1. Passwordless Authentication
So far in this course, we’ve seen that we can create users, assign these users passwords, and even enforce the multi-factor authentication options on them. But there’s also this interesting authentication option called the “passwordless model,” which means that the user doesn’t even have to use a password. Microsoft has now published a graph in their documentation stating that passwords are convenient but insecure. Passwords combined with multi-factor or two-factor authentication are secure but inconvenient. And they put this concept of passwordless authentication into practice in a way that is both convenient and high-security.
So let’s see what that is. With Microsoft Azure, there are three ways that you can enable this passwordless authentication. One is called Windows Hello for Business. The second one is the Microsoft Authenticator app, which we’ve talked about before. And the third is called a “FIDO2 security key.” Now, the first one you might already recognise: Windows Hello for Business. Even though it’s got a funny name, this is when you have a modern Windows 10 or higher device and that device can actually recognise your face.
I have a Surface laptop at home that has a front-facing camera, and when I open it, it basically uses the camera to look at me and then it recognizes me. I don’t have to log in; it just recognizes me. So, believe it or not, this is actually considered high security. This is a biometric credential that only the device’s owner has access to. Underneath the hood is a public key infrastructure, PKI security, that basically ensures that no one can fake this login. It has to be the actual owner and their face. All right, so let’s look at this passwordless model. I’m on the home page of my tenant, and there are a couple of ways to get to it. I can go into Security here, or I can just go straight down to Authentication methods right off of the homepage. So you can see here that there are four authentication methods. Two of them are in preview mode, so we’re not going to talk about them.
Preview mode features are not often on the exam. So we can see that neither of the two we’re looking at right now, the Microsoft Authenticator nor the FIDO2 security key, is set up for passwordless authentication. Now, with Microsoft Authenticator, we’re kind of familiar with it at this point. It’s an app that you’ve downloaded. You can use it for two-factor authentication, but you can also configure it to be the passwordless method for users and groups. So now if you’ve got the Authenticator app on your phone, as long as you respond to this passwordless authentication request, you don’t have to provide a password. So I’m going to say enable it, and it will allow all users to log in using this method. Now the other option that we can talk about is the FIDO2 security key. This is an actual hardware key. Actually, what’s interesting is that we talked about Windows Hello for Business. Windows Hello is sort of tied into the entire operating system and the device itself.
So, like I said, I have it on my Surface, and the entire Surface itself is a security device. The Microsoft Authenticator is an app, so it’s software-based authentication. You can install it on your iOS, Windows, or Android device. And this FIDO2 security key is a hardware device. So these are three completely different methods of security, and you may or may not trust one or the other. So this is a hardware device, and these are the ones that are known to work with Microsoft. This type of device can be useful in situations where having a mobile app is just not practical. So this could be a kiosk in a public location. This could be a hospital where you don’t want your nurses and doctors running around with their personal phones and then having to authenticate using the phone. You could have this type of device that is tied to the computer that they’re using, and they provide their fingerprint or their iris or whatever it is. And this is basically enabling them to use their biometrics to connect to Microsoft Azure as an authenticated user. I’m not going to turn this on for now.
We don’t even have a device to play with here. So for the Microsoft Authenticator app, what people are going to see is that they’re going to sign in and provide their email address. We’ve seen this in a number of other places; I think Google does this a lot too, where they’re asking you to compare what’s on your phone with what they’re showing on screen. And if you tap the correct number, then we know that you actually have physical access to your device. And because it’s backwards, where you’re not entering a number, you’re actually having to use the device to get the number, we can be relatively sure that we’ve got the right person. Of course, you can deny access if it’s not you or someone else made a mistake. So this is the concept of passwordless authentication. It’s relatively easy to turn on: go into the Authentication methods settings of the portal and turn on Microsoft Authenticator.
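To make the number-matching exchange concrete, here is an added simulation of the two halves of that sign-in (the browser that shows a number and the phone that must answer with the same number). It is illustration code written for this page, not Microsoft’s service code; the class and method names, the 60-second lifetime and the sample user are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed simulation of Authenticator-style number matching. The push sent to the
# phone carries only a session id; the number itself is shown on the sign-in page, so
# the phone can only answer correctly if its owner is looking at that page.

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of one push request


@dataclass
class Challenge:
    user: str
    number: str        # the two-digit number displayed on the sign-in page
    created: float
    consumed: bool = False


class NumberMatchingService:
    """Hypothetical identity-provider side of the exchange."""

    def __init__(self) -> None:
        self._pending: Dict[str, Challenge] = {}   # keyed by sign-in session id

    def start_sign_in(self, user: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Browser side: the user typed their email. Create a session and the number
        the page will display. Returns (session_id, number_shown_on_screen)."""
        session_id = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"
        created = now if now is not None else time.time()
        self._pending[session_id] = Challenge(user, number, created)
        return session_id, number

    def respond_from_phone(self, session_id: str, number_from_phone: str,
                           now: Optional[float] = None) -> str:
        """Phone side: the user reads the number off the screen and submits it.
        Returns one of: approved, wrong_number, expired, unknown_session, replay."""
        now = now if now is not None else time.time()
        challenge = self._pending.get(session_id)
        if challenge is None:
            return "unknown_session"
        if challenge.consumed:
            return "replay"                    # an approval can only be used once
        if now - challenge.created > CHALLENGE_TTL_SECONDS:
            self._pending.pop(session_id)
            return "expired"
        # Constant-time compare so timing does not leak which digits were right.
        if hmac.compare_digest(challenge.number, number_from_phone):
            challenge.consumed = True
            return "approved"
        self._pending.pop(session_id)          # a wrong answer ends this sign-in
        return "wrong_number"

    def deny_from_phone(self, session_id: str) -> str:
        """The 'it wasn't me' button: invalidates the pending sign-in."""
        if self._pending.pop(session_id, None) is None:
            return "unknown_session"
        return "denied"


if __name__ == "__main__":
    svc = NumberMatchingService()
    sid, shown = svc.start_sign_in("alice@example.com")   # constructed user
    print("screen shows", shown, "->", svc.respond_from_phone(sid, shown))
```

The point of the design is in `respond_from_phone`: a push that is simply tapped “approve” without the number from the screen has a one-in-a-hundred chance of matching, and a wrong answer or a deny ends the attempt, which is what makes this stronger than a plain approve/deny prompt.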
2. Password Protection
Let’s talk about password protection now that we’re in the Authentication methods service. This is a requirement of this exam as well. I mean, it’s fairly basic. It’s talking about somebody basically trying to log in with their password. We’re not talking about MFA or any of the other methods that are available. How many attempts can they make before the account is locked out? Ten seems quite generous. If it were me, I would only allow three or four attempts and then say you are locked out. The duration is only 60 seconds. Again, that seems quite small, although it does increase with each subsequent lockout, whether it’s the second lockout or the third lockout. I think five minutes is a reasonable amount of time: if you can’t remember your password after four attempts, waiting five minutes is a reasonable request.
Interesting: a set of banned passwords. So let’s say you want your company name to not be an allowed password. I could say that in my case, GetCloudSkills is not an allowed password. I can also say “password” is not a valid password, and other such things. This is just banning particular words from being part of your password. It helps increase the security of your passwords. We can enable password protection on Windows Server Active Directory. So, if we have domain controllers installed within Azure, which we don’t by default but could if you installed some Azure domain servers, this is a setting for that. And I’m not sure why this is a setting at all, but this will be for the banned password list: do we want just to record that they’re using bad passwords, or do we want to stop them from using bad passwords? So these are the password protection settings within Authentication methods under Azure AD Security.
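The two settings just walked through (the lockout threshold and duration, and the custom banned password list) are easier to reason about with a small model of what enforcement does. The block below is an added example written for this page, not Microsoft’s implementation: the substitution table, the point-scoring rule, the five-point minimum and the “duration multiplied by the number of lockouts” escalation are simplifying assumptions, while the threshold of 10 and duration of 60 seconds are the portal defaults mentioned above and `GetCloudSkills` and `password` are the two banned words from the lecture.

```python
import time
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of the password protection settings: a banned-password check and
# a lockout counter. Not Microsoft's algorithm; scoring and escalation are assumptions.

LOCKOUT_THRESHOLD = 10          # failed attempts before lockout (portal default)
LOCKOUT_DURATION_SECONDS = 60   # length of the first lockout (portal default)
MIN_SCORE = 5                   # assumed minimum score for an acceptable password

CUSTOM_BANNED: List[str] = ["GetCloudSkills", "password"]

# Assumed look-alike substitutions folded away before matching, so "P@ssw0rd"
# is still caught as "password".
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i", "3": "e"})


def normalise(pw: str) -> str:
    """Lower-case and undo the common character substitutions."""
    return pw.lower().translate(SUBSTITUTIONS)


def evaluate_password(pw: str, banned: List[str] = CUSTOM_BANNED,
                      min_score: int = MIN_SCORE) -> Dict[str, object]:
    """Each banned word found counts as one point; every character not part of a
    banned word counts as one point; reject below min_score."""
    remaining = normalise(pw)
    hits: List[str] = []
    # Longest words first so "password" is matched before a shorter substring of it.
    for word in sorted((normalise(w) for w in banned), key=len, reverse=True):
        while word and word in remaining:
            remaining = remaining.replace(word, "", 1)
            hits.append(word)
    score = len(hits) + len(remaining)
    return {"accepted": score >= min_score, "score": score, "banned_hits": hits}


@dataclass
class LockoutState:
    failures: int = 0
    lockouts: int = 0        # completed lockouts so far; drives the escalation
    locked_until: float = 0.0


class SmartLockout:
    """Hypothetical per-user lockout counter."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD,
                 duration: int = LOCKOUT_DURATION_SECONDS) -> None:
        self.threshold = threshold
        self.duration = duration
        self._state: Dict[str, LockoutState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one sign-in attempt. Returns ok, wrong_password or locked."""
        s = self._state.setdefault(user, LockoutState())
        if now < s.locked_until:
            return "locked"                      # rejected without checking the password
        if password_ok:
            s.failures = 0
            return "ok"
        s.failures += 1
        if s.failures >= self.threshold:
            s.failures = 0
            s.lockouts += 1
            s.locked_until = now + self.duration * s.lockouts   # assumed escalation
            return "locked"
        return "wrong_password"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "GetCloudSkills!", "Correct-Horse-Battery"]:
        print(candidate, evaluate_password(candidate))
    lock = SmartLockout()
    t0 = time.time()
    results = [lock.attempt("alice", False, t0 + i) for i in range(LOCKOUT_THRESHOLD)]
    print("10th failed attempt ->", results[-1])
```

Note the two defensive details that the portal settings imply: attempts made while locked are refused without evaluating the password, so the counter cannot be used to confirm a guess, and the second lockout lasts longer than the first, which matches the “it does increase” behaviour described above.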
3. Self-Service Password Reset
So the next Azure feature we’ll talk about is called self-service password reset. Now, believe it or not, the users within your Active Directory do not have a feature to update their own passwords unless you enable it. And so if we go down under Settings to Password Reset, you can see that self-service password reset is set to none by default. We can allow selected users to reset their password. As an example, we can say that only users in the teachers group are permitted to reset their own password. And you might ask what would happen if a user were to forget their password or get locked out.
Well, the expectation would be that they would contact your support team, open a ticket, or whatever that is. But if you want to allow users to create and update their own passwords, then you can change the setting to “selected” or “all” and click Save. So this is going to allow users to proactively update their own passwords. Administrators, as stated, are always enabled for self-service password reset. One implication of this is that if you use on-premises Active Directory and synchronise it with the cloud, allowing users to update their passwords in the cloud means that those passwords must be pushed back to the on-premises directory in order to maintain synchronization.
So this is going to be in the Azure AD Connect settings, which I don’t believe we talk about in this course. I’m just checking to make sure. So Azure AD Connect and connecting Azure Active Directory to the on-premises environment are not discussed in this exam. But the implication is that you do need to push passwords back to the master server, which would be the on-premises Active Directory if you were synchronising that. So we can see that the settings are fairly straightforward. You simply go into Password reset and set it. Looking at some of the other properties listed here, we can say, for example, that you require multi-factor authentication: if they do want to reset their password, do they then need to provide one or two other methods of authentication? How do they reset their password? It can be reset using an email or SMS code. You can enable mobile apps, mobile codes, and security questions, which we haven’t really talked about much. You can’t use security questions as multi-factor authentication, but you can use them to reset a password. The registration feature means that, obviously, in order to reset your password, you need to have an alternative email or SMS phone number on file; the first time users log in, do they need to provide this information so that you have it in your AD? That’s certainly fair for security purposes. You do want to notify people when their passwords are changed so that hackers are not changing passwords without any kind of notification. And there’s a feature here to notify administrators when other administrators reset their passwords; it defaults to no.
So just like with the portal customization, you can obviously customise the link to the password reset, and if there’s a help desk that you can point them to, there’s a URL that you can provide. We were just talking about Azure AD Connect, and so we don’t have on-premises integration enabled, but if we did, we would have the option of writing the password back to the directory. And of course in Azure Active Directory, you want administrators to be treated a little bit differently. For them, self-service password reset is enabled by default, and they do need to provide, say, their email in order to get the link. These are the methods, and as you can see, we can’t edit it; it’s just information at this point. So that’s the password reset link within your account settings here, which is not enabled by default for most users. If you want them to be able to manage themselves, you certainly can enable it. Obviously, there’s a security risk to having users be able to say, “I forgot my password,” have an email sent to them, and things like that. There’s a certain security risk, but the downside of not allowing it is that you’re going to get those support tickets.
4. Enable Tenant Restrictions
So the last feature of Azure user authentication that we’ll talk about is the concept of managing tenant restrictions to limit the tenants that the users in your organisation can log into. Now, the last I heard, there are more than 5 million organisations that use Azure AD. So there are currently over 5 million tenants running within Azure, and I’m sure that number just keeps going up. Now, your organisation may only have one, two, or three tenants. So, from this universe of 5 million, you might want to restrict and limit the tenants into which your users can log in. And there is a way to do this. So if you have this need to be very restrictive in terms of what websites your users visit, who they log in as, etc., then you can implement what’s called “tenant restrictions.” Now, this is done by injecting a header into outgoing HTTP requests.
So you’re going to do this at the router level, where your organisation is sending traffic out onto the web. You can inject this header, the header is going to contain a list of the permitted tenants, and Microsoft Azure is going to honour that list. So this is not something that the user controls; this is something that the client controls. It’s injected along the way. And again, Microsoft Azure is going to block users from logging into a tenant that’s not on that list. And what we can see is that if somebody tried to log into, let’s say, their Xbox account or Skype, and that was blocked by your organization, then they’re going to see a message like this. So, yeah, basically, that’s done by injecting headers into the outbound traffic. We should point out that you can review some reports relating to this right off of the tenant home page, the overview page. There is a list of tenant restrictions that you can see again if something has been blocked. If you are using the tenant restrictions in the headers that leave with your traffic, you can see them reported on under the tenant restrictions.
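Here is an added example, written for this page rather than taken from Microsoft or from the course, of the two sides of that header injection: the outbound proxy that adds the header to requests bound for the Microsoft login endpoints, and a stand-in for the login service that honours the list. The header names `Restrict-Access-To-Tenants` and `Restrict-Access-Context` and the three login hostnames are the ones Microsoft documents for tenant restrictions; the permitted tenant names, the directory id placeholder, the sample URLs and the function names are assumptions.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Constructed example of tenant restrictions: proxy-side header injection and a toy
# login service that enforces the list. Tenant names and the directory id are made up.

ALLOWED_TENANTS: List[str] = ["getcloudskills.onmicrosoft.com", "contoso.com"]
RESTRICTING_TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder directory id

# Login endpoints that receive the headers (documented set for tenant restrictions).
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}


def inject_tenant_restriction_headers(url: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Proxy side: add the two headers only on requests to the login endpoints.
    Other traffic is passed through unchanged."""
    host = (urlparse(url).hostname or "").lower()
    out = dict(headers)
    if host in LOGIN_HOSTS:
        out["Restrict-Access-To-Tenants"] = ",".join(ALLOWED_TENANTS)
        out["Restrict-Access-Context"] = RESTRICTING_TENANT_ID
    return out


def requested_tenant(url: str) -> str:
    """The tenant segment of a login URL, e.g. /contoso.com/oauth2/v2.0/authorize."""
    path = urlparse(url).path.strip("/")
    return path.split("/")[0].lower() if path else ""


def simulate_login_service(url: str, headers: Dict[str, str]) -> str:
    """Stand-in for the identity provider: if the request carries a permitted-tenant
    list, a sign-in to any tenant outside it is blocked. Returns allowed or blocked."""
    allow = headers.get("Restrict-Access-To-Tenants")
    if allow is None:
        return "allowed"                      # no policy attached, nothing to enforce
    permitted = {t.strip().lower() for t in allow.split(",") if t.strip()}
    return "allowed" if requested_tenant(url) in permitted else "blocked"


def sign_in_through_proxy(url: str) -> str:
    """End-to-end: a user's browser request leaves via the proxy, then hits the login
    service. Reported back as allowed/blocked, the same outcome the user would see."""
    outbound = inject_tenant_restriction_headers(url, {"User-Agent": "example-browser"})
    return simulate_login_service(url, outbound)


if __name__ == "__main__":
    for target in ["https://login.microsoftonline.com/contoso.com/oauth2/v2.0/authorize",
                   "https://login.microsoftonline.com/fabrikam.com/oauth2/v2.0/authorize"]:
        print(target, "->", sign_in_through_proxy(target))
```

Two practical points follow from the code. The proxy can only add a header to a request it can see, so for HTTPS traffic to the login hosts it has to terminate TLS (with a certificate the clients trust); that is why the lecture says this happens at the router or proxy level rather than on the user's machine. And because enforcement happens at Microsoft's end, a request that reaches the login service by any path that bypasses the proxy carries no list and is not restricted, so the egress path needs to be the only one.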