What is Privileged Identity Management?
PIM helps to manage, control, and monitor access to important resources in your organization. These include resources in Microsoft Entra, Azure, and other Microsoft online services such as Microsoft 365 or Microsoft Intune.
PIM mitigates the risks of excessive, unnecessary, or misused access permissions. It requires justification to understand why users want permissions and enforces multifactor authentication to activate any role.
What are the capabilities of PIM?
PIM provides:
- Just in time, providing privileged access only when needed, and not before.
- Time-bound, by assigning start and end dates that indicate when a user can access resources.
- Approval-based, requiring specific approval to activate privileges.
- Visible, sending notifications when privileged roles are activated.
- Auditable, allowing a full access history to be downloaded.
Where can we use PIM?
PIM can be used with Microsoft Entra roles, Azure roles, and PIM for Groups:
- Microsoft Entra roles – Microsoft Entra roles include built-in and custom roles to manage Microsoft Entra ID and other Microsoft 365 online services.
- Azure roles – The role-based access control (RBAC) roles in Azure that grant access to management groups, subscriptions, resource groups, and resources.
- PIM for Groups – Provides just-in-time membership in a group and just-in-time ownership of a group. The Microsoft Entra Privileged Identity Management for Groups feature can be used to govern access in various scenarios, including Microsoft Entra roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications.
What is Entra ID Protection?
Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. This includes user identities and workload identities.
These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation.
What is Sign-in Risk and User Risk?
Microsoft Entra ID Protection risk detections report any suspicious or anomalous activity related to a user account in the directory. ID Protection risk detections can be linked to a sign-in event (sign-in risk) or to an individual user (user risk).
Sign-in risk. The sign-in risk policy detects suspicious actions that come along with the sign-in. It’s focused on the sign-in activity itself and analyzes the probability that the sign-in was performed by someone other than the user. Examples include a sign-in from an anonymous IP address, atypical travel (two sign-ins originating from geographically distant locations), unfamiliar sign-in properties, and more.
User risk. A user risk represents the probability that a given identity or account is compromised. Examples include leaked credentials, user reported suspicious activity, suspicious sending patterns, and more.
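To make the atypical travel detection concrete, here is an added example (not from the original page, and not Microsoft's own detection logic, which is proprietary) that flags consecutive sign-ins by the same user whose implied travel speed is physically implausible. The sign-in records and the 900 km/h threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed threshold, roughly airliner speed

@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float
    ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def atypical_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier_ip, later_ip, speed_kmh) for every pair of
    consecutive sign-ins by one user that implies an impossible speed."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.time)):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur.time - prev.time).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Simultaneous sign-ins from different places count as infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                flagged.append((user, prev.ip, cur.ip, round(speed, 1)))
    return flagged

# Constructed sample: alice signs in from Seattle, then from Sydney 20 minutes
# later; bob signs in from London, then from Paris four hours later.
SAMPLE = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), 47.61, -122.33, "203.0.113.10"),
    SignIn("alice", datetime(2024, 5, 1, 9, 20), -33.87, 151.21, "198.51.100.7"),
    SignIn("bob", datetime(2024, 5, 1, 8, 0), 51.51, -0.13, "192.0.2.5"),
    SignIn("bob", datetime(2024, 5, 1, 12, 0), 48.86, 2.35, "192.0.2.9"),
]

if __name__ == "__main__":
    for hit in atypical_travel(SAMPLE):
        print(hit)
```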
What are the main features of group-based licensing?
Below are the key features of group-based licensing:
- Licenses can be assigned to any security group in Microsoft Entra ID. Security groups can be synced from on-premises, created directly in Microsoft Entra ID, or created automatically via the Microsoft Entra dynamic group feature.
- When a product license is assigned to a group, the administrator can disable one or more service plans in the product.
- All Microsoft cloud services that require user-level licensing are supported. This support includes all Microsoft 365 products, Enterprise Mobility + Security, and Dynamics 365.
- Group-based licensing is currently available only through the Microsoft 365 admin center.
- Microsoft Entra ID automatically manages license modifications that result from group membership changes, within minutes of a membership change.
What happens if a user is a member of multiple group-based license assignment groups?
A user can be a member of multiple groups with license policies specified. A user can also have some licenses that were directly assigned, outside of any groups. The resulting user state is a combination of all assigned product and service licenses. If a user is assigned the same license from multiple sources, the license is consumed only once.
In some cases, licenses can’t be assigned to a user. For example, there might not be enough available licenses in the tenant, or conflicting services are assigned at the same time. Administrators have access to information about users for whom Microsoft Entra ID couldn’t fully process group licenses. They can then take corrective action based on that information.
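The following is an added example (not from the original page) that models the resolution described above: direct and group assignments of the same product are merged, one license unit is consumed regardless of how many sources assign it, and a product with no units left in the tenant is reported as an error instead of being assigned. The SKU names, service plan names and the rule that a plan is enabled if any source enables it are assumptions of this example, not Microsoft's implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    sku: str                   # product SKU (constructed ids below)
    disabled_plans: frozenset  # service plans this source switches off
    source: str                # "direct" or the assigning group's name

# Constructed catalogue: product SKU -> the service plans it contains.
PRODUCT_PLANS = {
    "SKU_E3": frozenset({"EXCHANGE", "SHAREPOINT", "TEAMS"}),
    "SKU_EMS": frozenset({"INTUNE", "AADP1"}),
}

def resolve_user_licenses(assignments, available_units):
    """Combine all of one user's assignments.

    Returns (effective, errors): `effective` maps each assigned SKU to its
    enabled service plans; `errors` lists SKUs that could not be assigned.
    `available_units` (SKU -> free units in the tenant) is decremented in place."""
    effective, errors, by_sku = {}, [], {}
    for a in assignments:
        by_sku.setdefault(a.sku, []).append(a)
    for sku, sources in by_sku.items():
        # Assumed merge rule: a plan is enabled if any source leaves it enabled.
        enabled = frozenset().union(*(PRODUCT_PLANS[sku] - a.disabled_plans for a in sources))
        if available_units.get(sku, 0) < 1:
            errors.append((sku, [a.source for a in sources], "not enough available licenses"))
            continue
        available_units[sku] -= 1  # consumed once, however many sources assign it
        effective[sku] = enabled
    return effective, errors

# Constructed scenario: E3 assigned directly (Teams disabled) and again via a
# group (nothing disabled); EMS assigned via a group whose tenant pool is empty.
SAMPLE_ASSIGNMENTS = [
    Assignment("SKU_E3", frozenset({"TEAMS"}), "direct"),
    Assignment("SKU_E3", frozenset(), "grp-all-staff"),
    Assignment("SKU_EMS", frozenset(), "grp-mobile"),
]
SAMPLE_POOL = {"SKU_E3": 5, "SKU_EMS": 0}

if __name__ == "__main__":
    state, problems = resolve_user_licenses(SAMPLE_ASSIGNMENTS, dict(SAMPLE_POOL))
    print(state)     # E3 with all three plans enabled, consuming one unit
    print(problems)  # EMS could not be assigned: no units available
```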
You are assigned a task to plan Conditional Access policies for a new organization. What common policies will you plan and implement?
You can mention that the following are the common policies you will plan and implement.
Require MFA. Common use cases include requiring MFA by admins, to specific apps, for all users, or from network locations you don’t trust.
Respond to potentially compromised accounts. Three default policies can be enabled: require all users to register for MFA, require a password change for users who are high-risk, and require MFA for users with medium or high sign-in risk.
Require managed devices. You probably don’t want certain resources in your environment to be accessed by devices with an unknown protection level. For those resources, require that users can only access them using a managed device.
Require approved client applications. Employees use their mobile devices for both personal and work tasks. For BYOD scenarios, you must decide whether to manage the entire device or just the data on it. If managing only data and access, you can require approved cloud apps that can protect your corporate data.
Block access. Blocking access overrides all other assignments for a user and has the power to block your entire organization from signing on to your tenant. It can be used, for example, when you’re migrating an app to Microsoft Entra ID, but you aren’t ready for anyone to sign in to it yet. You can also block certain network locations from accessing your cloud apps or block apps using legacy authentication from accessing your tenant resources.
What are the license requirements for Conditional Access Policy?
Below are the license requirements for CA.
- Free Microsoft Entra ID – No Conditional Access
- Free Office 365 subscription – No Conditional Access
- Microsoft Entra ID Premium P1 (or Microsoft 365 E3 and up) – Conditional Access works based on standard rules
- Microsoft Entra ID Premium P2 – Conditional Access, plus the ability to use risky sign-ins, risky users, and risk-based sign-in options (from Identity Protection)
How will you plan and test a CA policy implementation in production?
When new CA policies are planned, I will deploy them in phases in the production environment:
- Provide internal change communication to end users.
- Start with a small set of users, and verify that the policy behaves as expected.
- When the policy is expanded to include more users, continue to exclude all administrators. Excluding administrators ensures that someone still has access to the policy if a change is required.
- Apply a policy to all users only after it’s thoroughly tested. Ensure you have at least one administrator account to which a policy doesn’t apply.
If you select All users and All cloud apps in a Conditional Access policy, what should you take into consideration?
Organizations should avoid the following configurations:
For all users, all cloud apps:
- Block access - This configuration blocks your entire organization.
- Require Hybrid Microsoft Entra domain joined device - This access-blocking policy also has the potential to block access for all users in your organization if they don’t have a hybrid Microsoft Entra joined device.
- Require app protection policy - This access-blocking policy also has the potential to block access for all users in your organization if you don’t have an Intune policy. If you’re an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure.
For all users, all cloud apps, all device platforms:
- Block access - This configuration blocks your entire organization.
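As an added example (not from the original page), the check below scans Conditional Access policy definitions shaped like Microsoft Graph conditionalAccessPolicy objects for the all-users, all-cloud-apps configurations listed above, and for an all-users policy with no excluded account or group (the administrator exemption the phased rollout calls for). The sample policies and the flagging rules are this example's own; the field and control names are the Graph API's.

```python
# Grant controls that, scoped to all users and all cloud apps, lock people out.
RISKY_ALL_SCOPE_CONTROLS = {
    "block": "blocks your entire organization",
    "domainJoinedDevice": "blocks everyone without a hybrid Microsoft Entra joined device",
    "approvedApplication": "blocks everyone without an Intune app protection policy",
    "compliantApplication": "blocks everyone without an Intune app protection policy",
}

def lint_policy(policy):
    """Return warnings for one policy; an empty list means no finding."""
    findings = []
    if policy.get("state") != "enabled":
        return findings  # disabled or report-only policies enforce nothing
    name = policy["displayName"]
    users = policy["conditions"].get("users", {})
    apps = policy["conditions"].get("applications", {})
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    has_exclusion = bool(users.get("excludeUsers") or users.get("excludeGroups"))
    if all_users and all_apps:
        for control, effect in RISKY_ALL_SCOPE_CONTROLS.items():
            if control in controls:
                findings.append(f"{name}: all users + all cloud apps with '{control}' {effect}")
    if all_users and not has_exclusion:
        findings.append(f"{name}: targets all users with no excluded account or group; "
                        "keep at least one administrator exempt")
    return findings

def lint_policies(policies):
    return [f for p in policies for f in lint_policy(p)]

# Constructed sample policies; role and group ids are placeholders.
SAMPLE_POLICIES = [
    {"displayName": "Block everything (untested)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<admin-role-id>"], "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Pilot hybrid join", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["domainJoinedDevice"]}},
]

if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_POLICIES):
        print(finding)
```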
What is Conditional Access App Control?
Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies.
Microsoft Entra Conditional Access allows you to enforce access controls on your organization’s apps based on certain conditions. The conditions define who (user or group of users) and what (which cloud apps) and where (which locations and networks) a Conditional Access policy is applied to. After you’ve determined the conditions, you can route users to Microsoft Defender for Cloud Apps where you can protect data with Conditional Access App Control by applying access and session controls.
Access and session policies are used within the Microsoft Defender for Cloud Apps portal to further refine filters and set actions to be taken on a user.
What are the actions that we can perform using Access and Session Policies?
Using access and session policies, we can perform the following actions.
Prevent data exfiltration: You can block the download, cut, copy, and print of sensitive documents on, for example, unmanaged devices.
Protect on download: Instead of blocking the download of sensitive documents, you can require documents to be labeled and protected with Azure Information Protection. This action ensures the document is protected and user access is restricted in a potentially risky session.
Prevent upload of unlabeled files: Before a sensitive file is uploaded, distributed, and used by others, it’s important to make sure that the file has the right label and protection. You can ensure that unlabeled files with sensitive content are blocked from being uploaded until the user classifies the content.
Monitor user sessions for compliance: Risky users are monitored when they sign into apps and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.
Block access: You can granularly block access for specific apps and users depending on several risk factors. For example, you can block them if they’re using client certificates as a form of device management.
Block custom activities: Some apps have unique scenarios that carry risk, for example, sending messages with sensitive content in apps like Microsoft Teams or Slack. In these kinds of scenarios, you can scan messages for sensitive content and block them in real time.
What is an App Protection Policy?
App protection policies (APP) are rules that ensure an organization’s data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move “corporate” data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app has app protection policies applied to it, and it can be managed by Intune.
Mobile Application Management (MAM) app protection policies allow you to manage and protect your organization’s data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices.
What is Continuous Access Evaluation (CAE)?
Token expiration and refresh are a standard mechanism in the industry. When a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, access tokens are valid for one hour; when they expire, the client is redirected to Microsoft Entra ID to refresh them. That refresh period provides an opportunity to reevaluate policies for user access. For example, we might choose not to refresh the token because of a Conditional Access policy, or because the user has been disabled in the directory.
However, there is lag between when conditions change for a user, and when policy changes are enforced. Timely response to policy violations or security issues really requires a “conversation” between the token issuer, and the relying party (enlightened app). This two-way conversation gives us two important capabilities. The relying party can see when properties change, like network location, and tell the token issuer. It also gives the token issuer a way to tell the relying party to stop respecting tokens for a given user because of account compromise, disablement, or other concerns. The mechanism for this conversation is continuous access evaluation (CAE).
What is smart lockout?
Smart lockout helps prevent bad actors who try to guess your users’ passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than those from attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.