Meet Microsoft Entra

Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:

  • Protect access to any app or resource for any user across hybrid, multicloud, and beyond;
  • Secure and verify every identity, including employees, customers, partners, apps, devices, and workloads;
  • Provide only necessary access by discovering and right-sizing permissions, and managing access lifecycles for any identity; and
  • Simplify the human experience with simple sign-in, intelligent security, and unified administration.

But what is Microsoft Entra, really? A unified portal for securing and managing every identity. The Microsoft Entra admin center brings identity and access management, multicloud permissions management, and administration of verifiable credentials together in one place.

When does Entra launch? On May 31st.

And what happens to my Azure AD? Azure AD continues to be the foundational infrastructure for all new products in the Microsoft Entra family. Innovation and investment in Azure AD continue, including the popular Application Gallery, Conditional Access, multifactor authentication, passwordless, and more.

Will I still be able to access my Azure AD admin portal? Short answer: yes. Long answer:

  1. The Azure AD admin center (aad.portal.azure.com) will continue to function for the next 12-18 months, and then redirect to entra.microsoft.com in 2023 after extensive customer notice.
  2. The Azure portal at portal.azure.com will also continue to offer Azure AD for Azure customers.
  3. The M365 portal Azure AD admin page will be redirected to entra.microsoft.com later this summer.

So, can I buy Microsoft Entra? Microsoft Entra is a product family. The products within Microsoft Entra are available for sale individually, but there is no Entra bundle to purchase.

Does this new product family have an impact on licenses or billing? No, but if you are interested in using Microsoft Entra Permissions Management you will need to obtain a license for that solution. Microsoft Entra Verified ID is a free service, but some scenarios integrated with Azure AD capabilities may require an Azure AD P1 or P2 license as a prerequisite.

More info at: Secure access for a connected world—meet Microsoft Entra – Microsoft Security Blog

Conditional Access extension for Chrome

If you are implementing Conditional Access in your company and struggling with Windows 10 devices and Chrome support, you will probably want to read this Docs page: https://docs.microsoft.com/es-es/azure/active-directory/conditional-access/concept-conditional-access-conditions#chrome-support

But in this post I want to talk about something related to it. In one of my projects, I have a CA policy that requires one of the following selected controls: Require MFA or Require Hybrid Azure AD joined device.

My device was Hybrid joined, so I was fulfilling one of the requirements; for example, when I was accessing with IE or Edge, the device info was passed properly and MFA was bypassed for Hybrid AAD joined machines.

But with Chrome, even with the Windows 10 Accounts extension pushed via GPO, I could see in the Azure sign-in logs that the device info was blank except for Browser and OS, so the AAD join status was not being passed and MFA triggered. It was very weird and was causing me some problems...

So finally, after hours of troubleshooting, I figured out what was wrong. When the extension is installed automatically, it doesn't clear some cookies, and Chrome then keeps trying the old way of logging in. So what you need to do is go to chrome://settings/content/all and delete the cookies for login.microsoftonline.com.

After doing that, everything worked perfectly. Keep that in mind!
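As an added example (not part of the original post), the following PowerShell script runs the two client-side checks I would do before blaming the cookies: is the machine actually reporting Hybrid Azure AD join (and holding a PRT) according to dsregcmd, and is the Windows 10 Accounts extension really in Chrome's ExtensionInstallForcelist policy? The extension ID below is the one Microsoft documents for the Windows 10 Accounts extension; treat it as an assumption and compare it with the value in your own GPO.

```powershell
# Added example, not from the original post: client-side prerequisites for
# device-state Conditional Access in Chrome on a Hybrid Azure AD joined machine.
# Assumption: this is the extension ID Microsoft documents for the
# "Windows 10 Accounts" extension; verify it against your own GPO.
$Win10AccountsExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'

function Get-DsregStatus {
    # Parse 'dsregcmd /status' into a hashtable of "Key" = "Value"
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1].Trim()] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoin {
    param([hashtable]$Status)
    # Hybrid Azure AD joined = on-premises domain joined AND Azure AD joined
    return ($Status['AzureAdJoined'] -eq 'YES' -and $Status['DomainJoined'] -eq 'YES')
}

function Test-ChromeForcelist {
    param([string]$ExtensionId)
    # Chrome reads forced extensions from this policy key; each numbered value
    # is "<extension id>;<update url>"
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (-not (Test-Path $key)) { return $false }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($values | Where-Object { $_ -like "$ExtensionId*" })
}

$status = Get-DsregStatus
'AzureAdJoined : {0}' -f $status['AzureAdJoined']
'DomainJoined  : {0}' -f $status['DomainJoined']
# Without a Primary Refresh Token the extension has nothing to hand to login.microsoftonline.com
'AzureAdPrt    : {0}' -f $status['AzureAdPrt']

if (-not (Test-HybridJoin $status)) {
    Write-Warning 'Device is not Hybrid Azure AD joined; the "Require Hybrid AAD joined device" control cannot be satisfied.'
}
if ($status['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No Azure AD PRT on this device; device state will not reach Azure AD from any browser.'
}
if (-not (Test-ChromeForcelist $Win10AccountsExtensionId)) {
    Write-Warning 'Windows 10 Accounts extension is not in the Chrome ExtensionInstallForcelist policy.'
}
else {
    Write-Output 'Extension is force-installed. If the sign-in logs still show blank device info, clear the cookies for login.microsoftonline.com in chrome://settings/content/all and sign in again.'
}
```

Run it in an elevated PowerShell on the affected Windows 10 device. If all three checks pass and the sign-in log still shows only Browser and OS, you are in the stale-cookie situation described above.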

How to protect your identity in the Cloud

Lately I have blogged about security in the cloud, but as many of you know, most security breaches happen when attackers gain access to an environment by stealing a user's identity.

It is relatively easy for attackers to gain a foothold by compromising low-privileged user accounts and then escalating from there to highly privileged ones.

Because of this, we must:

  • Protect all identities regardless of their privilege level
  • Proactively prevent compromised identities from being abused

For example, Azure has the following services for identity management:

  • Single sign-on
  • Role-based access control
  • Reverse proxy (Application Proxy)
  • Device registration
  • Hybrid identity management / Azure AD Connect

But what about identity protection? We can find the following features...

Azure Multi Factor Authentication

I have talked about MFA before: strong passwords plus a second layer of authentication. For me, deploying it in companies is essential nowadays. Even if a user's password is compromised, the attacker still needs the second factor to sign in, so the password alone does not give access to your data and applications.

Security monitoring, alerts, and machine learning-based reports

With AAD it is possible to monitor and secure identities, as well as produce reports that give a comprehensive view of activity in the cloud. For example:

  • Do you want to know who signed in to your cloud applications, when, to which application, and from where? Check the AAD Sign-ins report.
  • Do you want to know who performed which activity and when? Check the AAD Audit Logs report.
  • Do you want to know which identities are at risk? Check the AAD Users Flagged for Risk report.
  • Do you want to know the risk events, such as users who signed in from an anonymous IP address? Check the AAD Risk Events report.
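The reports above can also be exported as JSON and triaged offline. The following PowerShell is an added example, not part of the original post or of any Microsoft tooling: it answers the four report questions against an exported sign-in log and, at the same time, spots the Chrome symptom from the previous post (a Windows sign-in that was forced to MFA because no device trust type reached Azure AD). The embedded JSON is constructed sample data shaped like the Microsoft Graph signIn resource (the same schema the portal's JSON download uses); the field names are real, the users, IPs and apps are invented.

```powershell
# Added example, not from the original post: offline triage of an exported
# Azure AD sign-in log. CONSTRUCTED sample data; only the schema is real.
$SampleSignIns = @'
[
  { "createdDateTime": "2019-10-01T08:02:11Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
    "location": { "city": "Madrid", "countryOrRegion": "ES" },
    "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes_v2": [],
    "conditionalAccessStatus": "success", "authenticationRequirement": "singleFactorAuthentication",
    "deviceDetail": { "operatingSystem": "Windows 10", "browser": "Edge 18.0", "trustType": "Hybrid Azure AD joined", "isCompliant": true },
    "status": { "errorCode": 0 } },
  { "createdDateTime": "2019-10-01T08:05:40Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
    "location": { "city": "Madrid", "countryOrRegion": "ES" },
    "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes_v2": [],
    "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
    "deviceDetail": { "operatingSystem": "Windows 10", "browser": "Chrome 77.0.3865", "trustType": "", "isCompliant": false },
    "status": { "errorCode": 0 } },
  { "createdDateTime": "2019-10-01T03:14:02Z", "userPrincipalName": "bob@contoso.example",
    "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.77",
    "location": { "city": "", "countryOrRegion": "" },
    "riskLevelDuringSignIn": "high", "riskState": "atRisk", "riskEventTypes_v2": ["anonymizedIPAddress"],
    "conditionalAccessStatus": "failure", "authenticationRequirement": "multiFactorAuthentication",
    "deviceDetail": { "operatingSystem": "Linux", "browser": "Firefox 69.0", "trustType": "", "isCompliant": false },
    "status": { "errorCode": 53003, "failureReason": "Blocked by Conditional Access" } }
]
'@

function Get-RiskySignIns {
    param([object[]]$SignIns)
    # Risk Events report equivalent: anything Identity Protection scored medium/high or marked atRisk
    $SignIns | Where-Object {
        $_.riskLevelDuringSignIn -in @('medium', 'high') -or $_.riskState -eq 'atRisk'
    }
}

function Get-SignInsWithoutDeviceState {
    param([object[]]$SignIns)
    # The Chrome symptom: MFA was demanded on a Windows device whose join state
    # never reached Azure AD (trustType blank, only OS and browser populated)
    $SignIns | Where-Object {
        $_.authenticationRequirement -eq 'multiFactorAuthentication' -and
        [string]::IsNullOrEmpty($_.deviceDetail.trustType) -and
        $_.deviceDetail.operatingSystem -like 'Windows*'
    }
}

$signIns = $SampleSignIns | ConvertFrom-Json

'== Risky sign-ins =='
Get-RiskySignIns $signIns | ForEach-Object {
    '{0} {1} app={2} ip={3} risk={4} events={5} ca={6}' -f $_.createdDateTime, $_.userPrincipalName,
        $_.appDisplayName, $_.ipAddress, $_.riskLevelDuringSignIn, ($_.riskEventTypes_v2 -join ','), $_.conditionalAccessStatus
}

'== Windows sign-ins that hit MFA with no device state (check the browser) =='
Get-SignInsWithoutDeviceState $signIns | ForEach-Object {
    '{0} {1} browser={2} trustType=<blank>' -f $_.createdDateTime, $_.userPrincipalName, $_.deviceDetail.browser
}

'== Who signed in, from where, to what =='
$signIns | Group-Object userPrincipalName | ForEach-Object {
    $apps = ($_.Group.appDisplayName | Sort-Object -Unique) -join '; '
    $ips  = ($_.Group.ipAddress | Sort-Object -Unique) -join '; '
    '{0}: {1} sign-ins, apps=[{2}], ips=[{3}]' -f $_.Name, $_.Count, $apps, $ips
}
```

With the sample data, the first section lists bob's high-risk sign-in from an anonymized IP that Conditional Access blocked (error 53003), the second lists alice's Chrome sign-in with a blank trust type, and the third summarizes both users. Replace `$SampleSignIns` with `Get-Content .\SignIns.json -Raw` to run it over a real export.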

Azure AD Identity Protection

Every edition of AAD includes the monitoring and security reports, but only as reporting. If you want to automate responses to detected suspicious activity, that is where AAD Identity Protection comes in.

You can configure policies that act on the defined risk levels, such as requiring Azure MFA registration, MFA authentication, or a password change for risky users. Alternatively, you can block the risky user from signing in.

Azure AD Privileged Identity Management

Lastly, AAD Privileged Identity Management (PIM) helps you mitigate the risk of excessive, unnecessary, or misused access rights.

Instead of relying only on periodic reviews of standing permissions, PIM lets you proactively control who or what is accessing the resources, when, where, and why. It provides time-bound (just-in-time) access that can require approval from predefined approvers to activate a role, and sends notification emails when a role is activated.

Take into account that some of these features require an AAD Premium P2 license. Even though that is an extra cost, think about what you would lose (in money and reputation) if someone outside your company gained access to your data 😉

How to backup your Microsoft Authenticator Application

It happened to me: I had configured the Microsoft Authenticator app on my phone and then I changed phones, and the experience of recreating all the MFA accounts was simply horrible... but now Microsoft Authenticator allows you to back up your multi-factor accounts and recover them.

It works for both personal and work profiles; the only requirement is a Microsoft Account (MSA) to back up your Microsoft Authenticator application, even if you use it from the device's work profile. Something important: you cannot use a corporate account to back up your Microsoft Authenticator application.

To enable the backup capability, open the Options menu (the three dots at the top right of the application) and choose Turn on backup, or go to Settings and enable the Cloud Backup feature.


It will then automatically use your MSA account.


Keep in mind that once you have enabled the backup on one device and then try to enable it on a second one with the same MSA account, you will be asked whether you want to overwrite the existing backup.