
Preparation to exam AZ-102 « Microsoft Azure Administrator Certification Transition (beta) »


Presentation Transcript


  1. Implement advanced virtual networking (5-10%) Preparation to exam AZ-102 « Microsoft Azure Administrator Certification Transition (beta) » Module 8 – Secure Identities (5-10%) Stanislas Quastana Cloud Solution Architect for Partners Microsoft France

  2. Objectives • Implement Multi-Factor Authentication (MFA) • May include but not limited to: Enable MFA for an Azure tenant; configure user accounts for MFA; configure fraud alerts; configure bypass options; configure trusted IPs; configure verification methods; manage role-based access control (RBAC); implement RBAC policies; assign RBAC roles; create a custom role; configure access to Azure resources by assigning roles; configure management access to Azure

  3. Implement Multi-Factor Authentication (MFA) Part 1

  4. Content • May include but not limited to: Enable MFA for an Azure tenant; configure user accounts for MFA; configure fraud alerts; configure bypass options; configure trusted IPs; configure verification methods; manage role-based access control (RBAC); implement RBAC policies; assign RBAC roles; create a custom role; configure access to Azure resources by assigning roles; configure management access to Azure

  5. Enable MFA for an Azure tenant • Prerequisites: • A global administrator account in your Azure AD tenant • Correct licenses assigned to users • Choose how to enable • Enabled by conditional access policy: the most flexible way to require two-step verification for your users • Enabled by Azure AD Identity Protection: requires an Azure AD Premium P2 license • Enabled by changing user state: the traditional method for requiring two-step verification • Choose authentication methods • When enabled for users, the Microsoft Authenticator app provides the best user experience

  6. Enable MFA for an Azure tenant • Get users to enroll • Recommendation: use https://aka.ms/mfasetup

  7. Configure user accounts for MFA • Method 1: enable each user for MFA • When users are enabled individually, they perform two-step verification each time they sign in • Method 2: conditional access policy • Choose one of these methods to require two-step verification, not both. Enabling a user for Azure Multi-Factor Authentication overrides any conditional access policies.

  8. Configure user for MFA with PowerShell
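Slides 7 and 8 describe per-user MFA (method 1) but the deck's PowerShell for it is only a screenshot. The following is an added example, not code from the original deck, showing how the MSOnline module sets, reads and clears a user's per-user MFA requirement. It assumes the MSOnline module is installed and that Connect-MsolService has already been run as a global administrator; the user principal name is a constructed sample value, and the Set-UserMfaState / Get-UserMfaState function names are my own.

```powershell
# Added example (not from the original deck): enable, inspect and disable
# per-user MFA with the MSOnline module. Assumes Connect-MsolService has
# already been run by a global administrator. UPNs below are constructed.
Import-Module MSOnline

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )

    if ($State -eq 'Disabled') {
        # An empty array clears the requirement, which turns per-user MFA off.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }

    # 'Enabled' prompts the user to register at the next sign-in;
    # 'Enforced' means registration is done and MFA is required from then on.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req = $user.StrongAuthenticationRequirements
    if ($req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

# Usage: enable MFA for a constructed sample user, then report its state.
Set-UserMfaState -UserPrincipalName 'rbacuser@example.com' -State 'Enabled'
Get-UserMfaState -UserPrincipalName 'rbacuser@example.com'

# Check: list every user that still has no per-user MFA requirement, so
# gaps are visible before relying on method 1 from the previous slide.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName
```

As slide 7 states, a user enabled this way is prompted on every sign-in regardless of any conditional access policy, so run the final check to know exactly which accounts carry the per-user setting before mixing it with method 2.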

  9. Configure fraud alerts • Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources. Users can report fraud attempts by using the mobile app or through their phone

  10. Configure Fraud Alert

  11. Configure bypass options • The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. • The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

  12. Configure trusted IPs • The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet. • The feature is available with the full version of Azure Multi-Factor Authentication, and not the free version for administrators.

  13. Configure trusted IPs

  14. Configure trusted IPs • Enable named locations by using conditional access • Enable the Trusted IPs feature by using conditional access • Enable the Trusted IPs feature by using MFA service settings 

  15. Configure verification methods

  16. Manage role-based access control (RBAC)

  17. Implement RBAC policies • Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. • There are a few key differences between policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes.

  18. Assign RBAC Roles

  19. Assign RBAC Roles

  20. Assign RBAC Roles

  21. Assign RBAC Roles - PowerShell • To grant access for the user, you use the New-AzureRmRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope.
      $subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"
      New-AzureRmRoleAssignment -SignInName rbacuser@example.com -RoleDefinitionName "Reader" `
          -Scope $subScope
      New-AzureRmRoleAssignment -SignInName rbacuser@example.com -RoleDefinitionName "Contributor" -ResourceGroupName "rbac-tutorial-resource-group"

  22. Assign RBAC Roles - PowerShell • List the assignments, then remove the one that is no longer needed:
      Get-AzureRmRoleAssignment -SignInName rbacuser@example.com -Scope $subScope
      Get-AzureRmRoleAssignment -SignInName rbacuser@example.com -ResourceGroupName "rbac-tutorial-resource-group"
      Remove-AzureRmRoleAssignment -SignInName rbacuser@example.com -RoleDefinitionName "Contributor" -ResourceGroupName "rbac-tutorial-resource-group"
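Slides 21 and 22 show the three assignment cmdlets on a single user. The following is an added example, not code from the original deck, that turns Get-AzureRmRoleAssignment into the review an administrator actually runs: which principals hold roles that can change access, and how many of those grants go straight to user accounts instead of groups. It assumes the AzureRM module and an existing Connect-AzureRmAccount session; the subscription id is the deck's placeholder, and the Get-PrivilegedAssignment function name and the $privilegedRoles list are my own choices.

```powershell
# Added example (not from the original deck): audit who holds privileged roles
# in a subscription. Assumes the AzureRM module and an existing
# Connect-AzureRmAccount session; the subscription id is a placeholder.
Import-Module AzureRM.Resources

$subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Owner and User Access Administrator can change access itself; Contributor
# can change almost everything else. These deserve the closest review.
$privilegedRoles = @('Owner', 'User Access Administrator', 'Contributor')

function Get-PrivilegedAssignment {
    param(
        [string]$Scope,
        [string[]]$RoleNames = $privilegedRoles
    )
    # With -Scope the cmdlet returns assignments effective at that scope,
    # including ones inherited from above; without it, every assignment in
    # the current subscription (resource-group level included) is returned.
    $all = if ($Scope) { Get-AzureRmRoleAssignment -Scope $Scope } else { Get-AzureRmRoleAssignment }
    $all |
        Where-Object { $RoleNames -contains $_.RoleDefinitionName } |
        Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope
}

# Usage: list privileged principals effective at the subscription scope.
$assignments = Get-PrivilegedAssignment -Scope $subScope
$assignments | Format-Table -AutoSize

# Check: grants made directly to users bypass group-based lifecycle management,
# so they are the first candidates for Remove-AzureRmRoleAssignment or for
# conversion to a group assignment.
$directUserGrants = @($assignments | Where-Object { $_.ObjectType -eq 'User' })
"{0} privileged assignment(s) go directly to a user account" -f $directUserGrants.Count
$directUserGrants | Format-Table SignInName, RoleDefinitionName, Scope -AutoSize
```

Run the function without -Scope to include resource-group level assignments such as the Contributor grant created on slide 21, which a subscription-scope query would not show.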

  23. Create a custom role • A role definition is a collection of permissions. It's sometimes just called a role. • A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed or operations related to underlying data. • Previously, role-based access control was not used for data operations. Authorization for data operations varied across resource providers. The same role-based access control authorization model used for management operations has been extended to data operations (currently in preview)

  24. Create a custom role • A custom role can be defined in a JSON file • To view the list of operations, you can use the Get-AzureRmProviderOperation or az provider operation list commands. To specify the permissions for your custom role, you add the operations to the Actions or NotActions properties of the role definition. • Use the New-AzureRmRoleDefinition or az role definition create commands to create the custom role

  25. Role JSON example « Contributor »
      {
        "Name": "Contributor",
        "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "IsCustom": false,
        "Description": "Lets you manage everything except access to resources.",
        "Actions": [ "*" ],
        "NotActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action"
        ],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [ "/" ]
      }

  26. Role JSON example « Storage Blob Data Reader »
      {
        "Name": "Storage Blob Data Reader (Preview)",
        "Id": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
        "IsCustom": false,
        "Description": "Allows for read access to Azure Storage blob containers and data",
        "Actions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/read" ],
        "NotActions": [],
        "DataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" ],
        "NotDataActions": [],
        "AssignableScopes": [ "/" ]
      }
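Slides 23 to 26 explain that a custom role is a JSON definition whose Actions must name real provider operations, and that Get-AzureRmProviderOperation and New-AzureRmRoleDefinition are the cmdlets for the job. The following is an added example, not code from the original deck, that builds a narrower-than-Contributor role definition in PowerShell, validates every action against the provider operation list before anything is created, writes the JSON file and creates the role. It assumes the AzureRM module and an existing Connect-AzureRmAccount session; the subscription id in AssignableScopes is a placeholder, the role name and the Test-RoleActions function are my own, and the wildcard search strings rely on Get-AzureRmProviderOperation expanding wildcards as documented.

```powershell
# Added example (not from the original deck): build a least-privilege custom
# role as JSON, validate each operation against Get-AzureRmProviderOperation,
# then create it with New-AzureRmRoleDefinition. Assumes an existing
# Connect-AzureRmAccount session; the subscription id is a placeholder.
Import-Module AzureRM.Resources

$roleName       = 'Virtual Machine Operator (example)'
$subscriptionId = '00000000-0000-0000-0000-000000000000'

# Operators may read compute, network and storage and may start or restart
# VMs, but nothing that creates, deletes or changes access. Unlike the
# Contributor example on slide 25, this role lists what is allowed rather
# than starting from "*" and subtracting.
$role = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = 'Can read, start and restart virtual machines.'
    Actions          = @(
        'Microsoft.Compute/*/read',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/restart/action',
        'Microsoft.Network/*/read',
        'Microsoft.Storage/*/read',
        'Microsoft.Authorization/*/read',
        'Microsoft.Resources/subscriptions/resourceGroups/read'
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    # Custom roles cannot be assignable at "/"; scope them to a subscription.
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

function Test-RoleActions {
    param([Parameter(Mandatory)][string[]]$Actions)
    # Get-AzureRmProviderOperation expands wildcards, so an action string that
    # matches no real operation returns nothing and is reported as invalid.
    $invalid = foreach ($action in $Actions) {
        if (-not (Get-AzureRmProviderOperation -OperationSearchString $action)) { $action }
    }
    return @($invalid)
}

$bad = Test-RoleActions -Actions $role.Actions
if ($bad.Count -gt 0) {
    throw "Unknown operations in role definition: $($bad -join ', ')"
}

# Write the definition to a file, as slide 24 describes, and create the role.
$path = Join-Path $env:TEMP 'vm-operator-role.json'
$role | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
New-AzureRmRoleDefinition -InputFile $path

# Check the stored definition before assigning it to anyone.
Get-AzureRmRoleDefinition -Name $roleName |
    Select-Object Name, IsCustom, Actions, AssignableScopes
```

The validation step matters because a mistyped operation in Actions is silently ineffective: the role is created, the assignment succeeds, and the user only discovers the gap when the portal denies the action.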

  27. Configure access to Azure resources by assigning roles

  28. Configure management access to Azure • For most organizations, the security of business assets depends on the integrity of the privileged accounts that administer and manage IT systems. Cyber-attackers focus on privileged access to infrastructure systems (such as Active Directory and Azure Active Directory) to gain access to an organization’s sensitive data.

  29. Configure management access to Azure • It's critical to protect privileged access, regardless of whether the environment is on-premises, cloud, or hybrid on-premises and cloud hosted services.  • Securing privileged access requires changes to • Processes, administrative practices, and knowledge management • Technical components such as host defenses, account protections, and identity management

  30. Configure management access to Azure • Turn on Azure AD Privileged Identity Management (Azure AD Premium P2 or EMS E5) • The first person to use Azure AD Privileged Identity Management in your tenant is automatically assigned the Security administrator and Privileged role administrator roles in the tenant. Only privileged role administrators can manage the Azure AD directory role assignments of users • Identify and categorize accounts that are in highly privileged roles • Define at least 2 emergency access accounts • Emergency access accounts are limited to emergency or 'break glass' scenarios where normal administrative accounts cannot be used.

  31. Configure management access to Azure • Turn on multi-factor authentication and register all other highly-privileged single-user non-federated admin accounts

  32. Manage access to Azure resources with Privileged Identity Management • To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts • PIM does this by limiting users to only taking on their privileges "just in time" (JIT), or by assigning privileges for a shortened duration after which privileges are revoked automatically.

  33. PIM for Azure resources • With Azure Active Directory Privileged Identity Management (PIM), you can now manage, control, and monitor access to Azure Resources within your organization. • This includes Subscriptions, Resource Groups, and even Virtual Machines. Any resource within the Azure portal that leverages the Azure Role Based Access Control (RBAC) functionality can take advantage of all the great security and lifecycle management capabilities Azure AD PIM has to offer
