Microsoft Identity, Authentication & Authorisation Made Easy!

Captions
In this deep dive session we're going to take you inside Microsoft identity, authentication and authorization. What are they and how do they work? Are you ready?

So nice to see you again, welcome to the channel, Andy here. This week I thought I would take a look at Microsoft identity, authentication and authorization, three critical components that don't just identify your users but also authorize them and authenticate them into everyday work. Now, as a security component, it's absolutely critical that we understand exactly how each of these elements works. So in this video I've got a really nice presentation and it's followed by a number of different demonstrations. We're going to take it from the perspective of a user account within a company, so I'm going to introduce you to and talk a little bit about how Active Directory works and compare that to the likes of Azure Active Directory in the cloud. So if you're interested in certification and learning and moving your career forward, I guarantee that this is going to be a session that you're really going to enjoy. Now if you enjoy the session, please pump the like button up there, it really does make a difference to my channel, and if you've not subscribed, well hey, come on board, come and join our great learning community. And I love your comments and questions, so please just get those down below, I really do like those. All right, so without any further ado I'm going to jump into the presentation and then we're going to take a look at some demos. Now stick around, because I guarantee you're going to learn something.

All right, so when we talk about identity it really is all about you. So in this session we're going to talk about identity, authentication and authorization. Now if you read any book about identity and security, these are the elements that are absolutely critical. So identity is about identifying yourself, and you can typically do this by your name, a username, an ID number or some other method. Typically authentication is how you prove your identity to someone, so again you might use a simple password or a PIN number or something like that. The problem with that method, of course, is it doesn't prove who you are, it simply proves that you know the password or you know the PIN number or something like that. Ultimately then, once you've been authenticated, we then look at things like authorization: what are you authorized to get access to? It might be files and folders, it might be printers, it might be resources in the cloud and so on. And ultimately an identity platform will also have accountability, so I need to know what the user did, what resources the user accessed and so on. So in its most basic form identity is this: you walk into a building, of course, and before you can get access to the building you typically go up to the reception desk and you say I'm here for a meeting, and they will say we need to prove your identity. So the first thing then is who are you, who are you in the organization and so on.

So first of those then, we're going to talk about Active Directory. So in days gone by, and many companies still use this system, Active Directory is a database of users, contacts and groups that is maintained on premises in what we call a domain controller. So Active Directory Domain Services is a service that you can install on Windows Server, and you can see here on the left hand side that's the representation of me installing the database, and on the right hand side this is Active Directory Users and Computers, and this is where you would create your users, groups, contacts and so on. So Active Directory basically creates your objects in organizational units. Organizational units, of course, are like folders, and it means that you can organize your users, groups, computers, devices and so on. Now because it's a database, and it's identity of course, then databases typically have attributes: the user's first name, last name, email address and so on. And of course once the user is in the database you need to set up a password or other form of authentication, and once that user has been authenticated they'll then get access to those resources.

So let's take a look at creating an identity in Microsoft Windows Server Active Directory. So here I am in Windows Server, in Server Manager. I'm going to come up to Tools and I'm going to come into Active Directory Users and Computers, and in here you can see that I have quite a number of objects. First of all I'm going to go into my organizational unit called IT, and here in IT I'm going to right click and I'm going to create a new identity. You can create an identity, of course, for a computer, for a contact, a group, or in this case I'm going to create one for my user, and my user here, his name is James Kirk. I'm a bit of a Trekkie, as you may know. And I'm going to create a logon name for Captain Kirk, and I'm going to use his surname and an initial, and you can see it's at the mycompany.com domain name here. So I put my password in now, and again I'm just going to take that checkbox out just for the purpose of this demo, and I'm going to click on Next, and I've now completed this user account. So when I click onto the user account here I can now see that I've created an identity for this user in Active Directory, and of course I can control things like his logon hours, which workstations I'm going to allow him to log on to, I can fill in his details, because of course it's just a database. So I'm happy with this and I'm going to click OK. So now we have an identity: Captain Kirk has his identity, he's got his username and he's got his password.

So now the next stage is to authenticate himself, so what happens next? What happens when the user pops in their username and password? Well, on the left hand side, starting off here, they contact the Active Directory domain controller, of course, and the domain controller is running something called the Key Distribution Center. Now a component that's part of that is something called the Ticket Granting Service. So when the user presents their credentials, the first thing that the Ticket Granting Service will do is look through the user's set of rights and permissions: is this a genuine user, are they using the correct password and so on. Based on those credentials the Ticket Granting Service will generate something called a Ticket Granting Ticket, a token if you will, and that token is then cached on the user's machine. Of course, if the user requires any additional roles in the company, so for example if the user joins a group or is granted a specific permission, the user would need to log off and log back on in order to refresh their Ticket Granting Ticket or token. So what happens if the user requires access to a resource such as an Exchange server or a SharePoint resource? Well, in this case the user simply passes their Ticket Granting Ticket back to the Key Distribution Center or Ticket Granting Service. Again the Ticket Granting Service will look through its list of rights and permissions and it will say hey, yes, absolutely you have the right to access this resource, and the user is then granted what we call a service ticket. And you can see that at stage four here, well, stage three, the user passes that service ticket to the resource. Once it's been authorized, an authorization token is then passed to the user's machine and again it's cached, and the user again gets their desktop, access to their resource, and everybody's happy. So that's basically what it is on premises.

How does it compare, though, with Azure Active Directory and obviously life in the cloud? Well, Azure Active Directory differs from Active Directory in the fact that your data is stored in these vast data centers that host millions of users, and your data is replicated all around the world, which is absolutely awesome. But again, essentially identity is the major control plane here, but instead of hosting Active Directory on your servers in your own workplace, we now store Active Directory as a service, or identity as a service, and in this case we call it Azure Active Directory. So in this case Microsoft are managing all aspects of the directory service, and if you want to manage your own users then essentially you create a folder, or tenant in this case. So if you use a Microsoft 365 account, Azure, whatever the service, you'll create a tenant, and in that tenant you're responsible for creating your users, groups of course, and any devices that you might have. So just like Active Directory, any objects that you create will also have attributes, and of course the benefit here, though, is once the user is authenticated the user will then get access to lots of different resources.

So let's have a quick look at how we create an identity in Microsoft 365. So here I am in Microsoft 365 and I'm going to come up here and I'm going to go into my users, and I'm going to go into Active users, and here of course is my directory service. Hang on a minute, Andy, you just told me that we're going into Azure Active Directory! Well, in fact, if I scroll down and go into Azure Active Directory you'll see that in fact they are one and the same. So Azure Active Directory of course is now part of Microsoft Entra, and indeed if I go into my users here you can see that sure enough my users are exactly the same as what I have in the cloud. So essentially it doesn't really matter which service you use, as long as you're accessing your corporate directory. So in this case what I'm going to do is I'm going to go ahead and I'm going to add in a user there, and in this user I'm going to create a user called Jean-Luc, and Jean-Luc's second name of course is Picard, so Jean-Luc Picard, and I'm going to put in a username of PicardJ, J for Jean-Luc of course. I'm a Trekkie, of course. Now in terms of a password, you can automate the password, but in this case I'm going to create my own password for this user, and I'll just take that checkbox out at the moment. I'm going to go ahead, I'm going to click on Next, and of course the next thing, the difference here in 365, is you've got to choose a location for the user account. So in this case I'm just going to accept the United States here. I'm going to assign him a license, so first up I'm going to assign him an E5 license and an EMS license, and yeah, give him a Windows 10/11 license as well, and I'm going to click on Next. Now the other thing I can also do is, do I want Jean-Luc to have any kind of admin access? In this case no, he's just going to be a regular user, and I'm going to click on here. So there you have it, I have now created an identity for my friend Jean-Luc Picard. So here I put in my username and I'm going to click on Next, and I'm going to put in the user's password, and again it now goes through the authentication. So the authentication is the next part, that's proving who you are. Now in this case I'm using Jean-Luc's username and password, and you can see that I now have access to my Microsoft 365 portal and all of its resources.

So on the subject of authentication, we need to prove who you are, and you can prove who you are in a number of ways. So I'm sure you have maybe been into buildings like this where you need a card key or some form of token to gain access, and the fact is, well, you know, you can ask what's wrong with this picture, and the answer is simple: it relies simply on a username and password. So there has to be something more, so ultimately time is moving on and it's time to say goodbye to those passwords. So basically something that you know is classed as a type 1 authentication method, so it's something that you know. Now something that you know doesn't prove who you are, it just proves that you know the username and password, whereas something that you have might be a card token, might be your phone, might be some kind of something physical that you actually have on you. So for example if you're using Windows Hello for Business or Windows Hello on a Windows laptop, or if you've got a Mac and are using a fingerprint, or if you've got an iPhone that's using facial recognition, there you go again, something that you are is a fingerprint. So not only do I have the physical device, something that I have, but I'm proving who I am by a physical attribute: facial recognition, or an iris scan, the color portion of your eye. And also you might even authenticate users by where they are, so for example Azure Active Directory's Conditional Access feature. So think about it, you know, if you're a four-star general and you're in the comms hut, then you have access: you're a four-star general, you've got access to the system, and you're in a trusted location. So you can see that's the concept of multi-factor authentication. Passwords rely on something that you know, and sharing passwords is very much commonplace, and of course there are many tools out there that will steal users' passwords: John the Ripper, L0phtCrack, Cain & Abel, they are all designed to intercept and steal users' passwords, and many of these tools are 25 years old and they still work perfectly. So we really have to get away from passwords. And just to prove, by the way, that hackers are hacking into you, then check out this: if you go into My Sign-ins, so microsoft.com My Sign-ins, you can go in and it will actually show you where you're logged in to. So multi-factor authentication is definitely something that you need to do. So we all use MFA nowadays, so when you log into a resource, Microsoft Azure or your authentication resource will say hey, hang on, you know, I need something else rather than just a password. So you can use the Authenticator app, which of course has just been updated and will include a challenge, a number challenge, so you simply enter that challenge and if you're approved you'll then get access to the appropriate resource. Now as administrators you can deploy multiple authentication methods in the likes of Azure Active Directory, so let's take a quick look at some of those.

So on the subject of authentication methods then, what I'm going to do is, I'm in here in Azure Active Directory and I'm going to come down here into Protect and secure. So in here we have a whole bunch of different mechanisms that we can use to protect and secure our resources. So first up then, what I'm going to do is I'm going to have a look at the Authentication methods option here. So in Authentication methods you can choose which methods you want to bring in: do you want to use a FIDO key, so these are hardware-based tokens, do you want to use the Microsoft Authenticator app, SMS? We can also issue new employees with something called a Temporary Access Pass, and you can even use third-party software as well, and recently Microsoft have added in voice calls. Of course you've got one-time passcodes, I'm sure we've all seen those if you've done any work with your bank, and you can even have a digital certificate as an authentication mechanism. So just looking at one of those, I can come into the Microsoft Authenticator. So I want to really encourage my users to use their authentication methods, so I can assign the authentication method to a particular group of users. So I can target all groups or all users or selected users, so in this case I've selected my group and I've added in the Oslo group here. OK, so my Oslo group has now been added, so now what I can do is I can now configure this, and I'm going to say yes, allow users to use the one-time passcodes for the Microsoft Authenticator. I've enabled it, I'm saying all these users within the group, and I'm saying yes to the application, so when the user receives a notification from the Authenticator it will show the application that's requesting access and also it will show where they're requesting access from. So if you suddenly find yourself with an authentication request for an app that's in Australia and you're in London, that's not right, so you would then quickly reject that. So this is really useful for deploying multi-factor authentication.

So as well as the authentication methods, as I mentioned, multi-factor authentication, you can enforce or deploy multi-factor authentication through something called Conditional Access, and if you've not seen my Conditional Access videos then definitely go and have a look at those. So one of the first things that you can do before you create a Conditional Access video is you can actually add in trusted IP address ranges, trusted locations. So when a multi-factor authentication process identifies a user and attempts to authenticate that user, essentially what this does is it tests to see if the user is in a specific location, so again this is another form of multi-factor authentication. So in here a Conditional Access policy essentially is an additional layer of security, and essentially it looks for signals: is the user a member of a particular group, for example, are they using a particular application or app, and in this case I've said all apps. So in this case they have to meet certain conditions, so for example are they high risk, what device platform are they using, are they in a particular location and so on, and based on those conditions you can then of course choose to either allow or block access. And if you allow access you might say OK, I need the device that they're logging in on to be a trusted device, or they require multi-factor authentication. And check it out, you can even control the session as well, so you can limit the time the user can remain in use on that system. So Conditional Access is awesome at adding an additional layer of authentication mechanisms.

OK, so authorization is the final component here. So you've been identified, you've been authorized, but what can you actually do? So in this section we're going to talk about the different access models. So essentially a subject, or a user, is essentially granted permissions to access or gain information on an object, for example a file, a folder, a printer or something like that. Typically you have a series of access control rules. All right, now there are a number of different models out there and I'm not going to bore you with them, but essentially mandatory access control: if you think about the 1960s and the 1970s and the military use of security, then typically if you had top secret clearance and a file was labeled top secret you would typically have access to a file of that sort, because it uses this labeling and classification, and in fact Microsoft 365 uses this feature nowadays in Microsoft Purview. Another access method is discretionary access control, so this is user controlled. For example, imagine yourself in File Explorer in Windows; well, in File Explorer you can set your permissions on files, who can access what, are you going to give somebody read-only permission or full access control. And ultimately, administrators, you can grant them what we call RBAC, or role-based access control, so this is based on your job function. So in years gone by, you don't want to have a company that's full of top level administrators, things might go horribly wrong, so with RBAC what you can do is you can assign permission based on job role. So for example if I'm in the Exchange admin team, Microsoft Exchange of course is email, then I have all the rights and privileges to manage that email. If I changed job roles then I would have access to a different set of rules that would only grant me permissions for that particular application. So RBAC is excellent at protecting not just your data but also you from your users having too many privileges and potentially making mistakes. Another type of access control is rule based. So rule-based access control you might see, for example, on a firewall: only allow specific types of traffic through a firewall. OK, and again what I've done here is I've put in a few slides, so as I said, mandatory access control you might see in military use, or labeling and classification, so you label content dependent on how sensitive that data is. So other access control methods include things like file and folder access, so you grant access to a particular file or folder, and typically in the likes of Windows you might have different levels of permissions. So full control, for example, might include all the individual access rights on the left hand side, whereas with read only you might only have read and execute permissions, so you're not allowed to make changes to the file and so on. So again, access permissions and group roles: for example, we have an access control list, so remember what I said, when the user logs in that Ticket Granting Ticket will contain a list of all the rights and privileges that that user has access to. Another type of permission control is ABAC, and we're starting to see this more and more now. So there's nothing worse than assigning you permissions and then you're joining a group, and then you join another group and another group, and essentially what happens is, as you move from group to group, the permissions are cumulative, so suddenly five years down the line you go ah, oh my goodness, they've got all of those permissions. Whereas ABAC is attribute-based access control, so typically, let's say you're in a school, I set permissions on, let's say, year five students, that they have access to a particular resource. So in your user account properties you're in the year five students department; if I change the department to, let's say, year six, then you will no longer have access to the year five, and it's dynamic, this is why it's such a powerful feature. All right, so ABAC is definitely the next big thing and it's coming in big time.

So let's have a look then at some of the authorization mechanisms that we have here in Microsoft 365. So what I'm going to do first of all, I'm going to open up OneDrive for Business. So here in OneDrive, of course, these are all my personal files that I might have here, so within OneDrive for Business again I can just go into my files here and you can see I've got a folder, I've got some documents here and so on. And one of the things you might want to do is you might want to share out this document, so I can go to the Share tab here and I can say hey, you know, I want to share this out, let's say with Joni in my organization. I can put in a little message and I can say OK, what permissions do I want this user to have? So I can share it with people in my organization, I can say they can edit it, or I just want them to be able to view, so that's the read and execute permission as opposed to read, write and change. So in this case I just want Joni to view, so I don't want her to be able to download this file, though, so I can actually block the download, and this will prevent her from downloading it, which means she can still access the document on site. So I'm going to click on Apply, and again I could now send that link off to Joni. All right, and I've now shared that file. So that's an example of authorization: you set the permissions and she's then authorized to access that content.

So what about RBAC then, the job roles? Well, first of all I'm going to come back into Active users here in my Azure Active Directory and I'm going to scroll down here, and remember Jean-Luc Picard, so we created a user called Jean-Luc. So what I want to do is I want to give Jean-Luc an admin role. So I can do this in a number of ways: I can either go in through role assignments here, or I can simply come into the user account, and at the moment Jean-Luc has no admin access. So I can go in and I can manage the role, and I can say hey, you know, OK, I want Jean-Luc to be, let's say, well, a Global Admin is essentially a god user, so these guys can basically do everything; it's considered not good practice to have too many Global Admins. So in this case I want Jean-Luc to be a Helpdesk Admin and a Service Support Administrator, and he'll have all the rights and privileges associated with that role. So I can go ahead and I can say yeah, hey, great, that's it, I have now assigned Jean-Luc those appropriate roles for his job, and you can see there we go. OK.

Now another type of attribute-based control or role-based control you can find if I go into, let's say, groups. So if I go into Teams and groups and Active teams and groups here I can go in; in fact I will do this through Azure Active Directory here actually, it's a little bit easier. I'm going to go into Groups and I'm going to create a new group, and what I'm going to do is I'm going to create this as a security group, and I'll call this group The IT bosses, OK. And in here I'm going to say I don't want to assign membership to a group. You can assign an owner if you want to, but instead of assigning manually, what I'm going to do here is I'm going to use ABAC, or attribute-based access control. So I'm going to come into Dynamic user, and here is where I do a dynamic query. So I'm going to add in and say right, OK, choose a property, so I'm going to say hey, well, if the department equals, let's say, equals IT, OK, and my account, or city, will say equals, let's say Aberd..., let's say Oslo, because I'm in Oslo this week. And there you go, there's the rule: if the user's department equals IT and they're in Oslo then that is the rule, and the user would then become a member of that group. So now what I'm going to do is I'm going to go back into Jean-Luc's account, so I'm just scrolling down, I'm going to go into Jean-Luc Picard, and instead of making Jean-Luc a member of a group here, what I simply want to do is I want to change the attributes for Jean-Luc. So I simply go to his contact information, I now make him a member of the IT team, and of course I can specify that he's now in Oslo. So now Jean-Luc is a member of that group. That is an example of ABAC, so if Jean-Luc changed department or changed role he would dynamically be removed or added and so on.

So there you have it: three critical components in the modern organization, identity, authentication and authorization. I really hope that you enjoyed the session, and if you did, bump the like button, it really does make a difference, and if you've not subscribed, well hey, come on board, click that subscribe button, ring that bell and come and join the great learning community that I'm trying to build out. And if you've got questions about this or in fact any of my other sessions, of course just get them down below and I will do my very best for you. That's it for this time, so from a chilly Oslo I will see you soon, take care. Hey, thanks so much for dropping by today, here's a couple of videos that you may enjoy, and while you're here go ahead, click on the subscribe button and you won't miss out.
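The three demos in the video (create the identity, assign a least-privilege admin role, and build a dynamic group whose membership follows user attributes) are all done in the portal. The same steps scripted against the Microsoft Graph PowerShell SDK, as an added example that is not from the video or its author: the tenant domain mycompany.com, the user and group names, the membership rule and the "Helpdesk Administrator" role name are taken from the demos or assumed for illustration, and the script assumes the Microsoft.Graph modules are installed and the signed-in admin can consent to the listed scopes.

```powershell
# Added example (not from the video): identity, RBAC and ABAC steps from the demos,
# done with the Microsoft Graph PowerShell SDK instead of the admin portals.
# Assumes Install-Module Microsoft.Graph has been run. Domain, names and the
# membership rule are illustrative values matching the video's demo.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# --- Identity: create the user (the "Add a user" step in the Microsoft 365 admin center) ---
# The initial password is generated rather than typed in, and must be changed at first sign-in.
$initialPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
$user = New-MgUser -DisplayName "Jean-Luc Picard" `
    -GivenName "Jean-Luc" -Surname "Picard" `
    -UserPrincipalName "picardj@mycompany.com" -MailNickname "picardj" `
    -UsageLocation "US" -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# --- RBAC: assign a scoped directory role instead of Global Administrator ---
# Role assignment is by role definition id; look the built-in role up by its display name.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"   # "/" = tenant-wide scope

# --- ABAC: dynamic security group keyed on user attributes, as in the "IT bosses" demo ---
$rule  = '(user.department -eq "IT") and (user.city -eq "Oslo")'
$group = New-MgGroup -DisplayName "The IT bosses" -MailNickname "itbosses" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Nobody is added to the group directly: only the user's attributes are changed.
Update-MgUser -UserId $user.Id -Department "IT" -City "Oslo"

# Dynamic membership is evaluated asynchronously by the service, so poll before checking.
$member = $null
for ($i = 0; $i -lt 12 -and -not $member; $i++) {
    Start-Sleep -Seconds 10
    $member = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $user.Id }
}
if ($member) { "ABAC: $($user.UserPrincipalName) is now a member of '$($group.DisplayName)'" }
else         { "Membership not yet evaluated; re-run the check later" }

# Moving him out of Oslo removes him from the group without touching the group object at all.
Update-MgUser -UserId $user.Id -City "Aberdeen"
```

The role assignment and the group are deliberately separate controls: the directory role is RBAC (what Jean-Luc may administer), while the dynamic group is ABAC (which resource access he inherits from his department and city), so a change to either attribute changes his access with no manual group edits.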
Info
Channel: Andy Malone MVP
Views: 14,336
Keywords: Learn Microsoft Identity, Authentication & Authorization, Microsoft 365, Microsoft Entra, Microsoft Azure AD, Andy Malone MVP
Id: zS79FDhAhBs
Length: 35min 43sec (2143 seconds)
Published: Fri Mar 31 2023