
Identity Providers

IdP (Identity Provider): manages identity information while providing authentication services to apps.

AD (Active Directory): a set of directory services designed for on-premises environments.

Federation: a collection of domains that share trust, giving shared access to a set of
resources.
Trust is not always bidirectional.

Common Identity Attacks

Dictionary Attacks
Brute Force
Password Spray Attacks: attempts to match usernames against a list of weak passwords.
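The three attacks above look different in sign-in telemetry, and that difference is what a detection rule keys on: a brute force hammers one account, while a spray tries a few weak passwords across many accounts, so one source IP shows failures for many distinct usernames in a short window. The following is an added example (not from these notes and not Microsoft code) that parses a constructed sign-in log in a made-up `<timestamp> <ip> <username> <result>` format and classifies each source; the thresholds (10-minute window, 5 failures, 80% distinct accounts) are assumptions to tune per environment.

```python
# Added example (not from these notes): spotting a password spray in sign-in
# telemetry. A spray tries a few weak passwords across MANY accounts, so one
# source IP shows failures for many distinct usernames in a short window; a
# classic brute force hammers ONE account. The log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <username> <result>"
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 203.0.113.7 alice FAIL
2024-01-10T08:00:03Z 203.0.113.7 bob FAIL
2024-01-10T08:00:05Z 203.0.113.7 carol FAIL
2024-01-10T08:00:07Z 203.0.113.7 dave FAIL
2024-01-10T08:00:09Z 203.0.113.7 erin FAIL
2024-01-10T08:00:11Z 203.0.113.7 frank FAIL
2024-01-10T08:00:13Z 203.0.113.7 grace SUCCESS
2024-01-10T08:05:00Z 198.51.100.9 alice FAIL
2024-01-10T08:05:02Z 198.51.100.9 alice FAIL
2024-01-10T08:05:04Z 198.51.100.9 alice FAIL
2024-01-10T08:05:06Z 198.51.100.9 alice FAIL
2024-01-10T08:05:08Z 198.51.100.9 alice FAIL
2024-01-10T08:05:10Z 198.51.100.9 alice FAIL
2024-01-10T09:00:00Z 192.0.2.55 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_failures=5, spray_ratio=0.8):
    """Return {ip: 'spray' | 'brute_force' | 'normal'}.

    Within any sliding window of `window` length, `min_failures` or more failed
    sign-ins from one IP trigger a verdict: 'spray' when the failures are spread
    over many distinct accounts (distinct/failures >= spray_ratio), otherwise
    'brute_force' (failures concentrated on one or a few accounts).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        fails = sorted(e for e in evs if e[3] == "FAIL")
        verdict = "normal"
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            chunk = fails[start:end + 1]
            if len(chunk) >= min_failures:
                distinct = len({e[2] for e in chunk})
                if distinct / len(chunk) >= spray_ratio:
                    verdict = "spray"
                    break
                verdict = "brute_force"
        verdicts[ip] = verdict
    return verdicts


def accounts_to_investigate(events, verdicts):
    """Accounts with a SUCCESS from a spraying IP: the ones to reset and review first."""
    return sorted({e[2] for e in events
                   if verdicts.get(e[1]) == "spray" and e[3] == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)
    print("investigate:", accounts_to_investigate(evs, v))
```

On the sample, 203.0.113.7 is flagged as a spray (six failures across six accounts) and 198.51.100.9 as brute force (six failures against one account); the one successful sign-in from the spraying address, `grace`, is the account to reset first. The same split is why MFA and Conditional Access matter: a spray only needs one weak password to land.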

Phishing Attacks
Spear Phishing: targets a specific group of users.
Whaling: targets high-level executives.
Vishing: voice phishing, uses VoIP.

Azure AD Identity

Azure AD is Microsoft's cloud-based identity and access management service, which
helps users sign in and access resources.

User: A representation of something that is managed by Azure AD.

Service Principal: A security identity used by apps or services to access specific
Azure resources.
Managed Identity: An identity automatically managed in Azure.
> System-Assigned: created for and tied to a specific resource.
> User-Assigned: a standalone Azure resource with its own lifecycle.

Device: A piece of hardware, such as a mobile device, laptop or printer.

> Azure AD registered: devices can be Windows 10, iOS, Android or macOS (often
personal / BYOD).
> Azure AD joined: devices exist only in the cloud; Azure AD joined devices are owned
by an organization and signed in with the organization's account.
> Hybrid Azure AD joined: devices are owned by an organization and signed in with an
Active Directory DS account (can exist on-premises or in the cloud).

Hybrid Identity

For on-premises to cloud: On-premises <--> Azure AD Connect <--> Cloud

Users and devices --> Sign-on <--> Cloud

Azure AD Connect Cloud Sync is a new offering from Microsoft designed to meet and
accomplish your hybrid identity goals for synchronization of users, groups and
contacts to Azure AD.

External Identity Types

B2B Collaboration allows you to share your organization's apps and services with guest
users from other organizations, while maintaining control over your own data.
Uses an INVITATION AND REDEMPTION PROCESS, allowing external users to access your
resources with their own credentials.
External users sign in with their work (Azure AD) account.

B2C (Azure AD B2C is a customer identity and access management service)

Allows external users to sign in with their preferred social, enterprise or local
account to get single sign-on to your apps.
External users sign in with social (personal) identities.

Core Azure Identity Service

Azure RBAC
helps you manage who has access to Azure resources, what they can do with those
resources and which resources they have access to.

MFA

Windows Hello for Business, an authentication feature built into Windows 10, that replaces
passwords with strong two-factor authentication on PCs and mobile devices.

Allows authentication with:
a Microsoft account
an AD account
an Azure Active Directory account
an identity provider

Conditional Access.
Used by Azure Active Directory to bring signals together, to make decisions and enforce
organizational policies.
Improves security by enforcing conditions of access.
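The decision step is easier to reason about when spelled out: each policy is assigned to a set of sign-ins by its signals (user or group, app, network location, user risk) and, when it matches, applies grant controls; all matching policies must be satisfied and a single block wins. The following is an added example, a toy evaluator written for these notes and not Azure AD's own code; the policy names, groups, apps and signal values are constructed.

```python
# Added example (not Azure AD's own code): a toy Conditional Access evaluator.
# A policy selects sign-ins by signals (user/group, app, network location,
# user risk) and applies grant controls. Policies combine the way the notes
# describe: every matching policy's controls must be satisfied, and one
# 'block' wins. Policies, groups and signal values are constructed.
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    from_trusted_network: bool
    device_compliant: bool
    user_risk: str          # 'none' | 'low' | 'medium' | 'high'
    mfa_satisfied: bool


@dataclass
class Policy:
    name: str
    include_groups: set = field(default_factory=set)  # empty = all users
    exclude_users: set = field(default_factory=set)   # e.g. break-glass accounts
    apps: set = field(default_factory=set)            # empty = all cloud apps
    untrusted_network_only: bool = False
    min_user_risk: str = "none"
    grant: str = "mfa"  # 'block' | 'mfa' | 'compliant_device'


RISK_ORDER = ["none", "low", "medium", "high"]


def policy_applies(p, s):
    """Assignment conditions: does this policy target this sign-in at all?"""
    if s.user in p.exclude_users:
        return False
    if p.include_groups and not (p.include_groups & s.groups):
        return False
    if p.apps and s.app not in p.apps:
        return False
    if p.untrusted_network_only and s.from_trusted_network:
        return False
    if RISK_ORDER.index(s.user_risk) < RISK_ORDER.index(p.min_user_risk):
        return False
    return True


def evaluate(policies, s):
    """Return (decision, names of matching policies).

    decision is 'block', 'compliant_device_required', 'mfa_required' or 'grant'.
    """
    matched = [p for p in policies if policy_applies(p, s)]
    names = [p.name for p in matched]
    if any(p.grant == "block" for p in matched):
        return "block", names
    if any(p.grant == "compliant_device" for p in matched) and not s.device_compliant:
        return "compliant_device_required", names
    if any(p.grant == "mfa" for p in matched) and not s.mfa_satisfied:
        return "mfa_required", names
    return "grant", names


# Constructed policy set
POLICIES = [
    Policy("Block high-risk users", min_user_risk="high", grant="block"),
    Policy("Require MFA for admins", include_groups={"GlobalAdmins"},
           exclude_users={"breakglass"}),
    Policy("Require MFA outside trusted networks", untrusted_network_only=True),
    Policy("Require compliant device for Exchange", apps={"Exchange"},
           grant="compliant_device"),
]


if __name__ == "__main__":
    admin = SignIn("alice", {"GlobalAdmins"}, "Teams", True, True, "none", False)
    print(evaluate(POLICIES, admin))
```

Two details are deliberate: the break-glass account is excluded from the admin MFA policy so a broken MFA provider cannot lock every administrator out, and the high-risk block is checked before any grant control so a risky user is never merely prompted for MFA.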

Azure AD Roles.
Control permissions to manage Azure AD resources.
Support built-in and custom roles.
Enable enforcement of least privilege.

Custom roles require an Azure AD Premium P1 or P2 license.

Identity Governance:
Which users should have access to which resources?
What are those users doing with that access?
Are there effective organizational controls for managing access?
Can auditors verify that the controls are working?

Entitlement Management
An Identity Governance feature that enables organizations to manage identity and
access lifecycle at scale.
> Add resources, like groups, teams and apps, to an access package.
> Specify permissions by selecting a role.
> Related resources and access packages are stored in a catalog.

Access Review
Ensure that only the right people have access to resources.

Privileged Identity Management (PIM)

A service in Azure Active Directory that enables you to manage, control and monitor role
access.
Mitigates the risks of excessive, unnecessary or misused access permissions.
> Requires Azure AD Premium P2

Azure Encrypts Data

Azure Storage Service Encryption (Encrypted by default)

Helps protect data at rest by automatically encrypting it before persisting it to
Azure managed disks, Blob Storage, Files or Queue Storage.

Azure Disk Encryption

Helps encrypt Windows and Linux VM disks, using BitLocker and dm-crypt to encrypt
OS and data disks.

Transparent Data Encryption

Helps protect Azure SQL Database and Azure Data Warehouse against the threat of
malicious activity with real-time encryption and decryption of the database.

Azure Security Center

A unified infrastructure security management system that strengthens the security
posture of your data centers (cloud and on-premises).

Azure Secure Score

Analytics tool that answers the question: how secure is my workload?

Visualization of the security posture.

Fast triage and suggestions to provide meaningful actions to increase security
posture.
> Focused on cloud infrastructure (shown in Security Center)
> Score is based on severity and security best practices.

Azure Security Benchmark (Security Baselines for Azure)

A baseline is the implementation of the benchmark on the individual Azure service.

Control > High-level description of a feature or activity that needs to be
addressed, not specific to a technology.
Benchmark > Contains security recommendations for a specific technology.
Baseline > Is the implementation of the benchmark.

Azure Defender:
Two pillars of Azure Security Center

Cloud Security Posture Management: CSPM (Free Tier)

Includes CSPM features such as secure score, detection of security misconfigurations
in your Azure workloads, and asset inventory.

Cloud Workload Protection Platform: CWPP (Standard Tier)

Brings a range of security features for advanced, intelligent protection of your
Azure and hybrid resources and workloads.

SIEM (Security Information and Event Management)

Collects data from many other sources within the network.
Provides real-time monitoring, analysis, correlation and notification of potential
attacks.
SOAR (Security Orchestration, Automation and Response)
Centralized alert and response automation with threat-specific playbooks.

SIEM and SOAR with Azure Sentinel

XDR (Extended Detection and Response)

Integrates security visibility across an organization's entire infrastructure.
Provides visibility into endpoints, cloud, infrastructure, mobile, apps, etc.
Supports threat hunting and can also respond automatically.

Azure Sentinel
Provides visibility and context across silos, including apps, identities, endpoints
and data.

---

Microsoft 365 Defender Services

MS Defender for Identity

Cloud-based security solution that leverages your on-premises AD signals.
Identifies, detects and investigates advanced threats, compromised identities and
malicious insider actions.

MS Defender for Office 365

Safeguards your organization against malicious threats in email, links (URLs) and
collaboration tools.
Includes Safe Links and Safe Attachments for detonation of potentially malicious
email content.
Anti-phishing protection and attack simulation.

MS Defender for Endpoint

An enterprise security platform designed to help enterprise networks prevent, detect,
investigate and respond to advanced threats.
Includes EDR, attack surface reduction, automated investigation and advanced hunting.

MS Cloud App Security (MCAS)

A Cloud Access Security Broker (CASB) designed to detect and stop shadow IT.
Provides visibility over data travel and analytics to identify threats across Microsoft and
3rd-party apps.

---
Microsoft 365 Security Center

It's the new home for monitoring and managing security across your Microsoft
identities, data, devices and apps.

Brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender and
MCAS data into the Microsoft 365 Security Center.

security.microsoft.com
----
Microsoft Secure Score
> Helps the organization improve its security posture for Microsoft 365 services

Focused on three categories:

> Identity (Azure AD accounts and roles)
> Devices (Microsoft Defender for Endpoint)
> Apps (email and cloud apps, including Office 365 and MCAS)
---------

Incident Management in Microsoft 365 Security Center

Incidents
Are a collection of correlated alerts created when a suspicious event is found.

Alerts are generated from different devices and can come from many different
domains.
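What "correlated" means in practice is that alerts from different domains (email, endpoint, identity) sharing an entity such as a user, device or URL are chained into one incident, so an analyst sees one story rather than five tickets. The following is an added example written for these notes, not Microsoft 365 Defender's own correlation logic; the alerts, entity names and domains are constructed, and the grouping uses union-find so that alerts linked only transitively (A1 shares a user with A2, A2 shares a device with A4) still land together.

```python
# Added example (not Microsoft 365 Defender's own logic): correlating alerts
# from different domains (email, endpoint, identity) into incidents. Alerts
# that share an entity (user, device, URL) are chained together with union-find,
# so an email click, a sign-in anomaly and an endpoint alert for the same user
# land in one incident. All alerts are constructed.

ALERTS = [
    {"id": "A1", "domain": "email", "title": "Malicious URL clicked",
     "entities": {"user:alice", "url:malicious.example"}},
    {"id": "A2", "domain": "endpoint", "title": "Suspicious PowerShell",
     "entities": {"user:alice", "device:LAPTOP-01"}},
    {"id": "A3", "domain": "identity", "title": "Atypical travel sign-in",
     "entities": {"user:alice"}},
    {"id": "A4", "domain": "endpoint", "title": "Credential theft attempt",
     "entities": {"device:LAPTOP-01"}},
    {"id": "A5", "domain": "endpoint", "title": "Unsigned driver loaded",
     "entities": {"device:SERVER-07"}},
]


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def build_incidents(alerts):
    """Group alerts that share at least one entity (transitively) into incidents."""
    parent = {a["id"]: a["id"] for a in alerts}
    first_alert_for = {}
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_alert_for:
                _union(parent, first_alert_for[ent], a["id"])
            else:
                first_alert_for[ent] = a["id"]
    groups = {}
    for a in alerts:  # keeps the original alert order inside each incident
        groups.setdefault(_find(parent, a["id"]), []).append(a)
    incidents = []
    for members in groups.values():
        incidents.append({
            "alerts": [m["id"] for m in members],
            "domains": sorted({m["domain"] for m in members}),
            "entities": sorted(set().union(*(m["entities"] for m in members))),
        })
    incidents.sort(key=lambda i: i["alerts"])
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(build_incidents(ALERTS), 1):
        print(f"Incident {n}: {inc}")
```

On the sample the first four alerts collapse into one incident spanning the email, endpoint and identity domains, while the unrelated driver alert on SERVER-07 stays a separate incident.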

Microsoft Intune

A cloud-based service that focuses on MDM (mobile device management) and MAM (mobile
application management).
MAM policies enable app-centric protection on personal devices in BYOD scenarios.

Microsoft Endpoint Manager Admin Center

Combines services, including Microsoft Intune, Configuration Manager, Desktop
Analytics, co-management and Windows Autopilot.

endpoint.microsoft.com

------

Compliance Center
Integrated solution for information protection and governance, insider risk
management, discovery and more.

compliance.microsoft.com

Compliance Manager
Measures your progress in completing actions that help reduce risks around data
protection and regulatory standards.

Compliance Score
Provides a rollup of compliance based on the assessment items within the template.

-------

Data Classification

Content Explorer: Shows a current snapshot of items that have a sensitivity or
retention label or have been classified as a sensitive information type.
(What has been labeled / classified?)

Activity Explorer: Allows you to monitor what's being done with your labeled
content through a historical view of activities on your labeled content.
(What is being done with labeled content?)

Sensitivity Labels
Enable the labeling and protection of content.
Implement data classification.

Label Policies
Apply protection to documents with specific labels.

Retention Policies
Used to assign the same retention settings at a site level or mailbox level.
Can be applied to multiple locations, or to specific locations or users.

Retention Labels
Used to assign retention settings at an item level, such as a folder, document or
email.
An email can have only a single retention label assigned to it at a time.

Records Management

Records include evidence of a particular business activity, requiring them to be
stored and retained over an extended period.

Records Management in Microsoft 365 supports disposition reviews and notification
reminders, so you can confirm deletion is appropriate.

DLP (Data Loss Prevention)
Protects sensitive information.
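Sensitivity labels and DLP both sit on top of the same building block, the sensitive information type: a pattern finds candidates, a checksum confirms them, and supporting keywords nearby raise confidence, after which a label is applied and a DLP rule acts on it. The following is an added example written for these notes, not Microsoft Purview's classifier; it implements that pipeline for payment card numbers with the Luhn check, and the label names, confidence thresholds, DLP actions and sample documents are all constructed.

```python
# Added example (not Microsoft Purview's classifier): how a sensitive
# information type is detected and turned into a sensitivity label and a DLP
# action. The pattern mirrors Purview's built-in types: a regex finds
# candidates, a checksum (Luhn) confirms them, and supporting keywords nearby
# raise confidence. Label names, thresholds and documents are constructed.
import re

CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SUPPORTING_KEYWORDS = ("credit card", "card number", "visa", "mastercard", "expiry", "cvv")


def luhn_ok(digits):
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text):
    """Return (confidence 0-100, label) for one document."""
    cards = find_card_numbers(text)
    if not cards:
        return 0, "General"
    confidence = 65  # pattern + checksum only
    if any(k in text.lower() for k in SUPPORTING_KEYWORDS):
        confidence = 85  # checksum plus supporting evidence
    return confidence, "Confidential"


def dlp_action(confidence):
    """Policy tiers (constructed): block sharing on high confidence, warn on medium."""
    if confidence >= 85:
        return "block_external_sharing"
    if confidence >= 65:
        return "warn_user"
    return "allow"


DOCUMENTS = {  # constructed sample content
    "invoice.txt": "Please charge my credit card 4111 1111 1111 1111, expiry 12/26.",
    "shipping.txt": "Order ref 4111 1111 1111 1112 shipped yesterday.",
    "notes.txt": "Reference 5500000000000004 logged in the ledger.",
}


def classify_all(docs):
    """{document: (label, dlp action)} for an inventory of documents."""
    result = {}
    for name, text in docs.items():
        confidence, label = classify(text)
        result[name] = (label, dlp_action(confidence))
    return result


if __name__ == "__main__":
    for name, verdict in classify_all(DOCUMENTS).items():
        print(name, verdict)
```

The shipping reference looks like a card number but fails the checksum, so it stays unlabeled; the ledger entry passes the checksum with no supporting words and only earns a warning, while the invoice has both and is blocked from external sharing. That confidence ladder is what keeps false positives from turning a DLP rollout into a stream of blocked legitimate mail.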

Insider Risk Management Solution

A solution in Microsoft 365 that helps minimize internal risks by enabling an
organization to detect, investigate and act on risky and malicious activities.

Communication Compliance
Helps minimize communication risks by enabling organizations to detect, capture, and
take remediation actions for inappropriate messages.

Privileged Access Management (PAM)

Allows granular access control over privileged admin tasks in Microsoft 365.

PIM vs PAM

PIM focuses on privileged roles in Azure and Azure AD.

PAM focuses on privileged admin tasks in Microsoft 365.


-----

Lockbox (Similar to WatchGuard Remote Access)


-----

eDiscovery

The process of identifying and delivering electronic information that can be used
as evidence in legal cases.

Content Search:
Consists of searches and export, but not holds.

Core eDiscovery:
You can add sources, create holds and queries, export case results and manage the
lifecycle of your case.

Advanced eDiscovery
Add custodians, automate notifications, view jobs, additional settings.

-----

Content Search: (Content Search eDiscovery Tool)

Searches for in-place content such as email, documents and instant messaging in your
organization.
Used to search for content in Exchange, SharePoint, OneDrive, Teams and M365 Groups.

---
Data Governance

Azure Purview
A unified data governance service that helps you manage and govern on-premises,
multicloud and SaaS data.
Creates a holistic, up-to-date map of your data landscape, with automated data
discovery, sensitive data classification and end-to-end data lineage (timeline of
the data).

Core Audit Capabilities of M365

Allow organizations to view user and admin activities through a unified audit log.

Advanced Auditing
Used to conduct forensic and compliance investigations by increasing audit log
retention.
Helps determine the scope of compromise.

------

Resource Governance
Provides mechanisms and processes to maintain control over your resources in Azure.

Resource Lock
Prevents other users in your organization from accidentally deleting or modifying
critical resources.

------

Cloud Adoption Framework

The Cloud Adoption Framework brings together cloud adoption best practices from
Microsoft employees, partners, and customers. It provides a set of tools, guidance,
and narratives that help shape technology, business, and people strategies for
driving desired business outcomes during your cloud adoption effort.

Strategy: Define business justification and expected outcomes of adoption.

Plan: Align actionable adoption plans to business outcomes.

Ready: Prepare the cloud environment for the planned changes.

Migrate: Migrate and modernize existing workloads.

Innovate: Develop new cloud-native or hybrid solutions.

Govern: Govern the environment and workloads.

Manage: Operations management for cloud and hybrid solutions.

Organize: Align the teams and roles supporting your organization's cloud adoption
efforts.

---------

Cloud Governance

Policy: Definition of the conditions which you want to control/govern.

Initiative: A collection of Azure Policy definitions that are grouped together
towards a specific goal.
Blueprint: A container for composing sets of standards, patterns and requirements
for implementation of Azure cloud services, security and design.

Features:

Tags: A name and value pair used to logically organize Azure resources, resource
groups and subscriptions into a logical taxonomy.
Can be used for applying business policies and tracking costs.
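Policy, initiative and tags fit together at evaluation time: each definition is an if/then rule over a resource's fields, an initiative is a list of such definitions assigned as one unit, and a deny effect stops a non-compliant deployment while tags feed the cost rollup. The following is an added example written for these notes and not the Azure Policy engine; it models two common built-in patterns ("require a tag" and "allowed locations") in a simplified if/then form, and the resources, regions, tag names and monthly costs are constructed.

```python
# Added example (not the Azure Policy engine): evaluating policy definitions
# and an initiative against a resource inventory, then using tags for cost
# tracking. Two built-in patterns are modelled in a simplified if/then form:
# "require a tag" and "allowed locations". Resources, regions, tag names and
# monthly costs are constructed.
from collections import defaultdict

POLICY_DEFINITIONS = {
    "require-tag-owner":
        {"if": {"field": "tags.owner", "exists": False}, "then": "deny"},
    "require-tag-costcenter":
        {"if": {"field": "tags.costcenter", "exists": False}, "then": "deny"},
    "allowed-locations":
        {"if": {"field": "location", "notIn": ["westeurope", "northeurope"]}, "then": "deny"},
    "audit-classic-storage":
        {"if": {"field": "type", "equals": "Microsoft.ClassicStorage/storageAccounts"}, "then": "audit"},
}

# An initiative groups definitions toward one goal (here: a governance baseline)
INITIATIVE = {"name": "governance-baseline", "policies": list(POLICY_DEFINITIONS)}

RESOURCES = [  # constructed inventory
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"owner": "alice", "costcenter": "1001"}, "monthly_cost": 120},
    {"name": "sa-logs", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"owner": "bob"}, "monthly_cost": 30},
    {"name": "vm-dev-99", "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
     "tags": {}, "monthly_cost": 80},
]


def get_field(resource, field):
    """Resolve a policy field alias; 'tags.<name>' reads into the tag dictionary."""
    if field.startswith("tags."):
        return resource.get("tags", {}).get(field[len("tags."):])
    return resource.get(field)


def condition_met(cond, resource):
    """True when the policy's 'if' matches, i.e. the 'then' effect applies."""
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_initiative(initiative, resources):
    """Return {resource name: [(policy name, effect), ...]} for non-compliant resources."""
    findings = {}
    for r in resources:
        hits = []
        for name in initiative["policies"]:
            pol = POLICY_DEFINITIONS[name]
            if condition_met(pol["if"], r):
                hits.append((name, pol["then"]))
        if hits:
            findings[r["name"]] = hits
    return findings


def would_be_denied(resource):
    """Deployment-time check: any 'deny' effect blocks the resource from being created."""
    hits = evaluate_initiative(INITIATIVE, [resource]).get(resource["name"], [])
    return any(effect == "deny" for _, effect in hits)


def cost_by_tag(resources, tag):
    """Roll up monthly cost by a tag value; untagged resources surface as their own bucket."""
    totals = defaultdict(int)
    for r in resources:
        totals[r["tags"].get(tag, "(untagged)")] += r["monthly_cost"]
    return dict(totals)


if __name__ == "__main__":
    print(evaluate_initiative(INITIATIVE, RESOURCES))
    print(cost_by_tag(RESOURCES, "costcenter"))
```

The untagged bucket in the cost rollup is the practical reason the require-tag policies use deny rather than audit: once a resource exists without a cost center, nobody owns its bill.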
-----

Core Architecture Components:

Management Groups > Subscriptions > Resource Groups > Resources (each level can contain the next)
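This hierarchy is also the backbone of Azure RBAC from the Core Azure Identity Services section above: a role assignment made at a scope is inherited by every scope beneath it, a role's NotActions carve exceptions out of its Actions, and a deny assignment overrides any role. The following is an added example written for these notes, not Azure's authorization service; the hierarchy, principals, role definitions and assignments are constructed, while action names follow Azure's Provider/resourceType/operation layout.

```python
# Added example (not Azure's authorization service): how Azure RBAC decides
# "who can do what, where". A role assignment made at a scope is inherited by
# every child scope (management group -> subscription -> resource group ->
# resource), a role's NotActions carve exceptions out of its Actions, and a
# deny assignment overrides any role. The hierarchy, roles, principals and
# assignments are constructed; action names follow Azure's
# Provider/resourceType/operation layout.
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-web"
VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm2"
RG_OTHER = SUB + "/resourceGroups/rg-data"
SA1 = RG_OTHER + "/providers/Microsoft.Storage/storageAccounts/sa1"

# child scope -> parent scope (subscription IDs do not embed the management
# group, so the tree has to be modelled explicitly)
PARENT = {SUB: MG, RG: SUB, RG_OTHER: SUB, VM1: RG, VM2: RG, SA1: RG_OTHER}

ROLES = {
    "Reader": {"actions": {"*/read"}, "notActions": set()},
    "Contributor": {"actions": {"*"},
                    "notActions": {"Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"}},
    "Virtual Machine Contributor": {"actions": {"Microsoft.Compute/virtualMachines/*"},
                                    "notActions": set()},
}

# (principal, role, scope)
ROLE_ASSIGNMENTS = [
    ("alice", "Reader", MG),
    ("bob", "Virtual Machine Contributor", RG),
    ("carol", "Contributor", SUB),
]
# (principal, action pattern, scope): deny assignments win over any role
DENY_ASSIGNMENTS = [
    ("carol", "Microsoft.Compute/virtualMachines/delete", VM1),
]


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def action_matches(pattern, action):
    """Azure wildcards are case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(principal, action, scope):
    """Deny assignments first, then any inherited role whose Actions cover the
    operation and whose NotActions do not exclude it."""
    chain = scope_chain(scope)
    for who, pattern, deny_scope in DENY_ASSIGNMENTS:
        if who == principal and deny_scope in chain and action_matches(pattern, action):
            return False
    for who, role, assigned_scope in ROLE_ASSIGNMENTS:
        if who != principal or assigned_scope not in chain:
            continue
        rd = ROLES[role]
        allowed = any(action_matches(p, action) for p in rd["actions"])
        excluded = any(action_matches(p, action) for p in rd["notActions"])
        if allowed and not excluded:
            return True
    return False


if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/read", VM1))
    print(is_allowed("carol", "Microsoft.Compute/virtualMachines/delete", VM1))
```

Two least-privilege points fall out of the model: Reader granted at the management group reaches every resource below it, which is convenient for auditors and dangerous if that principal is compromised, and Contributor's NotActions are what stop it from granting itself Owner via a role assignment write.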

---------
Microsoft's six key privacy principles:
Control: We will put you in control of your privacy with easy-to-use tools and
clear choices.
Transparency: We will be transparent about data collection and use so you can make
informed decisions.
Security: We will protect the data you entrust to us through strong security and
encryption.
Strong legal protections: We will respect your local privacy laws and fight for
legal protection of your privacy as a fundamental human right.
No content-based targeting: We will not use your email, chat, files or other
personal content to target ads to you.
Benefits to you: When we do collect data, we will use it to benefit you and to make
your experiences better.

-------
Zero Trust principles
Verify explicitly
Always authenticate and authorize based on all available data points, including
user identity, location, device health, service or workload, data classification,
and anomalies.

Use least privileged access

Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based
adaptive policies, and data protection to help secure both data and productivity.

Assume breach
Minimize blast radius and segment access. Verify end-to-end encryption and use
analytics to get visibility, drive threat detection, and improve defenses.
