Flow 1: legacy authentication client, federated tenant (Exchange Online proxies the credentials to AD FS)
(Diagram: Microsoft Azure Active Directory, Windows Server Active Directory, Exchange Online)

Step 1 | AuthN state: Not authenticated | Platform: Exchange Online
Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to AD FS.
Attack stage: Password brute forcing / spray. Denial of service via account lockout.
Logging: None.
Protections:
• Exchange Online IP Block List. Listed IP addresses will not be proxied to AD FS for authentication. Set using Set-OrganizationConfig -IPListBlocked.
• Exchange Online Authentication Policies. Authentication requests for users with disabled protocols will not be proxied to AD FS. A default policy can be configured to block protocols by default for new users.
Step 2 | AuthN state: Not authenticated | Platform: AD FS
Description: AD FS accepts the connection from Exchange Online and processes the authentication request. The password is incorrect.
Attack stage: Password brute forcing / spray. Denial of service via account lockout.
Logging:
• AD FS Auditing: WS2012R2 and above will log event 411 in the Security log, containing the username and the client IP forwarded by Exchange Online. This script can be used to parse the logs. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
• Azure AD Connect Health: the Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
Protections:
• AD FS Extranet Lockout Protection: WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords. This reduces the number of tries an attacker gets at guessing a user's password, and it prevents Active Directory accounts from being locked out if a lockout policy has been configured.
• AD FS Extranet Smart Lockout: Extranet Lockout in WS2016 has been extended to maintain a list of familiar locations (IP addresses) for users, to prevent blocking legitimate users.
• Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
Step 3 | AuthN state: Authenticated | Platform: AD FS
Description: AD FS successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
• Successful password brute force / spray
• Social engineering (e.g. phishing)
• Breach data re-use
Attack stage: Unauthorised access.
Logging:
• Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
• AD FS Auditing provides rich event information. This data is useful when investigating specific events. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
Protections:
• Block legacy authentication protocols using Issuance Authorization Rules in AD FS. These rules can be crafted to only block or allow access from specific locations. Due to the complexity of this method, it is recommended to implement the block using Azure AD Conditional Access (see next step).
Step 4 | AuthN state: Authenticated | Platform: Azure AD
Description: Azure AD receives the token issued by AD FS from Exchange Online, evaluates Conditional Access and applies the corresponding controls.
Attack stage: Unauthorised access.
Logging:
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
• Risk events reporting in Azure AD uses machine learning algorithms to detect users' suspicious activities. Each alert is assigned a risk that represents the severity and confidence. Risk events are accessible via the Graph API.
Protections:
• Azure AD Conditional Access can be configured to block clients using Legacy Authentication.
Step 5 | AuthN state: Authenticated | Platform: Exchange Online
Description: Exchange Online receives the authentication response from Azure AD.
Attack stage: Unauthorised access to the organization's data (mailbox, GAL, etc.).
Logging: Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Client protocols can be disabled for Exchange Online mailboxes. Always disable protocols that are not needed, such as POP3, IMAP, SMTP, etc.
• Exchange Online Client Access Rules can be used to block access depending on different client properties like authentication type, IP address, etc.
Flow 2: legacy authentication client, cloud-authenticated tenant (Exchange Online proxies the credentials to Azure AD)
(Diagram: Microsoft Azure Active Directory, Windows Server Active Directory, Exchange Online)

Step 1 | AuthN state: Not authenticated | Platform: Exchange Online
Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to Azure AD.
Attack stage: Password brute forcing / spray. Denial of service via account lockout.
Logging: None.
Protections:
• Exchange Online IP Block List. Listed IP addresses will not be proxied to Azure AD for authentication. Set using Set-OrganizationConfig -IPListBlocked.
• Exchange Online Authentication Policies. Authentication requests for users with disabled protocols will not be proxied to Azure AD. A default policy can be configured to block protocols by default for new users.
Step 2 | AuthN state: Not authenticated | Platform: Azure AD
Description: Azure AD receives the authentication request from Exchange Online and processes it. The password is incorrect.
Attack stage: Password brute forcing / spray. Denial of service via account lockout.
Logging:
• Azure AD logs a sign-in failure with error code 50126. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Smart Lockout protects each account individually by locking out bad actors after 10 bad passwords (configurable), but lets real users continue to access their accounts. It works in all cloud authentication scenarios.
• IP Lockout is a service-level protection to block attacks coming from specific IP addresses.
• Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
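As an added example of the kind of analysis a SIEM can run once these sign-in logs are exported (it is not code from the slides or from Microsoft), the script below parses constructed Azure AD sign-in records laid out like the Microsoft Graph signIn resource and correlates error 50126 failures per source IP: many distinct users from one IP inside a short window is the password-spray signature, while many failures for one user from one IP is brute forcing. The window and thresholds, the sample records, and the detect() and triage() helper names are assumptions made for this example.

```python
"""Password-spray and brute-force triage over Azure AD sign-in records.

Added example, not from the slides. The records are constructed; the field
names follow the Microsoft Graph signIn resource (createdDateTime,
userPrincipalName, ipAddress, clientAppUsed, status.errorCode) but nothing
here was captured from a real tenant. Error code 50126 is the bad-password
failure the slide says Azure AD logs. Window and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126                    # invalid username or password
WINDOW = timedelta(minutes=15)          # assumed correlation window
SPRAY_USERS = 5                         # assumed: distinct users per IP in window
BRUTE_ATTEMPTS = 5                      # assumed: failures per (IP, user) in window


def _rec(minute, user, ip, code, app="IMAP4"):
    """Build one constructed sign-in record as the JSON line a SIEM would ingest."""
    ts = datetime(2024, 1, 1, 9, minute)
    return json.dumps({
        "createdDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "userPrincipalName": f"{user}@contoso.com",
        "ipAddress": ip,
        "clientAppUsed": app,
        "status": {"errorCode": code},
    })


# Constructed sample: one IP trying five users once each (spray), an office IP
# with a typo followed by a success, and one IP hammering a single account.
SAMPLE_LOG = "\n".join(
    [_rec(m, u, "198.51.100.7", BAD_PASSWORD)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_rec(0, "alice", "203.0.113.5", BAD_PASSWORD, "Browser"),
       _rec(1, "alice", "203.0.113.5", 0, "Browser")]
    + [_rec(10 + i, "frank", "192.0.2.9", BAD_PASSWORD) for i in range(6)]
)


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, adding a datetime field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect(records, window=WINDOW, spray_users=SPRAY_USERS, brute_attempts=BRUTE_ATTEMPTS):
    """Correlate 50126 failures per source IP with a sliding time window.

    Returns {"spray": {ip: max distinct users}, "brute_force": {(ip, upn): max count}}.
    """
    failures = defaultdict(list)        # ip -> [(ts, upn), ...]
    for rec in records:
        if rec["status"]["errorCode"] == BAD_PASSWORD:
            failures[rec["ipAddress"]].append((rec["ts"], rec["userPrincipalName"]))

    spray, brute = {}, {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window start forward
                start += 1
            in_window = events[start:end + 1]
            users = {u for _, u in in_window}
            if len(users) >= spray_users:
                spray[ip] = max(spray.get(ip, 0), len(users))
            per_user = defaultdict(int)
            for _, u in in_window:
                per_user[u] += 1
            for u, n in per_user.items():
                if n >= brute_attempts:
                    brute[(ip, u)] = max(brute.get((ip, u), 0), n)
    return {"spray": spray, "brute_force": brute}


def triage(text=SAMPLE_LOG):
    """Parse and detect in one call; returns the findings dict."""
    return detect(parse_signins(text))


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

The two thresholds deliberately look at different axes of the same data: a spray keeps per-user failures below any lockout threshold, so only the count of distinct users per source IP exposes it, and a real spray is often slow, so the correlation window has to be tuned upwards (hours rather than minutes) before the rule is useful against a patient attacker.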
Step 3 | AuthN state: Authenticated | Platform: Azure AD
Description: Azure AD successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
• Successful password brute force / spray
• Social engineering (e.g. phishing)
• Breach data re-use
Azure AD evaluates Conditional Access and applies the corresponding controls.
Attack stage: Unauthorised access.
Logging:
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
• Risk events reporting in Azure AD uses machine learning algorithms to detect users' suspicious activities. Each alert is assigned a risk that represents the severity and confidence. Risk events are accessible via the Graph API.
Protections:
• Azure AD Conditional Access can be configured to block clients using Legacy Authentication.
Step 4 | AuthN state: Authenticated | Platform: Exchange Online
Description: Exchange Online receives the authentication response from Azure AD.
Attack stage: Unauthorised access to the organization's data (mailbox, GAL, etc.).
Logging: Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Client protocols can be disabled for Exchange Online mailboxes. Always disable protocols that are not needed, such as POP3, IMAP, SMTP, etc.
• Exchange Online Client Access Rules can be used to block access depending on different client properties like authentication type, IP address, etc.
Flow 3: browser or Modern Authentication-capable client, federated tenant (Azure AD redirects the user to AD FS)
(Diagram: Microsoft Azure Active Directory, Windows Server Active Directory, Exchange Online)

Step 1 | AuthN state: Not authenticated | Platform: Exchange Online
Description: Attacker uses a browser or a Modern Authentication-capable client (e.g. Outlook 2016) to connect to Exchange Online. Exchange Online redirects the user to Azure AD.
Attack stage: Reconnaissance.
Logging: None.
Protections: N/A.
Step 2 | AuthN state: Not authenticated | Platform: Azure AD
Description: Azure AD presents the sign-in screen. Attacker enters a random UPN (e.g. random@contoso.com). Azure AD performs Home Realm Discovery and redirects to Contoso's IDP.
Attack stage: Reconnaissance (IDP endpoint).
Logging: None.
Protections: None.
Step 3 | AuthN state: Not authenticated | Platform: AD FS
Description: Attacker uses a tool to perform password brute forcing / spray against AD FS.
Attack stage: Password brute forcing / spray. Denial of service via account lockout.
Logging:
• AD FS Auditing: WS2012R2 and above will log event 411 in the Security log containing the username and client IP; event 510 provides more details. This script can be used to parse the logs. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
• Azure AD Connect Health: the Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
Protections:
• AD FS Extranet Lockout Protection: WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords. This reduces the number of tries an attacker gets at guessing a user's password, and it prevents Active Directory accounts from being locked out if a lockout policy has been configured.
• AD FS Extranet Smart Lockout: Extranet Lockout in WS2016 has been extended to maintain a list of familiar locations (IP addresses) for users, to prevent blocking legitimate users.
• Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
• IPs or subnets can be blocked at the network layer. This method does not provide a complete solution.
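To make the lockout behaviour concrete, here is an added example (not part of the slides and not Microsoft's implementation) that models Extranet Lockout and Extranet Smart Lockout as described for AD FS both in the first sequence on this page and in the step just above. It parses constructed event 411-style records carrying the username and the forwarded client IP, stops forwarding a user's requests to Active Directory once the bad-password count from unfamiliar IPs reaches a threshold inside an observation window, and exempts familiar IPs learned from successful sign-ins. The threshold and window values, the record layout, the hypothetical simulate() helper and the simplified familiar-location rule (familiar-IP failures are neither counted nor blocked) are all assumptions made for this example.

```python
"""Model of AD FS Extranet Lockout / Extranet Smart Lockout behaviour.

Added example, not from the slides. The records are constructed to carry the
two fields the slides say event 411 contains (username and the client IP that
Exchange Online forwards); the layout is not AD FS's real event text.
Threshold and observation window are assumed values, and the familiar-location
rule is simplified: failures from a user's familiar IPs are never counted
against, or blocked by, the unfamiliar-location counter.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                                 # assumed ExtranetLockoutThreshold
OBSERVATION_WINDOW = timedelta(minutes=30)    # assumed ExtranetObservationWindow

# Constructed event 411-style records: "<timestamp> <user> <client IP> <outcome>"
RAW_EVENTS = """\
2024-01-01T09:00:00 alice@contoso.com 198.51.100.7 bad_password
2024-01-01T09:01:00 alice@contoso.com 198.51.100.7 bad_password
2024-01-01T09:02:00 alice@contoso.com 198.51.100.7 bad_password
2024-01-01T09:03:00 alice@contoso.com 198.51.100.7 good_password
2024-01-01T09:04:00 alice@contoso.com 203.0.113.5 good_password
2024-01-01T09:05:00 bob@contoso.com 198.51.100.7 bad_password
2024-01-01T09:40:00 bob@contoso.com 198.51.100.7 bad_password
"""


def parse_events(raw):
    """Return (timestamp, user, client_ip, password_ok) tuples."""
    events = []
    for line in raw.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome == "good_password"))
    return events


class ExtranetSmartLockout:
    """Per-user bad-password counter that only counts unfamiliar locations."""

    def __init__(self, threshold=THRESHOLD, window=OBSERVATION_WINDOW, familiar=()):
        self.threshold = threshold
        self.window = window
        self.familiar = defaultdict(set)      # user -> IPs seen on a successful sign-in
        self.failures = defaultdict(list)     # user -> timestamps of unfamiliar failures
        self.forwarded_to_ad = 0              # requests that reached Active Directory
        for user, ip in familiar:
            self.familiar[user].add(ip)

    def _recent_failures(self, user, now):
        cutoff = now - self.window
        self.failures[user] = [t for t in self.failures[user] if t > cutoff]
        return len(self.failures[user])

    def evaluate(self, ts, user, ip, password_ok):
        """Return 'locked' (dropped at AD FS), 'allow' or 'deny'."""
        familiar = ip in self.familiar[user]
        if not familiar and self._recent_failures(user, ts) >= self.threshold:
            return "locked"                   # not forwarded, so AD never sees it
        self.forwarded_to_ad += 1
        if password_ok:
            self.familiar[user].add(ip)       # learn the location, reset the counter
            self.failures[user].clear()
            return "allow"
        if not familiar:
            self.failures[user].append(ts)
        return "deny"


def simulate(raw=RAW_EVENTS, familiar=(("alice@contoso.com", "203.0.113.5"),)):
    """Replay the records; returns (list of decisions, lockout state)."""
    lockout = ExtranetSmartLockout(familiar=familiar)
    decisions = [lockout.evaluate(*event) for event in parse_events(raw)]
    return decisions, lockout


if __name__ == "__main__":
    decisions, state = simulate()
    for event, decision in zip(parse_events(RAW_EVENTS), decisions):
        print(event[0].time(), event[1], event[2], decision)
    print("forwarded to AD:", state.forwarded_to_ad)
```

The fourth record is the point of the control: even a correct guess from the attacker's IP is dropped once the threshold is reached, so at most THRESHOLD bad passwords per window ever reach Active Directory and a domain lockout policy cannot be triggered from the extranet, while alice's sign-in from her familiar office IP still succeeds. The last record shows the observation window expiring for bob, so his counter starts again from one.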
Step 4 | AuthN state: Authenticated | Platform: AD FS
Description: AD FS successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
• Successful password brute force / spray
• Social engineering (e.g. phishing)
• Breach data re-use
Attack stage: Unauthorised access.
Logging:
• Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
• AD FS Auditing provides rich event information. This data is useful when investigating specific events. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
Protections:
• Azure Multi-Factor Authentication can be integrated natively with AD FS to protect other applications (Relying Parties) configured in AD FS. However, it is recommended to move these applications to Azure AD to be able to leverage the security reporting capabilities of Azure AD and the automated responses of Identity Protection.
• Issuance Authorization Rules or Access Control Policies in AD FS can be used to deny access to applications from outside the network; however, it is recommended to apply this and other controls using Azure AD Conditional Access.
Step 5 | AuthN state: Authenticated | Platform: Azure AD
Description: Attacker gets redirected to Azure AD, which receives the token issued by AD FS, evaluates Conditional Access and applies the corresponding controls.
Attack stage: Unauthorised access.
Logging:
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
• Risk events reporting in Azure AD uses machine learning algorithms to detect users' suspicious activities. Each alert is assigned a risk that represents the severity and confidence. Risk events are accessible via the Graph API.
Protections:
• Azure AD Conditional Access can be configured to enforce additional security controls before allowing access to applications. At a minimum, we recommend enforcing at least one of the following controls for extranet access:
  • MFA
  • Hybrid Join
  • Compliant Device
• Azure AD Identity Protection can be used to automatically respond to detected suspicious actions related to the organisation's identities.
Step 6 | AuthN state: Authenticated | Platform: Exchange Online
Description: Attacker gets redirected to Exchange Online.
Attack stage: Unauthorised access to the organization's data (mailbox, GAL, etc.).
Logging: Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections: Exchange Online Client Access Rules can be used to block access depending on different client properties like authentication type, IP address, etc.
Azure AD - Password attacks - logging and protections
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 

Azure AD - Password attacks - logging and protections

  • 1.
  • 2.
  • 3.
  • 4. Step 1, Exchange Online (not authenticated)
    Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to AD FS.
    Attack stage: Password brute forcing / spray. Denial of service via account lockout.
    Logging: None.
    Protections:
    - Exchange Online IP Block List. Listed IP addresses will not be proxied to AD FS for authentication. Set using Set-OrganizationConfig -IPListBlocked.
    - Exchange Online Authentication Policies. Authentication requests for users with disabled protocols will not be proxied to AD FS. A default policy can be configured to block protocols by default for new users.
  • 5. Step 2, AD FS (not authenticated)
    Description: AD FS accepts the connection from Exchange Online and processes the authentication request. The password is incorrect.
    Attack stage: Password brute forcing / spray. Denial of service via account lockout.
    Logging:
    - AD FS Auditing – WS2012R2 and above will log event 411 in the Security log containing the username and client IP forwarded by Exchange Online. A script can be used to parse the logs. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
    - Azure AD Connect Health – The Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
    Protections:
    - AD FS Extranet Lockout Protection – WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords. This reduces the number of tries an attacker gets at guessing a user's password and, provided the AD FS threshold is set lower than the Active Directory lockout threshold, prevents Active Directory accounts getting locked out where a lockout policy is configured.
    - AD FS Extranet Smart Lockout – Extranet Lockout in WS2016 has been extended to maintain a list of familiar locations (IP addresses) for each user to prevent blocking legitimate users.
    - Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
  • 6. Step 3, AD FS (authenticated)
    Description: AD FS successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
    - Successful password brute force / spray
    - Social engineering (e.g. phishing)
    - Breach data re-use
    Attack stage: Unauthorised access.
    Logging:
    - Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
    - AD FS Auditing provides rich event information. This data is useful when investigating specific events. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
    Protections:
    - Block legacy authentication protocols using Issuance Authorization Rules in AD FS. These rules can be crafted to only block or allow access from specific locations. Due to the complexity of this method, it is recommended to implement the block using Azure AD Conditional Access (see next step).
  • 7. Step 4, Azure AD (authenticated)
    Description: Azure AD receives the token issued by AD FS from Exchange Online, evaluates Conditional Access and applies the corresponding controls.
    Attack stage: Unauthorised access.
    Logging:
    - Risk events reporting in Azure AD uses machine learning algorithms to detect users' suspicious activities. Each alert is assigned a risk level that represents the severity and confidence. Risk events are accessible via the Graph API.
    - Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hubs, or stored in Azure Storage for long-term retention.
    Protections:
    - Azure AD Conditional Access can be configured to block clients using legacy authentication.
  • 8. Step 5, Exchange Online (authenticated)
    Description: Exchange Online receives the authentication response from Azure AD.
    Attack stage: Unauthorised access to the organisation's data (mailbox, GAL, etc.).
    Logging: Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
    Protections:
    - Client protocols can be disabled for Exchange Online mailboxes. Always disable protocols that are not needed, such as POP3, IMAP and SMTP.
    - Exchange Online Client Access Rules can be used to block access depending on client properties such as authentication type and IP address.
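The Extranet Lockout and Extranet Smart Lockout settings referred to in steps 2 (slide 5) and 3 of the direct AD FS scenario (slide 17), as an added example that is not part of the original deck. It is run on the primary AD FS server as an AD FS administrator; the observation window, the use of the ActiveDirectory module to read the domain lockout threshold, and the user name are assumptions for illustration.

```powershell
# Added example, not from the original deck. Run on the primary AD FS server as an
# AD FS administrator. Window length and user name are placeholders.

# Windows Server 2012 R2 and later: classic Extranet Lockout.
# After $threshold bad passwords for one user arriving via the Web Application Proxy,
# AD FS stops forwarding that user's requests to Active Directory for the observation
# window. Keep $threshold BELOW the AD account lockout threshold, otherwise the attacker
# still hard-locks the AD account and the real user loses intranet access too.
# (Get-ADDefaultDomainPasswordPolicy needs the ActiveDirectory RSAT module; assumption.)
$adLockout = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold   # 0 means "no AD lockout"
$threshold = if ($adLockout -gt 1) { $adLockout - 1 } else { 10 }

Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $threshold `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Windows Server 2016 (June 2018 update or later): Extranet Smart Lockout.
# Start in log-only mode so AD FS learns each user's familiar IP addresses without
# blocking anyone, then switch to enforce once the familiar-location lists are populated.
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutLogOnly
# ... after a period of normal traffic:
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

# Inspect a user's lockout state (bad-password counters per familiar/unknown location)
# and release a lock caused by unknown IPs without resetting the familiar counter.
Get-ADFSAccountActivity -Identity 'alice@contoso.com'
Reset-ADFSAccountLockout -Identity 'alice@contoso.com' -Location Unknown

# Confirm the effective settings.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
                  ExtranetObservationWindow, ExtranetLockoutMode
```

The threshold arithmetic is the point of the example: Extranet Lockout only prevents the account-lockout denial of service described in the "Attack stage" column when the AD FS counter trips before the Active Directory one does.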
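The Issuance Authorization Rules approach mentioned in step 3 above (slide 6) and again for the direct AD FS scenario (slide 18), as an added example that is not part of the original deck. It denies non-browser (legacy, proxied) authentication to the Office 365 relying party from the extranet while still permitting ActiveSync and a corporate egress range. The relying party name is the default one created when a domain is federated; the IP range and the decision to exempt ActiveSync are assumptions for illustration.

```powershell
# Added example, not from the original deck. Run on the primary AD FS server.
# The relying party name below is the default Office 365 trust name; the 203.0.113.0/24
# range and the ActiveSync exemption are placeholders for your own policy.
$rp = 'Microsoft Office 365 Identity Platform'

# Always keep a copy of the current rules before replacing them.
$backup = (Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
$backup | Out-File "$env:TEMP\o365-issuance-authz-rules.bak"

# Request-context claims AD FS adds to every request. insidecorporatenetwork is "false"
# when the request came through the Web Application Proxy, i.e. from the extranet.
# x-ms-endpoint-absolute-path is "/adfs/ls/" for browser (passive) sign-ins; legacy
# clients hit the active endpoints (.../usernamemixed) via Exchange Online instead.
$inside = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$app    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'
$path   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path'
$fwdIp  = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$deny   = 'http://schemas.microsoft.com/authorization/claims/deny'
$permit = 'http://schemas.microsoft.com/authorization/claims/permit'

# A deny claim wins over a permit claim, so the order of the two rules does not matter.
$rules = @"
@RuleName = "Permit everyone unless a deny rule fires"
=> issue(Type = "$permit", Value = "true");

@RuleName = "Deny legacy authentication from the extranet (except ActiveSync and corp egress)"
exists([Type == "$inside", Value == "false"])
 && NOT exists([Type == "$path", Value == "/adfs/ls/"])
 && NOT exists([Type == "$app", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$fwdIp", Value =~ "^203\.0\.113\.[0-9]{1,3}$"])
 => issue(Type = "$deny", Value = "true");
"@

# On Windows Server 2016 and later the trust may be governed by an Access Control Policy;
# raw issuance authorization rules can only be set once that policy is detached.
Set-AdfsRelyingPartyTrust -TargetName $rp -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rules

# Verify the rules that are now in force.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceAuthorizationRules
```

Note that this is exactly the "complexity" the slide warns about: the rule has to enumerate every client and endpoint you still want to allow, and a mistake in the regular expression or the endpoint path locks legitimate users out, which is why the deck steers towards Azure AD Conditional Access for the same outcome.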
  • 9.
  • 10. Step 1, Exchange Online (not authenticated)
    Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to Azure AD.
    Attack stage: Password brute forcing / spray. Denial of service via account lockout.
    Logging: None.
    Protections:
    - Exchange Online IP Block List. Listed IP addresses will not be proxied to Azure AD for authentication. Set using Set-OrganizationConfig -IPListBlocked.
    - Exchange Online Authentication Policies. Authentication requests for users with disabled protocols will not be proxied to Azure AD. A default policy can be configured to block protocols by default for new users.
  • 11. Step 2, Azure AD (not authenticated)
    Description: Azure AD receives the authentication request from Exchange Online and processes it. The password is incorrect.
    Attack stage: Password brute forcing / spray. Denial of service via account lockout.
    Logging: Azure AD logs a sign-in failure with error code 50126. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hubs, or stored in Azure Storage for long-term retention.
    Protections:
    - Azure AD Smart Lockout protects each account individually by locking out bad actors after 10 bad passwords (configurable), but lets real users continue to access their accounts. It works in all cloud authentication scenarios.
    - IP Lockout is a service-level protection that blocks attacks coming from specific IP addresses.
    - Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
  • 12. Step 3, Azure AD (authenticated)
    Description: Azure AD successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
    - Successful password brute force / spray
    - Social engineering (e.g. phishing)
    - Breach data re-use
    Azure AD then evaluates Conditional Access and applies the corresponding controls.
    Attack stage: Unauthorised access.
    Logging:
    - Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hubs, or stored in Azure Storage for long-term retention.
    - Risk events reporting in Azure AD uses machine learning algorithms to detect users' suspicious activities. Each alert is assigned a risk level that represents the severity and confidence. Risk events are accessible via the Graph API.
    Protections:
    - Azure AD Conditional Access can be configured to block clients using legacy authentication.
  • 13. Step 4, Exchange Online (authenticated)
    Description: Exchange Online receives the authentication response from Azure AD.
    Attack stage: Unauthorised access to the organisation's data (mailbox, GAL, etc.).
    Logging: Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
    Protections:
    - Client protocols can be disabled for Exchange Online mailboxes. Always disable protocols that are not needed, such as POP3, IMAP and SMTP.
    - Exchange Online Client Access Rules can be used to block access depending on client properties such as authentication type and IP address.
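The two Exchange Online controls listed for step 1 here (slide 10) and in the federated scenario (slide 4), the IP block list and authentication policies, as an added example that is not part of the original deck. It assumes an Exchange Online PowerShell session is already open with Organization Management rights; the IP addresses, policy names and the scanner account are placeholders.

```powershell
# Added example, not from the original deck. Assumes Connect-ExchangeOnline has already
# been run as an Organization Management member. Addresses and names are placeholders.

# 1. IP block list. Connections from these addresses are refused by Exchange Online and
#    are never proxied to AD FS / Azure AD, so they leave no 411 or 50126 events behind.
#    The @{Add=...} form appends; passing a plain list would overwrite existing entries.
Set-OrganizationConfig -IPListBlocked @{Add = '203.0.113.0/24', '198.51.100.17'}
(Get-OrganizationConfig).IPListBlocked

# 2. Authentication policy. New-AuthenticationPolicy with no -AllowBasicAuth* switch
#    creates a policy that blocks Basic authentication for every protocol (POP, IMAP,
#    SMTP, ActiveSync, MAPI, EWS, remote PowerShell, ...). Requests for those protocols
#    from users under the policy are dropped before any password is proxied onward.
$blockAll = New-AuthenticationPolicy -Name 'Block Basic Auth'

# Make it the tenant default so newly created users inherit it ...
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockAll.Identity

# ... and assign it explicitly to existing mailbox users.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-User -AuthenticationPolicy $blockAll.Identity

# 3. Narrow exception: a multifunction scanner that can only do Basic SMTP. Everything
#    else stays blocked for that account.
$smtpOnly = New-AuthenticationPolicy -Name 'Allow Basic SMTP only' -AllowBasicAuthSmtp
Set-User -Identity 'scanner@contoso.com' -AuthenticationPolicy $smtpOnly.Identity

# Policy assignments are cached for up to 24 hours; stamping the token timestamp forces
# Exchange Online to re-evaluate the user within minutes.
Set-User -Identity 'scanner@contoso.com' -STSRefreshTokensValidFrom ([DateTime]::UtcNow)

# Review who still sits outside the default policy.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AuthenticationPolicy -ne $blockAll.Identity } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The block list and the authentication policy act at different layers: the former keys on the source address (useful against a known spray source, useless against a distributed one), the latter on the protocol, which is why the deck lists both.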
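The Conditional Access control listed for step 3 here (slide 12) and for the federated scenario (slide 7), blocking legacy authentication clients, as an added example that is not part of the original deck. It creates the policy through the Microsoft Graph conditional access API in report-only state first, then enforces it. It assumes a Graph access token with the Policy.ReadWrite.ConditionalAccess permission is already held in $token; the break-glass group id is a placeholder.

```powershell
# Added example, not from the original deck. Assumes $token holds a Microsoft Graph
# access token with Policy.ReadWrite.ConditionalAccess, obtained however you normally do.
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$graph   = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# "exchangeActiveSync" and "other" are the client app types that cover legacy (Basic)
# authentication; "browser" and "mobileAppsAndDesktopClients" (modern auth) are untouched.
# Report-only means the policy is evaluated on every sign-in and the verdict is recorded
# in the sign-in log (appliedConditionalAccessPolicies) without blocking anyone, so you
# can see which users and devices would break before enforcing.
$policy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            # Placeholder: object id of the break-glass / emergency access group.
            excludeGroups = @('00000000-0000-0000-0000-000000000000')
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = Invoke-RestMethod -Method Post -Uri $graph -Headers $headers `
                             -Body ($policy | ConvertTo-Json -Depth 6)
"Created policy $($created.id) in state $($created.state)"

# After reviewing the report-only results in the sign-in log, switch to enforcement.
Invoke-RestMethod -Method Patch -Uri "$graph/$($created.id)" -Headers $headers `
                  -Body (@{ state = 'enabled' } | ConvertTo-Json)

# Confirm.
(Invoke-RestMethod -Method Get -Uri "$graph/$($created.id)" -Headers $headers).state
```

Blocking in Azure AD rather than in AD FS rules has one consequence worth noting against the step table: the password has already been validated by the time Conditional Access runs (step 3 is "authenticated"), so this control stops the access but does not stop the spray itself; that still needs the Exchange Online and AD FS / Smart Lockout controls from the earlier steps.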
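The mailbox auditing, protocol disabling and Client Access Rules listed for the final step here (slide 13), in the federated scenario (slide 8) and in the browser scenario (slide 20), as an added example that is not part of the original deck. It assumes an Exchange Online PowerShell session with Organization Management rights; mailbox names, IP ranges and rule names are placeholders.

```powershell
# Added example, not from the original deck. Assumes Connect-ExchangeOnline has been run
# as an Organization Management member. Names and addresses are placeholders.

# 1. Mailbox auditing: record owner, delegate and admin actions so that a compromised
#    account's inbox rules, forwarding changes and folder access are all logged.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00'

# Spot-check a mailbox: who accessed it in the last 7 days, from where, with what client.
Search-MailboxAuditLog -Identity 'alice@contoso.com' -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, Operation, LogonType, ClientIPAddress, ClientInfoString

# 2. Per-mailbox protocols: every protocol left on is another endpoint that accepts a
#    username and password. Turn off what the user does not need.
Set-CASMailbox -Identity 'alice@contoso.com' `
    -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# Find mailboxes that still have POP or IMAP enabled.
Get-CASMailbox -ResultSize Unlimited -Filter 'PopEnabled -eq $true -or ImapEnabled -eq $true' |
    Select-Object Identity, PopEnabled, ImapEnabled

# 3. Client Access Rules: evaluated by Exchange Online when the connection arrives, so a
#    matching rule stops the request before the password is proxied to AD FS / Azure AD.
#    Keep a higher-priority allow rule for admin access so a mistake cannot lock you out.
New-ClientAccessRule -Name 'Allow remote PowerShell from corp' -Priority 1 `
    -Action AllowAccess -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges '203.0.113.0/24'

New-ClientAccessRule -Name 'Block Basic auth except corp' -Priority 2 `
    -Action DenyAccess -AnyOfAuthenticationTypes BasicAuthentication `
    -ExceptAnyOfClientIPAddressesOrRanges '203.0.113.0/24'

# Dry run before trusting the rule set: would a Basic-auth IMAP logon from an unknown
# address be denied, and would an admin PowerShell session from corp still be allowed?
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol IMAP4 `
    -RemoteAddress 198.51.100.23 -RemotePort 993 -User 'alice@contoso.com'
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol RemotePowerShell `
    -RemoteAddress 203.0.113.10 -RemotePort 443 -User 'admin@contoso.com'
```

Client Access Rules overlap with authentication policies from step 1; the difference is that rules can combine authentication type with source address and protocol in one decision, which is what makes the "Basic auth only from corp" exception possible.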
  • 14.
  • 15. Step 1, Exchange Online (not authenticated)
    Description: Attacker uses a browser or a Modern Authentication-capable client (e.g. Outlook 2016) to connect to Exchange Online. Exchange Online redirects the user to Azure AD.
    Attack stage: Reconnaissance.
    Logging: None.
    Protections: N/A.
  • 16. Step 2, Azure AD (not authenticated)
    Description: Azure AD presents the sign-in screen. Attacker enters a random UPN (e.g. random@contoso.com). Azure AD performs Home Realm Discovery and redirects to Contoso's IdP.
    Attack stage: Reconnaissance (IdP endpoint).
    Logging: None.
    Protections: None.
  • 17. Step 3, AD FS (not authenticated)
    Description: Attacker uses a tool to perform password brute forcing / spray directly against AD FS.
    Attack stage: Password brute forcing / spray. Denial of service via account lockout.
    Logging:
    - AD FS Auditing – WS2012R2 and above will log event 411 in the Security log containing username and client IP; event 510 provides more details. A script can be used to parse the logs. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
    - Azure AD Connect Health – The Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
    Protections:
    - AD FS Extranet Lockout Protection – WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords. This reduces the number of tries an attacker gets at guessing a user's password and, provided the AD FS threshold is set lower than the Active Directory lockout threshold, prevents Active Directory accounts getting locked out where a lockout policy is configured.
    - AD FS Extranet Smart Lockout – Extranet Lockout in WS2016 has been extended to maintain a list of familiar locations (IP addresses) for each user to prevent blocking legitimate users.
    - Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
    - IPs or subnets can be blocked at the network layer. This method does not provide a complete solution.
  • 18. Step 4, AD FS (authenticated)
    Description: AD FS successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
    - Successful password brute force / spray
    - Social engineering (e.g. phishing)
    - Breach data re-use
    Attack stage: Unauthorised access.
    Logging:
    - Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
    - AD FS Auditing provides rich event information. This data is useful when investigating specific events. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
    Protections:
    - Azure Multi-Factor Authentication can be integrated natively with AD FS to protect other applications (Relying Parties) configured in AD FS. However, it is recommended to move these applications to Azure AD to be able to leverage the security reporting capabilities of Azure AD and the automated responses of Identity Protection.
    - Issuance Authorization Rules or Access Control Policies in AD FS can be used to deny access to applications from outside the network; however, it is recommended to apply this and other controls using Azure AD Conditional Access.
  • 19. Step 5, Azure AD (authenticated)
    Description: Attacker gets redirected to Azure AD, which receives the token issued by AD FS, evaluates Conditional Access and applies the corresponding controls.
    Attack stage: Unauthorised access.
    Logging:
    - Risk events reporting in Azure AD uses machine learning algorithms to detect users' suspicious activities. Each alert is assigned a risk level that represents the severity and confidence. Risk events are accessible via the Graph API.
    - Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, streamed to Azure Log Analytics or to a SIEM solution via Azure Event Hubs, or stored in Azure Storage for long-term retention.
    Protections:
    - Azure AD Conditional Access can be configured to enforce additional security controls before allowing access to applications. At a minimum, we recommend enforcing at least one of the following controls for extranet access:
      - MFA
      - Hybrid Join
      - Compliant Device
    - Azure AD Identity Protection can be used to automatically respond to detected suspicious actions related to the organisation's identities.
  • 20. Step 6, Exchange Online (authenticated)
    Description: Attacker gets redirected to Exchange Online.
    Attack stage: Unauthorised access to the organisation's data (mailbox, GAL, etc.).
    Logging: Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
    Protections: Exchange Online Client Access Rules can be used to block access depending on client properties such as authentication type and IP address.
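The log parsing that slides 5 and 17 describe for AD FS event 411, combined with the Azure AD error 50126 sign-in failures from slide 11, as an added example that is not part of the original deck (the deck refers to a separate parsing script that is not reproduced here). Both sources are normalised to the same user/IP record, and one function then flags the two patterns from the "Attack stage" column: a spray (one source IP failing against many accounts) and a brute force (many failures against one account). The event text and sign-in records at the bottom are constructed samples so the block runs offline; the regular expressions assume the 411 message layout of WS2012R2/WS2016, the Graph `$filter` on status/errorCode is an assumption, and the thresholds are placeholders.

```powershell
# Added example, not from the original deck. Samples below are constructed; thresholds
# are placeholders. Live collection requires an AD FS server and a Graph token.

function ConvertFrom-Adfs411 {
    # Event 411 text contains "Client IP: <ip>" (for Exchange Online proxied traffic this
    # is the forwarded client IP) and "Error message: <user>-The user name or password is
    # incorrect". Layout assumed from WS2012R2/WS2016 events.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $ip   = [regex]::Match($Message, 'Client IP:\s*([0-9a-fA-F\.:]+)').Groups[1].Value
        $user = [regex]::Match($Message,
                    'Error message:\s*(\S+?)-The user name or password is incorrect').Groups[1].Value
        if ($ip -and $user) {
            [pscustomobject]@{ Source = 'ADFS-411'; User = $user.ToLower(); Ip = $ip }
        }
    }
}

function ConvertFrom-AadSignIn {
    # Graph signIn object: userPrincipalName, ipAddress, status.errorCode (50126 = bad password).
    param([Parameter(ValueFromPipeline)]$SignIn)
    process {
        if ($SignIn.status.errorCode -eq 50126) {
            [pscustomobject]@{ Source = 'AAD-50126'; User = $SignIn.userPrincipalName.ToLower()
                               Ip = $SignIn.ipAddress }
        }
    }
}

function Find-PasswordAttack {
    param([object[]]$Failures, [int]$SprayUsers = 5, [int]$BruteTries = 10)
    foreach ($byIp in $Failures | Group-Object Ip) {
        $users = @($byIp.Group | Group-Object User)
        # Spray: few tries per user, many distinct users from one address.
        if ($users.Count -ge $SprayUsers) {
            [pscustomobject]@{ Kind = 'Spray'; Ip = $byIp.Name; Users = $users.Count; Tries = $byIp.Count }
        }
        # Brute force: many tries against a single user from one address.
        foreach ($u in $users | Where-Object Count -ge $BruteTries) {
            [pscustomobject]@{ Kind = 'BruteForce'; Ip = $byIp.Name; Users = $u.Name; Tries = $u.Count }
        }
    }
}

# Live collection (uncomment on an AD FS server with auditing enabled, and with a Graph
# token holding AuditLog.Read.All in $token):
# $adfs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=411; StartTime=(Get-Date).AddHours(-1)} |
#         Select-Object -ExpandProperty Message | ConvertFrom-Adfs411
# $aad  = (Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri `
#          'https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=status/errorCode eq 50126').value |
#         ConvertFrom-AadSignIn

# Constructed samples: 198.51.100.23 sprays six accounts through AD FS,
# 203.0.113.9 hammers one account against Azure AD twelve times.
$adfsSample = 1..6 | ForEach-Object {
@"
Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Client IP: 198.51.100.23
Error message:
user$_@contoso.com-The user name or password is incorrect
"@
} | ConvertFrom-Adfs411

$aadSample = 1..12 | ForEach-Object {
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.com'; ipAddress = '203.0.113.9'
                       status = @{ errorCode = 50126 } }
} | ConvertFrom-AadSignIn

Find-PasswordAttack -Failures (@($adfsSample) + @($aadSample)) | Format-Table -AutoSize
```

The normalisation step is what makes the detection portable between the federated and cloud-authentication scenarios in the deck: the same thresholds apply whether the bad password was rejected by AD FS or by Azure AD, and an attacker who moves between the two endpoints (slides 4 and 17 show both paths) still aggregates under one source address.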