Azure AD is a centralized identity provider in the cloud, and authentication is the process of verifying that you are who you say you are. It helps protect a user’s identity and also simplifies the login experience. The Microsoft identity platform makes it easy to authorize and authenticate by providing identity as a service.
In Azure AD, authentication entails more than just verifying a username and password. Azure AD authentication includes components that raise security and reduce the number of help desk calls. These components include the following:
■ Azure AD Multifactor Authentication
■ Hybrid integration to enforce password protection policies in an on-premises environment
■ Hybrid integration to write password changes back to the on-premises environment
■ Passwordless authentication
■ Self-service password reset
Azure AD Multifactor Authentication
Azure AD Multifactor Authentication allows you to choose from a variety of authentication methods during sign-in, such as receiving a phone call, receiving a text message, or entering a verification code from an authenticator app (as seen in Figure 10.12).
Requiring a second form of authentication raises the bar for an attacker. A password alone can be guessed, phished, or recovered from a breach, so relying on it as the only factor leaves the account exposed.
Azure AD Multifactor Authentication works by requiring two or more of the following:
■ Something you know, such as a password
■ Something you have, such as a trusted device, like a phone or hardware key, that cannot be easily duplicated
■ Something you are, such as biometrics like a fingerprint or face scan
Password Protection
By default, Azure AD blocks weak passwords. An example of a weak password is Password1. Weak and known passwords are added to a global banned password list that is enforced and updated automatically. Therefore, if a user tries to use one of the passwords on the list, they receive a message that they must choose a more secure password.
FIGURE 10.12 Multifactor authentication methods
To boost your security, you can also define a custom banned password list. The custom list is evaluated with the same normalization and fuzzy matching as the global list, so variations of organization names, product names, or office locations (for example, with character substitutions or a digit appended) are blocked as well.
You can also incorporate Azure AD password protection with an on-premises AD environment to create hybrid security. An on-premises proxy service retrieves the global banned password list and the custom banned password list from Azure AD, and an agent installed on each domain controller uses both when it processes password change events. This ensures that strong passwords are enforced regardless of where a user changes their password.
Passwordless Authentication
Passwordless authentication is an authentication method that will allow your users to obtain access without answering any security questions or entering a password. This eliminates the requirement of a user to create and remember passwords.
To strengthen security, improve the user experience, and help reduce operational expenses, passwordless authentication can be combined with multifactor authentication (MFA) and single sign-on (SSO) solutions.
When signing in with a passwordless method such as Windows Hello for Business or a FIDO2 security key, the credential is a private key bound to the device and unlocked locally by a biometric (for example, a fingerprint) or a PIN. The key never leaves the device, so it cannot be phished, replayed, or reused the way a password can, and an attacker cannot easily duplicate it.
Planning Azure AD Authentication Options
Self-Service Password Reset (SSPR)
Self- service password reset allows a user to change or reset their password without any assistance from the help desk or the administrator. If a user gets locked out of their account or cannot remember their password, they can simply follow prompts to get themselves back into the system. This ability reduces the number of help desk service calls and prevents loss of employee productivity. SSPR allows users to:
Change Their Password This is used when the user knows their password and wants to change it.
Reset Their Password This is used when the user cannot sign in, because they forgot their password and want to reset it.
Unlock Their Account This is used when the user cannot sign in because the account is now locked and they want to unlock it.
To Enable Self-Service Password Reset
Azure AD allows you to set SSPR to None, Selected, or All Users (see Figure 10.13). With the Selected option, the Azure portal lets you enable only one Azure AD group for SSPR.
- Using an account with global administrator permissions, sign in to the Azure portal.
- Search for and select Azure Active Directory, then select Password Reset from the menu on the left side.
- From the Properties page, under the option Self-Service Password Reset Enabled, choose Selected.
- If your group isn’t visible, choose No Groups Selected, browse for and select your Azure AD group, and then choose Select.
- To enable SSPR for the selected users, select Save.