Freshly brewed with Microsoft Azure and Microsoft 365

Month: April 2022

Backup and Restore Microsoft Authenticator App

Using Multi-Factor Authentication (MFA) in conjunction with the Microsoft Authenticator app significantly increases identity security.

The Microsoft Authenticator app can store credentials from Microsoft services and others. A user does not need to install multiple applications for the same tasks.

But what happens if the mobile phone with the Microsoft Authenticator app is lost or replaced? Does all account information have to be re-registered manually?

Azure AD: Roll over Kerberos decryption key

Users can use the same credentials for on-premises and cloud-based services with Seamless SSO. There is no need for recurring prompts to enter credentials between services. The necessary data are automatically synced between Active Directory and Azure Active Directory.

When configuring Seamless SSO, the computer account “AZUREADSSOACC” is created in Active Directory. For security reasons, the Kerberos decryption key of this account should be rolled over every 30 days.

Microsoft Entra Privileged Identity Management (PIM): Request Microsoft Entra roles or Microsoft Azure roles by User

Microsoft Entra Privileged Identity Management (PIM) optimizes the management of privileged roles for Microsoft Azure and Microsoft 365 resources. This contributes to the improvement of the security standards of cloud services. An additional feature is Just-in-Time authorization, where a user is granted elevated privileges only for the period in which they are actually needed. This minimizes the risk of misuse and unauthorized access.

This guide explains how a user can request a Microsoft Entra role or Microsoft Azure role for a specific period of time and how an administrator can efficiently manage these requests.

Microsoft Entra Privileged Identity Management (PIM): Basic Configuration

Microsoft Entra Privileged Identity Management (PIM) manages and monitors access to Microsoft Entra roles and Microsoft Azure roles. Access to Azure resources and Microsoft online services is on-demand and time-restricted.
Users can request privileged roles online. An administrator can then approve or deny the request. The role is removed automatically after the specified duration expires.

Microsoft Entra Privileged Identity Management (PIM) can minimize the following risks:

  • The number of users holding privileged roles, and the duration of their authorization, are reduced to a minimum
  • Users are better protected against accidental compromise of sensitive data (no unnecessary privileged roles when they are not needed)
  • Attackers do not gain privileged access

This guide configures Microsoft Entra Privileged Identity Management (PIM) for Microsoft Entra roles and Microsoft Azure roles.

Protect user accounts with Microsoft Entra Smart Lockout

Microsoft Entra Smart Lockout is a service that monitors all sign-ins to Microsoft Entra ID. Using various mechanisms, Microsoft Entra Smart Lockout detects an attack on user accounts and locks them out. Among other things, it detects password-guessing and brute-force attacks.

After 10 failed attempts, Microsoft Entra Smart Lockout locks the account for 1 minute. You can adjust these default values to your own needs.
