Password | 2 Azure

November 3, 2019November 3, 2019

Azure Risk based conditional access explained and how to set it up!

With the Azure AD Premium P2 license you are entitled for Azure AD Identity Protection. You will get the option in Conditional Access to assign risk level based options to your policies. Azure AD Identity Protection can detect six different types of suspicious sign-in activities with 3 different levels of risks.

Six suspicious sign-in activities and 3 risk levels

With the riks levels combined with conditional access policies we can protect sensitive application and data access. With this article I am going to show you how to create risk-based conditional access policies

So let’s create a Policy and get Conditional Access applied with risk levels

Step 1: Log in to the Azure Portal: https://portal.azure.com

July 10, 2019

Convert federated domain to managed domain

If you have a ADFS server for your user authentication in Office 365 / Azure AD, and you want to use Pass Through Authentication and/or password Hash Synchronization we will need to change a few things and run a few Powershell commands.

So before we can change the domain to managed, verify if your domain has password sync enabled using the AD connect wizard:

July 5, 2019July 5, 2019

Let’s go password less, because passwords are bad! Part 2

Last week we talked about why passwords are bad. Today we will continue with part 2, how to get the passwords gone, and we will zoom in on Windows Hello for Business!

So what is Windows Hello? Windows Hello is a modern way of authenticating users on their laptop, where this will be a two factor authentication. The first factor is the integrated TPM chip in the device, and the 2nd factor is the bio-metric of the user.

By enabling the TPM chip and the bio-metric data from the end user we will eliminate the need of a password on the users device. Off course the user can use his password to unlock the device in case bio-metric verification fails because of different reasons.

If you have a on-premise domain with Windows Hello for business enabled, it is also possible to enable the convenience PIN, however, I wouldn’t recommend it, as Microsoft has disabled this in Azure AD as well. In short:

Windows Hello for Business is: An asymmetric key-pair protected and stored in the TPM, unlock with PIN or Bio-metric Authentication

June 29, 2019July 5, 2019

Let’s go password less, because passwords are bad! Part 1

Quite a statement, passwords are bad? Today I’d like to explain why you should work on better security by using other authentication methods than just 1 password.

Why passwords are bad

Password are problematic, very often you see that passwords fall in the hands of unpleasant people. Here are a few things that might happen with a password:

June 20, 2019June 21, 2019

Reset Azure AD User password with a predefined password

In the Azure portal you can reset the password of a user, but this is always a temporary password. But PowerShell to the resque again, lets set the password in Azure AD with PowerShell with a predefined password! On your Windows device open a PowerShell prompt and connect to Azure AD. (Click here if you don’t know how to)

First we need to get the object ID from the user where we want the password to be reset. Run the following command (replace emailadres):

Get-AzureADUser -filter "userPrincipalName eq 'username@2azure.nl'"

Copy the ObjectId from the user where you want to have the password reset. And run the following commands (replace the password text for the new password):

$password = ConvertTo-SecureString 'Please enter the new password' -AsPlainText -Force

Set-AzureADUserPassword -ObjectId  "a8d5e982-6c3d-406e-a533-a21b275e3d37" -Password $password

June 3, 2019June 2, 2019

How to deploy Azure Active Directory Domain Services (AD DS)

Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!

Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!

Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.

May 7, 2019June 28, 2019

What is Microsoft Enterprise Mobility + Security (EM+S)?

Enterprise Mobility + Security is a Microsoft solution specially developed for management and securing users, company data and applications. This gives you and your users always secured access to your company information without ever worrying about security!

With EM+S we are moving from a managed device to data management and security. This means that it will not only protect your device, but most important, it will take care of security on a document level where you can prevent that confidential data is readable by unauthorized persons.

By using this security suite you can prevent abuse of stolen credentials when one of your users is tricked by a phishing email. You can limit access to company data to only trusted devices (Company and BYOD) by using the Intune portal. But we can limit access to it as well with IP black / white listing. This includes Geoblocking as well, it is impossible to travel from the Netherlands to Russia for example in 5 minutes.

To protect your valuable company data I recommend to always use EM+S for optimal protection. If you want the security to be at its best, E5 is your way to go!

Main features

Simple management and security of your devices
Multifactor authentication (MFA)
Selfservice portal for password reset en securitygroep management
Application company portal
Mobile device management (MDM)
Integrated device management (Laptop/Desktop)
Securing company data en restrict access to company data
Conditional access (geo-blocking and more)
Advanced Threat Protection with reporting
Risk-Based conditional access (E5 only)
Privileged identity management (E5 only)
Intelligent data classification and labeling (E5 only)

April 6, 2019April 7, 2019

Microsoft Advanced Threat Protecion

Microsoft bied op verschillende diensten Advanced Threat protection aan. Helaas zit er marketing technisch nog steeds hier en daar de naam Defender aan vast, waar het onder water een compleet ander product is. Het is inmiddels geen simpel antivirus pakket meer, maar een all-in-one oplossing tegen aanvallen van buitenaf en binnenuit. Dit gebeurt door Windows ATP voor bescherming van je device, Office 365 ATP voor bescherming van je Email, SharePoint, OneDrive en teams data en als laatste Azure ATP voor bescherming van alle identiteiten.

Als kers op de taart is er voor on-premise omgevingen is het Azure Security center ontworpen, die net als Windows, constant in contact staat met de Microsoft Azure datacenters om data en informatie uit te wisselen. Inmiddels zijn alle bedreigingen zo uitgebreid en geavanceerd geworden dat 1 enkele computer de rekenkracht ontbreekt om alles te analyseren. De kracht van de Cloud komt hier om de hoek kijken. Informatie die verzameld is bij andere klanten wordt gebruikt om jouw omgeving en apparaat veilig te houden. Het mooie is dat de ATP client standaard in Windows 10 is ingebouwd waardoor er relatief weinig hoeft te gebeuren om het in te zetten.

February 27, 2019April 1, 2019

Regelmatig je wachtwoord wijzigen, zinvol of niet?

Mensen blijken zich op een voorspelbare wijze te gedragen wanneer ze een wachtwoord moeten maken wat aan bepaalde vereisten voldoet. Op deze manier werken de eisen die we stellen aan de wachtwoorden die ze bedenken contraproductief, en worden de wachtwoorden dus zwakker.

Afdwingen van lange wachtwoorden werkt niet

Vereisen dat een wachtwoord minimaal 10 karakters lang is, heeft tot gevolg dat wachtwoorden eenvoudiger te raden worden. Mensen hebben namelijk de nijging om korte woorden te herhalen tot de vereiste lengte. Denk aan combinaties als “loginlogin”, “abcabcabc” en “passwordpassword”.

January 10, 2019April 9, 2019

Azure AD exclude user from password experation policy

Connect to Azure AD with PowerShell:

Connect-azuread

Now we would like to get an overview of all users, run the following command:

Get-azureAduser

If you have the UserPrincipalName or email address we might shorten the list to just that single user bij adding a filter:

Get-AzureADUser -ObjectId <UserPrincipleName>

Next task is to link the default password policy without a password expiration to this user. Run the following command:

Set-AzureADUser -ObjectId <UserPrincipalName> -PasswordPolicies DisablePasswordExpiration

Once this has been completed, verify if the policy has been set correctly with the following command:

Get-AzureADUser -ObjectId <UserPrincipalName> | fl UserPrincipalName,passwordpolicies