Exam SC-100 topic 2 question 39 discussion

Box1: Azure AD Password Protection Box2: Password hash syncronization

Box1: Azure AD Password Protection Box2: Password hash syncronization As Azure AD Password Protection support "Custom smart lockout" Customize your smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts).

Box1: Azure AD Password Protection Box2: Password hash synchronization There is no ADFS so no Extranet Smart Lockout for the first box.

"Extranet Smart Lockout" is for ADFS, AAD PWd Protection help to prevent utilization of common password.

Entra Smart Lockout https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout Password Hash Sync https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs

Given Answer is wrong. A: Brute Force Attack => SmartLock B: Leaked Credentials => Password Hash

For Leaked Credentials, Microsoft recommends Password Hashing. See: https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#protect-against-leaked-credentials-and-add-resilience-against-outages The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Microsoft Entra ID is to enable password hash synchronization (PHS). If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync

I agree with Luffysan91x, for Bruteforce attack, Smart Lockout is recommended by Microsoft. See: https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management Credential attacks lead to unauthorized access to resources. Passwords that are set by users are required to be reasonably complex. Azure AD B2C has mitigation techniques in place for credential attacks. Mitigation includes detection of brute-force credential attacks and dictionary credential attacks. By using various signals, Azure Active Directory B2C (Azure AD B2C) analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets. How smart lockout works Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack

I chose ESL for the Second Option. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers

Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

based on the article ... https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout ESL is not possible when using PTA - "Hash tracking functionality isn't available for customers with pass-through authentication enabled as authentication happens on-premises not in the cloud" Azure AD Password Protection seem to be the answer based on these recommendations: When using pass-through authentication, the following considerations apply:* *The Azure AD lockout threshold is less than the AD DS account lockout threshold. Set the values so that the AD DS account lockout threshold is at least two or three times greater than the Azure AD lockout threshold. * The Azure AD lockout duration must be set longer than the AD DS account lockout duration. The Azure AD duration is set in seconds, while the AD duration is set in minutes.

For brute force password attacks: Extranet Smart Lockout (ESL) For Leaked Credentials: Password Hash Sync. PHS needs to be enabled so Microsoft can compare Password hash' for cloud and hybrid identities to those available on the black market.

For brute force password attacks: Extranet Smart Lockout (ESL) For leaked Credentials: Azure AD Password Protection Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

Looks correct: 1. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy 2. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/whatis-phs