User and Group Security Part 4: Managing Passwords

Time: 6 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
Welcome back yet again, Cybrarians.
00:03
This is the MS 365 Security Administration course.
00:07
I'm your instructor, Jim Daniels. In this video we are on Module 2,
00:12
Identity and Access, Lesson 1, User and Group Security,
00:17
Part 4: Managing Passwords.
00:21
Our objectives in this lesson: we're gonna go over password policies, authentication,
00:27
implementation of multi-factor authentication, and self-service password management, SSPR.
00:35
Planning password policies and authentication.
00:38
By default in Microsoft 365, passwords expire in 90 days,
00:43
and the user receives a notification 14 days before that expiration.
00:49
The Microsoft 365 admin center
00:51
and PowerShell allow organizations to change the default password policy as well as reset passwords for users, singly or in bulk.
01:00
If you forget your own administrator password,
01:03
the two available options are:
01:06
ask another administrator to reset it for you,
01:10
or reset the password yourself
01:12
with self-service password reset, if it has been set up within your tenant.
01:19
Passwords can also be set to never expire for the entire tenant. This is not best practice.
01:25
If you need to disable password expiration for a single user,
01:29
you can use the following
01:30
PowerShell command,
01:32
Set-MsolUser,
01:34
with the PasswordNeverExpires switch.
01:38
You have options for resetting user passwords in the MS 365 admin center,
01:42
as you can see on the screen.
01:45
You can also do it via PowerShell with the Set-MsolUserPassword command.
01:52
Multi-factor authentication requires two or more of the following authentication methods: something you know,
02:00
something you have,
02:01
something you are.
02:04
So, Spider-Man, for example, here:
02:07
something he knows is his password, user name and password;
02:10
something he has,
02:14
you can use a smartphone,
02:15
smart device, phone, badge, fob;
02:20
something you are,
02:22
so Spider-Man's facial recognition, maybe a retina scan, or a scan of fingerprints.
02:30
So more than one method
02:32
from those
02:34
is the base definition of multi-factor authentication.
02:38
Microsoft 365 uses MFA
02:40
to provide an additional layer of security.
02:45
Verification methods include password,
02:47
mobile SMS text,
02:50
mobile app,
02:51
which within that you can do a rolling code, or you can do an approval push: approve or deny.
02:59
You also have a voice robocall with a code to a phone.
03:04
You can also enable users to authenticate from a federated
03:07
on-premises directory for MFA.
03:10
To enable multi-factor authentication,
03:15
you can use PowerShell to enable it for a user;
03:19
let's look at Set-MsolUser
03:23
and the StrongAuthenticationRequirements parameter.
03:25
If you want to enable it with the MS 365 admin center,
03:30
in the Settings menu, click on Services & add-ins.
03:35
On the add-ins page, click on Azure MFA.
03:38
On that page, click on Manage.
03:40
Security defaults in Azure AD make it easier to be secure and protect your organization.
03:47
Security defaults contain pre-configured security settings
03:51
for common attacks.
03:53
Some of the security defaults you can enable:
03:57
unified MFA registration,
03:59
that requires your users to register for MFA.
04:02
They have 14 days until they are required; they can't skip the registration prompt anymore.
04:09
The 14 days start when each user logs in after security defaults are enabled.
04:15
MFA enforcement.
04:17
You can enforce it for all users, or you can enforce it for privileged Microsoft 365 accounts.
04:25
Those are users that were assigned
04:28
admin roles such as global admin, SharePoint admin, Exchange admin, user admin, and billing admin, and so on and so forth.
04:34
Another security default
04:36
is blocking of legacy authentication protocols,
04:41
so clients that don't use modern auth,
04:43
Office 2010 and below,
04:45
legacy protocols, including SMTP, POP, IMAP,
04:48
and Exchange ActiveSync basic authentication,
04:51
these could be blocked.
04:54
If we pull up Azure Active Directory
04:57
and we go into Properties, we can actually see
05:00
some of the security defaults, so we can actually enable them right here in the tenant settings.
05:10
According to Gartner, the organization that
05:13
everyone loves when it supports your argument or your choice,
05:17
also the organization that everyone thinks is overrated when it doesn't include their product in the top Magic Quadrant.
05:25
According to Gartner, 40% of the service desk call volume relates to password issues,
05:30
including resets.
05:31
One of the solutions that Microsoft 365 has in place for this, to reduce
05:38
that 40% volume just for password issues, is self-service password management.
05:44
Self-service password management is also referred to, on the user side, as self-service password reset, SSPR.
05:49
It lets users reset their own passwords 24/7 without, and that's the key word, without requiring assistance by an admin.
05:59
SSPR is not enabled by default.
06:01
To reset a password, the users have to authenticate their identity, the first
06:06
same methods as MFA,
06:11
but you also have security questions. If users have not entered alternate authentication methods, they can't use SSPR,
06:18
so you have to actually register
06:21
those authentication methods, and SSPR has to be enabled within the tenant.
06:28
It works with the cloud identity model by default.
06:31
Azure AD Premium
06:33
P1 is required for password writeback,
06:38
which allows SSPR to work with
06:40
on-premises managed identities.
06:42
Within our environment
06:44
we use Azure AD Connect.
06:46
Our users have Azure AD Premium, so we do password writeback,
06:50
and that allows us
06:53
to have our users 24/7
06:56
reset a password in the browser in MS 365
07:00
and write their new password back to their local on-premises Active Directory account.
07:04
Pretty cool stuff.
07:06
Azure AD also supports FIDO2. It's a new open standard for secure authentication
07:14
that locks credentials to a device.
07:15
It enables you to manage passwordless authentication for your users and groups to all of your Azure AD connected apps and services.
07:26
This means you can keep identity safe no matter where you are physically.
07:30
FIDO2 security keys offer flexibility for workers to rotate between computers and workstations.
07:39
It also offers these advantages:
07:42
password-free access to as many apps and devices as possible,
07:46
strong two-factor authentication on Windows 10 devices with Windows Hello.
07:51
So again, Windows Hello for Business utilizes FIDO2; it utilizes a security key.
07:59
Passwordless solutions can also integrate with the Authenticator mobile app.
08:05
The Authenticator mobile app is a passwordless solution for Android and Apple mobile devices.
08:11
Users verify their identity and authenticate to their Azure Active Directory account.
08:16
Identity is confirmed through a PIN, fingerprint, facial or iris recognition.
08:22
Passwordless sign-in with Microsoft Authenticator requires users:
08:26
their account has to be enabled for Azure MFA,
08:31
and devices are enrolled with Intune
08:33
or another third-party endpoint manager.
08:37
So you have a lot of stuff going on with the Authenticator app.
08:39
Your users can use it for passwordless
08:43
authentication, but they also can use it with Azure MFA,
08:48
where they can install that app and use it as one of their verification methods along with their password.
08:54
Windows Hello for Business: this is passwordless authentication.
09:00
Windows Hello is not the same as Windows Hello for Business.
09:03
If you know Microsoft's naming convention, Skype for Business,
09:07
OneDrive for Business,
09:09
we know Windows Hello for Business is their enterprise equivalent of Windows Hello.
09:15
It replaces passwords
09:16
with two-factor authentication.
09:18
Authentication consists of
09:20
a new type of user credential tied to a device
09:24
that uses a biometric or a PIN.
09:28
Windows Hello features only appear when your computer has compatible hardware.
09:31
It is hardware dependent.
09:33
Windows Hello for Business users can authenticate to
09:37
Active Directory or Azure Active Directory.
09:39
It's deployed and managed through Group Policy
09:43
or Intune policies.
09:46
Let's take a look at the Windows Hello for Business authentication workflow.
09:50
Step one,
09:52
the user
09:54
has to prove their identity.
09:56
The identity provider
09:58
proves the identity,
10:00
and it creates and trusts a unique key, or authenticates by validating the signed request.
10:07
After it's validated,
10:09
the identity provider
10:11
gives an authentication token to the machine.
10:16
From there,
10:18
the internet resources have their own policies to trust or not trust that
10:24
authentication token from the provider given to the machine.
10:28
Quiz.
10:30
SSPR is enabled by default in MS 365 environments. True or false?
10:37
You have a 50% chance of getting the right answer
10:39
on this question. Don't overthink it.
10:46
Dwight Schrute
10:48
would famously say: false.
10:50
It is not enabled by default.
10:54
You must enable it for your tenant.
10:56
Azure Active Directory access reviews: this is a fantastic management solution.
11:03
It enables organizations to efficiently manage membership of groups, access to applications, and privileged role assignments.
11:11
With these access reviews, global admins and user account admins can perform these tasks.
11:18
They can evaluate guest user access
11:20
across the whole entire tenant.
11:22
They can evaluate employees' access to applications
11:26
that are assigned based on group memberships.
11:30
They can collect access review controls into programs that are relevant,
11:33
which means you can organize your review programs,
11:37
and you can recertify role assignments of administrative users who are assigned those roles.
11:43
Access reviews require an Azure AD Premium P2 license
11:48
that's available either a la carte
11:50
or is included in the Enterprise Mobility + Security
11:54
E5 license suite
11:56
and the MS 365 E5 license suite.
12:01
Access reviews are created in the Azure admin dashboard.
12:07
You will go into Identity Governance,
12:09
and then you will go under the Access Reviews section.
12:11
Click on access review, create a new access review, and get that process started.
12:18
When you create a new access review, you have a few options. You can configure frequency:
12:22
that's how often that review is conducted.
12:28
Duration: how many days that review is open for input,
12:33
and
12:33
how it ends:
12:35
does it
12:37
have a regular occurrence,
12:39
or does it end after one or two times?
12:43
Users to review: the members of a group,
12:46
Azure AD application assignments based on group membership.
12:52
Reviewers:
12:54
those are people that are actually going to do the access review. You can set it for a group; owners review membership for their group and sign off on it.
13:01
You can specify users,
13:05
and members do self-review, depending on the group or the department or the scope.
13:11
These options may change.
13:13
Programs: organize reviews for different purposes into groups.
13:18
You may have something for financial
13:20
membership review
13:22
that reviews more often than you have for personnel membership review.
13:26
All of this can be tailored and organized into review groups based on your policies.
13:33
Finally, if a user doesn't respond,
13:37
what happens?
13:37
You can do nothing, no change; remove access; or approve;
13:43
or take recommendations.
13:46
They're automatically enacted at the end.
13:48
So in recap for today's lesson: removing password expiration is not best practice. Generally avoid that practice.
13:56
MFA requires two or more authentication methods.
14:03
SSPR,
14:03
self-service password management, allows users to reset their passwords 24/7 without administrative assistance.
14:13
Windows Hello for Business and the Microsoft Authenticator app both provide options for passwordless authentication.
14:20
Access reviews allow efficient management of group memberships,
14:24
access to applications, and privileged role assignments.
14:28
Thanks again for joining me
14:31
in this lesson, and I hope to see you back for the next one. Thank you.