Authentication capabilities of Azure AD

Authentication capabilities of Azure AD

https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/

MFA in Azure AD

• MFA requires more than one form of verification instead addition to just a password
• Other forms could be a trusted device or a fingerprint
• This prevents access to an account by an attacker even though they have the username and password; they are missing the trusted device or fingerprint
• it is quite simple for users and commonly used in all services be it enterprise or consumer
• Something you know such as a password or PIN
• Something you have such as a trusted device like a mobile phone running an app
• Something you are such as biometrics like a fingerprint or face scan
• MFA is part of Azure AD sign-on events
• Azure AD handles this for you when enabled with no changes to the service being accessed
• The admin can choose from the following forms of verification
  • Microsoft Authenticator app
  • SMS
  • Voice call
  • OATH hardware token (RSA key for example)

Security defaults and MFA

• These are the basic identity mechanisms recommended by Microsoft
• When enabled they will be automatically enforced
• An easy way to allow any organization to have baseline security enabled at no cost (available in Azure AD Free tier)
• The defaults include
  • Enforcing MFA for all users
  • Forcing MFA for administrators
  • Requiring all users to complete multi factor authentication when needed

Different authentication methods of Azure AD

Passwordless authentication

• Based on something you are (biometric) rather than something you know (password)
• Windows Hello uses biometrics and not password
• A fingerprint scan or a FIDO2 device is something you are
• Passwordless authentication with Azure AD includes the following options
  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security key

Microsoft Authenticator app

• A mobile phone app
• Can use biometrics
• Works on iOS and Android
• During the logon event if the user chooses authenticator as the MFA then request is pushed to the device where the user then has to approve/deny

Windows Hello for Business

• Biometric
• Hand, iris, face or fingerprint

OATH

• Open Authentication (OATH)
• Open standard
• Specifies how time-based one-time password (TOTP) codes are generated
• Can be an app or physical device
• When used the OATH token presents the user with a PIN code that last for only 30-60 seconds which the user enters into the challenge/response option during the logon event

Phone

• SMS
• Voice call

Windows Hello for Business

• Built into Windows 10
• Replaces passwords with two-factor authentication on PC and mobile
• User credential is tied to the device and uses biometric or PIN
• User can authenticate to:
  • Microsoft account
  • Active Directory account
  • Azure Active Directory account
  • IdP that supports FIDO2
• PIN and biometric data is stored on the local device and never sent externally

Windows Hello convenience PIN is configured by the user and is not backed by asymmetric or certificate-based authentication

Windows Hello for Business is configured by group policy or MDM policy such as Intune. The PIN or biometric data is backed by key-based or certificate-base authentication making it more secure than convenience PIN

Why is Hello safer than a password?

• Whilst a PIN is similar to a password it is tied to a particular device meaning that even knowing the PIN is alone usless as you also need the device to logon
• A password is transmitted to the IdP meaning it could be stolen in transit
• Windows Hello is backed by a TPM (trusted platform module) chip which is a secure cryptographic processor designed for cryptographic operations and is also tamper resistant.

Self-service password reset (SSPR) in Azure AD

• Allows users to change or reset their password without assistance from IT
• If the account is locked or password is forgotten the user can follow prompts to fix the account
• Passwords reset using SSPR can be written back to on-premises AD

Password change

Password reset

Account unlock

To use SSPR a user must be:

• Assigned a license
• Enabled for SSPR
• Registered with the authentication methods; two or more are required
  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile phone
  • Office phone
  • Security questions

Password protection and management capabilities of Azure AD

• Password protection reduces the risk of weak passwords
• It detects and block known weak passwords and variants
• Default global banned passwords are automatically applied to all users in an Azure AD tenant
• Business defined password lists can also be maintained
• User passwords are checked against these lists when they are changed
• Requires Azure AD P1 or P2

Banned password lists

Global banned password list

• Automatically updated by Microsoft
• Examples are Pa$$w0rd or Passw0rd1 and all variations
• Variations are exposed by an algorithm transposing the text from a 1 to l so all variations of a weak password can be handled
• The list if enforced and cannot be changed
• If a user tries to use a globally banned password they receive a notification asking them to use a more secure one
• The list is made up of real-world password spray attack data

Custom banned password list

• Created by the business and works in addition to the global list
• Often used to stop users using business specific passwords that use company names or locations

Protecting against password spray

• This attack uses weak a few passwords against all users
• Password protection blocks this by not allowing weak passwords in the first place

Hybrid security

• Integrates Azure AD password protection with on-premises AD
• A service installed in the on-premises environment receives banned password lists from Azure AD
• An on-premises DC uses the lists to process password change events
• Means users are protected whether they change their password in Azure AD or on-premises AD