Colabora.dk - Meetup - 29.october 2018
1. CoLabora User Group Meeting – October 2018
- Azure AD: Passwordless, Hardware OATH tokens and integration between Azure AD and Log Analytics
Peter Selch Dahl – Azure MVP – I’m ALL Cloud First
Level 200-300
2. Microsoft MCSA: Cloud Platform - Certified 2018,
Microsoft MCSA: Office 365 - Certified 2018,
Microsoft MCSE: Cloud Platform and Infrastructure - Certified 2018
Microsoft MCSA: 2016 Windows Server 2016,
Microsoft MCSA: 2012 Windows Server 2012,
Microsoft MCITP: 2008 Server and Enterprise Administrator,
Microsoft MCSA: 2008 Windows Server 2008,
Microsoft MCSA/MCSE : 2003 Security,
Microsoft MCSA/MCSE : 2000 Security,
VMWare Certified Professional VI3/VI4/VI5,
CompTIA A+, Network+,
EC-Council: Certified Ethical Hacker (CEH v7),
And more
Peter Selch Dahl
Cloud Architect, Azure MVP
Twitter: @PeterSelchDahl
www: www.peterdahl.net
Blog : http://blog.peterdahl.net
Mail: psd@apento.com
3. • Passwordless authentication
• Using Azure Authenticator and OATH Hardware Key
• Azure Active Directory integration with Log Analytics
• Using the Log Analytics Dashboard
4. Microsoft Identity: Going passwordless (NOVEMBER 8, 2018)
[Diagram labels: Intune; Windows Server Active Directory; Microsoft Azure Active Directory; username and password presented to both directories; Primary Refresh Token (PRT) from Azure AD; Kerberos TGT from on-premises AD; access to OneDrive, Office 365 and Dynamics]
5. Microsoft Identity: Going passwordless
[Diagram labels: the same components with an SSO token in place of the username/password prompt; PRT and Kerberos ticket/TGT still grant access to OneDrive, Office 365 and Dynamics]
12. What’s available today?
1. Develop password-replacement offerings
2. Reduce user-visible password surface area
3. Transition into password-less deployment
4. Eliminate password from identity directory
- Windows Hello for Business
- Authenticator app
19. FIDO 2.0
• Works with the same devices people use every day
• Based on public key cryptography
• Biometrics and keys never leave the device
• Protects against phishing, man-in-the-middle and replay attacks
• Standards-based, interoperable authentication
20. Microsoft Identity: Going passwordless
- Microsoft joined the FIDO alliance in 2016
23. FIDO 2.0 compliant
• Device sign in (POC with FIDO dongle)
• Windows S is passwordless ready
• One time code + SMS sign in
https://cloudblogs.microsoft.com/microsoftsecure/2018/05/01/building-a-world-without-passwords/
24. Personas, day-to-day activities and our recommended passwordless solutions
Executives
• Day to day: uses their own PCs (desktop, laptop & phone); requires access to modern as well as legacy apps (i.e. financial software)
• Recommended: Windows Hello, FIDO, Authenticator App
Information Workers
• Day to day: uses their own PCs (desktop, laptop & sometimes phone)
• Recommended: Windows Hello, Authenticator App, FIDO
Deskless Workers
• Day to day: uses shared PCs
• Recommended: FIDO dongles (cheap), one time code + SMS sign in
26. [Diagram labels: on-premises app, web app, SaaS service; device sign in; Microsoft Authenticator; device + biometric; biometric on device; Windows 10 or other OS; Microsoft Edge or other browser; any device; Azure Active Directory; Microsoft account]
28. New hires download the authenticator app during orientation
• Set up their machine using the authenticator app
• Provision Windows Hello (face, fingerprint and/or PIN)
• Unlock PC with Hello and get SSO into apps
• Incorporate FIDO as it starts to gain more ground
• Use authenticator app to access web resources
29. [Screenshot: Azure portal, Wingtip toys > Password reset > Authentication methods (Wingtiptoys – Azure AD Security)]
Use this page to enable authentication methods for groups of users. Once a user is enabled for a particular method and has registered that method, they can use it to verify their identity in your organization.
Configuration: some methods require additional configuration. Select the “configure” option under each method to change settings related to that method.
Targeting: to enable a method, click the checkbox next to the method. Then choose “All users” or a specific group to enable the method for that group.
Allowed methods in the screenshot: Password (All users), Phone call (All users), Mobile app notification (All users).
Add/remove authentication methods: Password, Phone call, Mobile app notification (enabled), Text message, Verification code – mobile app, Verification code – hardware token, Duo, FIDO, Email address, Security questions, PIN.
Select methods to add to or remove from the list of allowed methods. Enabled methods must be disabled in the allowed methods list before they can be deselected and removed.
38. [Screenshot: “Sign in with FIDO” – Use your FIDO device to sign in. Insert your security key into the USB port. Web site microsoft.com wants to verify your identity. (Cancel)]
39. [Screenshot: the same dialog followed by the PIN prompt – Enter your security key PIN to continue. Web site microsoft.com wants to verify your identity for kelly@outlook.com. (PIN / Change PIN / Continue)]
Alpha-numeric passwords are hard for humans to remember and easy for computers to guess.
Frequent password changes lead to predictable pattern transformations.
Credential reuse across multiple services increases attack surface.
People work around policies that are too difficult.
Even the strongest passwords are easily phishable.
Who here has successfully deployed these? If yes, what are your experiences with it?
<Ask Karanbir to come talk quickly about Windows Hello>
Overall we have more than 37M users using Windows Hello, including consumer and commercial users.
More than 200 enterprises have deployed Windows Hello for Business.
Our biggest enterprise deployment of Windows Hello for Business, outside of Microsoft itself, is 25000+ users in a single enterprise.
Based on public key cryptography
Keys stay on device and no server-side shared secrets to steal
Protects against phishing, man-in-the-middle and replay attacks
Biometrics, if used, never leave device
No linkability between services or accounts
No 3rd party in the protocol
--
Reduces reliance on complex passwords
Single gesture to log on
Works with the same devices people use every day
Use the same authentication with different services
Other industry partners for FIDO
Yes, we're working on making this process easier. Our current recommendation is below:

One-time bypass
ETA: Now, kind of

Bypass is a feature that can be used when a user doesn't have the ability to register for MFA, or temporarily can't do MFA. It removes the requirement to do MFA so that they can log in with just their password. If you're looking for a way to let someone temporarily do MFA if other methods are inaccessible, look at "Time-limited passcode" below.

There is currently a workaround to support one-time bypass in Azure MFA, if you're enforcing MFA through Conditional Access as is recommended. Follow these steps:
1. Create a "bypass" group and add it as an excluded group to any Conditional Access policies that enforce MFA.
2. Delegate ownership of the group to anyone who should have the authority to allow users to bypass MFA, for example help desk workers.
3. Set up a script to automatically clear the group at the end of your business day.

When someone needs to bypass MFA (e.g. forgot their phone at home) they will call the helpdesk and the helpdesk will validate their identity (your process is up to your organization, but it should be more intense than just reaching the helpdesk). The user will be able to log in with just a password for the day, and then the next day they'll be required to do MFA again.

This setup provides good flexibility – you can allow the bypass based on your policies. For example, if MFA is always required for certain apps for compliance or security reasons, you can choose not to add the bypass group as an exclusion. Someone who has the bypass can log into Outlook without MFA, but not your important apps – they'll have to go get their phone if they need to do a critical operation that day.

That said, there is more work to be done. We are working on formalizing this process – creating a group for you, adding it as an exclusion to policies, and providing a built-in way to remove users from the group after a certain amount of time.
ETA: In design, not started
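Step 3 of the workaround above (empty the bypass group at the end of the business day) as an added example; this is not code from the deck or from Microsoft. It assumes the AzureAD PowerShell module, an account that owns the group, and a placeholder group name.

```powershell
# Added example (not from the deck): nightly job that empties the Conditional Access
# "MFA bypass" exclusion group, so a bypass granted by the help desk lasts one business day.
# Assumes the AzureAD PowerShell module and a run-as account that owns the group.
# The group name is a placeholder; replace it with your own.
param(
    [string] $BypassGroupName = 'MFA-Bypass-Today',   # placeholder name
    [switch] $WhatIf                                  # report only, remove nobody
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# Resolve the group by display name and refuse to continue if the name is ambiguous:
# clearing the wrong group would silently widen or break the MFA exclusion.
$groups = @(Get-AzureADGroup -Filter "displayName eq '$BypassGroupName'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$BypassGroupName', found $($groups.Count)."
}
$group   = $groups[0]
$members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)
$stamp   = (Get-Date).ToString('u')

foreach ($m in $members) {
    # Only individual users belong in a CA exclusion group. A nested group or service
    # principal here is a misconfiguration to flag for review, not to remove silently.
    if ($m.ObjectType -ne 'User') {
        Write-Warning "$stamp Non-user member '$($m.DisplayName)' ($($m.ObjectType)) in bypass group; review manually."
        continue
    }
    if ($WhatIf) {
        Write-Output "$stamp Would remove $($m.UserPrincipalName) from $BypassGroupName"
        continue
    }
    Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $m.ObjectId
    # Keep an audit trail of who held the bypass and when it was revoked.
    Write-Output "$stamp Removed $($m.UserPrincipalName) from $BypassGroupName"
}

Write-Output "$stamp Bypass group '$BypassGroupName' cleared ($($members.Count) member(s) processed)."
```

Schedule it after close of business (Azure Automation or a scheduled task on a management host) and keep its output, since that log is the only record of who was allowed to sign in without MFA on a given day.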
Right now our big gap is legacy apps
Add Windows Hello and the Authenticator app on the fourth quadrant
But come on this journey with us.
We do have gaps for sure, such as legacy apps and password requirements for a lot of our VM scenarios. However, we are slowly figuring out how to scrub password requirements from the OS as well as our service, so at least we and companies such as yourselves can go passwordless if you want to.
For legacy apps, we are exploring time restricted passwords or one time passwords, which will help get around those gnarly hardcoded password requirements that we don’t control. But it’s definitely a journey and we are learning too as we are going through it.