Exam SC-100 topic 5 question 1 discussion

Box 1: Identity Protection https://docs.microsoft.com/en-us/defender-cloud-apps/aadip-integration#configure-identity-protection-policies Box 2: Lockout policy The case study scenario says "Azure AD Connect is used to implement pass-through authentication." The link below explains "Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS." https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#how-smart-lockout-works Any other solution relies on AD FS. Since the case study doesn't say anything about AD FS, use the lockout policy as described. That's my last comment, I'm taking the exam in 20 minutes. Thank you all and good day.

Answers should be: 1. Azure AD Identity Protection Brute Force Detection: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection 2. Defender for Identity MDI can detect brute force attacks: ref: https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-brute-force-attack-ldap-external-id-2004

https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection This covers leaked credential coverage for Azure AD MDI detects brute force password attacks https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-brute-force-attack-kerberos-ntlm-external-id-2023

Box 1: Identity protection. Is the only one that can bring leaked credential detection in Entra ID among all the possible solutions in box1 and box2. This means that althought PHS is disabled, is the only option that you have to prevent leaked credentials. Box 2: Defender for Identity: It can help preventing accounts frombeing locked out due to burte force attacks by implementing enforce policies such as account lockout thresholds.

Box B is the Account Lockup Policy NOT the Smart Lockup. This will not help for satisfying the requirements https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-policy

Azure AD identity requirement in question ** Implement leaded credentials detection in the Azure AD tenant of Litware. Answer: Azure AD identity protection Reference: https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection Key worr: Leaked Credentials; Azure AD (Entra ID) Azure AD DS identity requirement in question ** Detect brute force attacks that directly target AD DS user accounts. ** Prevent AD DS user accounts from being locked out by brute force attacks. Answer:Azure account lockup policy in AD DS Refernce: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout Key Words/sentence: Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. (Brute force) This configuration would ensure smart lockout prevents your on-premises AD DS accounts from being locked out by brute force attacks on your Microsoft Entra accounts. (Prevent being locked out by brute force)

Answers mapped to Identity Requirements as asked in the question > Implement leaked credential detection in the Azure AD tenant of Litware. > Prevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts. Box 1. Azure AD Password protection - offers leaked credential detection and Smart Lockout which can be combined carefully with a custom AD lockout policy to prevent the AD account from being locked in an Entra ID account attack scenario https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout > Detect brute force attacks that directly target AD DS user accounts. Box 2. Defender for Identity - detects and notifies of brute force attacks having happened https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-brute-force-attack-kerberos-ntlm-external-id-2023

Box 1: is Password Protection - Using Smart Lockout that only needs PassThrough authentication or PHS... PHS isn't used in this case but PTA is! Box 2: I believe is MDI.

Case Study says " Implement leaked credential detection in the Azure AD tenant of Litware" This broad range of signals helps Identity Protection detect risky behaviors like: Password spray attacks Leaked credentials

Box 1: Azure AD Identity Protection Box 2: Microsoft Defender for Identity (the key point "Prevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts." , the requirement is to don't lockout their accounts from Brute-force attacks)

One of the requirements was to NOT lock out accounts, so account lockout policy won’t work. Defender for identity will detect the ddos attack and it can be configured to force an account password reset vs locking out the account, by configuring it’s remediation actions. https://learn.microsoft.com/en-us/defender-for-identity/manage-action-accounts

Block 1; Microsoft AD Identity protection Block 2 ; Microsoft Defender for Identity

Box 1: Identity Protection Box 2: Lockout policy Explanation: https://www.youtube.com/watch?v=YJqZjdzC9xE&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=7 SC-100 Question 91

"The solution must meet the identity requirement" Azure AD Identity Protection Defender for Identity

1. Azure AD Identity Protection 2. Microsoft Defender for Identity https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-brute-force-attack-ldap-external-id-2004 In a brute-force attack, the attacker attempts to authenticate with many different passwords for different accounts until a correct password is found for at least one account. Once found, an attacker can log in using that account. In this detection, an alert is triggered when Defender for Identity detects a massive number of simple bind authentications. This alert detects brute force attacks performed either horizontally with a small set of passwords across many users, vertically with a large set of passwords on just a few users, or any combination of the two options. The alert is based on authentication events from sensors running on domain controller and AD FS servers.

box 1 - Microsoft defender for cloud. Identity protection also similar protection but in the requirement for this states "Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose." which is disabled in the case study. Box 2 - Smart lockout - Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.

Although the current overview states pwd has sync is disabled, the identity requirements state: "Implement leaked credential detection in the Azure AD tenant of Litware.". Therefore, you need to implement the best controls to meet the requirements. 1: Identity Protection 2: Defender for Identity