Microsoft Entra: Roll Over Kerberos Decryption Key
With Seamless Single Sign-On (Seamless SSO), users can leverage the same credentials for both on-premises and cloud-based services. Repeated authentication prompts between these environments are eliminated, as authentication data is automatically exchanged between Active Directory and Microsoft Entra. As part of the Seamless SSO configuration, a computer account named AZUREADSSOACC is created in the on-premises Active Directory. For security reasons, Microsoft recommends rotating the associated Kerberos decryption key every 30 days.
Microsoft Entra Privileged Identity Management (PIM): Request Microsoft Entra roles or Microsoft Azure roles by User
Microsoft Entra Privileged Identity Management (PIM) optimizes the management of privileged roles for Microsoft Azure and Microsoft 365 resources. This contributes to improving the security standards of cloud services. An additional feature is Just-in-Time authorization, where a user is granted elevated privileges only for the period in which they are actually needed. This minimizes the risk of misuse and unauthorized access. This guide explains how a user can apply for a Microsoft Entra role or Microsoft Azure role for a specific period of time and how an administrator can efficiently manage these requests.
Microsoft Entra Privileged Identity Management (PIM): Basic Configuration
Microsoft Entra Privileged Identity Management (PIM) manages and monitors access to Microsoft Entra roles and Microsoft Azure roles. Access to Azure resources and Microsoft online services is on-demand and time-restricted. Users can request privileged roles online. An administrator can approve or deny the request afterwards. The role is removed automatically once the specified duration expires. Microsoft Entra Privileged Identity Management (PIM) can minimize the following risks: This guide configures Microsoft Entra Privileged Identity Management (PIM) for Microsoft Entra roles and Microsoft Azure roles.
Protect user accounts with Microsoft Entra Smart Lockout
Microsoft Entra Smart Lockout is a service that monitors all logins to Microsoft Entra ID. Using various mechanisms, Microsoft Entra Smart Lockout detects an attack on user accounts and locks them out. Among other things, it detects attempts to guess users' passwords and brute-force attacks. After 10 failed attempts, Microsoft Entra Smart Lockout locks the account for 1 minute. You can adjust these default values to your own needs.
Enable Enterprise State Roaming in Azure Active Directory
Windows 10 and Windows 11 synchronize user settings to the Azure Cloud via Enterprise State Roaming. Application settings are thus the same on every device a user logs on to. When a new device is installed, many settings are already present. Enterprise State Roaming encrypts the data with Azure Rights Management (Azure RMS) and synchronizes it to the Azure Cloud. Enterprise State Roaming is well suited for enterprise devices that are used in different locations outside the usual office premises. Unlike roaming profiles, Enterprise State Roaming does not require a connection to on-premises servers.
Microsoft Entra Hybrid Join: The Configuration Guide for Administrators
Microsoft Entra Hybrid Join is an identity solution that allows devices to authenticate in both a Windows Server Active Directory domain and Microsoft Entra ID. This provides companies with the flexibility and security they need to effectively manage resources while ensuring a high level of security. Microsoft Entra ID is built with global high availability. In conjunction with features such as seamless single sign-on (SSO) or Microsoft Entra Conditional Access, Microsoft Entra ID offers additional features that significantly increase security and can only be implemented at a high cost with a pure Windows Server Active Directory infrastructure. With Microsoft Entra Hybrid Join, you get the best of both worlds (local…