Time: 6 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 7

Video Transcription

00:00
Welcome back yet again, Cybrarians.
00:03
This is the MS 365 Security Administration course.
00:07
I'm your instructor, Jim Daniels. In this video we are on Module 2,
00:12
identity and access, Lesson 1, user and group security,
00:17
Part 4, managing passwords.
00:21
Our objectives: in this lesson, we're going to go over password policies, authentication,
00:27
implementation of multi-factor authentication and self-service password management (SSPR),
00:35
and planning password policies and authentication.
00:38
By default in MS 365, passwords expire in 90 days,
00:43
and the user receives a notification 14 days before that expiration.
00:49
The MS 365 admin center
00:51
and PowerShell allow organizations to change the default password policy as well as reset passwords for users, singly or in bulk.
01:00
If you forget your own administrator password,
01:03
the two available options are:
01:06
ask another administrator to reset it for you,
01:10
or reset the password yourself
01:12
with self-service password reset, if that has been set up within your tenant.
01:19
Passwords can also be set to never expire for the entire tenant. This is not best practice.
01:25
If you need to disable password expiration for a single user,
01:29
you can use the following
01:30
PowerShell command:
01:32
Set-MsolUser
01:34
with the -PasswordNeverExpires switch.
01:38
You have options for resetting user passwords in the MS 365 admin center,
01:42
as you can see on the screen.
01:45
You can also do it via PowerShell with the Set-MsolUserPassword command.
01:52
Multi-factor authentication requires two or more of the following authentication methods: something you know,
02:00
something you have,
02:01
something you are.
02:04
So, Spider-Man, for example, here:
02:07
something he knows is his password, username and password;
02:10
something he has:
02:14
you can use a smartphone,
02:15
smart device, phone, badge, fob;
02:20
something you are:
02:22
so Spider-Man's facial recognition, maybe a retina scan, iris scan, fingerprints.
02:30
So more than one method
02:32
from those
02:34
is the base definition of multi-factor authentication.
02:38
MS 365 uses MFA
02:40
to provide an additional layer of security.
02:45
Verification methods include password,
02:47
mobile SMS text,
02:50
mobile app,
02:51
within which you can do a rolling code or you can do an approval push (approve and deny).
02:59
You also have a voice robocall with a code to your phone.
03:04
You can also enable users to authenticate from a federated
03:07
on-premises directory through AD FS.
03:10
To enable multi-factor authentication
03:15
you can use PowerShell to enable it for a user.
03:19
Let's look at Set-MsolUser
03:23
with the -StrongAuthenticationRequirements parameter.
03:25
If you want to enable it with the MS 365 admin center:
03:30
in the Settings menu, click on Services & add-ins;
03:35
on the add-ins page, click on Azure MFA;
03:38
on that page, click Manage.
03:40
Security defaults in Azure AD make it easier to be secure and protect your organization.
03:47
Security defaults contain preconfigured security settings
03:51
for common attacks.
03:53
Some of the security defaults that you can enable:
03:57
unified MFA registration,
03:59
which requires your users to register for MFA.
04:02
They have 14 days until they are required; they can't skip the registration prompt anymore.
04:09
The 14 days start when each user logs in after security defaults are enabled.
04:15
MFA enforcement:
04:17
you can enforce it for all users, or you can enforce it for privileged MS 365 accounts.
04:25
Those are users that were assigned
04:28
admin roles such as global admin, SharePoint admin, Exchange admin, user admin, billing admin, and so on and so forth.
04:34
Another security default
04:36
is blocking of legacy authentication protocols,
04:41
so clients that don't use modern auth,
04:43
Office 2010 and below;
04:45
legacy protocols, including SMTP, POP, IMAP,
04:48
Exchange ActiveSync, basic authentication;
04:51
these can be blocked.
04:54
If we pull up Azure Active Directory
04:57
and we go into Properties, we can actually see
05:00
some of the security defaults, so we can actually enable them right here in the tenant settings.
05:10
According to Gartner, the organization that
05:13
everyone loves when it supports your argument or your choice,
05:17
also the organization that everyone thinks is overrated when it doesn't include their product in the top Magic Quadrant:
05:25
according to Gartner, 40% of service desk call volume relates to password issues,
05:30
including resets.
05:31
One of the solutions that MS 365 has in place for this, to reduce
05:38
that 40% volume just for password issues, is self-service password management,
05:44
also referred to, from the user side, as self-service password reset (SSPR).
05:49
It lets users reset their own passwords 24/7 without (that's the key word, without) requiring assistance from an admin.
05:59
SSPR is not enabled by default.
06:01
To reset a password, the users have to authenticate there. These are the
06:06
same methods as MFA,
06:11
but you also have security questions. If users have not entered alternate authentication methods, they can't use SSPR,
06:18
so you have to actually register
06:21
these authentication methods, and SSPR has to be enabled within the tenant.
06:28
It works with the cloud identity model by default.
06:31
Azure AD Premium
06:33
P1 is required for password writeback,
06:38
which allows SSPR to work with
06:40
on-premises managed identities.
06:42
Within our environment
06:44
we use Azure AD Connect.
06:46
Our users have Azure AD Premium, so we do password writeback,
06:50
and that allows us
06:53
to have our users, 24/7,
06:56
reset a password in the browser in MS 365
07:00
and write their new password back to their local on-premises Active Directory account.
07:04
Pretty cool stuff.
07:06
Azure AD also supports FIDO2. It's a new open standard for secure authentication
07:14
that locks credentials to a device.
07:15
It enables you to manage passwordless authentication for your users and groups to all of your Azure AD-connected apps and services.
07:26
This means you can keep identity safe no matter where you are physically.
07:30
FIDO2 security keys offer flexibility for workers to rotate between computers and workstations.
07:39
It also offers these advantages:
07:42
password-free access to as many apps and devices as possible;
07:46
strong two-factor authentication on Windows 10 devices with Windows Hello.
07:51
So again, Windows Hello for Business utilizes FIDO2; it utilizes a security key.
07:59
Passwordless solutions can also integrate with the Authenticator mobile app.
08:05
The Authenticator mobile app is a passwordless solution for Android and Apple mobile devices.
08:11
Users verify their identity and authenticate to their Azure Active Directory account.
08:16
Identity is confirmed through a PIN, fingerprint, facial or iris recognition.
08:22
Passwordless sign-in with Microsoft Authenticator requires users'
08:26
accounts to be enabled for Azure MFA
08:31
and devices enrolled with Intune
08:33
or another third-party endpoint manager.
08:37
So you have a lot of stuff going on with the Authenticator app.
08:39
Your users can use it for passwordless
08:43
authentication, but they also can use it with Azure MFA,
08:48
where they can install the app and use it as one of their verification methods along with their password.
08:54
Windows Hello for Business: this is passwordless authentication.
09:00
Windows Hello is not the same as Windows Hello for Business.
09:03
If you know Microsoft's naming convention, Skype for Business,
09:07
OneDrive for Business,
09:09
you know Windows Hello for Business is their enterprise equivalent of Windows Hello.
09:15
It replaces passwords
09:16
with two-factor authentication.
09:18
Authentication consists of
09:20
a new type of user credential tied to a device
09:24
that uses a biometric or a PIN.
09:28
Windows Hello features only appear when your computer has compatible hardware.
09:31
It is hardware dependent.
09:33
Windows Hello for Business users can authenticate to
09:37
Active Directory or Azure Active Directory.
09:39
It is deployed and managed through Group Policy
09:43
or Intune policies.
09:46
Let's take a look at the Windows Hello for Business authentication workflow.
09:50
Step one:
09:52
the user
09:54
has to prove their identity.
09:56
The identity provider
09:58
proves the identity,
10:00
and it creates and trusts a unique key, or authenticates by validating the signed request.
10:07
After it is validated,
10:09
the identity provider
10:11
gives an authentication token to the machine.
10:16
From there,
10:18
the internal resources have their own policies to trust or not trust the
10:24
authentication token from the provider given to the machine.
10:28
Quiz.
10:30
SSPR is enabled by default in MS 365 environments. True or false?
10:37
You have a 50% chance of getting the right answer
10:39
on this question. Don't overthink it.
10:46
Dwight Schrute
10:48
would famously say: false.
10:50
It is not enabled by default.
10:54
You must enable it for your tenant.
10:56
Azure Active Directory access reviews. This is a fantastic management solution.
11:03
It enables organizations to efficiently manage membership of groups, access to applications and privileged role assignments.
11:11
With these access reviews, global admins and user account admins can perform these tasks:
11:18
they can evaluate guest user access
11:20
across the entire tenant;
11:22
they can evaluate employees' access to applications
11:26
that are assigned based on group memberships;
11:30
they can put access review controls into programs that are relevant,
11:33
meaning you can organize your review programs;
11:37
and you can recertify role assignments of administrative users who are assigned those roles.
11:43
Access reviews require an Azure AD Premium P2 license.
11:48
That's available either à la carte
11:50
or included in the Enterprise Mobility + Security
11:54
E5 license suite
11:56
and the MS 365 E5 license suite.
12:01
Access reviews are created in the Azure admin dashboard.
12:07
You will go into Identity Governance,
12:09
and then you will go under the Access reviews section.
12:11
Click on Access reviews, create a new access review and get that process started.
12:18
When you create a new access review, you have a few options. You can configure frequency:
12:22
that's how often the review is conducted.
12:28
Duration: how many days the review is open for input.
12:33
And
12:33
how it ends:
12:35
does it
12:37
have a regular recurrence?
12:39
Or does it end after one or two times?
12:43
Users to review: the members of a group,
12:46
or Azure AD application assignments based on group membership.
12:52
Reviewers:
12:54
those are the people that are actually going to do the access review. You can set group owners to review membership for their group and sign off on it.
13:01
You can specify users,
13:05
and members can do a self-review. Depending on the group or the department or the scope,
13:11
these options may change.
13:13
Programs: organize reviews for different purposes and groups.
13:18
You may have something for financial
13:20
membership review
13:22
that reviews more often than you have for personnel membership review.
13:26
All of this can be tailored and organized into review programs based on your policies.
13:33
Finally, if a user doesn't respond,
13:37
what happens?
13:37
You can do nothing (no change), remove access, or approve.
13:43
You also have recommendations;
13:46
they are automatically enacted then.
13:48
So in recap for today's lesson: removing password expiration is not best practice. Generally avoid that practice.
13:56
MFA requires two or more authentication methods.
14:03
SSPR,
14:03
or self-service password management, allows users to reset their passwords 24/7 without administrative assistance.
14:13
Windows Hello for Business and the Microsoft Authenticator app both provide options for passwordless authentication.
14:20
Access reviews allow efficient management of group memberships,
14:24
access to applications and privileged role assignments.
14:28
Thanks again for joining me
14:31
in this lesson, and I hope to see you back for the next one. Thank you.
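Added example, not part of the lesson transcript or the course materials: a PowerShell script that exercises the MSOnline cmdlets the lesson names (Set-MsolUser with -PasswordNeverExpires, Set-MsolUserPassword, and Set-MsolUser with -StrongAuthenticationRequirements) and then audits the tenant for the two conditions the lesson warns about: accounts whose passwords never expire, and administrator-role holders with no per-user MFA state. The UPN and temporary password are placeholders. Caveat: the MSOnline module is deprecated in favour of the Microsoft Graph PowerShell SDK, so the Graph equivalent of the expiration flag and its audit is included at the end.

```powershell
# Added example (not from the lesson or from Microsoft): the MSOnline cmdlets the
# transcript names, followed by an audit of the two conditions the lesson warns
# about. Assumes the MSOnline module is installed and the signed-in account holds
# a role that can manage users. Caveat: MSOnline is deprecated in favour of the
# Microsoft Graph PowerShell SDK; the Graph equivalent is shown at the end.
Import-Module MSOnline
Connect-MsolService                      # interactive sign-in

$upn = 'alice@contoso.example'           # placeholder user, not a real account

# 1. Disable expiration for ONE user (the lesson: never do this tenant-wide).
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# 2. Admin-driven reset; -ForceChangePassword makes the value a one-time password.
Set-MsolUserPassword -UserPrincipalName $upn `
    -NewPassword 'Placeholder-Temp-Pass-1!' -ForceChangePassword $true

# 3. Per-user MFA through -StrongAuthenticationRequirements.
#    'Enabled' leaves the user the registration grace period; 'Enforced' does not.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# 4a. Audit: every account whose password never expires.
$users = Get-MsolUser -All
$users | Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# 4b. Audit: holders of administrator roles with no per-user MFA state.
#     Per-user state is empty when MFA comes from security defaults or
#     Conditional Access, so a hit here is a prompt to check those policies,
#     not proof that the admin has no MFA at all.
$adminRoles = Get-MsolRole | Where-Object { $_.Name -like '*Administrator*' }
foreach ($role in $adminRoles) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $member = $_
            $u = $users | Where-Object { $_.ObjectId -eq $member.ObjectId }
            if ($u -and -not $u.StrongAuthenticationRequirements.State) {
                [pscustomobject]@{
                    Role       = $role.Name
                    User       = $u.UserPrincipalName
                    PerUserMfa = 'none'
                }
            }
        }
}

# Graph PowerShell equivalent of step 1 and audit 4a (Microsoft.Graph.Users module).
# Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Update-MgUser -UserId $upn -PasswordPolicies 'DisablePasswordExpiration'
# Get-MgUser -All -Property UserPrincipalName,PasswordPolicies |
#     Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
#     Select-Object UserPrincipalName
```

Run the audit half on its own first (steps 4a and 4b are read-only) before making any changes; the write cmdlets in steps 1 to 3 apply immediately to the named account.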

MS-500: Microsoft 365 Security Administration

The Microsoft 365 Security Administration course is designed to prepare students to take and pass the MS-500 certification exam. The course covers the four domains of the exam, providing students with the knowledge and skills they need to earn their credential.

Instructed By

Jim Daniels
IT Architect
Instructor