5. Azure Active Directory
Identity Source for Azure & Office 365 subscriptions
Key takeaways for protecting identities:
Multi-Factor Authentication
Privileged Identity Management
Conditional Access
6. Multi-Factor Authentication (MFA)
What is it?
A method of authentication requiring the use of more than one verification method to authenticate a user.
How does it work?
Requires two or more verification methods:
Something you know (typically a password)
Something you have (a trusted device that is not easily duplicated, like a phone number)
1. Login using username and password
2. Microsoft Azure MFA challenge
3. Response to challenge from device
7. What is Privileged Identity Management?
Manage, control, and monitor access within your organization
Includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune
8. Configuring Conditional Access
Protection against stolen or phished credentials
Keeps data safe
Enforces BYOD policies
Works with Azure AD and MFA
Applied to individual users or groups
11. Protecting Your Infrastructure
Available Tools
Isolated Virtual Networks
Network Security Groups
Virtual Appliances
App Service Environment
Disk Encryption
Anti-Malware
Secure Endpoints (SQL and Storage)
12. Virtual Network Best Practices
Isolate workloads in different subnets
Deploy Network Security Groups to minimize the attack surface area
Avoid exposure to the Internet except where necessary
Control routing
Enable Forced Tunneling
Deploy Security Appliances
Enforce a DMZ
15. Data at Rest - Encryption Points
Microsoft:
• Storage Service Encryption
  • Automatically encrypts customer data prior to persisting to storage and decrypts prior to retrieval
  • Microsoft manages encryption keys
Customers:
• Azure VMs
  • Disk Encryption
• PaaS
  • Azure SQL Database supports TDE
• Applications
  • Client-side encryption through .NET Crypto API
  • RMS Service and SDK for file encryption by your applications
16. Data In Transit - Encryption Points
Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity
Data in transit between data centers: protects from bulk interception of data
End-to-end encryption of communications between users: protects from interception or loss of data in transit between users
Microsoft:
• Azure Portal
  • Encrypts transactions through Azure Portal using HTTPS
  • Strong ciphers are used / FIPS 140-2 support
• Import / Export
  • Only accepts BitLocker encrypted data disks
• Datacenter to Datacenter
  • Encrypts customer data transfer between Azure datacenters (via Site-to-Site VPN connections)
Customers:
• Azure Services
  • Various services offer additional capabilities for securing data in transit
• N-Tier Applications
  • Encrypt traffic between web client and server by implementing TLS on IIS
20. Tools for Governance
Azure EA Portal
Azure AD
Resource Groups
Policies
Role Based Access Control
Resource Locks
Security Center
Operations Management Suite (OMS)
Templates and Command Line
21. Policies / Role Based Access Control
Policies:
• Manage what resources or configurations are available at the subscription, resource group or resource level
• Examples
  • Supported Regions
  • Naming Conventions
  • Supported Services
  • Supported SKUs
  • Tag requirements
Role Based Access Control:
• Manage which users or groups can perform which actions on which resources
• Examples
  • Owner
  • Contributor
  • Reader
  • Resource-specific roles like Storage Account Contributor
  • Custom Roles
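Added here as a worked example of the Policies column above (not from the slides and not one of Microsoft's built-in definitions): a single Azure Policy definition that enforces two of the listed controls, supported regions and a tag requirement, with a deny effect. The display name, the parameter's default regions and the `owner` tag name are assumptions; the `notEquals: global` clause keeps region-less (global) resources from being denied by the location check.

```json
{
  "properties": {
    "displayName": "Deny resources outside allowed regions or missing an owner tag",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "Regions in which resources may be deployed",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "northeurope"]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "location", "notIn": "[parameters('allowedLocations')]" },
              { "field": "location", "notEquals": "global" }
            ]
          },
          { "field": "tags['owner']", "exists": "false" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assign the definition at the subscription or resource group scope named above; a deny effect blocks the non-compliant deployment at request time rather than reporting it afterwards.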