SC-900 Premium Bundle
- Premium File 157 Questions & Answers. Last update: Jan 25, 2023
- Training Course 147 Lectures
- Study Guide 413 Pages
Microsoft Security SC-900 Practice Test Questions and Answers, Microsoft Security SC-900 Exam Dumps - PrepAway
All Microsoft Security SC-900 certification exam dumps, study guides, and training courses are prepared by industry experts. PrepAway's ETE files provide the SC-900 Microsoft Security, Compliance, and Identity Fundamentals practice test questions and answers, exam dumps, study guide, and training courses to help you study and pass hassle-free.
Module 2 Describe the concepts & capabilities of Microsoft identity and access
17. Security defaults and MFA
In about 2012, Microsoft started their identity security and protection team for their consumer accounts, for example OneDrive, Skype, and Xbox accounts. They started by putting metrics in place for everything and establishing a bare minimum security standard for all consumer accounts. This includes measures like registering a second factor, challenging accounts when a risk is seen on a login, and forcing people to change their passwords when those passwords are found to be in the hands of criminals.
The results have been very good since then. Then in 2014 a lot of changes, specifically technology changes, happened in Azure Active Directory, and the measures that had been applied to consumer accounts were incorporated into Azure Active Directory. Later on, Microsoft's telemetry showed that 99.9% of organizational account compromises could be stopped by using multifactor authentication, with the other part coming from disabling any kind of legacy authentication. Doing just these two things, enforcing multifactor authentication and disabling legacy authentication, completely stopped password spray attacks. Thereafter, Microsoft introduced security defaults. What that means is that certain preconfigured security settings are onboarded with Azure Active Directory. Things like Azure multifactor authentication, administrators performing MFA on themselves, blocking legacy authentication, users doing MFA when necessary, and protecting privileged activities in the Azure Portal are part of the security defaults. So what is a security default? A security default is a bare minimum set of identity security mechanisms that are recommended by Microsoft, and you need to enable it. Once enabled, these recommendations are automatically enforced across your organization's identities.
What is the goal here? The goal is to ensure that all organisations have some basic level of security enabled at no extra cost. These defaults enable some of the most common security features and controls. As I just mentioned, multifactor authentication registration is required for all users, MFA is required for all administrators, and all users can perform MFA when required. When I say it is sometimes required for users and sometimes not, what I mean is that sometimes users log in from within the premises, authenticating from the LAN environment or from known IP addresses; at that time you can configure the policy to say, "Hey, they do not need multifactor authentication." But when a person is authenticating from a hotel, from the subway, while having lunch, or while getting onto a train, that's when they need multifactor authentication, because they are out there on a public network. So security defaults are a great option for organisations that want to increase their security posture but don't know where to start. The best part is that these security defaults are included with the free tier of Azure AD licensing. Security defaults may not be appropriate all the time, though.
For example, organisations that already have Azure AD Premium licenses will have much more complex security requirements. We will talk more about those complex security requirements later, but in this lesson I just want to stress that Azure Active Directory free licencing has a lot of free security features that can be enabled on the fly, and it is up to you to enable them to protect your environment against password attacks and against the malicious attackers sitting out there preying on your data.
18. MFA in Azure AD - Part 1
Let's talk about multifactor authentication for a bit. You already know the different factors in multifactor authentication: for example, there's the password and an additional verification, and that additional verification could be a phone or the Microsoft Authenticator app. The Microsoft Authenticator app is available for Android and iOS. When a user chooses the authenticator app as their additional authentication method, a push notification is received on the phone or tablet, and the user approves it if the sign-in is legitimate or denies it otherwise. There's one more thing I want to talk about, and that's OATH, the Initiative for Open Authentication. OATH is an open standard that specifies how time-based one-time passwords, or TOTP codes, are generated. One-time password codes can be used to authenticate a user.
TOTP can be implemented either in software or in hardware to generate the codes. Software OATH tokens are typically used by applications such as Microsoft Authenticator or other authenticator apps. Hardware OATH tokens come with a secret key that is pre-programmed in the token and must be input into Azure Active Directory. Users are associated with a specific hardware token, and the hardware token refreshes the code every 30 or 60 seconds. We must also know about passwordless authentication, which is one of the best methods to authenticate. Passwordless authentication is based on something you are: for example, a biometric facial scan, as used in Windows Hello for Business, is something you are. It's not based on something you know, like your password. Let's go ahead and talk about biometrics, FIDO2, and also Windows Hello in the upcoming sessions. Thank you.
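The OATH TOTP mechanism that these software and hardware tokens implement, as an added example that is not part of the course material or of any Microsoft product: an RFC 6238 generator and verifier in Python. The shared secret is the RFC 6238 reference test-vector secret rather than a real token's key, and the 30-second step is the one the lecture mentions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret taken from the RFC 6238 reference test vectors (ASCII digits).
# In a deployment it is pre-programmed into the hardware token, or generated
# at enrollment for a software token, and registered with the identity
# provider; only the derived 6-digit code ever crosses the network.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # hardware tokens use 30 or 60; Authenticator apps use 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second windows since
    the Unix epoch, which is why the displayed code rolls over every step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Verifier side: accept the current window plus `skew_steps` windows on
    either side to absorb clock drift between token and server. The comparison
    is constant-time so response timing cannot leak matching digits."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(counter - skew_steps, counter + skew_steps + 1))


def base32_secret(secret: bytes) -> str:
    """Authenticator apps import the secret as Base32; this is the value an
    otpauth:// enrollment QR code carries."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    print("Base32 secret for an authenticator app:", base32_secret(RFC6238_SECRET))
    print("Code for this 30-second window:", totp(RFC6238_SECRET, now))
    print("Verifies:", verify_totp(RFC6238_SECRET, totp(RFC6238_SECRET, now), now))
```

Because the verifier recomputes the code from the shared secret, the secret itself must be protected on the server side; a stolen secret database lets anyone mint valid codes, which is the same failure mode the lecture's hardware-token seed files are exposed to.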
19. MFA in Azure AD - Part 2
A quick recap about passwordless authentication: users are allowed to log in without needing to remember a password. Instead, users can just enter their mobile phone number or email address and then receive a one-time code, which can then be used to log into the application. When the user authenticates passwordlessly, the user is attached to the connection through something called an identity provider. Passwordless authentication with Azure Active Directory, such as with the Microsoft Authenticator app or FIDO2 keys, is particularly applicable to shared PCs, where a mobile phone is not a viable option. That could be a help desk environment, a public kiosk, or a hospital team. Now, let's continue our discussion of biometrics and FIDO2. Biometrics just means the measurement of your biological traits; it uses human characteristics such as the hand, iris, face, or fingerprints. Windows Hello uses facial recognition or fingerprint biometric data to authenticate a user.
You'll learn more about Windows Hello in the next topic, but think about the Microsoft Authenticator app, which can be configured in passwordless mode using biometric data such as a fingerprint scan or a facial scan. FIDO is an acronym that stands for Fast Identity Online. The FIDO Alliance promotes open authentication standards and aims to reduce the reliance on passwords as a form of authentication. Azure Active Directory supports FIDO2 because it's a passwordless authentication method that can come in different forms. FIDO2 allows users to sign in using an external security key, and that external key might be a USB device, a Lightning connector, Bluetooth, or NFC. In whatever form FIDO2 is implemented, the user never has to enter a password. Users can also register and select a FIDO2 security key as their main means of authentication. Sign-in with a FIDO2 security key is currently in preview for Azure Active Directory. Having talked about multifactor authentication, biometrics, and FIDO2, we also need to talk about what's built into Windows 10: Windows Hello. So let's talk about this feature in the next lesson. Thanks for watching so far. I'll see you in the next lesson.
20. Windows Hello
Windows Hello is an authentication feature built into the Windows 10 operating system. It's meant to replace your passwords with strong two-factor authentication on your PCs as well as your mobile devices. Authentication with Windows Hello consists of a new type of user credential that is tied to a device and uses a biometric or a PIN. Windows Hello lets users authenticate to a Microsoft account, an Active Directory account, or an Azure Active Directory account.
It can also authenticate to identity provider services or relying party services that support FIDO2 authentication, but that's in preview. Now, how does that work? How do the initial verification and enrollment happen? After the initial verification of the user during enrollment, Windows Hello is set up on the user's device, and Windows asks the user to set a gesture. This can be a biometric gesture like a fingerprint, or a PIN. The user provides the gesture to verify their identity, and from here on Windows uses Windows Hello to authenticate the user. Windows stores the PIN and the biometric data securely on the local device. It's never sent to external devices or servers, which means there is no single collection point that an attacker might compromise. Now, how do you configure it on your Windows devices? There are two configurations of Windows Hello: Windows Hello and Windows Hello for Business.
So let's talk about the differences. Windows Hello is configured by a user on their personal device and is referred to as "Windows Hello convenience PIN." It uses a PIN or a biometric gesture and is unique to that device. The Windows Hello convenience PIN is not backed by asymmetric or certificate-based authentication, so it does not use a public and a private key. On the other side, Windows Hello for Business is configured using group policies or something called mobile device management, or MDM; an example of MDM is Windows Intune, now Microsoft Intune. Windows Hello for Business always uses key-based or certificate-based authentication, which makes it much more secure than the Windows Hello convenience PIN. By default, the Windows Hello convenience PIN is disabled on all domain-joined computers. So why do you think Windows Hello is safer than a password? Let's talk about that in the next lesson.
21. Why is Windows Hello safer than a password
Windows Hello in Windows 10 enables the user to sign in to the device using a PIN. A PIN looks much like a password, but a Windows Hello PIN is more secure because it's tied to the specific device on which it was originally set up. Without the hardware, the PIN is useless. A regular password is transmitted to a server, where it can be intercepted during transmission or stolen from the server. A PIN is local to the device: it's not transmitted anywhere and it's not stored on a server. The Windows Hello PIN is backed by a trusted platform module, the TPM chip. This is a secure crypto processor designed to carry out cryptographic operations, and that means that to use the Windows Hello PIN you need to have the TPM chip embedded on your motherboard. So the TPM module must be there.
And most of today's devices have the TPM chip. Now, what's special about the chip? It includes multiple physical security mechanisms to make it tamper-resistant, so malicious software is unable to tamper with the security functions of the TPM. Today, most modern phones and laptops have a TPM chip in them. And that's why Windows Hello is safer than a password. That's enough about Windows Hello and other multifactor authentication mechanisms; let's talk about some of the wonderful features that Azure Active Directory brings in, for example self-service password reset. In the next lesson we learn about self-service password reset, an important feature of Azure Active Directory. Thanks for watching so far, and I'll see you in the next lesson.