WEBVTT

0:00:03.140000 --> 0:00:10.140000
In this video, we're going to take a look at Azure Multi-Factor Authentication.

0:00:10.140000 --> 0:00:16.400000
The topics that we're going to cover include, what are the basic concepts

0:00:16.400000 --> 0:00:22.960000
of Azure Multi-Factor Authentication, and what are the options for implementing

0:00:22.960000 --> 0:00:25.740000
Azure Multi-Factor Authentication.

0:00:25.740000 --> 0:00:27.920000
What I want to do is often the case.

0:00:27.920000 --> 0:00:32.020000
I want to start out with a bit of a drawing.

0:00:32.020000 --> 0:00:37.020000
The idea here, we know what Azure AD is for.

0:00:37.020000 --> 0:00:45.100000
I've got a Cloud Application, we'll just say WA for web application.

0:00:45.100000 --> 0:00:59.960000
I've got Azure AD, I've got a user, and that user wants to connect up

0:00:59.960000 --> 0:01:03.800000
to the web app, who's going to use Azure AD for authentication.

0:01:03.800000 --> 0:01:08.060000
At that point, the user is going to present some form of credentials.

0:01:08.060000 --> 0:01:13.660000
But as is often the case in networking and modern security, we want more

0:01:13.660000 --> 0:01:16.040000
than just a single set of credentials.

0:01:16.040000 --> 0:01:18.080000
We want multi-factor authentication.

0:01:18.080000 --> 0:01:23.200000
Literally, you have to authenticate yourself with more than one factor.

0:01:23.200000 --> 0:01:29.980000
To do that, we have Azure AD, multi-factor authentication, lots and lots

0:01:29.980000 --> 0:01:37.240000
of letters. The idea being that Azure AD is associated with multi-factor

0:01:37.240000 --> 0:01:42.620000
authentication and the user is going to be challenged for additional proof

0:01:42.620000 --> 0:01:44.500000
of identification.

0:01:44.500000 --> 0:01:48.180000
In multi-factor authentication, there's a pretty cool concept.

0:01:48.180000 --> 0:01:54.000000
That concept is that there are three ways to identify yourself.

0:01:54.000000 --> 0:01:58.580000
One is something you know, and that would be like your username and password.

0:01:58.580000 --> 0:02:03.580000
Another is something you have, which could be a phone that maybe you receive

0:02:03.580000 --> 0:02:08.580000
a text on. Then the third is something you are, which would be something

0:02:08.580000 --> 0:02:12.620000
like a fingerprint or a retinal scan, etc.

0:02:12.620000 --> 0:02:17.320000
Those are the tenets of multi-factor authentication.

0:02:17.320000 --> 0:02:23.200000
We're going to say, look, we need at least two of these kinds of things

0:02:23.200000 --> 0:02:28.840000
in order for you to be fully authenticated into Azure AD and thus, giving

0:02:28.840000 --> 0:02:32.920000
you access to the Cloud applications, web applications that are using

0:02:32.920000 --> 0:02:36.120000
Azure AD for authentication.

0:02:36.120000 --> 0:02:42.320000
Certainly, multi-factor authentication is by no means unique to Azure

0:02:42.320000 --> 0:02:47.040000
AD, but it is integrated with Azure AD, which is very nice.

0:02:47.040000 --> 0:02:52.760000
In fact, it's so integrated that there's also a server version.

0:02:52.760000 --> 0:03:02.000000
If you've got an on-prem environment, and you want to extend Azure AD

0:03:02.000000 --> 0:03:11.560000
into your on-prem environment, you've got the AAD MFA server.

0:03:11.560000 --> 0:03:22.720000
The server actually uses Azure AD MFA, but it's going to provide that

0:03:22.720000 --> 0:03:25.780000
for on-premises activities.

0:03:25.780000 --> 0:03:32.500000
Really, that's the big picture when we talk about Azure AD and what it

0:03:32.500000 --> 0:03:37.640000
does for us. Now, let's get into some of the details.

0:03:37.640000 --> 0:03:41.660000
Let me see if I can clear this out.

0:03:41.660000 --> 0:03:46.220000
There we go. Let's get into some of the details.

0:03:46.220000 --> 0:03:52.180000
First, what are some basic concepts?

0:03:52.180000 --> 0:03:56.560000
Why do we have Azure AD multi-factor authentication?

0:03:56.560000 --> 0:04:02.220000
Well, we want to protect our Azure AD logins or our on-premises logins,

0:04:02.220000 --> 0:04:04.860000
and that's really what this comes down to.

0:04:04.860000 --> 0:04:08.900000
Now, licensing for Azure AD Connect.

0:04:08.900000 --> 0:04:12.720000
There are a few different ways that you can implement.

0:04:12.720000 --> 0:04:15.080000
You can license Azure AD Connect.

0:04:15.080000 --> 0:04:18.340000
The most global would be to have Azure AD Premium.

0:04:18.340000 --> 0:04:23.280000
That's going to give you all of the features of Azure AD multi-factor

0:04:23.280000 --> 0:04:27.540000
authentication. Of course, it's also going to cost money to get that premium

0:04:27.540000 --> 0:04:31.060000
level subscription per user.

0:04:31.060000 --> 0:04:35.200000
Also, your global administrators, your GA, anybody who is a GA, even if

0:04:35.200000 --> 0:04:39.900000
you're using the free tier of Azure AD, if you're a global administrator,

0:04:39.900000 --> 0:04:43.000000
you can be assigned multi-factor authentication.

0:04:43.000000 --> 0:04:46.740000
Now, if you're on the free tier, your global admins will not have as many

0:04:46.740000 --> 0:04:51.340000
options as you have with premium, but you will have that capability, at

0:04:51.340000 --> 0:04:52.920000
least you'll have the protection.

0:04:52.920000 --> 0:04:57.660000
The third is Office 365 or Microsoft 365.

0:04:57.660000 --> 0:05:03.720000
Any user who's got a Microsoft 365 enterprise license can also implement

0:05:03.720000 --> 0:05:07.220000
or can also be assigned multi-factor authentication.

0:05:07.220000 --> 0:05:11.020000
One thing to note, even with that, it doesn't have all of the features

0:05:11.020000 --> 0:05:12.840000
that you will have with the premium.

0:05:12.840000 --> 0:05:15.020000
I'm not going to go through all the features right now, but I absolutely

0:05:15.020000 --> 0:05:19.300000
recommend that you do look those up and understand which different tiers

0:05:19.300000 --> 0:05:20.560000
give you which features.

0:05:20.560000 --> 0:05:26.720000
Also, you may see some documentation that says you can buy Azure MFA as

0:05:26.720000 --> 0:05:30.380000
a self-standing service.

0:05:30.380000 --> 0:05:31.620000
You can no longer do that.

0:05:31.620000 --> 0:05:36.820000
So if you see pricing for Azure AD multi-factor authentication, that no

0:05:36.820000 --> 0:05:39.960000
longer applies. These are the ways that you would license it.

0:05:39.960000 --> 0:05:43.660000
And as I mentioned, this does work both for cloud users and you can also

0:05:43.660000 --> 0:05:46.300000
install the server for on-prem users.

0:05:46.300000 --> 0:05:50.180000
All the licensing, though, is exactly the same because really the on-prem

0:05:50.180000 --> 0:05:55.560000
server is leveraging the Azure AD cloud service.

0:05:55.560000 --> 0:06:00.680000
What are our options using Azure AD MFA?

0:06:00.680000 --> 0:06:03.400000
Well, as you can see, there are a number of options.

0:06:03.400000 --> 0:06:04.780000
First of all, authentication.

0:06:04.780000 --> 0:06:09.940000
You can use the mobile app authentication.

0:06:09.940000 --> 0:06:14.880000
There is a mobile app device or, excuse me, device application.

0:06:14.880000 --> 0:06:20.640000
There's also a code that you can use if your application is not connecting

0:06:20.640000 --> 0:06:25.060000
right now. If you've got the Microsoft Authenticator application, then

0:06:25.060000 --> 0:06:26.460000
it can generate a code.

0:06:26.460000 --> 0:06:35.260000
My most typical, which is SMS; you also have phone calls as a capability.

0:06:35.260000 --> 0:06:40.040000
App passwords for any, and there we go.

0:06:40.040000 --> 0:06:41.000000
Let's go back there.

0:06:41.000000 --> 0:06:47.420000
There we go. App passwords for any applications that don't support cloud-based

0:06:47.420000 --> 0:06:53.280000
MFA, really what that comes down to is Office 365 applications.

0:06:53.280000 --> 0:06:57.860000
And the example that you always see is Outlook.

0:06:57.860000 --> 0:07:02.000000
There's also a public preview for hardware-based, hardware token-based

0:07:02.000000 --> 0:07:08.700000
authentication. Now, how would you apply the authentication?

0:07:08.700000 --> 0:07:12.080000
How do I make sure somebody has MFA?

0:07:12.080000 --> 0:07:16.340000
One way is just to assign it directly.

0:07:16.340000 --> 0:07:22.760000
I've got a list of users and I'm going to assign specific users to implement

0:07:22.760000 --> 0:07:27.580000
MFA. A more interesting approach and a more flexible approach is conditional

0:07:27.580000 --> 0:07:33.100000
access policy. Conditional access policy lets you set a range of conditions

0:07:33.100000 --> 0:07:38.740000
and determine what would be required to authenticate, including the requirement

0:07:38.740000 --> 0:07:41.120000
for MFA. Very flexible.

0:07:41.120000 --> 0:07:44.900000
Also, if you're using identity protection, you can set up identity protection

0:07:44.900000 --> 0:07:49.760000
and policy to require multi-factor authentication for certain levels of

0:07:49.760000 --> 0:07:53.760000
risk. These are all the concepts.

0:07:53.760000 --> 0:07:55.440000
Concepts are pretty straightforward.

0:07:55.440000 --> 0:07:59.960000
Most of us have at some point implemented multi-factor authentication.

0:07:59.960000 --> 0:08:04.000000
Really where it gets interesting is to see it, and we're going to do that

0:08:04.000000 --> 0:08:04.880000
in a different video.