Describe the authentication capabilities of Azure AD Flashcards

1
Q

Phone-based authentication in Azure AD

A

SMS-based authentication:
- Users can authenticate without using a username and password.
- Users enter their registered mobile phone number during sign-in.
- A verification code is sent via SMS to the mobile phone.
- Users enter the verification code in the sign-in interface.
- Can be used as a primary form of authentication or as a secondary factor during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication.

Voice call verification:
- Users can use voice calls as a secondary form of authentication.
- Used during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication.
- An automated voice call is made to the registered phone number.
- Users need to press # on their keypad to complete the sign-in process.
- Voice calls are not supported as a primary form of authentication in Azure AD.

Note: Phone-based authentication provides additional security by adding a second factor to the authentication process. It is important to consider the security and privacy implications of using phone-based authentication and ensure proper protection of users’ phone numbers and verification codes.

2
Q

OATH (Open Authentication) in Azure AD

A
  • OATH is an open standard for generating time-based one-time password (TOTP) codes for user authentication.
  • OATH TOTP codes can be generated using software or hardware tokens.
  • Software OATH tokens are typically applications; Azure AD generates the secret key or seed that the application uses to generate each OTP.
  • OATH TOTP hardware tokens are small devices that display a code that refreshes every 30 or 60 seconds. These tokens come with a pre-programmed secret key or seed.
  • OATH tokens, whether software or hardware, are supported as secondary forms of authentication in Azure AD.
  • They can be used to verify identity during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication.
  • The secret keys or seeds, along with other token-specific information, need to be input into Azure AD and activated for use by end-users.

Note: OATH tokens provide an additional layer of security by requiring the input of time-based codes in addition to regular authentication credentials. It’s important to properly manage and secure the secret keys or seeds associated with the tokens to ensure the integrity of the authentication process.

3
Q

Windows Hello for Business

A
  • Windows Hello for Business is a passwordless authentication method on Windows devices.
  • It replaces passwords with strong two-factor authentication.
  • The two-factor authentication combines a key or certificate tied to the device and either a PIN or biometrics (such as fingerprint or facial recognition).
  • When a PIN or biometric gesture is provided, the private key associated with the device is used to sign data that is sent to the identity provider.
  • The identity provider verifies the user’s identity and authenticates the user based on the provided PIN or biometric.
  • Windows Hello for Business enhances security by requiring both the device and the user’s biometric or PIN, making unauthorized access more difficult.
  • It helps protect against credential theft since an attacker would need physical access to the device and the user’s biometric data or PIN.
  • Windows Hello for Business can be used as the primary form of authentication, eliminating the need for passwords.
  • It can also serve as a secondary form of authentication during multi-factor authentication to further verify the user’s identity.

Note: Windows Hello for Business provides a convenient and secure authentication method, leveraging biometrics and PINs to enhance security and simplify the user experience. It’s important to ensure that devices and biometric data are properly protected to maintain the integrity of the authentication process.

4
Q

FIDO2 (Fast Identity Online)

A
  • FIDO2 is an open standard for passwordless authentication.
  • It incorporates the web authentication (WebAuthn) standard and is supported by Azure AD.
  • FIDO2 allows users and organizations to sign in to resources using an external security key or a built-in platform key on a device, eliminating the need for a username and password.
  • FIDO2 security keys are unphishable, standards-based devices used for passwordless authentication.
  • FIDO2 security keys can be in the form of USB, Bluetooth, or NFC devices.
  • By using a hardware device for authentication, the security of an account is increased as there is no password that can be exposed or guessed.
  • FIDO2 security keys let users sign in to Azure AD, to hybrid Azure AD joined Windows 10 devices and to supported browsers, and get single sign-on to cloud and on-premises resources.
  • FIDO2 security keys are especially beneficial for enterprises with high security requirements, or for employees who prefer not to use their phone as a second factor.
  • FIDO2 serves as a primary form of passwordless authentication.
  • It can also be used as a secondary form of authentication during multi-factor authentication.

Note: FIDO2 provides a secure and convenient passwordless authentication method, leveraging external security keys to authenticate users without relying on traditional usernames and passwords. It enhances security by eliminating the risk of password exposure and provides a seamless user experience across various devices and resources.

5
Q

Microsoft Authenticator app

A
  • The Microsoft Authenticator app is a passwordless authentication method.
  • It can be used as a primary form of authentication to sign in to any Azure AD account.
  • The app can also be used as an additional verification option during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication events.
  • To use Microsoft Authenticator, users need to download the app from the Microsoft Store.
  • The app is available for both Android and iOS devices.
  • With Passwordless sign-in, the app transforms the user’s iOS or Android phone into a strong, passwordless credential.
  • To sign in to their Azure AD account using the Authenticator app, users enter their username, match a number displayed on the screen to the one on their phone, and then confirm using biometrics or a PIN.
  • When the Authenticator app is used as a secondary form of authentication, a notification is sent to the user’s phone or tablet.
  • Users can approve or deny the authentication request by interacting with the notification in the app.

Note: The Microsoft Authenticator app provides a convenient and secure way to authenticate users without relying on passwords. It leverages the user’s mobile device and offers a seamless authentication experience by utilizing biometrics or a PIN. The app can be used as a primary authentication method or as an additional layer of verification for enhanced security.

6
Q

Multi-Factor Authentication (MFA)

A
  • Multi-Factor Authentication requires more than one form of verification to prove the legitimacy of an identity.
  • It significantly enhances security by adding an extra layer of authentication beyond just a password.
  • MFA combines at least two of the following: something the user knows (password or PIN), something they have (trusted device), and something they are (biometrics).
  • Azure Active Directory (Azure AD) Multi-Factor Authentication integrates with the sign-in process and prompts users for additional verification.
  • Users can choose from the verification methods they have registered, such as Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH hardware token (preview), OATH software token, SMS, or voice call.
  • Administrators can enforce specific verification methods or allow users to manage their preferred methods through MyAccount.

Note: Multi-Factor Authentication adds an extra layer of security by requiring users to provide multiple forms of verification during the authentication process. It helps prevent unauthorized access even if a password is compromised. Azure AD supports various verification methods, allowing organizations to choose the most appropriate options based on their security requirements and user preferences.

7
Q

Security Defaults and Multi-Factor Authentication (MFA)

A
  • Security defaults are a set of recommended identity security mechanisms provided by Microsoft.
  • Enabling security defaults automatically enforces basic security measures in an organization at no additional cost.
  • Security defaults include features like enforcing Azure AD Multi-Factor Authentication registration for all users.
  • Administrators are required to use multi-factor authentication when security defaults are enabled.
  • All users are prompted to complete multi-factor authentication when necessary.
  • Security defaults are suitable for organizations looking to enhance their security posture without complex requirements or premium Azure AD licensing.
  • Organizations with more advanced security needs or Azure AD premium licenses may need to implement custom security configurations.

Note: Security defaults provide organizations with a simple and cost-effective way to implement basic security measures recommended by Microsoft. This includes enforcing multi-factor authentication for users and administrators. While security defaults are a good starting point for many organizations, those with more advanced security needs or premium Azure AD licenses may require custom security configurations to meet their specific requirements.

8
Q

Self-service password reset (SSPR) in Azure AD

A

SSPR is a feature in Azure AD that allows users to change or reset their passwords without the need for administrator or help desk assistance. It helps reduce the number of password-related help desk calls and improves user productivity.

  • Users can perform password changes, password resets, and account unlocks through SSPR.
  • Users need to be assigned an Azure AD license and enabled for SSPR by an administrator to use this feature.
  • During SSPR registration, users can choose the authentication methods they want to use for password recovery. It is recommended to select two or more authentication methods for flexibility.
  • The available authentication methods for SSPR include mobile app notification, mobile app code, email, mobile phone, office phone, and security questions.
  • Security questions can only be used during the SSPR process to confirm the user’s identity and are not used as an authentication method during regular sign-in events. Note that administrator accounts cannot use security questions as a verification method.
  • Password write-back is a feature that allows the updated password to be synchronized with an on-premises Active Directory, enabling users to use their new credentials across on-premises devices and applications.
  • Email notifications can be configured to notify administrators about SSPR events, including password resets for regular user accounts and privileged admin accounts.
9
Q

Azure AD Password Protection

A
  • Azure AD Password Protection is a feature in Azure Active Directory that helps reduce the risk of weak passwords being set by users.
  • It detects and blocks known weak passwords and their variations, as well as other weak terms specific to your organization.
  • Default global banned password lists are automatically applied to all users in an Azure AD tenant, ensuring a baseline level of password strength.
  • Custom banned password lists can be created to support your organization’s specific business and security requirements.
  • When users change or reset their passwords, these lists are checked to enforce the use of strong passwords.
  • It is important to note that while Azure AD Password Protection is beneficial, it should not be solely relied upon for password security.
  • Additional security features, such as Azure Active Directory multi-factor authentication (MFA), should be implemented to enhance overall security.
  • MFA adds an extra layer of protection by requiring users to provide additional verification factors alongside their passwords.
  • Adopting a multi-layered approach that combines strong passwords enforced by Azure AD Password Protection and MFA significantly enhances security.
10
Q

Global banned password list

A
  • The global banned password list is automatically updated and enforced by Microsoft in Azure AD.
  • It contains known weak passwords that are identified by the Azure AD Identity Protection team.
  • The list includes passwords commonly used by attackers, such as “P@$$w0rd” or “Passw0rd1,” and their variations.
  • Variations of passwords are created using an algorithm that changes text case and replaces letters with numbers (e.g., “1” for “l”).
  • Examples of variations on “Password1” include “Passw0rd1” or “Pass0rd1.”
  • The global banned password list is continually analysed and expanded based on security telemetry data and real-world password spray attacks.
  • The list is automatically applied to all Azure AD users and cannot be disabled.
  • When a user attempts to set their password to a weak password from the banned list, they receive a notification to choose a more secure password.
  • Azure AD Password Protection efficiently detects and blocks millions of common weak passwords from being used in an enterprise.
  • The password validation algorithm uses smart fuzzy-matching techniques to identify strings that approximate the banned password patterns.
11
Q

Custom Banned Password List

A
  • Admins have the ability to create custom banned password lists in Azure AD to align with specific business security requirements.
  • Custom banned password lists are used to prohibit the use of certain passwords that are specific to the organization.
  • Passwords added to the custom banned password list should focus on organizational-specific terms such as brand names, product names, locations, company-specific internal terms, and abbreviations with specific company meaning.
  • Custom banned password lists are intended to complement the global banned password list, and variations of all listed passwords are blocked as well.
  • The combination of the global banned password list and the custom banned password list helps prevent users from selecting weak passwords related to the organization.
  • The custom banned password list feature is available with Azure AD Premium 1 or 2 licensing.
12
Q

Protecting against password spray attacks

A

(A password spraying attack is when an attacker acquires a list of usernames, then attempts logins across all usernames using the same password. The attacker repeats the process with new passwords until the attack breaches the target authentication system to gain account and systems access.)

  • Password spray attacks involve submitting a few of the known weakest passwords against multiple user accounts in an enterprise to find easily compromised accounts.
  • Azure AD Password Protection helps defend against password spray attacks by efficiently blocking all known weak passwords commonly used in such attacks.
  • The protection offered by Azure AD Password Protection is based on real-world security telemetry data from Azure AD.
  • The global banned password list is a key component of Azure AD Password Protection and is continuously updated by the Azure AD Identity Protection team.
  • The global banned password list automatically blocks weak passwords and their variations, preventing their use during password creation or reset.
  • By blocking weak passwords commonly used in password spray attacks, Azure AD Password Protection enhances the overall security of an organization’s user accounts.
13
Q

Hybrid security

A
  • Hybrid security allows admins to integrate Azure AD Password Protection within an on-premises Active Directory environment.
  • The on-premises component receives the global banned password list and custom password protection policies from Azure AD.
  • Domain controllers in the on-premises environment utilize these lists and policies to process password change events.
  • By implementing hybrid security, Azure AD Password Protection is enforced regardless of where a user changes their password.
  • While password protection improves password strength, it’s essential to complement it with best practice features like Azure Active Directory multi-factor authentication.
  • Multi-factor authentication provides additional layers of security, enhancing overall protection even with strong passwords.
14
Q

After hearing of a breach at a competitor, the security team wants to improve identity security within their organization. What should they implement to provide the greatest protection to user identities?

A. Multi-factor authentication.

B. Require security questions for all sign-ins.

C. Require strong passwords for all identities.

A

A. Multi-factor authentication.

Multi-factor authentication dramatically improves the security of an identity.

15
Q

Which of the following additional forms of verification can be used with Azure AD Multi-Factor Authentication?

A. Microsoft Authenticator app, SMS, Voice call, FIDO2, and Windows Hello for Business

B. Security questions, SMS, Voice call, FIDO2, and Windows Hello for Business

C. Password spray, SMS, Voice call, FIDO2, and Windows Hello for Business

A

A. Microsoft Authenticator app, SMS, Voice call, FIDO2, and Windows Hello for Business

These are all valid forms of verification with multi-factor authentication.

16
Q

A company’s IT organization has been asked to find ways to reduce IT costs, without compromising security. Which feature should they consider implementing?

A. Self-service password reset.

B. Biometric sign-in on all devices.

C. FIDO2.

A

A. Self-service password reset.

Self-service password reset allows users to change or reset their own passwords, thereby reducing the cost of administrator and help desk support.