Azure AD Password Protection reduces the risk of users setting weak passwords. Azure AD Password Protection detects, and blocks known weak passwords and their variants and can also block other weak terms that are specific to your organization.

Password protection and management capabilities of Azure AD

Password Protection is a feature of Azure AD that reduces the risk of users setting weak passwords. Azure AD Password Protection detects, and blocks known weak passwords and their variants and can also block other weak terms that are specific to your organization.

With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these lists are checked to enforce the use of strong passwords.

You should use extra features like Azure Active Directory multifactor authentication, not just rely on strong passwords enforced by Azure AD Password Protection.

Global banned password list

A global banned password list with known weak passwords is automatically updated and enforced by Microsoft. This list is maintained by the Azure AD Identity Protection team, who analyze security telemetry data to find weak or compromised passwords. Examples of passwords that might be blocked are P@$$w0rd or Passw0rd1 and all variations.

Variations are created using an algorithm that transposes text case and letters to numbers such as "1" to an "l". Variations on Password1 might include Passw0rd1, Pass0rd1, and others. These passwords are then checked and added to the global banned password list and made available to all Azure AD users. The global banned password list is automatically applied and can't be disabled.

If an Azure AD user tries to set their password to one of these weak passwords, they receive a notification to choose a more secure one. The global banned list is sourced from real-world, actual password spray attacks. This approach improves the overall security and effectiveness, and the password validation algorithm also uses smart fuzzy-matching techniques. Azure AD Password Protection efficiently detects and blocks millions of the most common weak passwords from being used in your enterprise.

Custom banned password lists

Admins can also create custom banned password lists to support specific business security needs. The custom banned password list prohibits passwords such as the organization name or location. Passwords added to the custom banned password list should be focused on organizational-specific terms such as:

• Brand names

• Product names

• Locations, such as company headquarters

• Company-specific internal terms

• Abbreviations that have specific company meaning

The custom banned password list is combined with the global banned password list to block variations of all the passwords.

Banned password lists are a feature of Azure AD Premium 1 or 2.

Protecting against password spray

Azure AD Password Protection helps you defend against password spray attacks. Most password spray attacks submit a few of the known weakest passwords against each of the accounts in an enterprise. This technique allows the attacker to quickly search for an easily compromised account and avoid potential detection thresholds.

Azure AD Password Protection efficiently blocks all known weak passwords likely to be used in password spray attacks. This protection is based on real-world security telemetry data from Azure AD, which is used to build the global banned password list.

Hybrid security

For hybrid security, admins can integrate Azure AD Password Protection within an on-premises Active Directory environment. A component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD. Domain controllers then use them to process password change events. This hybrid approach makes sure that, wherever a user changes their password, Azure AD Password Protection is applied.

Although password protection improves the strength of passwords, you should still use best practice features like Azure Active Directory multifactor authentication. Passwords alone, even strong ones, are not as secure as multiple layers of security.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

The best way for the admin to provide the temporary access to Sloan is with Azure AD and Privileged Identity Management.

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.

Azure AD Privileged Identity Management

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video introduces you to important PIM concepts and features.

https://youtu.be/f-0K7mRUPpQ

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

• Provide just-in-time privileged access to Azure AD and Azure resources

• Assign time-bound access to resources using start and end dates

• Require approval to activate privileged roles

• Enforce multi-factor authentication to activate any role

• Use justification to understand why users activate

• Get notifications when privileged roles are activated

• Conduct access reviews to ensure users still need roles

• Download audit history for internal or external audit

• Prevents removal of the last active Global Administrator role assignment

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

No – You can create one Azure Bastion per virtual network. By default, a user sees the Bastion host that is deployed in the same virtual network in which VM resides. However, in the Connect menu, a user can see multiple Bastion hosts detected across peered networks. They can select the Bastion host that they prefer to use to connect to the VM deployed in the virtual network.

https://docs.microsoft.com/en-us/azure/bastion/bastion-faq

Azure Bastion

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

No - The Jr engineer is not correct. Basic Audit retains audit records for 90 days. Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of Exchange, SharePoint, or AzureActiveDirectory for the Workload property (which indicates the service in which the activity occurred) for one year.

Audit log retention policies

All audit records generated in other services that aren't covered by the default audit log retention policy (described in the previous section) are retained for 90 days. But you can create customized audit log retention policies to retain other audit records for longer periods of time up to 10 years. You can create a policy to retain audit records based on one or more of the following criteria:

• The Microsoft 365 service where the audited activities occur.

• Specific audited activities.

• The user who performs an audited activity.

You can also specify how long to retain audit records that match the policy and a priority level so that specific policies will take priority over other policies. Also note that any custom audit log retention policy will take precedence over the default audit retention policy in case you need retain Exchange, SharePoint, or Azure Active Directory audit records for less than a year (or for 10 years) for some or all users in your organization.

https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide

To on-board Azure Sentinel, you first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, including Microsoft 365 Defender solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Cloud App Security, etc.

Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

• Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

• Detect previously undetected threats and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.

• Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.

• Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Building on the full range of existing Azure services, Azure Sentinel natively incorporates proven foundations, like Log Analytics, and Logic Apps. Azure Sentinel enriches your investigation and detection with AI and provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence.

https://docs.microsoft.com/en-us/azure/sentinel/overview

Health Insurance Portability and Accountability Act (HIPAA) introduces rules on how health-related information should be protected.

Data has become more important than ever. Organizations, institutions, and entire societies generate and rely on data to function on a day-to-day basis. Any manipulation or loss of data can damage organizations, institutions, and societies alike. The sheer scale of data generated and the increasing reliance on it, means data management has become pivotal.

Governments are working hard to protect people by creating regulations (laws) that are designed to protect data through several measures including:

• Granting individuals the right to access their data at any time.

• Granting individuals the right to correct or delete data about them if needed.

• Introducing retention periods that dictate a minimum or maximum amount of time data should be stored.

• Enabling governments and regulatory agencies the right to access and examine data when necessary.

• Defining rules for what data can be processed and how that should be done.

Some regulations also require that data remains protected even if it’s moved between geographic locations. For example, regulations in some countries require that any personal data transferred outside of their borders meets several conditions including:

• The destination country where personal data is to be transferred must be considered to have adequate protections for the data.

• Organizations must create appropriate safeguards, such as specific clauses that must be included in contracts with organizations or bodies that handle any personal data.

Common compliance regulations

Some of the regulations that organizations and institutions commonly work with include:

• Health Insurance Portability and Accountability Act (HIPAA) – introduces rules on how health-related information should be protected.

• The Family Educational Rights and Privacy Act (FERPA) – introduces rules to protect student information.

• ISO 27701 – specifies rules and guidance to manage personal information and demonstrate compliance.

Microsoft supports organizations’ compliance needs with built-in tools and capabilities to help them protect information, manage data governance, and respond to regulatory requests.

•The General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This text includes the corrigendum published in the OJEU of 23 May 2018.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance

Quentin can create a new rule to allow RDP that has a higher priority than the default rule.

Azure Network Security groups

In today’s modern work environment, where more users are working remotely from home, managing access to assets and resource on your Azure virtual network (VNet) is essential.

Here, you’ll learn how Azure network security groups can automatically allow or deny traffic to your cloud-based resources and assets.

An Azure virtual network is similar to the network you’d find in your organization. It enables different Azure resources, for instance, an Azure virtual machine (VM), to securely communicate with other VNets, the internet, or your on-premises network. A VNet can be divided into multiple subnetworks (subnets), each with specific resources assigned to them. You can secure the resources within a subnet using network security groups.

Network security groups

Network security groups (NSGs) let you allow or deny network traffic to and from Azure resources that exist in your Azure virtual network; for example, a virtual machine. An NSG consists of rules that define how the traffic is filtered. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group, however, can be associated to as many different subnets and network interfaces as you choose.

NSG security rules are evaluated by priority using five information points: source, source port, destination, destination port, and protocol to either allow or deny the traffic. As a guideline, you shouldn't create two security rules with the same priority and direction.

In the above, highly simplified, diagram you can see an Azure virtual network with two subnets that are connected to the internet, and each subnet has a virtual machine. Subnet 1 has an NSG assigned to it that's filtering inbound and outbound access to VM1, which needs a higher level of access. In contrast, VM2 could represent a public-facing machine that doesn't require an NSG.

Inbound and outbound security rules

As you’ve seen, an NSG controls access to resources on your virtual network and any subnets. An NSG is made up of inbound and outbound security rules. For each rule, you can specify a source and destination, port, protocol, and the required action if it's triggered. As previously mentioned, the rules are processed based on their priority. By default, Azure creates a series of rules, three inbound and three outbound rules, to provide a baseline level of security. You can't remove the default rules, but you can override them by creating new rules with higher priorities.

Each rule specifies one or more of the following properties:

• Name: Every NSG rule needs to have a unique name that describes its purpose. For example, AdminAccessOnlyFilter.

• Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers. When traffic matches a rule, processing stops. This means that any other rules with a lower priority (higher numbers) won't be processed.

• Source or destination: Specify either individual IP address or an IP address range, service tag (a group of IP address prefixes from a given Azure service), or application security group. Specifying a range, a service tag, or application security group, enables you to create fewer security rules.

• Protocol: What network protocol will the rule check? The protocol can be any of: TCP, UDP, ICMP or Any.

• Direction: Whether the rule should be applied to inbound or outbound traffic.

• Port range: You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to be more efficient when creating security rules. You can't specify multiple ports or port ranges in the same security rule in NSGs created through the classic deployment model.

• Action: Finally, you need to decide what will happen when this rule is triggered.

There are limits to the number of security rules you can create in an NSG. Use Azure NSGs to automatically allow or deny traffic to your cloud-based resources and assets.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Azure AD B2C allows external users to log in with their preferred social media account to sign in to your application, such as Facebook, Google, or Twitter.

Available Azure AD editions

Azure AD is available in four editions: Free, Office 365 Apps, Premium P1, and Premium P2.

Azure Active Directory Free. The free version allows you to administer users and create groups, synchronize with on-premises Active Directory, create basic reports, configure self-service password change for cloud users, and enable single sign-on across Azure, Microsoft 365, and many popular SaaS apps. The free version also has an upper limit of 500000 objects that can be held in Azure AD. The free edition is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform.

Office 365 Apps. The Office 365 Apps edition allows you to do everything included in the free version, plus self-service password reset for cloud users, and device write-back, which offers two-way synchronization between on-premises directories and Azure AD. The Office 365 Apps edition of Azure Active Directory is included in subscriptions to Office 365 E1, E3, E5, F1, and F3.

Azure Active Directory Premium P1. The Premium P1 edition includes all the features in the free and Office 365 apps editions. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

Azure Active Directory Premium P2. P2 offers all the Premium P1 features, and Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. P2 also gives you Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.

Azure Active Directory Premium P1 and Premium P2 aren't currently supported in China.

There's also an option for "Pay as you go" feature licenses. You can get other feature licenses separately, such as Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/

Roxxon is using Azure AD B2C allows external users to log in with their preferred social media account to sign into their application, such as Facebook, Google, or Twitter.

Today’s world is about collaboration, working with people both inside and outside of your organization. That means you'll sometimes need to provide access to your organization’s applications or data to external users.

Azure AD External Identities is a set of capabilities that enable organizations to allow access to external users, such as customers or partners. Your customers, partners, and other guest users can "bring their own identities" to sign in.

This ability for external users is enabled through Azure AD support of external identity providers like other Azure AD tenants, Facebook, Google, or enterprise identity providers. Admins can set up federation with identity providers so your external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application.

There are two different Azure AD External Identities: B2B and B2C.

• B2B collaboration allows you to share your apps and resources with external users.

• B2C is an identity management solution for consumer and customer facing apps.

B2B collaboration

B2B collaboration allows you to share your organization’s applications and services with guest users from other organizations, while maintaining control over your own data. B2B collaboration uses an invitation and redemption process, allowing external users to access your resources with their credentials. Developers can customize the invitation and redemption process using Azure AD business-to-business APIs.

With B2B collaboration, external users are managed in the same directory as employees but are typically annotated as guest users. Guest users can be managed in the same way as employees, added to the same groups, and so on. With B2B, SSO to all Azure AD-connected apps is supported.

B2C access management

Azure AD B2C is a customer identity access management (CIAM) solution. Azure AD B2C allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on to your applications. Azure AD B2C supports millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks.

With Azure AD B2C, external users are managed in the Azure AD B2C directory, separately from the organization's employee and partner directory. SSO to customer owned apps within the Azure AD B2C tenant is also supported.

Azure AD B2C is an authentication solution that you can customize with your brand so that it blends with your web and mobile applications.

Azure AD External Identities is a feature of Premium P1 and P2 Azure AD editions, and pricing is based on Monthly Active Users.

https://azure.microsoft.com/pricing/details/active-directory/external-identities/

Azure Active Directory is available in four editions. Each edition has different offerings.

https://www.microsoft.com/en-ca/security/business/identity-access-management/azure-ad-pricing