Table of Contents
Implement multi-factor authentication (MFA)
What is Multifactor Authentication (MFA)?
MFA adds an extra layer of security by requiring a second form of identification during sign-in, like a code on your phone or fingerprint scan. This makes it harder for attackers to access your accounts.
How to Enable MFA with Conditional Access Policies:
- Create a Conditional Access Policy:
- Assign a group of users (e.g., MFA-Test-Group) to the policy.
- Choose which cloud apps or actions trigger the policy (e.g., signing in to a specific app).
- Configure MFA requirements:
- Select “Require multifactor authentication” for the access control.
- Activate the policy:
- Set the policy to “On” to enforce MFA.
Testing MFA:
- Sign in to a resource without MFA first (e.g., a different browser window). There should be no prompt for MFA.
- Sign in to a resource covered by the policy (e.g., Microsoft Entra admin center). You’ll be prompted to configure MFA if not already done.
- Choose your preferred MFA method (e.g., phone app) and follow the on-screen instructions.
Additional Configuration Options (Optional):
- Account lockout: Temporarily lock accounts after too many failed MFA attempts.
- Fraud alerts: Allow users to report suspicious sign-in attempts.
- Notifications: Receive email alerts for fraud reports.
- OATH tokens (advanced): Use hardware tokens for additional security.
To better understand how you can enforce MFA with Conditional Access policies, read my previous blog.
Configure Microsoft Entra Verified ID
Decentralized Identity (DID) is a paradigm shift that places individuals in control of their own digital identities. By leveraging blockchain and cryptographic techniques, DIDs offer a more secure and private way to manage identity data.
- Decentralized Identifiers (DIDs): User-generated, self-owned, and globally unique identifiers rooted in decentralized trust systems.
- Verifiable Credentials: Data objects that attest to information about a subject, cryptographically signed by the issuer.
- Trust Systems: Decentralized networks that enable the resolution and validation of DIDs.
How Decentralized Identity Works:
- Issuer Issues Credential:
- Holder requests a VC from an issuer.
- Issuer generates a VC issuance request and sends it to the holder’s wallet.
- Holder’s wallet validates the request and collects necessary information.
- Wallet submits required artifacts to the Microsoft Entra Verified ID service.
- Service returns the signed VC to the wallet.
- Holder Presents Credential:
- Holder interacts with a relying party (RP) to present the VC.
- RP generates a VC presentation request and sends it to the holder’s wallet.
- Wallet validates the request and selects appropriate VC.
- Wallet generates a presentation response and sends it to the Microsoft Entra Verified ID service.
- Service validates the response and calls back the RP with the result.
Key Considerations:
- Trust Establishment: Decentralized systems rely on trust between actors, not centralized authorities.
- DID Resolution: Trust systems enable the discovery of any actor’s DID.
- VC Validation: Verifiers can validate any VC from any issuer.
- Decoupled Operations: Issuers, subjects, and verifiers operate independently.
- Issuer Responsibilities: Issuers service all VC requests without discrimination.
- Subject Ownership: Subjects own their VCs and can present them to any verifier.
- Verifier Validation: Verifiers can validate any VC from any issuer.
Benefits of Decentralized Identity:
- Enhanced user control: Individuals own and manage their own identity data.
- Improved security: Reduces reliance on centralized authorities and minimizes data breaches.
- Increased privacy: Protects user data from unauthorized access.
- Simplified interactions: Streamlines processes for both users and organizations.
Setup
With the following steps you can configure Microsoft Entra for issuing and verifying verifiable credentials using Azure Key Vault for secure key storage.
Prerequisites
- Azure subscription
- Global administrator or authentication policy administrator permissions in Azure AD
- Contributor role for the Azure subscription or resource group where you create the key vault
Quick setup
Advanced steps
- Create an Azure Key Vault:
- Use the Azure portal to create a key vault with the “Key Vault Access Policy” permission model.
- Grant access to the key vault for the Verified ID administrator and the Request Service API principal.
- Set Up Verified ID:
- Sign in to the Microsoft Entra admin center as a Global Administrator.
- Navigate to Verified ID > Setup > Configure organization settings.
- Provide your organization name and a trusted domain (HTTPS required).
- Select the previously created key vault.
- Save the configuration.
- Register an Application in Microsoft Entra ID:
- Register a web application (e.g., verifiable-credentials-app) in Azure AD.
- Grant the “Verifiable Credentials Service Request” service principal the “VerifiableCredential.Create.All” permission.
- Grant admin consent for your tenant.
- Register Decentralized ID and Verify Domain Ownership (Separate Steps):
- Refer to the provided articles for instructions on registering your DID document and verifying domain ownership.
Implement passwordless authentication
This guide helps you ditch passwords and secure your organization with Microsoft Entra’s passwordless authentication methods:
- Microsoft Authenticator: Turns smartphones into secure login tools (Android/iOS).
- FIDO2 Security Keys: Physical keys for secure sign-in on supported devices and browsers.
- Windows Hello for Business: Facial or fingerprint recognition for Windows machines.
Benefits:
- Reduced Attack Surface: Eliminates password vulnerabilities.
- Improved User Experience: Faster and more convenient logins.
Getting Started:
Before deploying passwordless methods, ensure you have:
- Azure subscription
- Global administrator or authentication policy administrator permissions
- Contributor role for the Azure subscription/resource group where you create the key vault
Choosing the Right Method:
The Microsoft Entra admin center’s passwordless methods wizard helps you select the most suitable method for your users based on their devices and needs.
Scenario Examples:
The table summarizes supported passwordless methods on various devices:
| Device Type | Passwordless Method |
|---|---|
| Dedicated non-Windows devices | Microsoft Authenticator, Security Keys |
| Dedicated Windows 10 computers (1703+) | Windows Hello for Business, Security Keys |
| Dedicated Windows 10 computers (pre-1703) | Windows Hello for Business, Microsoft Authenticator |
| Shared devices (tablets, mobiles) | Microsoft Authenticator, One-time Password |
| Kiosks (Legacy) | Microsoft Authenticator |
| Kiosks & Shared Windows 10 computers | Security Keys, Microsoft Authenticator |
Planning and Piloting:
- Plan the project: Define goals, stakeholders, and communication strategy.
- Pilot the deployment: Start with a small group to test and refine your approach.
- Communication plan: Inform users about the switch to passwordless methods and provide clear instructions.
User Registration:
Users register their chosen passwordless method at https://support.microsoft.com/en-us/account-billing/set-up-security-info-from-a-sign-in-page-28180870-c256-4ebf-8bd7-5335571bf9a8. Microsoft Entra logs all registrations.
Temporary Access Passcode:
For first-time users without passwords, admins can provide a temporary passcode for registration.
Microsoft Authenticator:
- Free app for Android and iOS.
- Users download the app and follow instructions to enable phone sign-in.
Technical Considerations:
- Active Directory Federation Services (AD FS): Users with Authenticator may bypass AD FS login prompts unless they choose “Use your password instead.”
- MFA server: Users with existing multi-factor authentication can create a single passwordless credential.
Deploying Authenticator Phone Sign-In:
Refer to the article “Enable passwordless sign-in with Microsoft Authenticator” for step-by-step instructions.
Testing and Troubleshooting Authenticator:
The guide provides sample test cases to ensure user experience and troubleshoot potential issues.
FIDO2 Security Keys:
- Enable compatible security keys (refer to the provided list).
- Plan for secure key distribution, activation, and lifecycle management.
Technical Considerations for Security Keys:
- Three deployment options: web apps, Microsoft Entra joined Windows 10, and hybrid joined Windows 10.
- Specific browser and Windows 10 version requirements (refer to the guide for details).
- Enable Windows 10 support (refer to the guide for options).
See here for an article that shows how to enable Passkeys.
Implement password protection
Microsoft Entra Password Protection is a powerful tool for enhancing on-premises security by:
- Detecting and blocking weak passwords: Identifying and preventing the use of known weak passwords and organization-specific terms.
- Enforcing password policies: Applying consistent password requirements across on-premises domain controllers.
- Minimizing risk: Reducing the likelihood of successful password attacks.
Key Features and Benefits:
- Centralized management: Manage password policies from Microsoft Entra ID.
- Seamless integration: Works seamlessly with existing on-premises Active Directory infrastructure.
- Enhanced security: Protects against common password threats like brute-force and dictionary attacks.
- Flexibility: Supports incremental deployment and customization of password policies.
Implement single sign-on (SSO)
Single Sign-On (SSO):
- Enables users to access multiple applications with a single set of credentials.
- Reduces login complexity and improves user experience.
- Can be implemented using various methods depending on the application.
SSO Options:
| Application Type | SSO Methods |
|---|---|
| Cloud Applications | Federation (SAML, WS-Federation, OpenID Connect), Password-Based, Linked, Disabled |
| On-Premises Applications | Password-Based, Linked, Disabled |
Federation:
- Enables seamless authentication across multiple identity providers.
- Improves security, reliability, and user experience.
- Supported for SAML 2.0, WS-Federation, and OpenID Connect applications.
Password-Based SSO:
- Uses a username and password for initial authentication.
- Stores passwords securely and enables passwordless sign-in options.
Linked SSO:
- Provides a consistent user experience during application migration.
- Requires manual or automatic account provisioning.
- Cannot apply Conditional Access or multifactor authentication.
Disabled SSO:
- Requires users to authenticate separately for each application.
- May be necessary for testing or specific application requirements.
Planning SSO Deployment:
- Consider application hosting location (cloud or on-premises).
- Choose appropriate SSO method based on application configuration.
- Utilize the My Apps portal for managing applications.
Choosing the Right SSO Method
The best SSO method for your application depends on its authentication configuration.
Available Options:
| Application Type | SSO Methods |
|---|---|
| Cloud Applications | OpenID Connect, OAuth, SAML, Password-Based, Linked, Disabled |
| On-Premises Applications | Password-Based, IWA, Header-Based, Linked, Disabled |
SSO Protocols:
- OpenID Connect and OAuth: Ideal for modern applications.
- SAML: Suitable for existing applications.
- Password-Based: Useful for applications with HTML sign-in pages.
- Linked: For applications configured for SSO in another identity provider.
- Disabled: Temporarily disable SSO for testing or specific scenarios.
- IWA (Integrated Windows Authentication): For applications using IWA or claims-aware authentication.
- Header-Based: For applications using headers for authentication.
Use this flowchart to determine the most suitable SSO method for your application.
Integrate single sign on (SSO) and identity providers
Integrating SaaS Applications with Microsoft Entra ID:
- Pre-integrated Apps:
- Check the Microsoft Entra ID Marketplace for a list of pre-integrated SaaS applications.
- Non-integrated Apps:
- If your app isn’t listed, request its addition through the application network portal. Specify if it uses SCIM for automatic provisioning or SAML/OpenID Connect (OIDC) for SSO.
- Configure and Test SSO:
- Once added, configure and test Microsoft Entra ID SSO for your desired application.
Enterprise Applications can be enabled for SSO from the following menu.
ADFS can also be used as IdP, I know it’s legacy but it will give you good understanding on how IdP’s work and you have full control of both Endpoints to debug and tryout different things, strongly suggested.
The following guide explains how to configure Active Directory Federation Services (AD FS) to work as a Single Sign-On (SSO) provider for Microsoft Entra. You can choose between the SAML 2.0 or WS-Fed protocol. The guide also covers finding your AD FS endpoints and generating a metadata URL.
SAML 2.0 Setup
- Configure AD FS:
- Designate AD FS as your Entra identity provider.
- Create a claim rule to transform user names into the required format.
- Create a Relying Party Trust:
- Use the AD FS Management tool to establish a trust for your Entra tenant.
- Specify the required attributes and claims in the trust settings.
WS-Fed Setup:
- Create a Relying Party Trust:
- Use the AD FS Management tool to establish a trust for your Entra tenant.
- Enter the required URLs and configure claims issuance.
- Create Claims Rules:
- Define rules to send user email address and a custom “ImmutableID” claim.
Both Protocols:
- You’ll need an existing and functioning AD FS server.
- Refer to the guide for detailed steps on adding claim descriptions and configuring URLs.
See the full guide from Learn.
AWS
You can also add AWS Identity Center
And using Provisioning
But you can also provision those user accounts with PIM for Groups.
Recommend and enforce modern authentication methods
Why Passwordless Authentication is Preferred:
- Enhanced Security: Passwordless methods (Windows Hello, FIDO2, Microsoft Authenticator) offer superior protection against password-related attacks.
- Simplicity: Combined security information registration streamlines the onboarding process.
- Resiliency: Require multiple authentication methods for added security.
Understanding Authentication Method Strength:
| Authentication Method | Security | Usability | Availability |
|---|---|---|---|
| Windows Hello for Business | High | High | High |
| Microsoft Authenticator | High | High | High |
| Authenticator Lite | High | High | High |
| FIDO2 Security Key | High | High | High |
| Certificate-Based Authentication | High | High | High |
| OATH Hardware Tokens (Preview) | Medium | Medium | High |
| OATH Software Tokens | Medium | Medium | High |
| Temporary Access Pass (TAP) | Medium | High | High |
| SMS | Medium | Medium | Medium |
| Voice | Medium | Medium | Medium |
| Password | Low | High | High |
Closure
Multi-Factor Authentication (MFA)
MFA is a critical security measure that adds an extra layer of protection by requiring users to provide a second form of verification during sign-in. This could be a code sent to their phone, a fingerprint scan, or a security key.
Decentralized Identity (DID)
DID is a paradigm shift that places individuals in control of their own digital identities. By leveraging blockchain technology, DIDs offer a more secure and private way to manage identity data.
Passwordless Authentication
Passwordless authentication eliminates the need for passwords, replacing them with more secure methods like biometrics or security keys. This significantly reduces the risk of password-related attacks.
Password Protection
Microsoft Entra Password Protection helps organizations enforce strong password policies and detect weak passwords, minimizing the risk of unauthorized access.
Single Sign-On (SSO)
SSO enables users to access multiple applications with a single set of credentials, simplifying the login process and improving user experience.
Integrating with Identity Providers (IdPs)
Microsoft Entra can be integrated with other identity providers (IdPs) like Active Directory Federation Services (AD FS) or AWS Identity Center, allowing for seamless authentication across different systems.
Key steps to implement these security measures
- Configure MFA: Create Conditional Access policies to require MFA for specific users or applications.
- Set up DID: Establish a DID infrastructure using blockchain technology and cryptographic techniques.
- Enable passwordless authentication: Choose the most suitable methods for your organization (e.g., Windows Hello, FIDO2, Microsoft Authenticator) and deploy them.
- Implement password protection: Configure password policies and enable password detection features.
- Set up SSO: Integrate your applications with Microsoft Entra to enable SSO.
- Integrate with IdPs: Connect Microsoft Entra with other identity management systems for seamless authentication.
Link to main post
RSS - Posts