the authentication covered above).
- RBAC authorizes entities based on roles and uses three elements to do so:
  - Security principal: a user, a group, a service principal (the identity of an app) or a managed identity. A managed identity is a special kind of service principal that represents an Azure resource, so the resource can authenticate without you handling credentials.
  - Role definition: the set of permissions the security principal gets, expressed as Actions plus NotActions that carve exceptions out of them. Grouping permissions into a role lets you assign capabilities to a principal easily. You can create custom roles with specific permissions, but Azure also includes many built-in roles for specific services.
  - Scope: defines where the role assignment applies (management group, subscription, resource group or a single resource). If you assign a role at the resource group level, it applies to every resource in that group. Scope matters because role assignments are additive: your effective permissions are the union of all the assignments that cover a resource. If you assign Owner at the resource group level and a more restrictive role such as Reader on a resource inside that group, the restrictive role has no effect, because an assignment can never take permissions away. Only deny assignments (created by Azure Blueprints or Azure managed applications, not directly by users) can remove permissions.
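The additive rule is easiest to see in code. The following is an added example (written for these notes, not Azure's authorization code) that models role definitions as Actions/NotActions wildcards, scopes as a path tree and access as "any applicable assignment grants it". The role definitions are abbreviated copies of the built-in roles and the subscription, resource group and resource paths are constructed; deny assignments are not modelled.

```python
"""Toy model of Azure RBAC evaluation: additive role assignments across a scope tree.

Added example, not Azure's authorization code. The role definitions are abbreviated
copies of the built-in roles' Actions/NotActions and the scope paths are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated built-in role definitions (constructed subset; the real roles carry more entries)
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor manages everything except who has access
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Website Contributor": {
        "actions": ["Microsoft.Web/sites/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    },
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str   # e.g. /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<app>


def _matches(pattern: str, action: str) -> bool:
    # Azure action strings are case-insensitive and '*' may span several path segments
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: str, action: str) -> bool:
    """A role grants an action if it matches Actions and is not excluded by NotActions."""
    definition = ROLES[role]
    granted = any(_matches(p, action) for p in definition["actions"])
    excluded = any(_matches(p, action) for p in definition["notActions"])
    return granted and not excluded


def in_scope(assignment_scope: str, target_scope: str) -> bool:
    """An assignment covers its own scope and every child scope beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_allowed(assignments, principal: str, action: str, target_scope: str) -> bool:
    """Additive model: allowed if ANY applicable assignment grants the action.
    (Real Azure evaluates deny assignments first; none are modelled here.)"""
    return any(
        a.principal == principal
        and in_scope(a.scope, target_scope)
        and role_allows(a.role, action)
        for a in assignments
    )


# Constructed scope tree
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/web-rg"
APP = RG + "/providers/Microsoft.Web/sites/shop-frontend"
DB = RG + "/providers/Microsoft.Sql/servers/shop-sql"

ASSIGNMENTS = [
    Assignment("bob", "Owner", RG),                   # Owner on the whole resource group
    Assignment("bob", "Reader", APP),                 # "restrictive" role on one resource
    Assignment("carol", "Website Contributor", APP),  # least privilege, single resource
    Assignment("dave", "Contributor", RG),
]

if __name__ == "__main__":
    for who, action, scope in [
        ("bob", "Microsoft.Web/sites/delete", APP),
        ("carol", "Microsoft.Web/sites/write", APP),
        ("carol", "Microsoft.Sql/servers/write", DB),
        ("dave", "Microsoft.Authorization/roleAssignments/write", APP),
    ]:
        print(f"{who:5} {action:48} {scope.rsplit('/', 1)[-1]:14} -> "
              f"{is_allowed(ASSIGNMENTS, who, action, scope)}")
```

Bob's Reader assignment on the web app changes nothing: his Owner assignment on the resource group still lets him delete the app. Carol, scoped to the single resource with Website Contributor, can change the app but not the database next to it and cannot grant anyone else access; Dave has Contributor on the whole group but the NotActions block him from writing role assignments, which is the difference between Contributor and Owner.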
Let's see this in action:
On your home page you can see your web apps. Say you want to give someone access to one of them so that they can manage it in the Azure portal (deploy content and change its settings) without giving them access to anything else in the resource group.
- Step 1: Open the web app and, in its left-hand menu, click Access Control (IAM).
- Step 2: Click "+ Add" in the top panel and choose "Add role assignment".
- Step 3: You'll see the list of built-in roles. Pick the least privileged role that fits (for a web app that is usually Website Contributor rather than Contributor or Owner), then click Next.
- Step 4: Under Members, click "+ Select members" and pick the user or group.
- Step 5: Click "Review + assign".
Because you made the assignment from the web app's own IAM blade, its scope is that single resource.
If you want to remove access: open the "Role assignments" tab, select the person's assignment, and click Remove.
Zero Trust and Defense in Depth
Zero Trust
- Zero Trust is a security methodology that assumes breach: no request is trusted because of where it comes from (for example, the corporate network), so every access is verified explicitly as if it originated from an open network.
- Applies to identities, network endpoints, data, apps, infrastructure, computers, network components and the network itself.
- When using Zero Trust, you use: MFA to authenticate users; Conditional Access to apply policies that secure the environment.
- In order for Zero Trust to work, applications and users must be granted the lowest level of access to data, apps, networks and infrastructure that they need, and no more (least privilege, ideally granted just-in-time).
Defense in Depth
- Is another security philosophy, complementary to Zero Trust.
- Describes a layered approach to security: if one control fails or is bypassed, the next layer still stands. In Azure the layers are usually listed as physical security, identity and access, perimeter, network, compute, application and data.
- Often explained with a castle analogy, because it resembles the defences of a medieval castle: archers on the walls, a moat around the castle, a heavy gate, and guards patrolling inside. There were multiple layers of security, and an attacker had to defeat every one of them.
Microsoft Defender for Cloud
- Is a security service that protects Azure resources, but it can also protect on-premises resources (via Azure Arc) and even resources on other clouds such as AWS and GCP (via native connectors).
- Has features to help you secure your resources and help with regulatory compliance (regulations related to data access are strict these days; think of HIPAA or GDPR). It also offers workload protection, where workload means VMs, servers, apps, databases, storage, containers and so on.
- Constantly monitors and assesses your security posture and looks for misconfigurations or vulnerabilities. If it detects something suspicious, it can protect you in real time and raise alerts so you can take additional action.
- It's not just reactive but proactive: it provides recommendations and a secure score that show how well you are following best practices for a secure environment.
- When you deploy new resources to your environment, Defender for Cloud discovers them and assesses them as well, so you stay up to date on the security of your environment whether it is in the cloud or on-premises.