Freshly brewed with Microsoft Azure and Microsoft 365

Month: April 2022

Backup and Restore Microsoft Authenticator App

Using Multi-Factor Authentication (MFA) in conjunction with the Microsoft Authenticator app significantly increases identity security.

The Microsoft Authenticator app can store credentials from Microsoft services and others. A user does not need to install multiple applications for the same tasks.

But what happens if the mobile phone with the Microsoft Authenticator app is lost or replaced? Do all account information have to be re-registered manually?

Azure AD: Roll over Kerberos decryption key

Users can use the same credentials for on-premises and cloud-based services with Seamless SSO. There is no need for recurring prompts to enter credentials between services. The necessary data are automatically synced between Active Directory and Azure Active Directory.

When configuring Seamless SSO, the computer account “AZUREADSSOACC” is created. For security reasons, the Kerberos encryption key for this account should be rolled over every 30 days.

This tutorial describes how to manually roll over the Kerberos decryption key every 30 days.

Privileged Identity Management (PIM): Request Azure Roles by User

Privileged Identity Management (PIM) simplifies administration of privileged access to resources in Azure and Microsoft 365. This enhances the security of cloud services. A user get priviliged access only for the period in which they are really necessary (Just-in-Time).

This guide shows how the user can request an Azure role for a specific period of time and how an administrator manages this request.

Privileged Identity Management (PIM): Basic Configuration

Privileged Identity Management (PIM) manages and monitors access to Azure roles. Access to Azure resources and Microsoft online services is on-demand and time-restricted.
Users can request privileged roles online. An administrator can approve or deny the request afterwards. The role removes automatically after the specified duration expires.

Privileged Identity Management (PIM) can minimize the following risks:

  • Number of users and their authorization duration on privileged roles are reduced to a minimum
  • Users are better protected against accidental compromise of sensitive data. (no unnecessary privileged roles when they are not needed).
  • Attackers do not get privileged access

This guide configures Privileged Identity Management (PIM) for Azure AD and Azure Roles.

Protect user accounts with Azure AD Smart Lockout

Azure AD Smart Lockout is a service that monitors all logins to Azure Active Directory. Using various mechanisms, Azure AD Smart Lockout detects an attack on user accounts and locks them out. Among others, it detects try to guess users passwords or brute force attacks.

After 10 failed attempts, Azure AD Smart Lockout locks the account for 1 minute. You can adjust these default values to your own needs.

Azure AD Smart Lockout does not work with Azure AD Connect passthrough authentication (PTA) as authentication happens on the on-premises Active Directory and not in Azure Active Directory.

Powered by WordPress & Theme by Anders Norén