Kerberos may be considered the old-timer of authentication protocols, but Active Directory still relies heavily on it. That’s why Microsoft is now using a new strategy to address vulnerabilities. IT pros may operate the same way they did before but might not get the same results they once did.
Azure & Active Directory Center
ENow Software's Azure & Active Directory blog built by Microsoft MVPs for IT/Sys Admins.
Want to learn more about Active Directory?
Active Directory Administration Cookbook, 2nd Edition
In this book, Microsoft MVP & Technical Editor of ENow's Azure & Active Directory Center, Sander Berkouwer will share the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for administration in the cloud and on Windows Server 2019.
Introduction to Identity
With organizations moving workloads to the cloud, they no longer have...
Lightweight Directory Access Protocol (LDAP) is a directory service protocol used to search for information within Active Directory, and a useful tool that can assist you with Active Directory monitoring. LDAP is used to search your Active Directory database for information about users, computers, and groups. LDAP queries can be run from many different tools, including PowerShell, ldapsearch, VBScript, and the Saved Queries feature in Active Directory Users and Computers.
Preparing Active Directory for the Cloud
IT departments in organizations of all sizes can expect to be moving resources to one cloud or another in the very near future. This is becoming a fact that all IT professionals are going to need to deal with in the coming years.
AAD Roles for EXO Administrators
In one of my other articles “Accessing Exchange Online Objects” I outlined how you can interact with these objects. When you need to scope apps with application permissions to a subset of mailboxes, we can use ApplicationAccessPolicies as outlined here by Microsoft.
Microsoft 365 offers a wide variety of services beyond its core workloads such as Exchange Online and Microsoft Teams. In particular, you can use Azure Active Directory as your primary Identity Provider (IdP). This allows you to move authentication for your legacy applications from on-premises to Azure.
Last week I shared part one of my Microsoft 365 Security Assessment where we took a deep dive into securing things related to Azure Active Directory. If you haven’t had a chance to read through it yet, take a few minutes and read it here.
Now that we’re all on the same page, let’s dive into part two, where we’ll cover security settings in the Microsoft 365 Admin Center.
Moving on to the Microsoft 365 Admin Center
Turn ON modern authentication
Modern authentication is what allows you to enforce MFA and other identity-based security features. Products that don’t use “modern authentication” use what we call “Legacy Authentication” (obviously) or “Basic Authentication”, which authenticates a user with nothing more than a username and password pair. The example shown in Figure 14: Basic authentication prompt is using legacy authentication, also known as basic authentication.
My email address is my identity
In on-premises Active Directory or Azure Active Directory (AAD), used by Office 365, our User Principal Name (UPN) is often the same as our email address. These days we often log in with our email address, which means that whatever we’re “using under the hood” from an authentication point of view is the same as our email address. This convention of making our email address the same as our UPN is common practice and is even advocated by Microsoft.