Multi-factor authentication is an example of defence in-depth at the identity and access layer.

Defence in depth

Defence in depth uses a layered approach to security, rather than relying on a single perimeter. A defence in-depth strategy uses a series of mechanisms to slow the advance of an attack. Each layer provides protection so that, if one layer is breached, a subsequent layer will prevent an attacker getting unauthorized access to data.

Example layers of security might include:

• Physical security such as limiting access to a datacentre to only authorized personnel.

• Identity and access security controls, such as multi-factor authentication or condition-based access, to control access to infrastructure and change control.

• Perimeter security including distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.

• Network security, such as network segmentation and network access controls, to limit communication between resources.

• Compute layer security such as securing access to virtual machines either on-premises or in the cloud by closing certain ports.

• Application layer security to ensure applications are secure and free of security vulnerabilities.

• Data layer security including controls to manage access to business and customer data and encryption to protect data.

Confidentiality, Integrity, Availability (CIA)

Confidentiality, Integrity, Availability, or CIA, is a way to think about security trade-offs. This is not a Microsoft model, but is common to all security professionals.

Confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data. You can encrypt data to keep it confidential, but then you also need to keep the encryption keys confidential. Confidentiality is the most visible part of security; we can clearly see need for sensitive data, keys, passwords, and other secrets to be kept confidential.

Integrity refers to keeping data or messages correct. When you send an email message, you want to be sure that the message received is the same as the message you sent. When you store data in a database, you want to be sure that the data you retrieve is the same as the data you stored. Encrypting data keeps it confidential, but you must then be able to decrypt it so that it's the same as before it was encrypted. Integrity is about having confidence that data hasn't been tampered with or altered.

Availability refers to making data available to those who need it. It's important to the organization to keep customer data secure, but at the same time it must also be available to employees who deal with customers. While it might be more secure to store the data in an encrypted format, employees need access to decrypted data.

While all sides of the CIA model are important, they also represent trade-offs that need to be made.

https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview

Federation is a collection of domains that have established trust.

Federation with Azure AD

Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises. This method allows administrators to implement more rigorous levels of access control. Federation with AD FS and PingFederate is available.

Tip: If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password hash synchronization as a backup in case your AD FS infrastructure fails.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

Yes – Is this feasible to apply conditional access policies which can trigger multi-factor authentication if a user attempts to access a specific application.

Conditional Access

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions.

https://www.microsoft.com/en-us/videoplayer/embed/RE4MwZs

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

Administrators are faced with two primary goals:

• Empower users to be productive wherever and whenever

• Protect the organization's assets

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user's way when not needed.

Important: Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defence for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defence for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Azure Bastion doesn't move or store customer data out of the region it is deployed in.

Azure Bastion

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Privileged Identity Management is a feature of Azure AD Premium P2 and is not available on all editions of Azure AD.

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These include resources in Azure AD, Azure, and other Microsoft online services such as Microsoft 365 or Microsoft Intune. PIM mitigates the risks of excessive, unnecessary, or misused access permissions. It requires justification to understand why users want permissions and enforces multifactor authentication to activate any role.

PIM is:

• Just in time, providing privileged access only when needed, and not before.

• Time-bound, by assigning start and end dates that indicate when a user can access resources.

• Approval-based, requiring specific approval to activate privileges.

• Visible, sending notifications when privileged roles are activated.

• Auditable, allowing a full access history to be downloaded.

Privileged Identity Management is a feature of Azure AD Premium P2.

Why use PIM?

PIM reduces the chance of a malicious actor getting access by minimizing the number of people who have access to secure information or resources. By time-limiting authorized users, it reduces the risk of an authorized user inadvertently affecting sensitive resources. PIM also provides oversight for what users are doing with their administrator privileges.

https://www.microsoft.com/en-ca/videoplayer/embed/RE4ILbu?postJsllMsg=true&autoCaptions=en-ca

The core audit capabilities of Microsoft 365

The audit functionality in the Microsoft 365 compliance centre allows organizations to view user and administrator activity through a unified audit log.

For example, did an administrator reset a password? Did a user change a setting for a team in Microsoft Teams? A unified audit log supports the search of many users and/or admin activities across Microsoft 365 services, Dynamics 365, Microsoft Power Apps, Microsoft Power Automate, Power BI, Azure Active Directory, and more. For a detailed listing, visit Search the audit log in the compliance centre.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for the organization. The length of time that an audit record is kept (and searchable in the audit log) depends on the Office 365 or Microsoft 365 Enterprise subscription, and specifically the type of the license that's assigned to specific users. For core audit capability, the audit record is kept and searchable for 90 days.

Searching the audit log requires the search capability to be turned on, and for the user doing the search to be assigned the appropriate role. The search criteria can be configured based on:

• Activities

• Start date and end date

• Users

• File, folder, or site

The results of the audit log search, which can be filtered and exported to a CSV file, contain the following information about each event returned by the search:

• Date: The date and time (in UTC format) when the event occurred.

• IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address.

• User: The user (or service account) who completed the action that triggered the event.

• Activity: The activity completed by the user. This is based on activities configured.

• Item: The object that was created or modified because of the corresponding activity. For example, the file that was viewed or modified, or the user account that was updated. Not all activities have a value in this column.

• Detail: Additional information about an activity. Again, not all activities have a value.

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search.

https://docs.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-compliance-center?view=o365-worldwide

Yes - Azure Security Centre is a unified infrastructure security management system that strengthens the security posture of your data centres and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.

Azure Security Centre

Azure Security Centre is a unified infrastructure security management system that strengthens the security posture of your data centres and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.

Keeping your resources safe is a joint effort between your cloud provider, Azure, and you, the customer. You have to make sure your workloads are secure as you move to the cloud, and at the same time, when you move to IaaS (infrastructure as a service) there is more customer responsibility than there was in PaaS (platform as a service), and SaaS (software as a service). Azure Security Centre provides you the tools needed to harden your network, secure your services and make sure you're on top of your security posture.

Azure Security Centre addresses the three most urgent security challenges:

• Rapidly changing workloads – It's both a strength and a challenge of the cloud. On the one hand, end users are empowered to do more. On the other, how do you make sure that the ever-changing services people are using and creating are up to your security standards and follow security best practices?

• Increasingly sophisticated attacks - Wherever you run your workloads, the attacks keep getting more sophisticated. You have to secure your public cloud workloads, which are, in effect, an Internet facing workload that can leave you even more vulnerable if you don't follow security best practices.

• Security skills are in short supply - The number of security alerts and alerting systems far outnumbers the number of administrators with the necessary background and experience to make sure your environments are protected. Staying up-to-date with the latest attacks is a constant challenge, making it impossible to stay in place while the world of security is an ever-changing front.

To help you protect yourself against these challenges, Security Centre provides you with the tools to:

• Strengthen security posture: Security Centre assesses your environment and enables you to understand the status of your resources, and whether they are secure.

• Protect against threats: Security Centre assesses your workloads and raises threat prevention recommendations and security alerts.

• Get secure faster: In Security Centre, everything is done in cloud speed. Because it is natively integrated, deployment of Security Centre is easy, providing you with auto provisioning and protection with Azure services.

https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction

Both your organization and Microsoft work together to implement these controls.

Compliance Manager

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance centre that helps admins to manage an organization’s compliance requirements with greater ease and convenience. Compliance Manager can help organizations throughout their compliance journey, from taking inventory of data protection risks, to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

https://www.microsoft.com/en-us/videoplayer/embed/RE4FGYZ?postJsllMsg=true

Compliance Manager helps simplify compliance and reduce risk by providing:

• Prebuilt assessments based on common regional and industry regulations and standards. Admins can also use custom assessment to help with compliance needs unique to the organization.

• Workflow capabilities that enable admins to efficiently complete risk assessments for the organization.

• Step-by-step improvement actions that admins can take to help meet regulations and standards relevant to the organization. Some actions will also be managed for the organization by Microsoft. Admins will get implementation details and audit results for those actions.

• Compliance score, which is a calculation that helps an organization understand its overall compliance posture by measuring how it's progressing with improvement actions.

The Compliance Manager dashboard shows the current compliance score, helps admins to see what needs attention, and guides them to key improvement actions.

Compliance Manager uses several data elements to help manage compliance activities. As admins use Compliance Manager to assign, test, and monitor compliance activities, it’s helpful to have a basic understanding of the key elements: controls, assessments, templates, and improvement actions.

Controls

A control is a requirement of a regulation, standard, or policy. It defines how to assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy.

Compliance Manager tracks the following types of controls:

• Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.

• Your controls: sometimes referred to as customer-managed controls, these are implemented and managed by the organization.

• Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.

Compliance Manager continuously assesses controls by scanning through your Microsoft 365 environment and detecting your system settings, continuously and automatically updating your technical action status.

Assessments

An assessment is a grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps to meet the requirements of a standard, regulation, or law. For example, an organization may have an assessment that, when the admin completes all actions within it, it helps to bring the organization’s Microsoft 365 settings in line with ISO 27001 requirements.

Assessments have several components:

• In-scope services: the specific set of Microsoft services applicable to the assessment.

• Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft implements for the organization.

• Your controls: these controls, sometimes referred to as customer-managed controls, are implemented and managed by the organization.

• Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.

• Assessment score: shows the progress in achieving total possible points from actions within the assessment that are managed by the organization and by Microsoft.

When creating assessments, an admin will assign them to a group. The admin can configure groups in whatever way is most logical for the organization. For example, they might group assessments by audit year, region, solution, teams within the organization, or some other way. Once the admin has created groups, the admin can filter the Compliance Manager dashboard to view the score by one or more groups.

Templates

Compliance Manager provides templates to help admins to quickly create assessments. They can modify these templates to create an assessment optimized for their needs. Admins can also build a custom assessment by creating a template with their own controls and actions. For example, the admin may want a template to cover an internal business process control, or a regional data protection standard that isn’t covered by one of Microsoft’s 150-plus prebuilt assessment templates.

Improvement actions

Improvement actions help centralize compliance activities. Each improvement action provides recommended guidance that's intended to help organizations to align with data protection regulations and standards. Improvement actions can be assigned to users in the organization to do implementation and testing work. Admins can also store documentation, notes, and record status updates within the improvement action.

Benefits of Compliance Manager

Compliance Manager provides many benefits, including:

• Translating complicated regulations, standards, company policies, or other control frameworks into a simple language.

• Providing access to a large variety of out-of-the-box assessments and custom assessments to help organizations with their unique compliance needs.

• Mapping regulatory controls against recommended improvement actions.

• Providing step-by-step guidance on how to implement the solutions to meet regulatory requirements.

• Helping admins and users to prioritize actions that will have the highest impact on their organizational compliance by associating a score with each action.

https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide

Network security group (NSG) - You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network.

Network security groups

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. You may not create two security rules with the same priority and direction. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

There are limits to the number of security rules you can create in a network security group.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Sign-in risk is the real-time calculation that a given authentication request isn't authorized by the identity owner.

Conditional Access and its benefits

Conditional Access is a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets. Conditional Access is implemented through policies that are created and managed in Azure AD. A Conditional Access policy analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).

A Conditional Access policy might state that if a user belongs to a certain group, then they're required to provide multifactor authentication to sign into an application.

https://www.microsoft.com/en-ca/videoplayer/embed/RE4INyI?postJsllMsg=true&autoCaptions=en-ca

Conditional Access signals

Conditional Access can use the following signals:

• User or group membership. Policies can be targeted to all users, specific groups of users, directory roles, or external guest users, giving administrators fine-grained control over access.

• Named location information. Named location information can be created using IP address ranges, and used when making policy decisions. Also, administrators can opt to block or allow traffic from an entire country's IP range.

• Device. Users with devices of specific platforms or marked with a specific state can be used.

• Application. Users attempting to access specific applications can trigger different Conditional Access policies.

• Real-time sign-in risk detection. Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behaviour - the probability that a given sign-in, or authentication request, isn't authorized by the identity owner. Policies can then force users to perform password changes or multifactor authentication to reduce their risk level or be blocked from access until an administrator takes manual action.

• Cloud apps or actions. Cloud apps or actions can include or exclude cloud applications or user actions that will be subject to the policy.

• User risk. For customers with access to Identity Protection, user risk can be evaluated as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability.

When creating a conditional access policy, admins can determine which signals to use through assignments. The assignments portion of the policy controls the who, what, and where of the Conditional Access policy. All assignments are logically ANDed. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy.

Access controls

When the Conditional Access policy has been applied, an informed decision is reached on whether to grant access, block access, or require extra verification. The decision is referred to as the access controls portion of the Conditional Access policy and defines how a policy is enforced. Common decisions are:

• Block access

• Grant access

• Require one or more conditions to be met before granting access:

• Require multifactor authentication.

• Require device to be marked as compliant.

• Require hybrid Azure AD joined device.

• Require approved client app.

• Require app protection policy.

• Require password change.

• Control user access based on session controls to enable limited experiences within specific cloud applications. As an example, Conditional Access App Control uses signals from Microsoft Cloud App Security (MCAS) to block, download, cut, copy and print sensitive documents, or to require labelling of sensitive files. Other session controls include sign-in frequency and application enforced restrictions that, for selected applications, use the device information to provide users with a limited or full experience, depending on the device state.

Conditional Access policies can be targeted to members of specific groups or guests. For example, you can create a policy to exclude all guest accounts from accessing sensitive resources. Conditional Access is a feature of paid Azure AD editions.

https://edxinteractivepage.blob.core.windows.net/edxpages/Security%20fundamentals/LP02M04%20-%20Create%20a%20Conditional%20Access%20Policy/index.htm