SC-900: Microsoft Security, Compliance, and Identity Fundamentals Certification Video Training Course

SC-900: Microsoft Security, Compliance, and Identity Fundamentals certification video training course by prepaway along with practice test questions and answers, study guide and exam dumps provides the ultimate training package to help you pass.

Module 2 Describe the concepts & capabilities of Microsoft identity and access

22. Self-service password reset in Azure AD

A key feature in this case is self-service password reset. I'm calling it important because this is changing the lives of the administrators of the Help Desk, people who are constantly helping employees change their passwords. Not anymore with this particular feature, because "self-service password reset" as a name itself says that users will be able to reset their passwords without the administrator's or Help Desk's involvement. So what happens if the user is logged out because they typed their password incorrectly? Or what happens if they forget the password because the user just came back from their wonderful vacation? Well, users can follow a prompt to reset their passwords and get back to work. There are several advantages to self-service password reset.

Let's talk about that. So it's increasing security. Yeah, it's a security feature as well. So we do not need to employ additional Help Desk guys. So there is a possibility of a "man in the middle" attack where an attacker is acting as Help Desk personnel. Right. SSPR also saves the organization money by reducing the number of calls and requests to the help desk staff, which increases productivity and allows the user to get back to work faster. What are the use cases here? What are the scenarios in which self-service password reset will be useful? Okay, so think about password changes, password resets, or account unlocks, right?

So when the user knows their password but wants to change it to something new, in the second case, when the user cannot sign in, such as because they forgot their password, maybe, and wants to reset their password, And the last one is account lockout, where this guy totally forgot his password and tried to login with multiple passwords, but then it didn't work. So the user cannot sign in because their account will be eventually logged out because they're just trying several times with passwords. That's not correct. Now, how do we use this self-service password reset? Now, in order to use the SSPR, the users must have an Azure Active Directory license. The SSPR must be enabled by the administrator, and the users must be registered with the authentication methods they want to use.

Well, there are several authentication methods. You're probably already aware of it; you're probably already aware of it. There is a mobile app notification where you can be authenticated using a code sent to your mobile app. Probably an email, a mobile phone, or a ring on your office phone, or perhaps some security questions that can be answered will assist you in resetting the password. So when a user resets their password using SSPR, that password can also be written back to on-premises Active Directory. Well, that's a very important thing and a very important feature as well. What happens is that when a user tries to reset their password, it is actually reset in the cloud-based Azure Active Directory, and it needs to be written back or updated on the on-premise domain controllers as well.

As a result, passwords are written back on premises. The technical terminology used here is called "writeback." So password writeback is allowing users to use their updated credentials on their on-premises devices and on-premises applications without any delay. Administrators can also configure email notifications to be sent when a self-service password event happens when users reset their credentials. Now, these notifications can cover both regular user accounts and admin accounts as well. So when somebody, a regular user, resets their password, a whole bunch of people get notified, or maybe just a single user gets notified, which can be configured by the admin for admin accounts.

This notification provides an additional layer of awareness. When a privileged administrator account password is reset using SSPR, you can have all the global admins notified when such a SSPR for a high-profile account gets reset. like an admin account. Right? Okay, so that was about self-service password reset, and by this time, you know all the good features of SSPR, right? So let's go ahead and talk more about the security features that Azure Active Directory has. For example, how Azure ActiveDirectory protects those passwords What are the management capabilities of Azure Active Directory? So we'll do this stunt of learning new features of Azure Active Directory in the next lesson. Thanks for watching so far. I hope this video or lesson has been informative to you. I'll see you there.

23. Password protection and management capabilities of Azure AD

There must be a way to reduce the risk of users setting weak passwords. So I would like to have my password as my pet's name or probably my kids' name, maybe with 1230nexclamation in the end, but that's still a weak password. I'm going to have my employees not choose a weak password. Fortunately, we have a feature called password protection.

This is a feature of Azure Active Directory that reduces the risk of users setting weaker passwords. So there is no way you can use your pet's name as a password. Now, what Azure Active Directory does is that it detects and blocks any known weak passwords or any of their variants, and it can also block additional weak passwords that are specific to your organization. With Azure Active Directional Protection, you can have two things. The first is a global band password, and the second is a custom band passwordless.

Let's go ahead and understand that. But before we get into these two options, I want to tell you that if you want to support your business and the security needs of your business, you can define different kinds of entries in the custom band password list. So when users change or reset their passwords, these band password lists are checked to ensure or enforce the use of strong passwords. And then on top of it, you can put multifactor authentication in place so that you do not rely on strong passwords, which are enforced by Azure AD password protection. Okay, so now let's get into the meat of this topic, which is the global band password list and custom band password lists. So what is a global band password list? Now, this is a list of known weak passwords that is automatically updated and enforced not by your organization but by Microsoft. This is maintained by Microsoft teams.

There's a special task force called the Azure Active Directory Identity Protection Team that will be analysing the security telemetry data to find weak passwords, compromised passwords, etc. There are several blogged passwords and variations on that theme. And the variations are created using an algorithm that will transpose text, case, and letters to a number, such that l is changed to one variation on a password. One will be like a password, with the letter O transformed or transposed as zero. These passwords are then checked and added to the global band password list and made available to all Azure Active Directory users. This global band password list is automatically applied, and you cannot disable it.

So if you're an Azure Active Directory user trying to set your password to one of the weak ones, you will receive a notification to choose a more secure one. The global ban password list is sourced from actual real-world password spray attacks. Now, password-spray attacks are something that the attackers will be doing with a well-known list of passwords. Now, this approach will improve the overall security and effectiveness of the password validation algorithm, which uses something called "smart fuzzy matching" techniques. Now, as a result of all of these algorithms, Azure Active Directory password protection efficiently detects and blocks millions of common weak passwords from being used in your enterprise. I hope that's clear when it comes to the global band password list. Let's go. Get on to the next topic. custom banned password list. So, what's that? Administrators in your organisation can now create a custom band password list to meet specific business security requirements. Now, what is that?

What is a "custom ban password list"? This is something that will prohibit passwords such as an organization's name or location. Passwords can be added to the custom band password list for organisation-specific terms. For example, no employee should use company-specific brand names, product names, locations such as company headquarters, company-specific internal terms, or abbreviations. So this custom banned password list is then combined with what we just spoke of, the global band password list, to block the variations of all the passwords. Do you need to pay something for this? Is there an additional cost? Well, the band password list is a feature that comes from the Premium One and Premium Two versions of Azure Active Directory.

24. Protecting against password spray

You might have heard of brute-force attacks. Well, password spraying is a variant of a brute-force attack. Now, what happens in a traditional brute force attack is that the perpetrator attempts to gain unauthorised access to a single account by guessing the password repeatedly in a very short period of time. Most organisations have employed quite a lot of countermeasures, most commonly a lockout or something called an account lockout.

After a couple of attempts, mostly three or five, what's going on in the password spray attack is that the attacker circumvents any kind of common countermeasure, for example, account lockouts, by spraying the same password across multiple accounts before trying another password. So that way, the attacker gets enough time and the account doesn't get locked out as well. So this person, this attacker, is employing the same password across multiple accounts. Azure Active Directory password protection helps you defend against password spray attacks. Most of these "password spray" attacks submit a small number of known weak passwords against each of the accounts in an enterprise.

This technique will allow the attacker to quickly search for an easily compromised account and avoid potential detection thresholds. Azure Active Directory password protection will efficiently block all known weak passwords that are possibly likely to be used in password attacks. And then this protection is based on the real-world security telemetry data from Azure Active Directory, which is then used to build the global band password list. Let's talk about hybrid security in the next lesson. Thanks for watching so far. I hope you found this information useful. I'll see you in the next lesson.

25. Hybrid security

For hybrid security, administrators will be integrating Azure Active Directory password protection with an on-premises Active Directory environment. A component installed in the on-premises environment receives the global band password list and also the custom password protection policies from Azure Active Directory. The domain controller will then use them to process password change events.

This hybrid approach will make sure that whenever a user changes their password, the Azure ActiveDirectory password protection is applied as well. Although password protection improves the overall strength of passwords, you should still take advantage of new features of Azure ActiveDirectory like multi-factor authentication. Passwords alone, even strong ones, are not as secure as multiple layers of security. So we just bumped into a new terminology here: multiple layers of security, also known as multiple layers of defense. Absolutely. So we need to have multiple layers of defence mechanisms to protect our identities. First and foremost, we have passwords.

Of course, we've been using it for a very long time, but then we make sure they're complex, and that's not enough. You also need to have multifactor authentication with at least one of the mechanisms. As previously discussed, you will most likely want to use a mobile app notification, a mobile app code, or something that you receive via email, mobile phone, or office phone, or you will most likely use security questions, Windows Hello, or a feeder to possibly use biometrics.

So there are numerous options that you have on your display that Azure Active Directory supports to make sure that your identities are secure. Thanks for watching so far. I'll see you in the next lesson. We'll be talking about more security features that Azure Active Directory provides, like conditional access controls and the areas around role-based access controls, like built-in roles and custom roles, and how you grant access to users to the resources that they need. So there's a lot coming up in the next lesson. Stay connected.

26. Describe the access management capabilties of AzureAD

By this time, you already know that Azure Active Directory is doing a lot of things, including authentication, authorization, and auditing. But one of the main purposes of Azure Active Directory is to manage access. The security perimeter today has shifted away from organisation boundaries to user, device, and service identities. In this particular module, we'll learn about Azure Active Directory and how that uses intelligent mechanisms and intelligent access capabilities to protect your organisational assets. We'll also talk about conditional access, which will help you improve security, and how to use Azure Active Directory roles to control access to Azure Active Directory resources in the Directory. So you know about two main things: conditional access and its benefits, and Azure Active Directory roles in the upcoming lessons. Thanks for watching so far. I'll see you in the next lesson.

Prepaway's SC-900: Microsoft Security, Compliance, and Identity Fundamentals video training course for passing certification exams is the only solution which you need.