Kerberos may be considered the old-timer of authentication protocols, but Active Directory still relies heavily on it. That’s why Microsoft is now using a new strategy to address vulnerabilities. IT Pro's may operate the same way they did before but might not get the same results as they once did.
With organizations moving workloads to the cloud, they no longer have the traditional network security boundaries to manage access to applications and data. Therefore, identity is now the primary control plane in the cloud. This means that organizations control capabilities based on either the user identity or the device identity or a combination of both, using controls such as conditional access policies, compliance policies, self-service, single sign-on and automatic account provisioning and deprovisioning to cloud software as a services (SaaS).
Lightweight Directory Access Protocol (LDAP) is a directory service protocol that is used to search for information within your Active Directory and a useful tool that can better assist you with Active Directory Monitoring. LDAP is used to search your active directory for information about users, computers, and groups within your Active Directory database. LDAP queries can be run from multiple different tools including PowerShell, ldapsearch, VB Scripts, and the saved queries feature in Active Directory Users and Computers.
IT departments in organizations of all sizes can expect to be moving resources to one cloud or another in the very near future. This is becoming a fact that all IT professionals are going to need to deal with in the coming years.
There is no doubt that Microsoft has fully embraced The Cloud. While “Mobile first, cloud first” might be a silly statement, there is no doubt that Microsoft means it. There are very few on-premises products that Microsoft has much interest in selling at all. If there is a cloud-based option for any solution, Microsoft is going to push that cloud version at the expense of the on-premises version.
In one of my other articles “Accessing Exchange Online Objects” I outlined how you can interact with these objects. When you need to scope apps with application permissions to a subset of mailboxes, we can use ApplicationAccessPolicies as outlined here by Microsoft.
Microsoft 365 offers a wide variety of services beyond the full stack of services like Exchange Online, Microsoft Teams, etc. In particular, you can use Azure Active Directory as your primary Identity Provider (IdP). This allows you to move authentication of your legacy applications from on-premises to Azure.
Last week I shared part one of my Microsoft 365 Security Assessment where we took a deep dive into securing things related to Azure Active Directory. If you haven’t had a chance to read through it yet, take a few minutes and read it here.
Now that we’re all on the same page, lets dive into part two, where we’ll cover security settings in the Microsoft 365 Admin Center.
As a Microsoft 365 certified Security Administrator, and Microsoft certified Azure Security Engineer I have recently done a number of Microsoft 365 security assessments. Some of them have been post-breach assessments. A lot of companies had to enable remote workers in a hurry at the start of the COVID-19 pandemic, and as a result have realized security configuration and protection is more critical than ever.
In Active Directory on-premises or Azure Active Directory (AAD), used by Office 365, our User Principal Name (UPN) is often the same as our email address. These days, we often log in with our email addresses, which means that whatever we’re “using under the hood” from an authentication point of view is the same as our email address. This convention of making our email address the same as our UPN is common practice and even advocated by Microsoft.
