Azure AD Authentication Methods and Policies

Captions
hello and welcome to my channel I'm so pleased you've joined me in this session you're going to learn about Azure ad authentication method policies and all the different types of authentication that are possible you learn what they are what's new and how to manage them this is really important because Microsoft is going to depreciate the Legacy policies for MFA and self-service password reset in January 2024 I hear you saying what are Legacy policies you're in the right place to learn I suggest you watch the whole video but if you're time limited watch the intro and then dive in and out of the different authentication methods there are clear links to the different sections in the description below to keep up to date and keep learning please subscribe to my channel if you subscribe I will see that you appreciate the content and it will encourage me to do more okay I want to start off by thinking about Authentication why do we authenticate we authenticate or sign in to prove Who We Are we could be authenticating for access to applications and there are many further checks that will go on to see if we're authorized to access the application are we assigned to the app have we met conditional access requirements now that's a biggie conditional access is core to zero trust and Microsoft are doing a lot of work on enhancing conditional access so on a very regular basis if you look at conditional access you'll find additional settings I'm going to do a video on that very soon do you have the correct licensing that could be another check that goes on okay so authenticating for applications but we can also authenticate to provide a second factor for MFA so we might sign in with our password and then we could be prompted to provide a second Factor effectively we are authenticating with that second factor and it could be that we receive an SMS it could be that we're using the Microsoft authenticator app which is the preferred way of doing it another reason that we might be 
authenticating is because we are trying to do a self-service password reset and as part of that requirement the user has to prove who they are and we do that through an authentication method why don't you come and join me in the cloud okay I'm going to start off here in portal.azio.com and this is the One-Stop shop for doing everything in azir such as creating virtual machines creating key vaults managing your subscription and so on I'm going to go to active directory and again this is uh still in portal.za.com but it's just the active directory management part of the portal but I'm going to go to Microsoft enter because entra is a new portal it is intra.microsoft.com and this is where Microsoft have gathered together that identity and access management components so active directory permissions management verified IDs workload identities governance it's all done through the enter admin Center I'm going to go to Azure active directory and I'm going to go straight off and find and this is always a bit of a hump thimble where's it gone well under protect and secure what we can see is authentication methods so I'm going to choose the authentication methods and you'll see a number of them 502 security Keys Microsoft authenticator SMS in preview temporary access pass and so on if we compare that to what was available in 2020 what you'd have seen is very very few so there's the 502 security key we've got the Microsoft authenticator but only for passwordless sign in not for saying use the authenticator app it was for password and then we've got um text messaging and again the text messaging was for a very specific use which we'll see shortly what's happened over time is more and more has been brought into here now you know you said well we can always do SMS we could always do you know set up the authenticator app where were they set well they were set in what we now call Legacy policies and one of those Legacy policies was under MFA well we looked on the protect and 
secure you don't see MFA but we scroll down a little bit we've got show more and one thing I quite like about the portal is if I go and uh there's multi-factor authentication if I favorite it it's now available in my favorites so I can actually come up here and I can see multi-factor authentication here so I'm going to click on that and what we've got is the ability to do additional cloud-based multi-factor authentication click on that and what we see is the Legacy policy for MFA so call to a phone text message to a phone so that's an SMS MFA notification through a mobile app so that's a push notification to a mobile app verification code from a mobile app and and that could be a one-time passcode uh it could be from the authenticator app but it equally well could be from the Google Authenticator or a hardware token now these have been moved into the new authentication method policies with one exception Hardware tokens are still have to be set in here but expect that to migrate in the not too distant future so let's go back um again into the enter portal and what I want to do is actually come in here again interactive directory scroll down and under protection secure I can find password reset and if we look at authentication methods what we can see are these are the authentication methods how a user proves who they are for doing a password reset once again these have migrated into the new authentication method policies so this is the Legacy policy we're currently looking at the one thing that hasn't migrated are security questions okay so migrations are coming along really well let's go back again now to authentication methods and if we look under authentication methods we can see here that we've actually got in January 2024 the Legacy multi-factor and self-service password reset policies will be depreciated so by then we need to migrate everything into the new authentication method policies how do we do that well we've got migration settings so here we've got 
pre-migration and pre-migration the everything is done using the legacies so in terms of SMS in terms of self-service password reset in the new authentication method policies we're basically just dealing with authentication like a 502 security key a temporary access pass and so on if we go to migration in progress what it does is it respects settings in Legacy and it also respects settings in the new authentication methods so for instance if you chose SMS in Legacy then SMS would work if you choose SMS in authentication methods they are overlapping well it said in one of them so SMS will work if I want SMS not to work I need to make sure it's removed from both policies once your migration is complete you choose this option and then the Legacy policies for both multi-factor authentication and self-service password reset are ignored so we're just into using the new authentication methods now at the moment as I said we need Hardware tokens have to come out of the Legacy MFA settings and security questions have to come out of the Legacy settings but by the time January 2024 comes along hopefully everything will be in the new authentication methods let's look at what we're going to do what I'm going to do is actually go through each of these methods I'm not going to go into details of setting up some of these things I'm going to do those in separate videos but what I want to do is just talk about the different methods and show you the user experience for those methods now something that's uh you'll notice the target for all these Methods at the moment is group but if I click on certificate based authentication what I've got is I've got John Williams and I've got a group here called auth search auth um as in certificate authentication now you can only add groups but previously you you could add individual users it still respects individual users if they're already there but now you have to add the groups so remember January 2024 we have to take all the settings you've 
got in the Legacy policies and migrate them to the authentication methods but before we get started let me just explain how I've set this up so if I look at 502 security keys I see that they're applied for a group called auth Dash 502 if I look at Microsoft authenticator I've got auth Dash m a a as in Microsoft authenticator Dash push that's a group that will get push notifications I've got auth MAA Dash passwordless that's a group which will get passwordless authentication using the Microsoft authenticator app and what I've done is I have really limited my users to being in one of these groups not multiple groups so our individual users that we'll be using for the demos are going to have individual methods that they can use and I thought that was the best way to try and explain this now when it comes to setting up authentication methods some methods will be set up just in here and under the authentication method policies some will require further work to be done by an administrator and some methods will require the user to register something so for instance a user will have to register a 502 key a user will have to register the authenticator app anyway we'll see that as we go along welcome to this section on fido2 security keys we're in authentication methods and I'm going to go to the method to set up this security key so if I click on that we can see that we got security Keys enabled and they're targeted we could Target them to all users or a selected group I've got them targeted to the auth dash 502 group if I used all users I could actually exclude well even if I use a targeted group I could still exclude a group of users so that's a possibility a little bit like conditional access and the ability to exclude when setting up conditional access so if I go to configure what I can see is the first thing is allow self-service setup that has to be on otherwise the users will not be able to register their keys and the users have to be involved in this process Force 
attestation and enforce key restrictions well they need a little bit more knowledge because what is an attestation what is an A.A guide if you're interested in that watch my video entitled Azure ad 502 temporary access pass that's as in tap and fishing I like to call it Azure ad dogs fighter dancing tap dancing and fishing as in luring your Target in when it comes to using a Fido 2K we can go completely passwordless with it or we can actually use it as a step up authentication method so let's actually look at this I've got my account as a Target and in our particular environment my account does not need MFA it could need MFA but I've just got it set up so it doesn't so I'm going to sign in here and I've signed in using a password I'm John Brown now John Brown has 502 Keys registered for him I need to update information and the first thing that's going to happen is I'm going to be prompted to step up my authentication to multi-factor and I can do that with my security key so I click on that and it's saying give me a a pin which is okay and then it's saying touch the key to prove you're actually here so I'd now touch the key to prove I'm here and I'm in to the security information I've got two security keys in here I can delete them I can find out more information about them oh look and there's that a a guide again come back watch the other video to find out exactly what it means I can actually add a sign in method and the only method available to this particular user is a security key I could add an additional security gate but I'm not going to here now I've just done Step Up authentication so if I go to another application I've already signed in I've got strong authentication if I sign in here now with open ID what I can see is I have an arm claim and that is the authentication method reference claim which is set to password Fido and MFA remember I started off with a password I then elevated my sort of strength of my authentication using the Fido key and then now 
I've got MFA is seen in there as well this app is an app I created for my identity master class and it's a master class I run online I also run it around the world as well so if you're interested in getting into lots and lots of detail uh it's a good class Let's uh just close that off and now let's go and experience something slightly differently going to go back to oidc and I'm just going to change over my key so I'm going to just change to a different security key and I'm going to go and sign in with open ID it's going to go in as John and I'm going to say other ways to sign in and I'm going to use my security key here now there's a difference here what it's doing is saying touch the key didn't ask me for a pin I'm touching the key and it signed me straight in so in one go I proved I was here and how was I authenticated against the key by using a biometric and what we can see in the arm parameter is we've got Fido and we've got MFA welcome to this section on Microsoft authenticator once again we're in the authentication method policies we choose the Microsoft authenticator and we can see that it's enabled and it's targeted to two different groups one group is going to receive push notifications and the other group which is called the passwordless group is going to receive a passwordless and push notifications this particular setting started off its life with just enabling a user to have go passwordless where did we set up the authenticator for push notifications we did it in the Legacy MFA policy but now we're doing both within here if we look at configuration what we can see is that we've got OTP which we'll come back to in a second we've got the ability to have push notifications with number matching which makes life a lot more secure we can also put in the name of the application and we can show some geographic information and I've got all those settings currently turned on so let's go and experience this and I'm going to start off with a user Don and what Don 
is going to do is going to go to my accounts no requirement for MFA on my accounts so we're going to sign in to my accounts and he's in now if you want to update his security information because he's already got the authenticator in he has to perform multi-factor Authentication so we're updating the security info and we're being prompted and if we bring up our trusty phone now it's done it's my the my sign-ins is what we're being asked to authenticate for and the location is somewhere near Brighton and we're going to go 80 in there that's done okay so don is actually signed in um what he can do is he can delete the authenticator and the only method that he can add is an authenticator you know we've really restricted each of our demo users as to what they can register let's go across to oidc V2 now and remember signed into as your ad so he'll keep the same authentication strength to a zero ad and we go to our open ID connect application and we can see he did a password and he did MFA so that's in the arm claim or the AMR claim rather the authentication method reference claim right let's go and have a look at a slightly different experience and this time what I'm going to do is I'm going to go in to oidc which requires MFA and I'm going to go in this time as Tina so there's Tina so we could start off with a password batch is using passwordless so it's just saying please approve this request back to the authenticator and it's saying Tina approve and what's the number it's 21. 
now because of this is passwordless I'm now being prompted on my phone for a biometric so I've just put my thumbprint on there and what we can see down here is that this is showing us RSA and MFA RSA if we're using cryptography Let's uh let's just close that off and let's go back and look at our users and what I want to do is find my users we're going to all users and I'm looking for a user called Don which is that and if I look at the authentication methods for Don we can see that he's got the Microsoft authenticator installed I'm going to delete that I'm doing this as an administrator so he's phoned me up said he's lost my phone can you deal with it and I've done it so he can no longer use the authenticator app from that particular phone okay let's uh go and have Don's experience again and when we go into my accounts remember it's done it's going to use a password we're signing in going to update security information and this time there is no authenticator so I can add a method so I'm going to choose the method and it's going to be the Authenticator now notice down here there is no ability to use any other type of authenticator this is for the Microsoft authenticator so I'm going to go next on that next and it's going to ask me to scan a QR code so my next job is to bring back my trusty phone and I'm going to add in here I'm going to add a work or school account and I'm going to scan the QR code so we'll scan that in hopefully and that was successful and what I've got now is a my Don has been added back so I click next on there and what it's asking me do is confirm the number so again back in here and I put in 30. 
and that's set it all up for me so now I'm completely set up to actually use the authenticator let's just uh sign Don out and signed on in back again so we can go in as done and we're going in with open ID connect and signing in is done I can sign in with my password I'm now being prompted for the second factor which I can do however imagine the situation whereby Dons in a faraday cage he's in the data center he can't use this there is no other method of actually approving the sign in request and that's where we want OTP so let's cancel that and let's go back and come back to our go back to our authentication methods go back into the Microsoft authenticator configuration and enable OTP okay uh so let's experience it again and where remember Don is in the data center and we're going to sign in open ID we need to supply our password which we'll do first of all and then because this app is using multi-factor we need to approve the sign-in request we can't because we're not going to receive push notifications because we're in the data center and I'm going to go and use a verification code right now if I go across to my trusty app because I'm not in the data center it's actually seen it so I'm going to click done on there and just say no it's not me which gives me the chance of going over here five seven four five one four so five seven four five one four and that has got me in using a password and MFA through OTP so that's how I got my second Factor was with OTP welcome to the section on SMS for second Factor authentication and self-service password reset I'm in the Azure methods policies click on here if we look in here we've actually got two groups one which is just using SMS for second factor and also for self-service password reset and one for sign in I'm going to come back to the sign in in the next section at the moment we have Debbie set up for SMS let's go and have a look at Debbie's experience Debbie can come in to the my accounts and she can choose to sign in 
with a password so in she goes with a password and she can update her security info and she could add a method and the method is phone so although it's called SMS it's shown here as phone I'm going to actually cancel that and I what I want to do is close let's log in again as Debbie but this time to oidc V2 and oidc V2 requires MFA so it's going to force you to register for MFA we're going to sign in here and we're going to go again as Debbie and with her password and it's saying more information is required next on there and it's asking for a phone number we're going to go to the United Kingdom and I will hide this phone number all right because I don't want to give my phone number away to absolutely everyone next time that and what it's going to do now it's text me a code I'm going to enter the code I just received which is zero one seven nine five four next on there again next that's done but as it was an interrupted signing process I've actually gone into the application with multi-factor so we can see password and MFA it's as simple as that and it just works welcome to this section on using SMS for first Factor sign in so once again I'm in authentication method policies and I'm going to go to SMS preview and we've got a group which is allowed for sign in now what we could do is we could actually get a user in that group and the only user in that group is in fact Maria we could get her to go and register her phone but the whole idea of this is she is going to use her phone number and the received SMS to sign in so she doesn't actually need a username and she doesn't need to remember a password so it could be for occasional workers getting at the administrator involved and the administrator is going to go off to all users and once we got to all users and we've enumerated our users we're going to choose Maria and we're going to go down to authentication methods and under authentication methods we're going to add one and this one is going to be phone number we're 
going to set our phone number in there and we're going to add that and then because in the authentication methods policy it says this can be used for signing it immediately says this number is ready for SMS sign in so let's go and see Maria's experience going to go to my account and I'm going to sign in as Maria so sign in using another account and now who is this person well it's just her phone number so next on the and it will say to the work or school account so we need to educate on that and we've now got a code that has been sent to her phone so let's just put that in and in fact this phone number is being used in a number of organizations so I'm just going to choose XDS Dev down here which is where Maria is and I don't want to save that so I'm going to close that and she's now signed in to my account and this is a first Factor sign in she goes to security information the interesting thing here is that she is blocked from Gaining access because it says multi-factor authentication is required let's have one other experience for Maria and let's go against oidc and we'll try and go in with her phone number and the code's been sent and again it's asking us where we're from and it says multi-factor authentications required and the credential use is not supported try signing in with another method okay so we're blocked from doing MFA with this particular type of sign in but it could be useful for occasional workers welcome to this section on temporary access pass I'm not going to go into great detail here if you want to see how to actually create a temporary access pass for an individual user so they can use it for registering a 502 key then watch my video azir ad 502 temporary access pass and phishing for now I just want to look at it from the user experience but we start off actually in authentication method policies and if we look in here what we've got is yes temporary access passes can be used so they're enabled and they can be used for members of the auth tap 
users group now as I say there's another piece of work that needs to be done by the administrator and the administrator has created a tap for Tom so let's have a look at Tom's experience we're going to use our application our oidc app and we're going to sign in and we're going to choose our user Tom and he's being asked for a temporary access pass now why might we give Tom a temporary access pass we might give Tom a temporary access pass because we want him to register a 502 key and to do that you need MFA if we haven't set up MFA for Tom we could go straight in and get him to register if I do keep two key by using a tab Tom might have an authenticator app which is lost so he's lost his phone or he's left it at home he can't get in if his only method for MFA is to use the authenticator app so we give him a temporary access pass so let's actually log in with this temporary access pass so I've got it in my clipboard you're going to go in and I can see that Tom has come in he's got a authentication methods reference of tap and MFA so he's in with strong authentication so he could register a new phone he could register a new 502 key and so on okay that's it remember come back and watch my video on azir ad 502 temporary access pass and phishing welcome to this section on setting up third-party software oath tokens once again we're in the authentication methods and we can see down here there is a method that deals with these tokens we're enabled the tokens are enabled they're enabled for a Target group and I have a single user in that Target group called Derek so let's go to Derek's experience so I'm going to go off to my oidc app and what we'll do is we'll sign in as Derek now remember this oidc app requires multi-factor Authentication so we go in with our password and the next thing is we're being prompted to set up more information well we're going to set up our second Factor method so I'm going to click next on there and we could use the Microsoft authenticator but 
here we've got the option to use a different authenticator app and that's what I'm going to go for Go Next on there and now we have a QR code to scan now this is using top TP or time based one-time password and if I say I can't scan the image what it does is it gives me the account name to use and also the secret key but I'm going to scan this image and what I'm going to do is scan the image with a piece of software from ubico and this is the ubico authenticator and it's telling me to insert my ubico key so I'm going to insert that and the only use of that key in this particular scenario is to store the time-based one-time password information such as the secret and the account name so I've now inserted my key and I'm going to go here to add an account and I could add an account and Supply the secret key and the account name I can do that but a nice feature of this is it actually allows me to scan the QR code and I'll do a screen scrape and scan the QR code and we have a look at the secret we'll see that the secret is already entered for me it's the same value that is over here okay so we go next on here oh we save that first of all and then the account's been added we go next and what it's asking me for to do is enter the actual time code so we're going to put that in and next on there and that was successful the authenticator set up we're done and we're into the application and we're showing password and MFA so there you are that's setting up a software based oath token welcome to this section on The Voice call method once again I'm in the authentication method policies we go down to the particular method we're interested in here and you'll see that it is currently not enabled I could enable it but the problem is I will not be able to save that enablement because this is not a paid for subscription so I'm going to give you the experience of this using my corporate account but meanwhile if we look at configure we can see that mobile phone calls are always allowed 
but I can also include an phone call to an office phone let's go and experience it so I'm going to go into my account and I'm going to go into my account using my corporate information so we'll sign in here foreign [Music] request well I'm going to say I can't use my Microsoft authenticator right now and then I've got a number of other options and I'm going to do say do a call so in a second my phone should ring [Music] press the hash key to finish signing in your sign in was successfully verified goodbye and that's it so I'm actually successfully signed in so there we are that is the voice call method welcome to this section on email OTP email optp can be used for self-service password reset which I will be showing in this section and in my next section I will show how it can be used for B2B or guest access so let's start off in authentication method policies go down to email OTP and what we can see it's enabled and it's enabled for a particular group and I have one user in that group and that is Sam now if we look at configuration we'll see that there is a configuration setting for email OTP for guest users or B2B users I'll come back to that in the next section let's have a look at password reset because that's where we'll be using it so at the moment if I look at there's my group authotp for sspr that's and Sam is in that group and if we look at the authentication methods there are no methods set here so if you remember what we've got is this is a legacy policy and we're doing everything in the authentication method policies that's the new policies so let's actually have a look at Sam's experience so I'm going to go and I'm going to go in here to sign in to my account as Sam so get my account and we need to sign in with a different user and I'm going to go in here with Sam and this will get really confusing because what we'll do is we'll get an error message and the reason being that we got an error message is there are persistent cookies which remember where 
we were the last time so I'm going to go out of that and I'm going to go back in as Sam now and it's deleted the persistent cookies because of the error message so I'm logging in a Sam and is saying more information required so we go next on that and what it's asking for is email so I'm going to put that in there so I'm going to put Sam's email okay this is not her Corporate email this is for password reset so if you can't get into a corporate account obviously you don't want your Corporate email in here so next on there and we've just sent a code to Sam now we're going to have to go and get that code and she's got this set up here on her inbox so I'm going to send to a send and receive on here and there we are we've got the code I'm going to grab that code and I'm going to switch back to put that code in there which is basically proving that she owns the email address so an email was successfully registered okay um let's go down on that and then close and that's effectively sign Sam off so we'll go back in again and to my account oh and it seems to remember that cookie again but let's go sign in as another user we're going to go to Sam and I'm going to say I forgot my password so what Sam needs to do is she needs to put in the captcha and what's happened is we're going to received an email so we just say yes to that we'll go back into our email do a send and receive and we should have got an email which we have we've got a code to go with it so we just grab that code back into the self-service password reset sequence and next on there and it's asking us to put in a new password for Sam well I don't want to change that so I'm just going to cancel out so that is email OTP for self-service password reset welcome to this section on email OTP for guest users when you invite someone into your directory they come in as a guest they're not authenticated by your directory they're authenticated by an external directory such as if you bring someone in from another Azure ad 
they'll be authenticated by the other Azure ad if you bring someone in with a Microsoft account such as an Outlook account they will be authenticated by Microsoft if you bring someone in from a Gmail account there could be a direct Federation that your tenants set up with Gmail in which case Google will authenticate them the same with Facebook you could have set up a direct Federation with Facebook and then Facebook would authenticate them when dealing with other organizations you could set up a direct Federation that's an organization that does not have an Azure ad so we can set up a direct Federation with them and they would be responsible for authenticating them but sometimes you invite someone in using an email alias and they don't have a source directory that they can be authenticated against or you haven't set up a federation with that Source directory in that case email OTP is used which is a one-time passcode which is emailed to the user that is authenticating I can spend a lot of time on this and I will do a detailed B2B or guest user video in the future but for now what I'd like to do is actually look at this under authentication method policies so we're coming in and we're going to go down to the email OTP and we're going to go to configure and that's where we enable this Behavior so that we can actually authenticate a user by sending them a one-time passcode right it's enabled in this situation so what I'd like to do is experience it for my particular external user but before I do that what I want to do is actually turn off MFA for my particular application so I'm going to come in here and this is um there's my app I've got MFA for all users when always I'm just going to turn that off for the moment so we're going to do that now let's go and have the experience now our external user is PETA and we're going to go to oidc V1 as Peter and I think I've got it in my buffer oops no I yes I have there we go but I didn't delete that out first of all so we're 
going as Peter, and we go next on that, and what it's done is send Peter a code, because Peter doesn't meet the criteria of being in another Azure AD, being in a directory which is federated with our tenant, or using a Microsoft account. So a code's been sent to Peter, so let's go across to Peter's email, and we're going to use my email over here that has absolutely everybody in it, well, it has everybody that doesn't have a direct Azure AD account, and there's the code that's been sent. So I'm going to grab that code and I'm going to go back over here, enter the code and sign in, and what we'll see is we've actually signed in using OTP, so our authentication methods reference is showing OTP. And that's it; as I say, I will do a video on B2B in detail.

Welcome to this section on certificate-based authentication. As always, we're starting off in authentication methods policies, and we're going to the certificate-based authentication settings. We can see it's enabled and it's targeted at the auth-cert auth group, and you'll also notice that it can be targeted at a user. Well, you can't do that anymore; you used to be able to target a user prior to the latest updates, but now Microsoft has said, OK, you can only target a group. However, if you previously targeted a user, it respects those settings and will show them. If I look at configuration, we can see that I can treat a certificate as single-factor or multi-factor. I've got it set for single factor, except I've got a rule here which says if a policy OID, that's the policy OID actually in the certificate, is 1.2.3.4 then multi-factor is the protection level. We've also got user bindings. There's a number of things we need to do to set up certificate-based authentication, and I'll show you that in another video. I'll also show you how we bring in the certificate authority into Azure AD, because that needs to be registered. I'll also show you some tips and tricks about creating certificates for testing with multiple users. But let's go
over and experience this now as a user. So I'm coming over and going to my OIDC V1 application; remember MFA is off for the moment. So I'm signing in with OpenID and I'm going to sign in as Tina, OK, and I'm going to use another way of signing in rather than using a password, and I'm going to use a certificate. And the certificates are actually in the local certificate store; the certificate store is actually owned by John, but I've added some certificates for Tina. Again, in my other video I'll show you how to do that. Let's sign in with first factor as Tina, and we can see that the AMR claim, which is, remember, the authentication methods reference claim, is set to RSA. So it means we signed on with some cryptographic method; well, what's more cryptographic than a certificate? Let's go and close that off. What I want to do is actually turn on MFA for the application again, so conditional access, and what we're looking for down here is our policy, and we're going to turn on multi-factor. So now we've turned on multi-factor for all the users using our application, which is XTS OIDC V1. So let's go and experience it again, and over we come, and we sign in, and we're going to sign in as Tina with a first factor. So we're going to go first factor on Tina, and despite the fact that Tina does have the capability of providing a second factor, it says multi-factor authentication is required and the credential used is not supported. So we cannot use a certificate for multi-factor unless it has been marked as a multi-factor certificate. So let's try that again, and we'll go in again as Tina, and we're going to this time choose her strong certificate. So if we look here we've got this strong cert, and if we look, we are now in with the RSA and MFA. So that's certificate-based authentication in action.

Welcome to this section on adding OATH hardware tokens and security questions. Now if you've been following through all of this video, you'll know that both hardware tokens and security questions are
currently not handled by the authentication methods policies. This is February 2023; by the time you watch this video they may already be included in these policies, but for now let's take a look. So I'm going to go off and experience this from a user's perspective. There's nothing to be done in the authentication method policy section, so I'm going to go across to OIDC V2 and I'm going to sign in with OpenID, and I'm going to sign in as my user Tom, and it says, oh, more information required. So I click on next and it says success, great job, you've successfully set up your security information, choose done. So I choose done and I'm actually in a loop now. Let's have a look at My Account, and of course Tom is already logged in, so with it we're going in with SSO to My Account. We look at security information and there are currently no methods available for Tom. So what I'm going to do is I'm going to go and set up a hardware key for Tom, so let's actually go and do that. So we need to close off this, and where I go to set that up is I go to multi-factor authentication, I go to the OATH tokens, and I have to upload a CSV file; we'll see the format of that in a moment. So I'm going to go to upload and I'm going to upload one just for Tom. I've actually got multiple CSV files that I could upload, but before I do that let's actually have a look at that. So I'm going to open up this particular CSV file here and we'll just edit that and we'll have a look inside to see what's inside. What we've got is a UPN, a serial number, a secret key, time interval, manufacturer and model. So the name is V-Tom; that's the serial number of the key, not the serial number of my key, I made it up; that's the secret for my key, again I've made that one up; the time interval, which is the time it takes before it rolls over with another number, is 60 seconds; it's OTP and I'm using a c200 key which happens to be from Feitian. So let's carry on and actually upload the correct file for Tom, which is that one. OK, and
that will whirl away, the file will upload, and then we can refresh it and we should see that he actually has it. It's sort of processing the file, and there, there it is. And what I can do now is I can activate this token. Now it's a hardware token, so I need to press the key on the hardware token, and I go 358683683, which is the number of the token, and we can OK that and it should verify. OK, so now we have provisioned an OATH token to Tom. OK, but it's not going to work yet. What we need to do is go to the legacy policies, so we need to go into multi-factor authentication and we need to go to additional cloud-based, and what we're looking for here is verification code for mobile apps and hardware token. So I'm going to save that change, and while we're in the process let's go and look at the one other legacy policy, which is password reset, and I'm going to go to authentication methods and I'm going to set up security questions. OK, so that's going to be for everybody who is in, they will, just save that first, who is in the auth OTP for SSPR group. So they will now get the ability to set up security questions, and if you remember we set up for Sam Smith, we had OTP for SSPR for Sam Smith, so now she's in that group she should be able to set up her security questions as well. OK, now don't be surprised if this takes a little bit of time to ripple through so that we can see it; I've seen it take 10 minutes before this happens. Through the power of video, imagine 10 minutes has gone. Well, that was a quick 10 minutes. So let's go straight to our app that requires MFA, and we'll sign in, and sign in as Tom and supply the password, and now it's asking me to enter a code. I shall get a code, so 708042, and that's verified in, and we can see we've got password and MFA. And if we now look at My Account for Tom and we look at security information here, what we should find is he's got the hardware token which has been added for him, and
he could delete it if he wanted to, and there's a little bit more information that's available to him. OK, let's close that off and let's go in here; this time we're going to go to My Account and we're going to go as Sam, who has set up the self-service password reset. So if we look at her security information, we've got email. Let's have a look at adding a method and choose a method; we can go for security questions. Now I've hidden the last bit on there because that is something currently under NDA, and I've only got it because I'm in the private preview of this program. So I'm going to add security questions to Sam, and I can add those in.

Welcome to this section on administrator SSPR policy. Administrators are always enabled to do self-service reset. Now our global administrator v-admin has no administration policies actually set up for her. Let's go and have a look at her experience. So I'm going to go into Google Chrome and I'm going to select My Account and I'm going to sign in as my administrator, and if we look at security information, what we can see is that she can add various methods for authentication. And you go, hang on a minute, I didn't set any policies. Well, what we need to do is actually look at the password reset, and we see down here administrative policy, and we can see that an administrator is already set up for various methods. Now that, I am told, in the future will end up inside the authentication method policy settings, but for the moment, remember it's February 2023, there is no change. I hope you've learned about authentication method policies and all the different ways you can sign in. Don't forget to add to your diary the planned deprecation of the legacy MFA and self-service password reset policies; that's January 2024.
If you've enjoyed the video and want more technical content from me then please subscribe; that's really important to me. Click the bell for notifications if that's what you need, and leave a comment, let me know what you liked about the video, what you didn't like about the video, and also what content you'd like to hear from me in the future. I hope to see you again in the cloud. Thanks for watching my channel; subscribe for more free training. You might like to join me for my identity masterclass. Hopefully see you soon.
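The hardware OATH token CSV walked through in the video (UPN, serial number, secret key, time interval, manufacturer, model) as an added example that is not code from the video or from Microsoft: a Python script that checks such a file before it is uploaded and computes the RFC 6238 TOTP code a token with that secret and interval would display, so the secret in the file can be confirmed against the physical token before activation. The UPN, serial and secret are constructed placeholders (the secret is the RFC 4226 test key, not a real token secret).

```python
# Added example, not code from the video. Validates an Azure AD hardware OATH
# token upload CSV and computes RFC 6238 TOTP codes for the secrets it holds.
import base64
import csv
import hashlib
import hmac
import io
import struct

# Header layout Azure AD expects for the OATH token CSV upload.
CSV_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]


def parse_token_csv(text):
    """Return (tokens, errors). Rows with a bad UPN, interval or secret are
    reported instead of silently accepted; the secret key must be base32."""
    tokens, errors = [], []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row_errs = [f"line {n}: missing {c}" for c in CSV_HEADER if not (row.get(c) or "").strip()]
        if not row_errs:
            if "@" not in row["upn"]:
                row_errs.append(f"line {n}: {row['upn']!r} is not a UPN")
            interval = row["time interval"].strip()
            if interval not in ("30", "60"):
                row_errs.append(f"line {n}: time interval must be 30 or 60, got {interval!r}")
            secret = row["secret key"].strip().upper()
            try:
                base64.b32decode(secret, casefold=True)
            except (ValueError, TypeError):
                row_errs.append(f"line {n}: secret key is not valid base32")
        errors.extend(row_errs)
        if not row_errs:
            tokens.append({"upn": row["upn"], "serial": row["serial number"], "secret": secret,
                           "interval": int(interval), "device": f"{row['manufacturer']} {row['model']}"})
    return tokens, errors


def totp(secret_b32, unix_time, interval=60, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme OATH hardware tokens use."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // interval)   # time step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Constructed sample in the layout shown in the video; the secret is the RFC 4226
# test key (base32 of "12345678901234567890"), not a real token secret.
SAMPLE_CSV = (
    "upn,serial number,secret key,time interval,manufacturer,model\n"
    "tom@contoso.example,V-Tom,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,60,Feitian,c200\n"
)

if __name__ == "__main__":
    tokens, errors = parse_token_csv(SAMPLE_CSV)
    for t in tokens:
        print(t["upn"], t["device"], "code at t=59:", totp(t["secret"], 59, t["interval"]))
    print("errors:", errors)
```

Compare the printed code with what the token shows at the same moment; a token configured for a 30-second step will disagree with a CSV that says 60, which is the mismatch the activation step catches.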
Info
Channel: John Craddock Identity and Access Training
Views: 5,067
Keywords: John Craddock Identity and Access Training, Azure AD, Identity, Microsoft Entra, Cloud Deep-dive, Authentication Methods Policy, Legacy Policies, MFA, FIDO2, Microsoft Authenticator, SMS for MFA and SSPR, SMS for 1st Factor Sign-in, Temporary Access Pass (TAP), Software OATH Tokens, Voice Call, Email OTP, Certificate-based Authentication, Hardware OATH tokens, Security Questions, Self service password reset, Migration, Learn, Deep-dive, John Craddock, John_Craddock
Id: lajeFoCr2KM
Length: 60min 46sec (3646 seconds)
Published: Fri Feb 17 2023