Welcome back yet again, Cybrarians. This is the MS 365 Security Administration course. I'm your instructor, Jim Dangles. In this video we are on Module 2, Identity and Access, Lesson 1, User and Group Security, Part 4: Managing Passwords.
Our objectives. In this lesson we're going to go over password policies and authentication, implementation of multi-factor authentication, and self-service password management (SSPR).

Planning password policies and authentication. By default in Microsoft 365, passwords expire after 90 days, and the user receives a notification 14 days before that expiration. The Microsoft 365 admin center and PowerShell allow organizations to change the default password policy, as well as reset passwords for users, singly or in bulk.

If you forget your own administrator password, the two available options are: ask another administrator to reset it for you, or reset the password yourself with self-service password reset, if it has been set up within your tenant.

Passwords can also be set to never expire for the entire tenant. This is not best practice. If you need to disable password expiration for a single user, you can use the following PowerShell command: Set-MsolUser with the PasswordNeverExpires switch.

You have options for resetting user passwords in the MS 365 admin center, as you can see on the screen. You can also do it via PowerShell with the Set-MsolUserPassword command.
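Here is an added PowerShell example (not from the course) that puts the two cmdlets just mentioned together: exempting one account from expiry, auditing which accounts carry that exemption, and resetting passwords singly or in bulk. It assumes the MSOnline module (which Microsoft has since deprecated in favour of Microsoft Graph PowerShell) and an admin sign-in via Connect-MsolService; the UPN and the CSV path are placeholders.

```powershell
# Added example, not code from the course. Assumes the MSOnline module and an
# admin sign-in via Connect-MsolService. The UPN and CSV path are placeholders.
Import-Module MSOnline
Connect-MsolService            # prompts for administrator credentials

$upn = "svc.backup@contoso.example"   # placeholder account

# Exempt a single account from the 90-day expiry policy. Note that
# PasswordNeverExpires takes a Boolean, so $true is passed explicitly.
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# Check: list every exempted account with the date of its last password
# change, so the exceptions stay visible instead of quietly accumulating.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Format-Table -AutoSize

# Reset one user's password. With no -NewPassword, the cmdlet generates a
# random temporary password and returns it; the user must change it at
# next sign-in.
$temp = Set-MsolUserPassword -UserPrincipalName $upn -ForceChangePassword $true
Write-Host "Temporary password for ${upn}: $temp"

# Bulk reset from a CSV with a UserPrincipalName column (constructed file).
Import-Csv -Path .\reset-list.csv | ForEach-Object {
    $tmp = Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName `
                                -ForceChangePassword $true
    [pscustomobject]@{ User = $_.UserPrincipalName; TempPassword = $tmp }
}
```

The temporary passwords are emitted to the console only so they can be handed over out of band; treat that output as sensitive.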
Multi-factor authentication requires two or more of the following authentication methods: something you know, something you have, something you are. So take Spider-Man, for example. Something he knows: his password, his user name and password. Something he has: that could be a smartphone, a smart device, a phone, a badge, a fob. Something he is: Spider-Man's facial recognition, maybe a retina scan, fingerprints. So more than one method is the base definition of multi-factor authentication.

Microsoft 365 uses MFA to provide an additional layer of security. Verification methods include: password; mobile app, within which you can do a rolling code or you can do an approval, a push approval; SMS text; and a voice robocall with a code to your phone. You can also enable users to authenticate from a federated on-premises directory, for example AD FS.

To enable multi-factor authentication, you can use PowerShell to enable it for a user. Take a look at Set-MsolUser with the StrongAuthenticationRequirements parameter. If you want to enable it with the MS 365 admin center: in the Settings menu, click on Services & add-ins; on the Add-ins page, click on Azure MFA; on that page, click Manage.
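Here is an added PowerShell example (not from the course) of the Set-MsolUser route: it wraps the StrongAuthenticationRequirements object the lesson names in a small function, applies it to one user and then to every member of the global admin role, and finishes with a check for accounts that still have no MFA requirement. It assumes the MSOnline module and an admin sign-in via Connect-MsolService; the UPN is a placeholder.

```powershell
# Added example, not code from the course. Assumes the MSOnline module and an
# admin sign-in via Connect-MsolService. The UPN is a placeholder.
Import-Module MSOnline
Connect-MsolService            # prompts for administrator credentials

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Build the per-user requirement object the lesson refers to.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"      # apply to every relying party
    $req.State = "Enabled"       # "Enabled" prompts registration at next sign-in;
                                 # "Enforced" requires MFA immediately
    Set-MsolUser -UserPrincipalName $UserPrincipalName `
                 -StrongAuthenticationRequirements @($req)
}

# Enable MFA for a single user.
Enable-UserMfa -UserPrincipalName "jane.doe@contoso.example"

# Enable MFA for every user holding the global admin role, which MSOnline
# names "Company Administrator".
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object { Enable-UserMfa -UserPrincipalName $_.EmailAddress }

# Check: which accounts have no MFA requirement set at all?
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName
```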
Security defaults in Azure AD make it easier to be secure and protect your organization. Security defaults contain pre-configured security settings for common attacks. Some of the security defaults you can enable:

Unified MFA registration. That requires your users to register for MFA. They have 14 days until they are required to; they can't skip the registration prompt anymore. The 14 days start when each user logs in after security defaults are enabled.

MFA enforcement. You can enforce it for all users, or you can enforce it for privileged Microsoft 365 accounts. Those are users that were assigned an admin role, such as global admin, SharePoint admin, Exchange admin, user admin, billing admin, and so on and so forth.

Another security default is blocking of legacy authentication protocols. So clients that don't use modern auth, Office 2010 and below, and legacy protocols including SMTP, POP, IMAP, Exchange ActiveSync and basic authentication, those could be blocked.

If we pull up Azure Active Directory and we go into Properties, we can actually see some of the security defaults, so we can actually enable them right here in the tenant settings.
According to Gartner, the organization that everyone loves when it supports your argument or your choice, and also the organization that everyone thinks is overrated when it doesn't include their product at the top of the Magic Quadrant. According to Gartner, 40% of service desk call volume relates to password issues. One of the solutions Microsoft 365 has in place to reduce that 40% volume, just for password issues, is self-service password management.

Self-service password management, also referred to, from the user side, as self-service password reset (SSPR), lets users reset their own passwords 24/7 without, and that's the key word, without requiring assistance by an admin. SSPR is not enabled by default. To reset a password, the users have to authenticate. They're given the same methods as MFA, but you also have security questions. If users have not entered alternate authentication methods, they can't use SSPR, so you have to actually register those authentication methods, and SSPR has to be enabled within the tenant.

It works with the cloud identity model by default. Azure AD Premium P1 is required for password writeback, which allows SSPR to work with on-premises managed identities. Within our environment, we use Azure AD Connect. Our users have Azure AD Premium, so we do password writeback, and that allows us to have our users, 24/7, reset a password in the browser in MS 365 and write their new password back to their local on-premises Active Directory account. Pretty cool stuff.
Azure AD also supports FIDO2. It's a new open standard for secure authentication that locks credentials to a device. It enables you to manage passwordless authentication for your users and groups to all of your Azure AD connected apps and services. This means you can keep identity safe no matter where you are physically. FIDO2 security keys offer flexibility for workers to rotate between computers and workstations. It also offers these advantages: password-free access to as many apps and devices as possible, and strong two-factor authentication on Windows 10 devices with Windows Hello. So again, Windows Hello for Business utilizes FIDO2; it utilizes a security key.

The passwordless solution can also integrate with the Authenticator mobile app. The Authenticator mobile app is a passwordless solution for Android and Apple mobile devices. Users verify their identity and authenticate to their Azure Active Directory account. Identity is confirmed through a PIN, fingerprint, facial or iris recognition. Passwordless sign-in with Microsoft Authenticator requires that users' accounts be enabled for Azure MFA and that their devices are enrolled with Intune or another third-party endpoint manager. So you have a lot of stuff going on with the Authenticator app. Your users can use it for passwordless authentication, but they also can use it with Azure MFA, where they can install the app and use it as one of their verification methods along with their password.

Windows Hello for Business: this is passwordless authentication. Windows Hello is not the same as Windows Hello for Business. If you know Microsoft's naming convention, Skype for Business, OneDrive for Business, then Windows Hello for Business is their enterprise equivalent of Windows Hello. It replaces passwords with two-factor authentication. Authentication consists of a new type of user credential tied to a device that uses a biometric or a PIN. Windows Hello features only appear when your computer has compatible hardware; it is hardware dependent. Windows Hello for Business users can authenticate to Active Directory or Azure Active Directory. It is deployed and managed through Group Policy or Intune policies.

Let's take a look at how Windows Hello for Business authentication works. The user has to prove their identity. The identity provider proves the identity, and it creates and trusts a unique key, or authenticates by validating a signed request. After it is validated, the identity provider gives an authentication token to the machine. Internet resources have their own policies to trust or not trust that authentication token from the provider given to the machine.
Quiz: SSPR is enabled by default in MS 365 environments, true or false? You have a 50% chance of getting the right answer on this question. Don't overthink it. Well, as we said earlier, it's false. It is not enabled by default; you must enable it for your tenant.
Azure Active Directory access reviews. This is a fantastic management solution. It enables organizations to efficiently manage membership of groups, access to applications, and privileged role assignments. With these access reviews, global admins and user account admins can perform these tasks: they can evaluate guest user access across the whole entire tenant; they can evaluate employee access to applications that are assigned based on group memberships; they can collect access review controls into programs that are relevant, meaning you can organize your review programs; and they can recertify role assignments of administrative users who are assigned those roles.

Access reviews require an Azure AD Premium P2 license. That's available either à la carte, or it's included in the Enterprise Mobility + Security E5 license and the MS 365 E5 license.

Access reviews are created in the Azure admin dashboard. You will go into Identity Governance, and then you will go under the Access Reviews section. Welcome to access reviews; create a new access review and get that process started.

When you create a new access review, you have a few options. You can configure frequency: that's how often that review is conducted. Duration: how many days that review is open for input. How it ends: does it have a regular occurrence, or does it end after one or two times? Users to review: the members of a group, or an Azure AD application assignment based on group membership. Reviewers: those are the people that are actually going to do the access review. You can set it for a group, so owners review membership for their group and sign off on it; you can specify users; or members do a self-review, depending on the group or the department or the scope. These options may change.

Programs organize reviews for different purposes. In the groups, you may have something for finance that reviews more often than you have for personnel membership. All of this can be tailored and organized into review programs based on your policies.

Finally, if a user doesn't respond, you can do one of the following: no change, remove access, approve access, or take recommendations. Those are automatically enacted at the end.
So in recap for today's lesson: removing password expiration is not best practice; generally avoid that practice. MFA requires two or more authentication methods. Self-service password management allows users to reset their passwords 24/7 without administrative assistance. Windows Hello for Business and the Microsoft Authenticator app both provide options for passwordless authentication. Access reviews allow efficient management of group memberships, access to applications, and privileged role assignments.

Thanks again for joining me in this lesson, and I hope to see you back for the next one. Thank you.