🔥AFTER THIS 👉 tinyurl.com/AzureAcademy-EntraID 👈
So informative! Thanks so much
Thanks For Watching! Let me know what other topics you are interested in for the series!
Hi Dean, thanks for this great video.
I have a question about the secure score that you mentioned at the beginning. In my tenant I have 2 break-glass admins which are excluded from all conditional access policies and MFA. However, these two accounts are listed as not compliant for the secure score evaluation (for example for the "ensure all users can complete MFA registration"). This makes me lose a lot of points (%) on the secure score calculation. Is there a way that the algorithm knows that these two accounts are "best-practice" exclusions?
Many thanks in advance and best regards,
Sebastien
Good question, on my end, adding the break glass accounts to the exclude lists removes them from the policy requirements, at least from how my tenant looks. So it’s not just excluding from the conditional access policy, but all the exclude policies I showed in the video.
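Added example, not from the video or either commenter: a Microsoft Graph PowerShell check that lists every enabled Conditional Access policy that does not directly exclude the break-glass accounts, which is the exclusion the reply above is relying on. It assumes the Microsoft.Graph SDK is installed and the signed-in account holds Policy.Read.All and User.Read.All; the UPNs are placeholders.

```powershell
# Added example (not the video's or the thread's own code): find enabled
# Conditional Access policies that do NOT exclude the break-glass accounts.
# Assumes Microsoft.Graph PowerShell SDK; account UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All" -NoWelcome

# Break-glass accounts (placeholders) resolved to object IDs, which is what
# a policy's excludeUsers list actually contains.
$breakGlassUpns = @("emergency-access-01@contoso.example", "emergency-access-02@contoso.example")
$breakGlassIds = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id }

# Only enabled policies can lock the accounts out; report-only ones are skipped.
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" }

$findings = foreach ($p in $policies) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = $breakGlassIds | Where-Object { $excluded -notcontains $_ }
    if ($missing) {
        [pscustomobject]@{
            PolicyName           = $p.DisplayName
            MissingBreakGlassIds = ($missing -join ", ")
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "All enabled Conditional Access policies exclude the break-glass accounts directly." }
```

Note that this only inspects direct user exclusions (excludeUsers); if a policy excludes the accounts through a group (excludeGroups), it will show up as a finding here even though the accounts are effectively excluded, so treat the output as a list to review rather than a verdict.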
Question regarding the dynamic group to exclude admins. How did you configure the rule for that? As I don't see a property that would fit.
This is what I used for the dynamic query
(user.companyName -eq "azure academy") and (user.userType -eq "Member") and (user.extensionAttribute1 -eq "SSPR")
@@AzureAcademy Ah! ok, that implies you have to set the extensionAttribute1 of all users which needs a bit more thought.
in my case...yes...but you should create your own dynamic query that fits your needs 🤔
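Added example, not the video's or the commenter's own code: the two steps the thread implies, stamping extensionAttribute1 on the cloud-only users that should be in scope and then creating the dynamic group with the exact rule quoted above. It assumes the Microsoft.Graph PowerShell SDK; the UPNs, group name and mail nickname are placeholders, and the company name is the one from the rule.

```powershell
# Added example (not from the thread): tag in-scope users, then build the
# dynamic group with the rule quoted in the thread.
# Assumes Microsoft.Graph PowerShell SDK; UPNs and group names are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All" -NoWelcome

# 1. Stamp extensionAttribute1 on cloud-only users. (For synced users the
#    attribute comes from on-prem AD via Entra Connect instead.)
$inScope = @("alice@contoso.example", "bob@contoso.example")   # placeholders
foreach ($upn in $inScope) {
    Update-MgUser -UserId $upn -OnPremisesExtensionAttributes @{ extensionAttribute1 = "SSPR" }
}
# Admin and break-glass accounts are deliberately left untagged, so the
# rule below never matches them and they stay out of the group.

# 2. Create the dynamic security group with the rule from the thread.
$rule = '(user.companyName -eq "azure academy") and (user.userType -eq "Member") and (user.extensionAttribute1 -eq "SSPR")'
$group = New-MgGroup -DisplayName "SSPR-Scope-Users" `
    -MailEnabled:$false -MailNickname "ssprscope" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 3. Membership is evaluated asynchronously, so wait before verifying.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName } |
    Select-Object UserPrincipalName
```

The final membership listing is the check worth keeping: if an admin or break-glass account ever shows up in it, someone has stamped the attribute on an account that should not carry it.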
Hi Dean, thanks for the video! In one of my tenants we are using security defaults. Under Authentication methods policies we haven't configured any method yet and the registration campaign is set to Microsoft Managed. The Authentication method is set to Microsoft Authenticator - All users.
How does this work in practice? Because when I open the user registration details or registration and reset events there is no entry.
How do I ensure that even using security defaults is enforcing the 2FA using Microsoft Authenticator?
Or does the enforced MFA using security defaults not reporting in registration details?
I’m not following? If Security Defaults are in place, your users sign in, do they get prompted to setup MFA or not?
@@AzureAcademy Yes, they do! But why is the registration for this not visible in the registration events? Or is this normal behavior?
What if I migrate to CA, do they need to update their MFA?
No, CA just forces MFA, once they are registered they are done…unless you change to another MFA solution
@@AzureAcademy Today I've set up a new tenant with security defaults enabled. In this case the users weren't prompted for MFA. I've read something about Microsoft will prompt users only when necessary. In case of unknown location or device it should prompt the users?
No, users get prompted according to the conditional access and MFA policies.
The best practice is not to use the common names like BackDoor or BreakGlass. Those are the first which are attacked via brute force. Use not so common names, and document it in your secure environment (like KeePass, Passkey and or any other Passkey Safe).
A good point! I had not seen any specific guidance to not use breakglass or backdoor but makes sense ☺️
Is this on the free version are you moving up to P1-2 etc?
I have a P2 for my account, but all the features I showed are in the free
Thanks for the great videos. I would like to tell you that music is very annoying while someone overhears you :( I really can't focus what you're talking about. Would you please not add any sound effects or any music. Happy learning :)
This video used action music because it was a more "exciting" topic to defend from attacks. And I worked to keep the music in the background so you would "feel the tension" while learning. Please watch the previous video, it's how I normally do things, and let me know if it is better for you 👉 ruclips.net/video/RnnnY0hr3vE/видео.html
@@AzureAcademy I noticed the music and did get the tension! Great video by the way.
Awesome, thanks Alan!
For entra password protection proxy do i need to install proxy on every dc ?
You don’t need to install a proxy on every domain controller.
Instead, you’ll set up the Microsoft Entra Password Protection Proxy service on any domain-joined machine within your Active Directory forest.
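Added example, not from the video or the reply above: the registration and health-check steps run on that one domain-joined member server once the Password Protection Proxy service is installed on it. It assumes the AzureADPasswordProtection module that ships with the proxy installer is present, that the account used has the Entra and on-premises rights the registration cmdlets require, and the UPN is a placeholder.

```powershell
# Added example (not the video's own code): register one proxy host and
# confirm the DC agents are checking in. Assumes the proxy service is already
# installed on this domain-joined member server (not a domain controller).
Import-Module AzureADPasswordProtection

# Register this proxy with the tenant; prompts for the Entra admin sign-in.
Register-AzureADPasswordProtectionProxy -AccountUpn "admin@contoso.example"   # placeholder UPN

# Register the forest once, the first time a proxy is set up (needs AD
# Enterprise Admin rights on-prem plus the Entra admin sign-in).
Register-AzureADPasswordProtectionForest -AccountUpn "admin@contoso.example"

# Health check: the proxies known to the forest (expect the one just registered)
Get-AzureADPasswordProtectionProxy | Format-List

# ...and every DC running the agent, with its last heartbeat and policy download.
# A DC missing here has no agent installed or cannot reach a proxy.
Get-AzureADPasswordProtectionDCAgent | Format-List

# Forest-wide summary of accepted vs. rejected password changes, useful once
# the policy is switched from Audit to Enforced.
Get-AzureADPasswordProtectionSummaryReport
```

The split the reply describes is visible in the two Get- cmdlets: the proxy list stays short (one or two member servers for redundancy) while the DC agent list should cover every domain controller, since the agent, not the proxy, is what evaluates password changes.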