# SC-300 Microsoft Identity and Access Administrator
###### tags: `Azure` `Microsoft` `SC-300` `Identity and Access` `Security`
2022/3/24: content moved to Blogspot
https://bradctchen.blogspot.com/2022/03/sc-300-microsoft.html
MicrosoftLearning/SC-300-Identity-and-Access-Administrator
https://github.com/MicrosoftLearning/SC-300-Identity-and-Access-Administrator
Link to labs (HTML format)
SC-300-IDENTITY-AND-ACCESS-ADMINISTRATOR
https://microsoftlearning.github.io/SC-300-Identity-and-Access-Administrator/
Authentication: confirming the user's identity
Authorization: granting permissions and roles
* Implement an Identity Management Solution
* Implement an Authentication and Access Management Solution
* Implement Access Management for Apps
* Plan and Implement an Identity Governance Strategy
## SC-300: Implement an Identity Management Solution
* Implement the initial configuration of Azure Active Directory
* Create, configure, and manage identities
* Implement and manage external identities
* Implement and manage hybrid identity
Azure AD security features are supported differently depending on the license option:
* Azure AD Free
* Azure AD Premium P1
* Azure AD Premium P2
* Microsoft 365 Apps (basic)
| Features | Free | Microsoft 365 Apps (basic) | Premium P1 | Premium P2 |
| -------- | -------- | -------- | -------- | -------- |
| MFA only for admin | V | V | V | V |
| MFA only for user | | | V | V |
| Single sign-on | V | V | V | V |
| Conditional Access | | | V | V |
| Identity Protection | | | | V |
| Custom Role | X | | | |
| Self-service password reset (SSPR) | X | | | V |
| Customization of the smart lockout settings | | | V | V |
Licensing requirements for Azure Active Directory self-service password reset
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing
Custom Domain
Admin access to Azure and Azure AD
Azure Portal - https://portal.azure.com
Azure AD Admin Portal - https://aad.portal.azure.com
M365 Admin Center - https://admin.microsoft.com
Cloud App Security (MCAS) Portal - https://portal.cloudappsecurity.com
Conditional Access policies can also control devices.
1. Azure AD joined devices
Scenario: cloud-first or cloud-only organization
Organization-owned devices
The device authenticates to the cloud first and then accesses on-premises resources
Windows 10 devices only (not the Home edition)
2. Hybrid Azure AD joined devices
The device authenticates to the on-premises corporate AD first and then accesses the cloud, or authenticates to Azure AD first and then accesses on-premises resources
Active Directory machine authentication (requires an AD computer account, so the device must run Windows 7 or later and cannot be a Home edition)
In the Azure portal there are only two settings: Register and Join
Default Directory > Devices | Device settings
Users may join devices to Azure AD - All/Selected/None
Users may register their devices with Azure AD - All/None
Delegation
Administrative units
1. Create a new administrative unit
2. Assign roles
e.g. Authentication administrator, Cloud device administrator, Groups administrator, Password administrator, etc.
3. Add users or groups
Delegating app administration
* Application Administrator role
* Cloud Application Administrator role
Delegating app registration
* Application Developer role
Delegating app ownership
* Enterprise Application Owner role
* Application Registration role
Default Directory > Properties
Tenant properties > Manage Security defaults > Enable Security defaults: yes/no
Security defaults control the following five settings:
1. Requiring all users to register for Azure AD Multi-Factor Authentication
2. Requiring administrators to perform multi-factor authentication
3. Blocking legacy authentication protocols
4. Requiring users to perform multi-factor authentication when necessary
5. Protecting privileged activities like access to the Azure portal
Default Directory | User settings
Enterprise applications
App registrations
Restrict access to Azure AD administration portal: yes/no
LinkedIn account connections
Allow users to connect their work or school account with LinkedIn
Data...
yes/no
External collaboration settings
Guest user access
[ ] Guest users have the same access as members (most inclusive)
[ ] Guest users have limited access to properties and memberships of directory objects
[ ] Guest user access is restricted to ...
Guest invite settings
[ ] Anyone in the ...
[ ] Member users and users assigned to ...
[ ] Only users assigned ...
[ ] No one in the ...
![](https://i.imgur.com/vJMSBPk.png)
Identity Providers
![](https://i.imgur.com/ADt8SaM.png)
![](https://i.imgur.com/bTuEqXA.png)
* Guest users have the same access as members (most inclusive): This option gives guests the same access to Azure AD resources and directory data as member users.
* Guest users have limited access to properties and memberships of directory objects: (Default) This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups.
* Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): With this setting, guests can access only their own profiles. Guests are not allowed to see other users' profiles, groups, or group memberships.
![](https://i.imgur.com/M22goaz.png)
* Anyone in the organization can invite guest users including guests and non-admins (most inclusive): To allow guests in the organization to invite other guests including those who are not members of an organization, select this radio button.
* Member users and users assigned to specific admin roles can invite guest users including guests with member permissions: To allow member users and users who have specific administrator roles to invite guests, select this radio button.
* Only users assigned to specific admin roles can invite guest users: To allow only those users with administrator roles to invite guests, select this radio button. The administrator roles include Global Administrator, User Administrator, and Guest Inviter.
* No one in the organization can invite guest users including admins (most restrictive): To deny everyone in the organization from inviting guests, select this radio button.
* If Members can invite is set to No and Admins and users in the guest inviter role can invite is set to Yes, users in the Guest Inviter role will still be able to invite guests.
![](https://i.imgur.com/WZdmvkR.png)
* You can create either an allow list or a deny list. You can't set up both types of lists. By default, whatever domains are not in the allow list are on the deny list, and vice versa.
* You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one.
* The number of domains you can add to an allow list or deny list is limited only by the size of the policy. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allow list or deny list and any other parameters configured for other features.
* This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or deny list for OneDrive for Business and SharePoint Online.
* The list does not apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.
Default Directory > Enterprise applications | User settings
Enterprise applications
Users can add gallery apps to My Apps: yes/no
Admin consent requests
Users can request admin consent to apps they are unable to consent to: yes/no
Who can review admin consent requests
Reviewer Type Reviewers
Office 365 Settings
A new user is created with the Member type and can have one of two Sources:
Windows Server AD
Azure Active Directory
A new guest user is created with the Guest type and can have several Sources, depending on the user's email address:
Inviter User (the domain is your own organization's @onmicrosoft domain, or a personal Microsoft account such as @outlook.com or @hotmail.com; this is B2C)
Microsoft Account
Azure Active Directory
External Azure Active Directory (another organization, e.g. @abc.com; this is B2B)
Bulk invite
CSV file (required columns: Email address, Redirection url)
![](https://i.imgur.com/twMafsj.png)
* Email address to invite - the user who will receive an invitation
* Redirection url - the URL to which the invited user is forwarded after accepting the invitation.
![](https://i.imgur.com/XwIPncE.png)
Bulk create
Select New guest user
![](https://i.imgur.com/avB2rK8.png)
The next page has Invite user selected
![](https://i.imgur.com/yXPKc6P.png)
Select New user
![](https://i.imgur.com/GtcsrVj.png)
The next page has Create user selected
![](https://i.imgur.com/wb4kkdN.png)
When inviting a Microsoft account:
![](https://i.imgur.com/NbQ9wEC.png)
The user receives an invitation email
![](https://i.imgur.com/fFicrtg.png)
When the user clicks Accept invitation:
![](https://i.imgur.com/Dnsc7LS.png)
After accepting, the user is redirected to a personal page
![](https://i.imgur.com/C1UitOf.png)
Create, configure, and manage groups
Security groups:
Have a SID and can be used to access Azure AD
The most commonly used group type
Used to manage access to resources
Microsoft 365 groups: no SID; used to access M365
Access to shared mailboxes, calendars and SharePoint
Group type
Security: Assigned/Dynamic user/Dynamic Device
Microsoft 365: Assigned/Dynamic user
Office 365 Group:
need to collaborate using shared files, group email, and shared calendar
Distribution Group:
need to send communications to everyone on the list
Mail-enabled Security Group:
assigned permissions to a Network Folder, SharePoint site/library, shared printer
Security Group:
access to a resource
members of Office 365 Group:
Users Only
members of Distribution group:
Mail-enabled Security, other Distribution groups and Users
members of Mail-enabled Security group:
Distribution, other Mail-enabled Security groups and Users
members of Security groups:
Distribution, Mail-enabled Security, Security groups and Users
License
* Azure AD: Free, P1, P2
* O365: E3, G3
An Azure AD license can be assigned to a user or to a group
If the user has no Usage location set, license assignment fails
https://github.com/rgl/azure-content/blob/master/articles/cdn/cdn-country-codes.md
When assigning a license to a group:
1. Assigning the license
A Microsoft 365 group created through the Azure portal has the security attribute, so a license can be assigned to it
A Microsoft 365 group created through Microsoft 365 has no security attribute, so a license cannot be assigned to it
2. Licenses are granted only to the member users of the group itself, not to users in nested groups
Azure AD licenses
FREE
--------
Device Register / Join
Azure AD Business to Business (B2B) -- 1.0 Endpoint
Guest -----> School or work MS account / other organizations' email accounts
Run Assigned Apps
Azure AD Business to Consumer (B2C) -- 2.0 Endpoint
User ---> Personal MS account / social account
Admin or Access
OFFICE 365 APPS (BASIC)
-----------------------------
Self-service password reset (SSPR)
PREMIUM P1
---------------
Multi-Factor Authentication (MFA)
Password Write-Back
Conditional Access Policy
Dynamic groups
Banned Password Lists
Custom Roles
Group-based Licensing
PREMIUM P2
---------------
Privileged Identity Management (PIM)
-Just in Time (JIT) Administration
-Report for Admins
Identity Protection (IP)
Risk based Conditional Access Policy
Access Reviews
Entitlement Management
AD Connect
## SC-300: Implement an Authentication and Access Management Solution
* Secure Azure Active Directory users with Multi-Factor Authentication
* Manage user authentication
* Plan, implement, and administer Conditional Access
* Manage Azure AD Identity Protection
Lab 12 ~ Lab 19
* Password complexity rules
* Password expiration rules
* Self-service password reset (SSPR) - Microsoft 365 Basic
* Azure AD Identity Protection - P2
* Azure AD password protection - notifications for sign-ins from unusual locations
* Azure AD smart lockout - locks the account according to severity
* Azure AD Application Proxy
* Single sign-on (SSO)
* Azure AD Connect
* Azure AD MFA & Conditional Access
Always think Zero Trust
Always Verify - Least Access Principle - Assume Breach
(Verify explicitly / Use least-privilege access / Assume breach)
Verify explicitly
Always authenticate and authorize based on all available data points.
Use least-privilege access
Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach
Minimize the blast radius and segment access. Verify end-to-end encryption and use analytics to gain visibility, drive threat detection, and improve defenses.
Azure AD MFA
1. Account password: the account must have a password
2. Default account security features: there are four, and at least one must be enabled
3. Additional account security features
Azure AD SSPR
Six account security features (some are the same as for MFA)
Authentication factors
Something you know: username and password
Something you have: token device, USB key, cell phone, etc.
Something you are: successful verification
Conditional Access
Scenario: sign-in risk
Conditional Access policy - Grant - [V] Require MFA
Scenario: the user is at medium risk (the sign-in method is risky) and must change their password
User risk - high/medium/low/no risk (selecting at least Medium is recommended)
Conditional Access policy - Conditions - [V] Require password change
MFA
Default Directory > Security > MFA
Verification methods
[ ] Call to phone
[ ] Text message to phone
[ ] Notification through mobile app
[ ] Verification code from mobile app or hardware token
Use the search feature and search for multi-factor.
![](https://i.imgur.com/H6EzNIj.png)
On the Getting started page, under Configure, select Additional cloud-based MFA settings
![](https://i.imgur.com/wiqba7y.png)
![](https://i.imgur.com/0WdHLOj.png)
![](https://i.imgur.com/c9bHdWa.png)
#### Set up Conditional Access policy rules that enforce MFA for users accessing specific apps on your network
Select Azure Active Directory > Security > Conditional Access.
![](https://i.imgur.com/rWz3Thk.png)
Users or workload identities
![](https://i.imgur.com/HKasskd.png)
Cloud apps or actions
![](https://i.imgur.com/IHHXWAI.png)
Locations
![](https://i.imgur.com/9IA02jj.png)
Access Controls - Grant
![](https://i.imgur.com/d1uHevs.png)
Enable policy to On
![](https://i.imgur.com/itN0iiU.png)
#### Configure Azure AD Per-User MFA
At the top of the Users pane, select Per-user MFA.
![](https://i.imgur.com/GUHhKOd.png)
You can enable or disable MFA on a user basis by selecting a user and then using the quick steps on the right side.
![](https://i.imgur.com/bYw8GyA.png)
Read the notification popup if you get it, then select the Enable multi-factor auth button.
![](https://i.imgur.com/BJh5pLk.png)
SSPR (Self service password reset)
Azure Active Directory blade.
Under Manage, select Password reset.
![](https://i.imgur.com/zEm4qsk.png)
![](https://i.imgur.com/VfG3DKG.png)
On the Password reset blade Properties page, under Self service password reset enabled, select Selected.
Select Select group.
In the Default password reset policy pane, select the SSPRTesters group.
On the Password reset blade Properties page, select Save.
![](https://i.imgur.com/6VfoUup.png)
Under Manage, select and review the default values for the Authentication methods, Registration, Notifications, and Customization settings.
Authentication methods
![](https://i.imgur.com/fYgNes3.png)
Registration
![](https://i.imgur.com/4ADKVZH.png)
Notifications
![](https://i.imgur.com/Hr7WpKd.png)
Customization
![](https://i.imgur.com/98fdAHh.png)
Register a mobile phone number
https://aka.ms/ssprsetup
![](https://i.imgur.com/l1mZXCg.png)
![](https://i.imgur.com/2WLq3bi.png)
![](https://i.imgur.com/zSYGGZj.png)
![](https://i.imgur.com/ExVhpSq.png)
Open a different browser or open an InPrivate or Incognito browser session and then browse to https://portal.azure.com.
Enter yourAzureAD_UserAccount@ <<organization-domain-name>>.onmicrosoft.com and then select Next.
Note - Replace the organization-domain-name with your domain name.
On the Enter password page, select Forgot my password.
![](https://i.imgur.com/L5tuYjh.png)
![](https://i.imgur.com/2iQZtjR.png)
![](https://i.imgur.com/Y1iROxw.png)
![](https://i.imgur.com/W8XBSpw.png)
![](https://i.imgur.com/Pi8Ak7V.png)
![](https://i.imgur.com/vo1nJ8F.png)
What happens if you try a user not in SSPRTesters group?
As a test, open a new InPrivate browser window and try to log into the Azure Portal as GradyA, and select Forgot my password option.
![](https://i.imgur.com/K3hGrMZ.png)
Lab 14 - Working with security defaults
Organizations that choose to implement Conditional Access policies that replace security defaults must disable security defaults.
An organization implementing Conditional Access policies must first disable security defaults.
![](https://i.imgur.com/n7KhKZw.png)
![](https://i.imgur.com/ygvBmGf.png)
Lab 15 - Implement and test a conditional access policy
![](https://i.imgur.com/9vJGQlm.png)
![](https://i.imgur.com/j2FwEKB.png)
![](https://i.imgur.com/DVtCBTV.png)
![](https://i.imgur.com/Rpjwz7a.png)
Verify that you are prevented from accessing the Azure portal.
![](https://i.imgur.com/DFqxTpL.png)
Lab 16 - Configure authentication session controls
![](https://i.imgur.com/X9w1IGs.png)
![](https://i.imgur.com/WfVVfO9.png)
![](https://i.imgur.com/FifWooA.png)
![](https://i.imgur.com/Dw5Lrqc.png)
- Conditional Access policies can be enabled in report-only mode.
- During sign-in, policies in report-only mode are evaluated but not enforced.
- Results are logged in the Conditional Access and Report-only tabs of the Sign-in log details.
- Customers with an Azure Monitor subscription can monitor the impact of their Conditional Access policies using the Conditional Access insights workbook.
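The report-only behaviour described in this list, together with the Users / Cloud apps / Locations / Grant steps of the Conditional Access lab above, as an added Python model (example code, not the page's own material or Microsoft's): each policy is evaluated against a sign-in, and a report-only policy is logged using the result names of the sign-in log's Conditional Access tab but never enforced. The policy names, users, apps and locations are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class CaPolicy:
    """A Conditional Access policy reduced to the fields set in Labs 15 and 16."""
    name: str
    state: str                                  # "enabled", "reportOnly" or "disabled"
    include_users: set
    exclude_users: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})
    include_locations: set = field(default_factory=lambda: {"All"})
    exclude_locations: set = field(default_factory=set)  # e.g. a trusted named location
    grant: str = "block"                        # "block" or "mfa"

def in_scope(p: CaPolicy, s: dict) -> bool:
    """True when the sign-in matches the policy's user, app and location assignments."""
    users = ("All" in p.include_users or s["user"] in p.include_users) and s["user"] not in p.exclude_users
    apps = "All" in p.include_apps or s["app"] in p.include_apps
    locs = ("All" in p.include_locations or s["location"] in p.include_locations) \
        and s["location"] not in p.exclude_locations
    return users and apps and locs

def evaluate(policies: list, s: dict):
    """Return (decision, results): decision is 'success', 'mfaRequired' or 'blocked';
    results holds one per-policy outcome, named like the sign-in log's Conditional Access tab."""
    decision, results = "success", []
    for p in policies:
        if p.state == "disabled":
            results.append((p.name, "notEnabled"))
            continue
        if not in_scope(p, s):
            results.append((p.name, "reportOnlyNotApplied" if p.state == "reportOnly" else "notApplied"))
            continue
        outcome = "failure" if p.grant == "block" else "mfaRequired"
        if p.state == "reportOnly":
            # Evaluated and logged only: a report-only policy never interrupts the sign-in.
            results.append((p.name, "reportOnlyFailure" if outcome == "failure" else "reportOnlyInterrupted"))
            continue
        results.append((p.name, outcome))
        if outcome == "failure":
            decision = "blocked"
        elif decision == "success":
            decision = "mfaRequired"
    return decision, results

# Constructed sample data, not from a real tenant: the Lab 15 block policy plus an MFA pilot.
POLICIES = [
    CaPolicy("Block Azure portal for GradyA", "enabled", {"GradyA"}, include_apps={"Microsoft Azure Management"}),
    CaPolicy("Require MFA everywhere (pilot)", "reportOnly", {"All"}, exclude_locations={"HQ trusted"}, grant="mfa"),
]
SIGNINS = [
    {"user": "GradyA", "app": "Microsoft Azure Management", "location": "Unknown"},
    {"user": "AlexW", "app": "Office 365", "location": "HQ trusted"},
    {"user": "AlexW", "app": "Office 365", "location": "Unknown"},
]

if __name__ == "__main__":
    for s in SIGNINS:
        print(s["user"], s["app"], s["location"], "->", evaluate(POLICIES, s))
```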
Lab 17 - Manage Azure AD smart lockout values
![](https://i.imgur.com/gthpDL5.png)
![](https://i.imgur.com/t9ZXhxK.png)
In the Password protection settings, in the Lockout duration in seconds box, set the value to 120.
Next to Mode, select Enforced.
![](https://i.imgur.com/OFv0SgA.png)
NOTE - When the smart lockout threshold is triggered, you will get the following message while the account is locked:
Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.
Protect user accounts from attacks with Azure Active Directory smart lockout
https://docs.microsoft.com/zh-tw/azure/active-directory/authentication/howto-password-smart-lockout
By default, smart lockout locks the account out of sign-in attempts for one minute after 10 failed attempts for Azure Public and Azure China 21Vianet tenants (3 for Azure US Government tenants). The account locks again after each subsequent failed sign-in attempt, for one minute at first and for longer periods on later attempts. To minimize the ways an attacker could work around this behavior, Microsoft does not disclose the rate at which the lockout period grows over additional failed sign-in attempts.
Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior does not cause the account to lock out.
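An added Python model of the lockout counter just described (example code, not the page's or Microsoft's): it locks after `threshold` distinct bad passwords, does not count repeats of the last three bad password hashes, and makes each later lockout longer. The doubling of the lockout period, the reset on a successful sign-in, and the sample passwords are assumptions, since the real growth rate is not published.

```python
import hashlib
from collections import deque

class SmartLockout:
    """Model of the smart lockout behaviour described above, for one account.

    threshold=10 and lockout_seconds=60 are the documented defaults (use threshold=3
    for Azure US Government). Microsoft does not publish how later lockouts grow, so
    the doubling used here is a placeholder assumption, not the real rate.
    """

    def __init__(self, threshold=10, lockout_seconds=60, tracked_hashes=3):
        self.threshold = threshold
        self.base_lockout = lockout_seconds
        self.recent_bad = deque(maxlen=tracked_hashes)  # last N bad password hashes
        self.failures = 0       # distinct bad passwords since the last success
        self.lockouts = 0       # lockouts since the last success
        self.locked_until = 0.0

    @staticmethod
    def _digest(password: str) -> str:
        # Only a hash of the bad password is kept (SHA-256 here is a stand-in)
        return hashlib.sha256(password.encode()).hexdigest()

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def attempt(self, password: str, correct: bool, now: float) -> str:
        """Process one sign-in attempt at time `now`; returns 'locked', 'success' or 'failure'."""
        if self.is_locked(now):
            return "locked"
        if correct:
            self.failures, self.lockouts = 0, 0   # assumed: a good sign-in clears the history
            self.recent_bad.clear()
            return "success"
        digest = self._digest(password)
        if digest in self.recent_bad:
            # Same wrong password again: does not increment the lockout counter
            return "failure"
        self.recent_bad.append(digest)
        self.failures += 1
        if self.failures >= self.threshold:
            # First lockout lasts base_lockout; every later one is longer (assumed doubling)
            self.locked_until = now + self.base_lockout * (2 ** self.lockouts)
            self.lockouts += 1
            return "locked"
        return "failure"

def demo() -> list:
    """Constructed scenario: 10 distinct wrong passwords, a retry after the lockout lapses, then success."""
    acct = SmartLockout()
    log = [acct.attempt(f"Wrong{i}!", False, now=float(i)) for i in range(10)]
    log.append(acct.attempt("Wrong99!", False, now=70.0))   # locked again, now for 120 s
    log.append(acct.attempt("Correct-Pass", True, now=200.0))
    return log
```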
### Azure Identity Protection (Azure IP)
Risk detection
Defines the response actions to take for users with anomalous sign-ins
Lab 18 - Enable sign in and user risk policies
Azure Active Directory > Security > Identity protection > User risk policy.
![](https://i.imgur.com/j8S3f13.png)
![](https://i.imgur.com/CepbegH.png)
![](https://i.imgur.com/q1seE4k.png)
Conditional Access controls which users, or which conditions, require MFA
Azure Identity Protection instead targets users with anomalous sign-ins and prompts them that MFA must be enabled
Lab 19 - Configure an Azure AD multi-factor authentication registration policy
![](https://i.imgur.com/ThuT4ns.png)
Under Controls, notice that the Require Azure AD MFA registration is selected and cannot be changed.
Under Enforce Policy, select On and then select Save.
![](https://i.imgur.com/AxUp0ZL.png)
## SC-300: Implement Access Management for Apps
* Plan and design the integration of enterprise apps for SSO
* Implement and monitor the integration of enterprise apps and SSO
* Implement app registrations
Lab 20 ~ Lab 24
* Discover apps by using MCAS or ADFS app report
* Design and implement access management for apps
* Design and implement app management roles
* Configure pre-integrated (gallery) SaaS apps
How to protect cloud apps
1. MCAS (Microsoft Cloud App Security) app report
CASB - Cloud Access Security Broker - An on-premises or cloud-based security policy enforcement point, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
MDCA - Microsoft Defender for Cloud Apps - Microsoft implementation of a CASB service to protect data, services, and applications with enterprise policies. It provides supplemental reporting and analytics services
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes
2. ADFS (Active Directory Federation Services) app report
* App registrations: apps in the cloud, published to users through Azure; a service principal is created in Azure AD, and the app also appears in the Enterprise applications blade
* Enterprise applications: apps in the cloud, published to users through Azure; no service principal in Azure AD
* Application proxy: on-premises apps,
Lab 20 - Implement access management for apps
Open the portal menu and then select Azure Active Directory.
On the Azure Active Directory blade, under Manage, select Enterprise applications.
In the Enterprise applications pane, select + New application.
![](https://i.imgur.com/cNjZSsn.png)
In the results, select GitHub Enterprise Cloud – Enterprise Account.
![](https://i.imgur.com/LKPhrAW.png)
![](https://i.imgur.com/9UXrWF3.png)
![](https://i.imgur.com/y50CMtS.png)
![](https://i.imgur.com/7T598ea.png)
Lab 21 - Create a custom role to manage app registration
![](https://i.imgur.com/mtZXkPu.png)
![](https://i.imgur.com/DROn7jj.png)
![](https://i.imgur.com/nsMJPkt.png)
Least privilege: the custom role provides
1. The ability to configure and enforce application single sign-on or service principal creation
2. The ability to assign an enterprise application to a set of users or groups
Why pick those two - For application provisioning these two items are the bare minimum permissions needed to enable and enforce single sign-on for the application or service principal being created, and to be able to assign the enterprise application to a set of users or groups. Other permissions could also be granted. You can get a full list of available permissions at https://docs.microsoft.com/azure/active-directory/roles/custom-enterprise-app-permissions
Lab 22 - Register an application
![](https://i.imgur.com/PWIcRo0.png)
![](https://i.imgur.com/QOvyM93.png)
Lab 23: Grant tenant-wide admin consent to an application
## SC-300: Plan and Implement an Identity Governance Strategy
* Plan and implement entitlement management
* Plan, implement, and manage access reviews
* Monitor and maintain Azure Active Directory
Lab 25 ~ Lab 31