Microsoft Entra ID Authentication Methods Explained

  • Published: 30 May 2024
  • In this session I take a look at Microsoft Entra ID’s (Azure AD) various authentication methods, and discuss what they are and how they work. We’ll discuss the different types of authentication strengths and I’ll show you how to create your own customised policies. Furthermore, I’ll show you how these phishing-resistant methods can be used in tools like Conditional Access to further secure your users and your environment. Finally, I’ll mention Security defaults, a great solution to secure a newly created tenant or in a situation in which admins are unsure about what settings to use.
    For more on me visit Andymalone.org
    Want more? Visit my Patreon Site Patreon.com/AndyMaloneMVP
    I’ll also be speaking at ESPC 2023 in Amsterdam, 27-30th Nov. Details below. Use Code: ESPCAndy and receive 10% off any ticket on top of Early Bird pricing. The code discounts 15% until September 30th and then it goes to 10%. www.sharepointeurope.com/
    Timecodes
    00:00 Introductions
    01:59 Entra ID Security Defaults Explained
    03:16 Entra ID Authentication Options Explained
    05:28 Default Password Policies explained
    06:04 Password protection for Windows Server Active Directory
    07:04 Creating a MFA Registration Campaign
    08:17 Creating a Custom Authentication Strength & Conditional Access Implementation
    11:53 Authentication Options Explained and how to implement
    15:35 Exploring the Tenant Settings
    16:15 Activity Reporting & Diagnostics
    17:19 Conclusions

Comments • 54

  • @timkatsapas 1 month ago

    I love the delivery and how you get your ideas across. It's great seeing you again - thank you for your content.

  • @AndyKow 1 month ago

    Excellent video guide and great detail in explaining each option that is required.

  • @RyanMortier 1 month ago +1

    Thanks, this helped me a lot.

  • @ramsyrama 7 months ago

    Lovely as always

  • @shanw2002 7 months ago

    Great session!

  • @davidasplund7088 3 months ago +1

    Hey Andy. I enjoy your videos. Thanks for sharing.

  • @allanocenar3253 7 months ago

    Thanks again, it's a big help for me.

  • @bartonlucasj 6 months ago

    Thanks brother, great stuff!

  • @glee540 4 months ago

    Andy! the best!!!!!!

  • @serdartokgoz9380 7 months ago +1

    Hey Andy, you are a great tutor. I enjoy and learn a lot while watching you. It would be fantastic if you recorded a video related to password complexity policy. Thanks a lot.

  • @supriyochatterjee4095 7 months ago

    Excellent, thanks for everything. Well-explained concepts as always.

  • @terri78 5 months ago

    Awesome thank you, funnily enough I’m listening from Adelaide :)

    • @AndyMaloneMVP 5 months ago

      Yay great to have you onboard 👍

  • @thobiasmakuwatsine7669 7 months ago

    Hey Andy, you are a great tutor, I really enjoy your sessions. I have a question: do you have any presentation on AD Reporting?

  • @HanSDevX 7 months ago

    I was just reading MFA complaints on reddit.

  • @sharathchandraa 7 months ago

    Hello, I am glad to hear your sessions. I want to know how to deploy 3rd party authentication methods on Azure.

    • @AndyMaloneMVP 7 months ago

      In authentication methods you can deploy 3rd party OAuth hardware tokens. Check documentation for more details.

  • @thomassejerhansen 7 months ago

    Hi Andy. Great video.
    Are all these settings included in all types of license or do we need an AD premium license?

    • @AndyMaloneMVP 7 months ago +1

      P1 may be required for some. P2 required for identity protection.

  • @kelseykong 5 months ago

    Thank you Andy for the informative explanation. May I know if you have recorded any video, or will record one, for companies that have the free license? I understand we can enable security defaults. I am wondering if we can disable security defaults and still be using per-user MFA. Or is that not secure?

    • @AndyMaloneMVP 5 months ago +1

      With a free license, you have very limited capabilities in terms of management and security options. I suggest licensing your users as soon as possible. For more details on licensing, check out learn.microsoft.com. I will go ahead and add this topic to my list as I do feel there is an update due. All the best, Andy

    • @kelseykong 5 months ago

      @AndyMaloneMVP Thank you so much Andy for your response. Happy Holidays!

  • @fireside_talks 2 months ago

    Andy, how long do you expect for a custom authentication strength from setup to become available so you can pick it up in a conditional access policy?

    • @AndyMaloneMVP 2 months ago

      Normally it becomes available very quickly, however, I have heard that this depends on the data centre. It can take up to 24 hours.

  • @MBRE506 7 months ago

    Andy, my mentor!! May I ask you, for a recently born company of 5 persons, would you suggest starting to use Entra with all that follows, AD, conditional access...

  • @thulanavimukthi5758 7 months ago

    Hi, I am new to Azure AD. I have a question. After syncing Azure AD with on-prem AD, let's say we log in to Azure AD with an on-prem sync account. Can we see the same configurations on the computer, like applications, files etc., once we have logged in to Azure AD, which we were able to see when logging in using on-prem Active Directory?

    • @AndyMaloneMVP 7 months ago

      These would be configured via Intune. Yeah, it would be a similar user experience. There are connectors to on-prem for apps and files.

    • @thulanavimukthi5758 7 months ago

      @AndyMaloneMVP Could you please share if there are any video links for this in your channel? I am really new to this field.

  • @ensarguler7684 6 months ago

    If Security Details is enabled, but I want to create conditional access for 1 user to require a security key to log in, would I lose the features of Security Defaults org-wide?

    • @AndyMaloneMVP 6 months ago

      Yes

    • @ensarguler7684 6 months ago

      @AndyMaloneMVP Thanks much for your reply. How about if I just enable security keys under "authentication methods" and let the user register the key but with no conditional access policy?

  • @fintoanto 7 months ago

    Hi, how do I enable an app password for a specific user ID? Is any specific license required to do that?

  • @jradharaman2474 7 months ago

    Hi Andy, I follow your channel. I like the way you explain the MS ecosystem. We are an MS Partner in India and one of our customers has this requirement: "How to allow sign-in from only one device at a time. If the user wants to access from another device then he should first log out from the first device, then he should be allowed to sign in from the 2nd device". They are using MS Business Basic and Entra P1 subscriptions at the moment. Please help with input. Regards

    • @AndyMaloneMVP 7 months ago

      Off the top of my head, conditional access sounds like it could be a solution.

    • @jradharaman2474 7 months ago

      @AndyMaloneMVP Can you please share where in the conditional access policy we can set this? In Devices it shows only OS platforms like Windows, Mac etc. Appreciate your quick help and guidance. Regards

  • @alexie4565 5 months ago +1

    The problem is that I can’t sign in to the authenticator app because I need the code. But the code is in the authenticator. Do you have any idea how to solve this?

    • @AndyMaloneMVP 5 months ago

      Ask your administrator to reset your multifactor authentication, and then you’ll be able to log in.

    • @alexie4565 5 months ago

      @AndyMaloneMVP Great! Thank you!

    • @zubaircrude 5 months ago

      You need to ask your GA to reset the MFA methods. If you are the lone Global Admin for your account then you have to raise a support request and your request will be transferred to the DPT team.

  • @driver288 4 months ago

    SMS is relatively new. And to use SMS for anything is bad. SMS is kind of hackable with social engineering, getting a secondary SIM card or cell tower listening. To use SMS for MFA is OK as a last resort. But SMS as a login method? I hope I have misunderstood this, but SMS for login as with a FIDO2 key is a really bad idea. So is voice call. I have noticed that even with this authentication method turned off users are required to add mobile phone numbers for password resets. So there is a migration you do here from the legacy manual MFA methods and SSPR methods into this place now. Is that what is meant with SMS here, as an MFA or SSPR method and not as a passwordless login method?

    • @AndyMaloneMVP 4 months ago +1

      This is why phishing resistant MFA is the way to go👍😊

  • @bluepawn 6 months ago

    What would be the best double authentication available when you land, you're outside the airport in another country and at the airport... all your stuff, mobile phone, tablet, computer, clothes are stolen? How can you get into a cyber café (free) to use your Google account (double authentication methods) to get a phone number of a friend who can send money by Western Union for your holiday? Of course you will have to go to the Embassy for the rest (but it's Sunday and they are closed!)...

    • @AndyMaloneMVP 6 months ago

      Have a backup FIDO key

    • @bluepawn 6 months ago

      @AndyMaloneMVP The cyber café at the airport doesn't give access to the USB port...

    • @AndyMaloneMVP 6 months ago

      @bluepawn You’ll be able to use your phone as a passkey soon 😊👍

    • @bluepawn 6 months ago

      @AndyMaloneMVP If it's been stolen and you need to get a phone number from your Google contacts in a free cybercafé... The computer of the cybercafé will send a double authorization to the stolen smartphone (do you have to contact the robber to click the "yes it's me" button if he's inside your smartphone's profile at that time?). Sorry for my irony... Something goes wrong.

  • @hullan666 4 months ago

    This is all great but on my end it doesn't work at all... I have a test-tenant with 3 business-standard licenses. I have fully migrated to the new auth. methods but no matter how I set it up my accounts are NEVER prompted for MFA. When I have a look in the login-logs for the accounts the login is fully satisfied with 1 factor login... I just don't get it...

    • @AndyMaloneMVP 4 months ago

      I’m planning to do a demo on a business standard sub soon so watch out for that. In the meantime, here is a great resource for you: learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

    • @hullan666 4 months ago

      Thank you Andy. When looking at the licensing and pricing from Microsoft I am starting to feel that for Standard licenses I can only use the "security defaults", which IMO is not good at all. To be able to use the authentication methods in some granular way I need a premium license - is that correct? I know that I need a premium license for conditional access - but these new auth. methods don't trigger at all. @AndyMaloneMVP