<p>SC-300T00A: Microsoft Identity and Access Administrator</p><p>© Copyright Microsoft Corporation. All rights reserved.</p>
<p>Plan and Implement an Identity Governance Strategy</p>
<p>Outline</p>
<p>Plan and implement entitlement management</p><p>Plan, implement, and manage access reviews</p><p>Plan and implement privileged access</p><p>Monitor and maintain Azure Active Directory</p>
<p>© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p>
<p>Plan and implement entitlement management</p>
<p>Objectives</p>
<p>Define catalogs</p><p>Define access packages</p><p>Plan, implement, and manage entitlements</p><p>Implement and manage terms of use</p><p>Manage the lifecycle of external users in Azure AD entitlement management</p><p>Configure and manage connected organizations</p><p>Review per-user entitlements</p>
<p>Entitlement management</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p>
<p>Governance and Identity Lifecycle Management</p>
<p>Governance is the process of overseeing and managing a system. Identity lifecycle management covers an account from creation to deletion. The lifecycle below runs from the day a new user is added to the day the user leaves, and shows where entitlement management helps.</p>
<p>Provisioning</p><p>Configure / grant access</p><p>Authentication / authorization</p><p>Usage / monitoring</p><p>De-provisioning</p>
<p>What is entitlement management?</p>
<p>Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration.</p>
<p>Employees need access to various groups, applications, and sites to perform their job. Managing this access is challenging because requirements change: new applications are added, or users need additional access rights. The scenario gets more complicated when you collaborate with outside organizations: you may not know who in the other organization needs access to your resources, and they won't know which applications, groups, or sites your organization is using.</p>
<p>Azure AD entitlement management can help you more efficiently manage access to groups, applications, and SharePoint Online sites for internal users, and also for users outside your organization who need access to those resources.</p>
<p>Why use entitlement management?</p>
<p>Enterprise organizations often face challenges when managing employee access to resources:</p>
<p>Users may not know what access they should have, and even if they do, they may have difficulty locating the right individuals to approve their access.</p>
<p>Once users find and receive access to a resource, they may hold on to it longer than is required for business purposes.</p>
<p>These problems are compounded for users who need access from another organization, such as external users from supply chain organizations or other business partners. For example:</p>
<p>No one person may know all of the specific individuals in the other organization's directory to be able to invite them.</p>
<p>Even if they were able to invite these users, no one in that organization may remember to manage all of the users' access consistently.</p>
<p>Why is it important?</p>
<p>Users may not know what access they need or how to get it.</p><p>Users may hold on to access longer than needed.</p>
<p>© Copyright Microsoft Corporation. 
All rights reserved.</p>
<p>Entitlement management also lets companies delegate to non-administrators the ability to create access packages, and gives users from a connected organization the ability to request access.</p>
<p>Summary of terminology</p>
<table><tr><th>Term</th><th>Description</th></tr>
<tr><td>resource</td><td>An asset, such as a Microsoft 365 group, a security group, an application, or a SharePoint Online site, with a role that a user can be granted permissions to.</td></tr>
<tr><td>policy</td><td>A set of rules that defines the access lifecycle, such as how users get access, who can approve, and how long users have access through an assignment. A policy is linked to an access package. For example, an access package could have two policies: one for employees to request access and</td></tr></table>
<p>Management for Privileged Access Groups</p>
<p>In Privileged Identity Management (PIM), you can assign eligibility for membership or ownership of privileged access groups. You can assign Azure Active Directory (Azure AD) built-in roles to cloud groups and use PIM to manage group member and owner eligibility and activation. With the privileged access groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request.</p>
<p>Example: your Tier 0 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily.</p>
<p>Require different policies for each role-assignable group</p>
<p>Some organizations use tools like Azure AD business-to-business (B2B) collaboration to invite their partners as guests to their Azure AD organization. Instead of a single just-in-time policy for all assignments to a privileged role, you can create two different privileged access groups, each with its own policy. You can enforce less strict requirements for your trusted employees, and stricter requirements such as an approval workflow for your partners when they request activation into their assigned role.</p>
<p>Activate multiple role assignments in a single request</p>
<p>You can create a role-assignable group called "Tier 0 Office Admins", assign it the four roles mentioned above (or any Azure AD built-in roles), and enable it for privileged access in the group's Activity section. Once the group is enabled for privileged access, you can add your admins and owners to it as eligible members. When an admin activates membership of the group, that admin holds the permissions of all four Azure AD roles for the activation period, through one request.</p>
<p>Example: how to implement</p>
<p>Create a new group and check the role-assignable box.</p>
<p>Add the roles: Exchange Admin, Office Apps Admin, Teams Admin, Search Admin.</p>
<p>Add the members and owners of the group.</p>
<p>Using PIM, make the assignment eligible rather than active, and set the activation duration.</p>
<p>Note: you cannot add roles to an existing group that was not created as role-assignable, because that property can only be set when the group is created. You may have to create new groups to use this feature.</p>
<p>Configure Privileged Identity Management for Azure resources</p><p>© Copyright Microsoft Corporation. 
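All rights reserved.</p>
<p>The "Tier 0 Office Admins" implementation steps above, scripted end to end with the Microsoft Graph PowerShell SDK. This is an added example, not code from the SC-300 courseware or from Microsoft. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds the Privileged Role Administrator role, and that the object IDs in $adminObjectIds, the mail nickname, the 8-hour activation limit and the one-year eligibility are placeholders chosen for the example.</p>

```powershell
# Added example (not from the SC-300 courseware): build the "Tier 0 Office Admins"
# privileged access group with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph modules installed, caller is Privileged Role Administrator,
# $adminObjectIds are placeholder object IDs of the admins to make eligible.
Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
                        "RoleManagementPolicy.ReadWrite.AzureADGroup"

# Step 1: create the group with the role-assignable flag set. The flag can only be
# set at creation time, which is why an existing group cannot be reused.
$group = New-MgGroup -DisplayName "Tier 0 Office Admins" `
                     -MailNickname "tier0officeadmins" `
                     -MailEnabled:$false -SecurityEnabled:$true `
                     -IsAssignableToRole:$true

# Step 2: assign the four built-in roles to the group. Roles are looked up by
# display name so that no role template IDs need to be hard-coded.
$roleNames = "Exchange Administrator", "Office Apps Administrator",
             "Teams Administrator", "Search Administrator"
foreach ($name in $roleNames) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
        -PrincipalId $group.Id -DirectoryScopeId "/" | Out-Null
}

# Step 3: set the activation duration on the group's PIM policy for the "member"
# role so that an activation expires after 8 hours (placeholder value).
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" `
    -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true
        maximumDuration      = "PT8H"
    }

# Step 4: make each admin *eligible* for membership rather than a standing member.
# They hold the four roles only while an activation is in effect.
$adminObjectIds = @("00000000-0000-0000-0000-000000000001")   # placeholders
foreach ($principalId in $adminObjectIds) {
    New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
        accessId      = "member"
        groupId       = $group.Id
        principalId   = $principalId
        action        = "adminAssign"
        justification = "Tier 0 Office admin JIT eligibility"
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "P365D" }   # one-year eligibility
        }
    } | Out-Null
}

# Verify: every eligible principal is listed, and the group has no direct members.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, Status
Get-MgGroupMember -GroupId $group.Id | Measure-Object | Select-Object -ExpandProperty Count
```

<p>The final two commands are the check worth keeping: the eligibility list should name exactly the intended admins, and the direct-member count should be 0, because a standing member of a role-assignable group holds all four roles permanently and bypasses the just-in-time control the group was created for.</p>
<p>© Copyright Microsoft Corporation. 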
All rights reserved.</p>
<p>Assign Azure resource roles</p>
<p>Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):</p>
<p>Owner</p><p>User Access Administrator</p><p>Contributor</p><p>Security Admin</p><p>Security Manager</p>
<p>Exercise: Assign Azure resource roles in PIM</p><p>This exercise teaches the student how to manage the built-in Azure resource roles, as well as custom roles.</p><p>Launch this Exercise in GitHub</p>
<p>Configure Privileged Identity Management for Azure AD roles</p>
<p>Configure PIM for Azure AD roles</p>
<p>A Privileged Role Administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment.</p>
<p>Exercise: Configure PIM for Azure AD roles</p><p>This exercise teaches the student how to configure PIM for Azure AD roles and for Azure resource roles.</p><p>Launch this Exercise in GitHub</p>
<p>Analyze PIM audit history and reports</p>
<p>Reasons to use</p>
<p>Minimize access to secure information or resources and give users just-in-time privileged access to Azure resources and Azure AD, while maintaining oversight of admin privileges.</p>
<p>What does it do?</p>
<p>PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.</p>
<p>Create and manage break-glass accounts</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p>
<p>What is a break-glass account and why use one?</p>
<p>An emergency access account prevents you from being accidentally locked out of your Azure AD organization because you can't sign in or activate another user's account as an administrator.</p>
<p>Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary.</p>
<p>Implement strict security controls - ALWAYS.</p>
<p>Why use an emergency access account</p>
<p>An organization might need to use an emergency access account in the following situations:</p>
<p>The user accounts are federated, and federation is currently unavailable because of a cell-network break or an identity-provider outage. For example, if the identity provider host in your environment has gone down, users might be unable to sign in when Azure AD redirects to their identity provider.</p>
<p>The administrators are registered through Azure AD Multi-Factor Authentication, and all their individual devices are unavailable or the service is unavailable. Users might be unable to complete Multi-Factor Authentication to activate a role. For example, a cell network outage is preventing them from answering phone calls or receiving text messages, the only two authentication mechanisms that they registered for their device.</p>
<p>The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.</p>
<p>Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.</p>
<p>Strict security controls</p>
<p>As part of your security planning and posture, set up procedural controls to create, maintain, and store your break-glass accounts. Common practices:</p>
<p>Credentials for one set of eyes only.</p><p>Stored at an offsite location.</p><p>Distributed secrets that have to be combined.</p>
<p>Considerations for creating break-glass accounts</p>
<p>Create emergency accounts: create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.</p>
<p>Exclude multi-factor authentication: at least one of your emergency access accounts should not have the same multi-factor authentication mechanism as your other non-emergency accounts.</p>
<p>Exclude from Conditional Access: during an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies.</p>
<p>Validate break-glass accounts</p>
<p>When you train staff members to use emergency access accounts and validate the emergency access accounts, at minimum do the following steps at regular intervals:</p>
<p>Notify security-monitoring staff of the account check.</p>
<p>Ensure that the process to use these accounts is documented and current.</p>
<p>Ensure that administrators and security officers who might need to perform these steps during an emergency are trained on the process.</p>
<p>Update the account credentials, in particular any passwords, for your emergency access accounts, and then validate that the emergency access accounts can sign in and perform administrative tasks.</p>
<p>Ensure that Multi-Factor Authentication or self-service password reset (SSPR) is not registered to any individual user's device or details.</p>
<p>If the accounts are registered for Multi-Factor Authentication to a device, for use during sign-in or role activation, ensure that the device is accessible to all administrators who might need to use it during an emergency. Also verify that the device can communicate through at least two network paths that do not share a common failure mode, such as a facility's wireless network or a cell provider network.</p>
<p>Frequency of break-glass account verification</p>
<p>Account verifications should be performed at regular intervals and for key changes:</p>
<p>At least every 90 days.</p><p>When there has been a recent change in IT staff, such as a job change, a departure, or a new hire.</p><p>When the Azure AD subscriptions in the organization have changed.</p>
<p>© Copyright Microsoft Corporation. 
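All rights reserved.</p>
<p>The creation considerations and validation steps above, turned into an audit that can be run at each 90-day verification. This is an added example, not code from the SC-300 courseware or from Microsoft. It assumes the Microsoft Graph PowerShell SDK, a caller with at least the Global Reader role, and placeholder UPNs in $breakGlassUpns; treating phone and Microsoft Authenticator registrations as "tied to an individual's device" is an assumption made for the example.</p>

```powershell
# Added example (not from the SC-300 courseware): audit the emergency access
# accounts against the checks in the text. Assumes the Microsoft Graph PowerShell
# SDK, a caller with Global Reader or higher, and placeholder UPNs below.
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "Policy.Read.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

function Test-BreakGlassAccount {
    param([string]$Upn, [object[]]$EnabledCaPolicies)
    $findings = [System.Collections.Generic.List[string]]::new()
    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled

    # Cloud-only: not synchronized from on-premises, on the *.onmicrosoft.com domain, enabled.
    if ($user.OnPremisesSyncEnabled)       { $findings.Add("synchronized from on-premises") }
    if ($Upn -notlike "*.onmicrosoft.com") { $findings.Add("not on the *.onmicrosoft.com domain") }
    if (-not $user.AccountEnabled)         { $findings.Add("account is disabled") }

    # Excluded from every enabled Conditional Access policy, directly or through a group.
    $groupIds = @((Get-MgUserMemberOf -UserId $user.Id -All).Id)
    foreach ($policy in $EnabledCaPolicies) {
        $users   = $policy.Conditions.Users
        $byUser  = $users.ExcludeUsers -contains $user.Id
        $byGroup = @($users.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
        if (-not ($byUser -or $byGroup)) {
            $findings.Add("not excluded from CA policy '$($policy.DisplayName)'")
        }
    }

    # No MFA/SSPR method bound to one administrator's phone or Authenticator app
    # (assumption for this example: these two method types are the "individual device" ones).
    $methods  = Get-MgUserAuthenticationMethod -UserId $user.Id
    $personal = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -in
            '#microsoft.graph.phoneAuthenticationMethod',
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    }
    if ($personal) { $findings.Add("$($personal.Count) phone/Authenticator method(s) registered") }

    # Most recent sign-in: the scheduled validation sign-in should be visible here.
    $lastSignIn = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 1
    [pscustomobject]@{
        Account    = $Upn
        LastSignIn = if ($lastSignIn) { $lastSignIn.CreatedDateTime } else { $null }
        Findings   = $findings
    }
}

$breakGlassUpns  = "bg-admin-1@contoso.onmicrosoft.com", "bg-admin-2@contoso.onmicrosoft.com"  # placeholders
$enabledPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq "enabled"

$results = foreach ($upn in $breakGlassUpns) {
    Test-BreakGlassAccount -Upn $upn -EnabledCaPolicies $enabledPolicies
}
$results | Format-List

# The guidance requires at least one account to be excluded from all CA policies.
$fullyExcluded = $results | Where-Object {
    -not ($_.Findings | Where-Object { $_ -like "not excluded from CA policy*" })
}
if (-not $fullyExcluded) {
    Write-Warning "No emergency access account is excluded from every enabled Conditional Access policy."
}
```

<p>For a correctly configured account the Findings list is empty and LastSignIn is no older than the last verification. The closing warning is the one that matters most: an account that is excluded from most policies but caught by one new policy will be blocked exactly when it is needed, which is why the check is run against every enabled policy rather than a remembered list.</p>
<p>© Copyright Microsoft Corporation. 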
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Summary</p><p>Define a privileged access strategy for administrative users (resources, roles, approvals, thresholds)</p><p>Configure Privileged Identity Management for Azure AD roles</p><p>Configure Privileged Identity Management for Azure resources</p><p>Assign roles</p><p>Manage PIM requests</p><p>Analyze PIM audit history and reports</p><p>Create and manage break-glass accounts</p><p>In this section you learned how to:</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p><p>82</p><p>Monitor and maintain Azure Active Directory</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation</p><p>83</p><p>Objectives</p><p>Analyze and investigate sign-in logs to troubleshoot access issues</p><p>Review and monitor Azure AD audit logs</p><p>Enable and integrate Azure AD diagnostic logs with Log Analytics/Microsoft Sentinel</p><p>Export sign-in and audit logs to a third-party SIEM</p><p>Review Azure AD activity by using Log Analytics/Microsoft Sentinel, excluding KQL use</p><p>Analyze Azure Active Directory workbooks/reporting</p><p>Monitor security posture with Identity Secure Score in Azure AD</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p><p>84</p><p>Analyze and investigate sign-in logs to troubleshoot access issues</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Troubleshoot access issues</p><p>Activity</p><p>Sign-ins: review sign-in activities</p><p>Audit logs: review system activity</p><p>Provisioning logs: monitor activity by the provisioning service</p><p>Security</p><p>Risky sign-ins: indicator of odd sign-in behavior</p><p>Users flagged for risk: indicator an account might be compromised</p><p>Access this information by going to:</p><p>Azure Portal  Azure AD  Monitoring menu</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Analyze and investigate sign-in logs to troubleshoot access issues</p><p>Activity</p><p>Sign-ins - Information about the usage of managed applications and user sign-in activities.</p><p>Audit logs - Audit logs provide system activity information about users and group management, managed applications, and directory activities.</p><p>Provisioning logs - Provisioning logs enable customers to monitor activity by the provisioning service, such as creating a group in ServiceNow or a user imported from Workday.</p><p>Security</p><p>Risky sign-ins - A risky 
sign-in is an indicator for a sign-in attempt by someone who isn't the legitimate owner of a user account.</p><p>Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.</p><p>Sign-ins report</p><p>First, narrow down the reported data to a level that works for you. Second, filter the sign-in data, using the date field as the default filter.</p><p>Download sign-in activities</p><p>The user sign-ins report provides answers to the following questions:</p><p>What is the sign-in pattern of a user?</p><p>How many users have signed in over a week?</p><p>What’s the status of these sign-ins?</p><p>File formats available:</p><p>CSV or JSON</p><p>Available records:</p><p>Most recent 100,000 records</p><p>
</p><p>Request ID - The ID of the request you care about.</p><p>User - The name or the user principal name (UPN) of the user you care about.</p><p>Application - The name of the target application.</p><p>Status - The sign-in status you care about:</p><p>Success</p><p>Failure</p><p>Interrupted</p><p>IP address - The IP address of the device used to connect to your tenant.</p><p>Location - The location the connection was initiated from:</p><p>City</p><p>State/Province</p><p>Country/Region</p><p>Resource - The name of the service used for the sign-in.</p><p>Resource ID - The ID of the service used for the sign-in.</p><p>Client app - The type of the client app used to connect to your tenant:</p><p>Filter sign-in activities</p><p>Get more targeted data:</p><p>Filter content specific to your needs</p><p>Reporting APIs</p><p>Export data to:</p><p>Storage account, SIEM, or Log Analytics</p><p>
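As an added example (not part of the course material), the following Python script triages a downloaded sign-in log offline with the same filters the portal offers and answers the "how many users signed in over a week, and with what status" questions from the previous slide. The records are constructed, and their field names are an assumption modelled on the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, appDisplayName, ipAddress, clientAppUsed, location, status.errorCode); the portal's CSV/JSON download may label columns differently, so adjust the keys to match your export.

```python
"""Offline triage of a downloaded Azure AD sign-in log (added example)."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export. Field names are an assumption modelled on the
# Microsoft Graph signIn resource; UPNs, IPs, error codes and reasons are made up.
SAMPLE_SIGNINS_JSON = json.dumps([
    {"id": "req-0001", "createdDateTime": "2023-03-20T08:01:12Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser",
     "location": {"city": "Seattle", "state": "Washington", "countryOrRegion": "US"},
     "status": {"errorCode": 0, "failureReason": None}},
    {"id": "req-0002", "createdDateTime": "2023-03-21T18:40:03Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser",
     "location": {"city": "Berlin", "state": "Berlin", "countryOrRegion": "DE"},
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."}},
    {"id": "req-0003", "createdDateTime": "2023-03-22T07:15:44Z",
     "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.22", "clientAppUsed": "Exchange ActiveSync",
     "location": {"city": "Seattle", "state": "Washington", "countryOrRegion": "US"},
     "status": {"errorCode": 0, "failureReason": None}},
    {"id": "req-0004", "createdDateTime": "2023-03-01T12:00:00Z",
     "userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.30", "clientAppUsed": "Browser",
     "location": {"city": "Seattle", "state": "Washington", "countryOrRegion": "US"},
     "status": {"errorCode": 0, "failureReason": None}},
    {"id": "req-0005", "createdDateTime": "2023-03-23T09:05:00Z",
     "userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.22", "clientAppUsed": "Browser",
     "location": {"city": "Seattle", "state": "Washington", "countryOrRegion": "US"},
     "status": {"errorCode": 50074, "failureReason": "Strong authentication is required."}},
    {"id": "req-0006", "createdDateTime": "2023-03-24T11:30:00Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser",
     "location": {"city": "Seattle", "state": "Washington", "countryOrRegion": "US"},
     "status": {"errorCode": 0, "failureReason": None}},
])


def load_signins(text):
    """Parse the JSON download into a list of sign-in records."""
    return json.loads(text)


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp used in the export."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signin_status(record):
    """Map status.errorCode to the portal's Success/Failure label.

    Assumption: errorCode 0 means Success and anything else is a Failure. The
    portal also reports Interrupted sign-ins; that state is not derived here.
    """
    return "Success" if record.get("status", {}).get("errorCode", 0) == 0 else "Failure"


def filter_signins(records, *, user=None, app=None, status=None, ip=None,
                   country=None, client_app=None):
    """Apply the portal's filters (user, application, status, IP address,
    country/region, client app); a filter left as None is ignored."""
    matches = []
    for r in records:
        if user and r.get("userPrincipalName", "").lower() != user.lower():
            continue
        if app and r.get("appDisplayName") != app:
            continue
        if status and signin_status(r) != status:
            continue
        if ip and r.get("ipAddress") != ip:
            continue
        if country and r.get("location", {}).get("countryOrRegion") != country:
            continue
        if client_app and r.get("clientAppUsed") != client_app:
            continue
        matches.append(r)
    return matches


def weekly_summary(records, end_stamp, days=7):
    """Users, per-user sign-in counts, status split and top failure reasons
    for the window (end - days, end]."""
    end = parse_time(end_stamp)
    start = end - timedelta(days=days)
    window = [r for r in records if start < parse_time(r["createdDateTime"]) <= end]
    per_user = Counter(r["userPrincipalName"] for r in window)
    by_status = Counter(signin_status(r) for r in window)
    reasons = Counter(r["status"]["failureReason"] for r in window
                      if signin_status(r) == "Failure")
    return {"distinct_users": len(per_user), "per_user": dict(per_user),
            "by_status": dict(by_status), "top_failure_reasons": reasons.most_common(3)}


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNINS_JSON)
    print(weekly_summary(signins, "2023-03-24T23:59:59Z"))
    for r in filter_signins(signins, status="Failure"):
        print(r["id"], r["userPrincipalName"], r["ipAddress"], r["status"]["failureReason"])
```

The failure list is the place to start when troubleshooting a user's access problem: a failure from an unexpected country or a legacy client such as Exchange ActiveSync is worth a second look even when the user's later sign-ins succeed.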
</p><p>Sign-In Activity for Managed Applications</p><p>With an application-centric view of your sign-in data, you can answer questions such as:</p><p>Who is using my applications?</p><p>What are the top three applications in my organization?</p><p>How is my newest application doing?</p><p>The entry point to this data is the top three applications in your organization. The data is contained within the last 30 days report in the Overview section under Enterprise applications.</p><p>Review and monitor Azure AD audit logs</p><p>
</p><p>Audit logs</p><p>The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select Audit logs in the Monitoring section of Azure Active Directory.</p><p>An audit log has a default list view that shows the:</p><p>Date and time of the occurrence</p><p>Service that logged the occurrence</p><p>Category and name of the activity (what)</p><p>Status of the activity (success or failure)</p><p>Target</p><p>Initiator/actor (who) of an activity</p><p>
</p><p>This information can only be accessed by users in the Security Administrator, Security Reader, Report Reader, Global Reader, or Global Administrator roles.</p><p>Filtering audit logs</p><p>Service filter</p><p>AAD Management UX</p><p>Access Reviews</p><p>Account Provisioning</p><p>Application Proxy</p><p>Authentication Methods</p><p>B2C</p><p>Conditional Access</p><p>Core Directory</p><p>Entitlement Management</p><p>Hybrid Authentication</p><p>Identity Protection</p><p>Invited Users</p><p>And more…</p><p>Category filter</p><p>AdministrativeUnit</p><p>ApplicationManagement</p><p>Authentication</p><p>Authorization</p><p>Contact</p><p>Device</p><p>DeviceConfiguration</p><p>DirectoryManagement</p><p>EntitlementManagement</p><p>GroupManagement</p><p>KerberosDomain</p><p>KeyManagement</p><p>And more…</p><p>Activity filter</p><p>You can select a specific activity you want to see, or choose all.</p><p>
</p><p>User and group audit logs</p><p>With user and group-based audit reports, you can get answers to questions such as:</p><p>What types of updates have been applied to users?</p><p>How many users were changed?</p><p>How many passwords were changed?</p><p>What has an administrator done in a directory?</p><p>What are the groups that have been added?</p><p>Are there groups with membership changes?</p><p>Have the owners of a group been changed?</p><p>What licenses have been assigned to a group or a user?</p><p>Enterprise application audit logs</p><p>With application-based audit reports, you can get answers to questions such as:</p><p>What applications have been added or updated?</p><p>What applications have been removed?</p><p>Has a service principal for an application changed?</p><p>Have the names of applications been changed?</p><p>Who gave consent to an application?</p><p>
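As an added example (not part of the course material), the following Python script answers several of the user, group and application questions above from an audit log export, using the Service / Category / Activity filters described on the earlier slide. The records are constructed; their field names are an assumption modelled on the Microsoft Graph directoryAudit resource (loggedByService, category, activityDisplayName, initiatedBy, targetResources with modifiedProperties), and the activity names, UPNs, group and application names are sample values, not taken from any real tenant.

```python
"""Offline triage of an Azure AD audit log export (added example)."""
from collections import Counter, defaultdict


def _rec(when, category, activity, by, targets):
    """Build one constructed audit record (helper for the sample data only).
    Field names are an assumption modelled on the Graph directoryAudit resource."""
    return {"activityDateTime": when, "loggedByService": "Core Directory",
            "category": category, "activityDisplayName": activity, "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": by}},
            "targetResources": targets}


def _user(upn, props=()):
    return {"displayName": upn, "type": "User", "modifiedProperties": list(props)}


def _group(name):
    return {"displayName": name, "type": "Group", "modifiedProperties": []}


# Constructed sample export; all names and values are made up.
SAMPLE_AUDIT = [
    _rec("2023-03-20T09:00:00Z", "UserManagement", "Reset user password",
         "helpdesk@contoso.example", [_user("alice@contoso.example")]),
    _rec("2023-03-20T09:30:00Z", "UserManagement", "Update user", "admin@contoso.example",
         [_user("bob@contoso.example", [{"displayName": "JobTitle",
                                         "oldValue": "\"Analyst\"",
                                         "newValue": "\"Senior Analyst\""}])]),
    _rec("2023-03-21T10:00:00Z", "GroupManagement", "Add member to group",
         "admin@contoso.example", [_user("bob@contoso.example"), _group("Finance-Admins")]),
    _rec("2023-03-21T10:05:00Z", "GroupManagement", "Remove member from group",
         "admin@contoso.example", [_user("carol@contoso.example"), _group("Finance-Admins")]),
    _rec("2023-03-22T08:00:00Z", "GroupManagement", "Add owner to group",
         "admin@contoso.example", [_user("dave@contoso.example"), _group("Sales")]),
    _rec("2023-03-22T14:10:00Z", "ApplicationManagement", "Consent to application",
         "dave@contoso.example", [{"displayName": "Contoso Expense App",
                                   "type": "ServicePrincipal", "modifiedProperties": []}]),
    _rec("2023-03-23T07:45:00Z", "UserManagement", "Change user password",
         "alice@contoso.example", [_user("alice@contoso.example")]),
]

# Activity names used by the sample data (assumed; check them against your export).
PASSWORD_ACTIVITIES = {"Reset user password", "Change user password"}
MEMBERSHIP_ACTIVITIES = {"Add member to group", "Remove member from group"}
OWNER_ACTIVITIES = {"Add owner to group", "Remove owner from group"}


def actor(record):
    """UPN of the user who initiated the activity, or 'app/system' when none is recorded."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName") or "app/system"


def targets_of_type(record, type_name):
    """Display names of the target resources of one type (e.g. the Group in a membership change)."""
    return [t["displayName"] for t in record.get("targetResources", []) if t.get("type") == type_name]


def filter_audit(records, *, service=None, category=None, activity=None, result=None):
    """The Service / Category / Activity / Status filters of the audit log view."""
    return [r for r in records
            if (service is None or r["loggedByService"] == service)
            and (category is None or r["category"] == category)
            and (activity is None or r["activityDisplayName"] == activity)
            and (result is None or r["result"] == result)]


def password_change_count(records):
    """How many passwords were changed (reset by an admin or changed by the user)?"""
    return sum(1 for r in records if r["activityDisplayName"] in PASSWORD_ACTIVITIES)


def updated_user_properties(records):
    """Which properties were updated on which users?"""
    changes = defaultdict(list)
    for r in filter_audit(records, activity="Update user"):
        for t in r["targetResources"]:
            if t.get("type") == "User":
                changes[t["displayName"]].extend(p["displayName"] for p in t.get("modifiedProperties", []))
    return dict(changes)


def group_membership_changes(records):
    """Groups whose membership changed, with (activity, member, actor) for each change."""
    changes = defaultdict(list)
    for r in records:
        if r["activityDisplayName"] in MEMBERSHIP_ACTIVITIES:
            for group in targets_of_type(r, "Group"):
                for member in targets_of_type(r, "User"):
                    changes[group].append((r["activityDisplayName"], member, actor(r)))
    return dict(changes)


def groups_with_owner_changes(records):
    """Have the owners of a group been changed? Returns the affected group names."""
    return sorted({g for r in records if r["activityDisplayName"] in OWNER_ACTIVITIES
                   for g in targets_of_type(r, "Group")})


def consent_grants(records):
    """Who gave consent to which application?"""
    return [(actor(r), app) for r in filter_audit(records, activity="Consent to application")
            for app in targets_of_type(r, "ServicePrincipal")]


def activity_counts(records):
    """What has been done in the directory, by activity name."""
    return Counter(r["activityDisplayName"] for r in records)
```

Membership changes to privileged groups and user-granted application consents are the two outputs a reviewer will usually want to scan first; both carry the initiating account so that unexpected actors stand out.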
</p><p>Microsoft 365 activity logs</p><p>Logs can be viewed from the Microsoft 365 admin center. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.</p><p>You can also access the Microsoft 365 activity logs programmatically by using the Office 365 Management APIs.</p><p>Enable and integrate Azure AD diagnostic logs with Log Analytics / Microsoft Sentinel</p><p>
</p><p>What is Log Analytics?</p><p>Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can use Log Analytics queries to retrieve records matching criteria, identify trends, analyze patterns, and provide a variety of insights into your data.</p><p>Azure Monitor Alerts</p><p>Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor.</p><p>Watch virtual machines, storage accounts, and other sources for events or thresholds.</p><p>Possible early warning of an attack</p><p>Set actions and alerts to trigger when conditions are met.</p><p>
</p><p>Target Resource - Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets:</p><p>Virtual machines.</p><p>Storage accounts.</p><p>Log Analytics workspace.</p><p>Application Insights.</p><p>For certain resources (like virtual machines), you can specify multiple resources as the target of the alert rule.</p><p>Signal - Emitted by the target resource. Signals can be of the following types: metric, activity log, Application Insights, and log.</p><p>Criteria - A combination of signal and logic applied on a target resource. Examples:</p><p>Percentage CPU > 70%</p><p>Server Response Time > 4 ms</p><p>Result count of a log query > 100</p><p>Alert Name - A specific name for the alert rule configured by the user.</p><p>Alert Description - A description for the alert rule configured by the user.</p><p>Severity - The severity of the alert once the criteria specified in the alert rule are met. Severity can range from 0 to 4.</p><p>Sev 0 = Critical</p><p>Sev 1 = Error</p><p>Sev 2 = Warning</p><p>Sev 3 = Informational</p><p>Sev 4 = Verbose</p><p>Action - A specific action taken when the alert is fired. For more information, see Action Groups.</p><p>What is Microsoft Sentinel?</p><p>Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. 
Microsoft Sentinel is your bird's-eye view across the enterprise, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.</p><p>Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds</p><p>Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence</p><p>Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft</p><p>Respond to incidents rapidly with built-in orchestration and automation of common tasks</p><p>Connecting Azure AD logs into Log Analytics</p><p>Azure Monitor → Logs → Queries</p><p>Select your Subscription</p><p>Use an existing query</p><p>Build your own in the query window</p><p>Azure AD license required</p><p>
</p><p>When you start Log Analytics, the first thing you'll see is a dialog box with example queries. These are categorized by solution, and you can browse or search for queries that match your particular requirements. You may be able to find one that does exactly what you need, or load one into the editor and modify it as required. Browsing through example queries is a great way to learn how to write your own queries.</p><p>Of course, if you want to start with an empty script and write it yourself, you can close the example queries. Just click Queries at the top of the screen to get them back.</p><p>Connecting Azure AD logs into Microsoft Sentinel</p><p>Microsoft Sentinel → Data Connectors</p><p>Set up or use a workspace</p><p>Azure Active Directory</p><p>Sign-in logs and audit logs</p><p>Azure AD license required</p><p>To onboard Microsoft Sentinel, you first need to connect to your security sources. 
Microsoft Sentinel comes with a number of out-of-the-box connectors for Microsoft solutions that provide real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) and Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Cloud App Security. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or a REST API to connect your data sources to Microsoft Sentinel.</p><p>Exercise: Connect data from Azure AD to Microsoft Sentinel</p><p>This exercise teaches the student how to connect Azure AD and Microsoft Sentinel.</p><p>Launch this Exercise in GitHub</p><p>Export sign-in and audit logs to a third-party SIEM</p><p>
</p><p>Introduction to SIEM</p><p>Security information and event management (SIEM) is a subsection within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.</p><p>Most of the top Azure services can be accessed through a single logging pipeline, including Azure Resource Manager and Microsoft Defender for Cloud. These services have onboarded to Azure Monitor and produce relevant security logs to ease setup and management of log routing across large Azure environments.</p><p>
</p><p>Example of a few 3rd-party SIEM tools</p><table><tr><th>SIEM tool</th><th>Currently using log integrator</th></tr><tr><td>Splunk</td><td>Begin migrating to the Azure Monitor Add-On for Splunk.</td></tr><tr><td>IBM QRadar</td><td>Begin migrating to the Microsoft Azure DSM and Microsoft Azure Event Hub Protocol, available from the IBM support website.</td></tr><tr><td>ArcSight</td><td>The ArcSight Azure Event Hub smart connector is available as part of the ArcSight smart connector collection.</td></tr></table><p>Analyze Azure Active Directory workbooks / reporting</p><p>
</p><p>Analyze Azure AD with Usage and Insights</p><p>Explore effects of Conditional Access policies on your users' sign-in</p><p>Troubleshoot sign-in issues and check sign-in health</p><p>Find legacy authentication sign-in attempts</p><p>Many other items</p><p>Do you want to:</p><p>Understand the effect of your Conditional Access policies on your users' sign-in experience?</p><p>Troubleshoot sign-in failures to get a better view of your organization's sign-in health and to resolve issues quickly?</p><p>Know who's using legacy authentication to sign in to your environment? (By blocking legacy authentication, you can improve your tenant's protection.)</p><p>Do you need to understand the impact of Conditional Access policies in your tenant?</p><p>Analyze Azure Active Directory usage and insights reporting</p><p>With the usage and insights report, you can get an application-centric view of your sign-in data. 
You can find answers to the following questions:</p><p>What are the most used applications in my organization?</p><p>What applications have the most failed sign-ins?</p><p>What are the top sign-in errors for each application?</p><p>Usage report</p><p>Usage and insights report:</p><p>Shows the number of sign-in attempts and the success rate</p><p>Clicking load more at the bottom of the list allows you to view additional applications on the page. You can select the date range to view all applications that have been used within the range.</p><p>Monitor your security posture with Identity Secure Score</p><p>
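As an added example (not part of the course material), the following Python script builds the application-centric view described here and on the earlier "Sign-In Activity for Managed Applications" slide: sign-in attempts and success rate per application, the most used and most failed applications, and the top sign-in errors for each. The input is a constructed list of (application, errorCode, failureReason) triples, the three fields the report needs from each record of a sign-in export; the application names, error codes and reasons are sample values, and the threshold in low_success_apps is an assumed starting point rather than anything the report prescribes.

```python
"""Per-application sign-in usage and insights from exported sign-in data (added example)."""
from collections import Counter, defaultdict

# Constructed sign-in attempts as (application, errorCode, failureReason) triples;
# errorCode 0 is treated as a successful sign-in. All values are made up.
SAMPLE_ATTEMPTS = [
    ("Office 365 SharePoint Online", 0, None),
    ("Office 365 SharePoint Online", 0, None),
    ("Office 365 SharePoint Online", 50126, "Invalid username or password."),
    ("Office 365 SharePoint Online", 0, None),
    ("Office 365 Exchange Online", 0, None),
    ("Office 365 Exchange Online", 50126, "Invalid username or password."),
    ("Office 365 Exchange Online", 50074, "Strong authentication is required."),
    ("Office 365 Exchange Online", 50126, "Invalid username or password."),
    ("Azure Portal", 0, None),
    ("Azure Portal", 53003, "Blocked by Conditional Access."),
    ("Contoso Expense App", 0, None),
]


def app_usage(attempts):
    """Sign-in attempts, successes, failures and success rate per application."""
    usage = {}
    for app, code, _ in attempts:
        row = usage.setdefault(app, {"attempts": 0, "successes": 0, "failures": 0})
        row["attempts"] += 1
        if code == 0:
            row["successes"] += 1
        else:
            row["failures"] += 1
    for row in usage.values():
        row["success_rate"] = round(row["successes"] / row["attempts"], 3)
    return usage


def top_apps(attempts, n=3):
    """Most used applications; ties are broken by name so the order is stable."""
    usage = app_usage(attempts)
    ranked = sorted(usage.items(), key=lambda kv: (-kv[1]["attempts"], kv[0]))
    return [(app, row["attempts"]) for app, row in ranked[:n]]


def most_failed_apps(attempts, n=3):
    """Applications with the most failed sign-ins (applications without failures are omitted)."""
    usage = app_usage(attempts)
    ranked = sorted(usage.items(), key=lambda kv: (-kv[1]["failures"], kv[0]))
    return [(app, row["failures"]) for app, row in ranked[:n] if row["failures"] > 0]


def top_errors_per_app(attempts, n=2):
    """The n most frequent (errorCode, failureReason, count) entries for each application."""
    errors = defaultdict(Counter)
    for app, code, reason in attempts:
        if code != 0:
            errors[app][(code, reason)] += 1
    return {app: [(code, reason, count) for (code, reason), count in c.most_common(n)]
            for app, c in errors.items()}


def low_success_apps(attempts, threshold=0.5):
    """Applications whose success rate is at or below the threshold (assumed default 50%),
    the ones worth opening in the sign-ins report first."""
    return sorted(app for app, row in app_usage(attempts).items()
                  if row["success_rate"] <= threshold)


if __name__ == "__main__":
    for app, row in app_usage(SAMPLE_ATTEMPTS).items():
        print(f"{app}: {row['attempts']} attempts, success rate {row['success_rate']:.0%}")
    print("top apps:", top_apps(SAMPLE_ATTEMPTS))
    print("most failed:", most_failed_apps(SAMPLE_ATTEMPTS))
    print("top errors:", top_errors_per_app(SAMPLE_ATTEMPTS))
    print("needs attention:", low_success_apps(SAMPLE_ATTEMPTS))
```

A low success rate on one application usually points at a single dominant error code; reading the top errors per application separates credential problems (users mistyping passwords) from policy effects (MFA or Conditional Access blocks), which need very different follow-up.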
</p><p>What is Identity Secure Score in Azure AD?</p><p>The score helps you to:</p><p>Objectively measure your identity security posture</p><p>Plan identity security improvements</p><p>Review the success of your improvements</p><p>You can access the score and related information on the identity secure score dashboard. On this dashboard, you find:</p><p>Your identity secure score</p><p>A comparison graph showing how your Identity secure score compares to other tenants in the same industry and similar size</p><p>A trend graph showing how your Identity secure score has changed over time</p><p>A list of possible improvements</p><p>By following the improvement actions, you can:</p><p>Improve your security posture and your score</p><p>Take advantage of the features available to your organization as part of your identity investments</p><p>Using the Identity Secure Score</p><table><tr><th>How are controls scored?</th><th>How should I interpret my score?</th></tr><tr><td>Controls can be scored in two ways. Some are scored in a binary fashion - you get 100% of the score if you have the feature or setting configured based on our recommendation. Other scores are calculated as a percentage of the total configuration. For example, if the improvement recommendation states you’ll get a maximum of 10.71% if you protect all your users with MFA and you only have 5 of 100 total users protected, you would be given a partial score around 0.53% (5 protected / 100 total * 10.71% maximum = 0.53% partial score).</td><td>Your score improves for configuring recommended security features or performing security-related tasks (like reading reports). Some actions are scored for partial completion, like enabling multi-factor authentication (MFA) for your users. Your secure score is directly representative of the Microsoft security services you use. Remember that security must be balanced with usability. All security controls have a user impact component. Controls with low user impact should have little to no effect on your users' day-to-day operations.</td></tr></table><p>
</p><p>Summary</p><p>In this section you learned how to:</p><p>Analyze and investigate sign-in logs to troubleshoot access issues</p><p>Review and monitor Azure AD audit logs</p><p>Enable and integrate Azure AD diagnostic logs with Log Analytics/Microsoft Sentinel</p><p>Export sign-in and audit logs to a third-party SIEM</p><p>Review Azure AD activity by using Log Analytics/Microsoft Sentinel, excluding KQL use</p><p>Analyze Azure Active Directory workbooks/reporting</p><p>© Microsoft Corporation. All rights reserved. 
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p><p>Summary</p><p>Entitlement Management</p><p>Catalogs</p><p>Access Packages</p><p>Assign entitlements</p><p>Manage using Identity Governance</p><p>Manage Access Reviews</p><p>Design an access review plan</p><p>Access reviews for groups and apps</p><p>Monitor access review findings</p><p>Remediate and automate access review issues</p><p>Privileged Access Management</p><p>Define privileged access strategy</p><p>Configure PIM for roles</p><p>Configure PIM for resources</p><p>Audit and manage PIM</p><p>Break-glass accounts</p><p>Monitor and maintain Azure AD</p><p>Use sign-in logs</p><p>Monitor Azure audit logs</p><p>Configure Log Analytics and Sentinel</p><p>Configure alerts</p><p>Labs</p><table><tr><th>Lab</th><th>Brief description</th><th>Length</th></tr><tr><td>22. Create and Manage catalogs</td><td>Create and manage catalogs for use with Entitlement Management in Azure AD.</td><td>15 minutes</td></tr><tr><td>23. Implement terms-of-use</td><td>Create and manage terms of use for Azure AD.</td><td>5 minutes</td></tr><tr><td>24. Manage external user lifecycle</td><td>Manage the lifecycle of external users in Azure AD.</td><td>5 minutes</td></tr><tr><td>25. Access Reviews</td><td>Create access reviews for internal and external users.</td><td>15 minutes</td></tr><tr><td>26. Enable and Configure PIM</td><td>Configure PIM for Azure AD and for Azure roles.</td><td>5 minutes</td></tr><tr><td>27. Kusto Query</td><td>Use a simple Kusto Query in Microsoft Sentinel to review Azure AD data sources.</td><td>15 minutes</td></tr><tr><td>28. Identity Secure Score</td><td>Monitor and manage your security posture with Identity Secure Score.</td><td>10 minutes</td></tr></table><p>End of presentation</p>
ng</p><p>image118.png</p><p>image119.png</p><p>image120.png</p><p>image121.png</p><p>image122.png</p><p>image123.png</p><p>image1230.png</p><p>image124.png</p><p>image125.png</p><p>image126.png</p><p>image15.png</p><p>a second for external users to request access.</p><p>access package	A bundle of resources that a team or project needs and is governed with policies. An access package is always contained in a catalog. You would create a new access package for a scenario in which users need to request access.</p><p>catalog	A container of related resources and access packages. Catalogs are used for delegation so non-administrators can create their own access packages. Catalog owners can add resources they own to a catalog.</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Define access packages</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation</p><p>11</p><p>What are access packages? 
What can I manage with them?</p><p>An access package is list of resources like Groups, Apps, and Sites, along with the roles a user needs for those resources.</p><p>There is a policy included in the access package with rules for who can access the package.</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>An access package is a bundle of resources with the access a user needs to work on a project or perform their task.</p><p>With an access package, you can manage:</p><p>Membership of Azure AD security groups.</p><p>Membership of Microsoft 365 Groups and Teams.</p><p>Assignment to Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation/single sign-on and/or provisioning.</p><p>Membership of SharePoint Online sites.</p><p>You can also control access to other resources that rely upon Azure AD security groups or Microsoft 365 Groups. 
For example, you can provide:</p><p>Licenses for Microsoft 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group.</p><p>Access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group.</p><p>Access to manage Azure AD roles by using groups assignable to Azure AD roles in an access package and assigning an Azure AD role to that group.</p><p>© Microsoft Corporation</p><p>12</p><p>When should I use access packages?</p><p>Manager approval</p><p>-or-</p><p>Delegated Role / Identity</p><p>Time-limited access</p><p>Manage access without IT</p><p>Cross organization collaboration</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Access packages do not replace other mechanisms for access assignment. They are most appropriate in situations such as when:</p><p>Employees need time-limited access for a particular task. 
For example, you might use group-based licensing and a dynamic group to ensure all employees have an Exchange Online mailbox, and then use access packages for situations in which employees need additional access, such as to read departmental resources from another department.</p><p>Access requires the approval of an employee's manager or other designated individuals.</p><p>Departments wish to manage their own access policies for their resources without IT involvement.</p><p>Two or more organizations are collaborating on a project, and as a result, multiple users from one organization will need to be brought in via Azure AD B2B to access another organization's resources.</p><p>© Microsoft Corporation</p><p>13</p><p>How do I control who gets access?</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>In Access package 1, there is only one single group as a resource. Access is defined with a policy that enables a set of users in the directory to request access. Access package 2 includes a group, an application, and a SharePoint Online site as resources. Access is defined with two different policies. The first policy enables a set of users in the directory to request access. The second policy enables users in an external directory to request access.</p><p>© Microsoft Corporation</p><p>14</p><p>Define Catalogs</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation</p><p>15</p><p>What is a catalog?</p><p>Catalog is container of:</p><p>Resources</p><p>Access packages</p><p>Group related resources together.</p><p>Catalog creator is the default owner.</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes the first catalog owner. 
A catalog owner can add additional catalog owners.</p><p>Resource – some application, website, or other item that a user would need to access.</p><p>Access Package – the rules and rights needed to access a given resource</p><p>© Microsoft Corporation</p><p>16</p><p>Creating a catalog</p><p>Log into Azure as Global administrator</p><p>Open Azure Active Directory and the select Identity Governance</p><p>Select Catalogs and then +New Catalog</p><p>Enter a Name and Description</p><p>Adjust other settings as needed</p><p>Select Create</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add additional catalog owners.</p><p>© Microsoft Corporation</p><p>17</p><p>How do I add resources to a catalog?</p><p>On the Identity Governance blade, if necessary, select Catalogs.</p><p>In the Catalogs list, select Marketing.</p><p>In the left navigation, under Manage, select Resources.</p><p>On the menu, select + Add resources.</p><p>In the Add resources to catalog, review the available options.</p><p>When finished, click Add.</p><p>© Copyright Microsoft Corporation. 
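</p>
<p>The two portal procedures above (create a catalog, then add resources to it) can be scripted against Microsoft Graph. The following is an added example and not code from the course: it uses the v1.0 cmdlets of the Microsoft Graph PowerShell SDK and assumes a catalog named Marketing, an existing Azure AD security group named Marketing Readers (a name chosen for this example), and an account holding the Identity Governance Administrator role or a delegated Catalog creator role.</p>

```powershell
# Added example (not from the course): create a catalog and add a group
# resource to it with the v1.0 cmdlets of the Microsoft Graph PowerShell SDK.
# Least privilege: EntitlementManagement.ReadWrite.All covers the catalog
# work; Group.Read.All is only needed to resolve the group by name.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "Group.Read.All"

# 1. Create the catalog. state=published makes it usable for access
#    packages; isExternallyVisible=false keeps its packages out of reach
#    of users from connected organizations until that is a deliberate choice.
$catalogBody = @{
    displayName         = "Marketing"
    description         = "Resources owned by the Marketing department"
    state               = "published"
    isExternallyVisible = $false
}
$catalog = New-MgEntitlementManagementCatalog -BodyParameter $catalogBody

# 2. Resolve the group that becomes a catalog resource ('Marketing Readers'
#    is an assumed name). Insist on exactly one match: a duplicate display
#    name would otherwise silently pick the wrong group.
$group = Get-MgGroup -Filter "displayName eq 'Marketing Readers'"
if (@($group).Count -ne 1) { throw "Expected exactly one group named 'Marketing Readers'" }

# A role-assignable group carries an Azure AD directory role: whoever
# obtains membership through an access package inherits that role, so
# surface it instead of letting it pass unnoticed.
if ($group.IsAssignableToRole) {
    Write-Warning "'$($group.DisplayName)' is role-assignable; adding it exposes a directory role through this catalog."
}

# 3. Adding a resource is itself a request (requestType adminAdd).
#    originSystem names the resource kind: AadGroup here; AadApplication
#    and SharePointOnline are the other kinds the slide lists.
$resourceRequest = @{
    requestType = "adminAdd"
    resource    = @{
        originId     = $group.Id
        originSystem = "AadGroup"
    }
    catalog     = @{ id = $catalog.Id }
}
New-MgEntitlementManagementResourceRequest -BodyParameter $resourceRequest | Out-Null

# 4. Verify what the catalog now contains.
Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.Id |
    Select-Object DisplayName, OriginSystem, OriginId
```

<p>The same resourceRequests call with requestType adminRemove takes a resource out of the catalog again, so both directions of the portal procedure leave a request record behind.</p>
<p>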
All rights reserved.</p>
<p>Entitlement Owners and Process</p>
<p>Delegate</p>
<p>Users in your org</p>
<p>Users outside your org</p>
<p>Daily management</p>
<p>Assignments and reports</p>
<p>There are several ways that you can configure entitlement management for your organization. However, if you're just getting started, it's helpful to understand the common scenarios for administrators, catalog owners, access package managers, approvers, and requestors.</p>
<p>Delegate</p>
<p>Administrator: Delegate management of resources.</p>
<p>Catalog creator: Delegate management of resources.</p>
<p>Catalog owner: Delegate management of resources.</p>
<p>Catalog owner: Delegate management of access packages.</p>
<p>Govern access for users in your organization</p>
<p>Access package manager: Allow employees in your organization to request access to resources.</p>
<p>Requestor: Request access to resources.</p>
<p>Approver: Approve requests to resources.</p>
<p>Requestor: View the resources you already have access to.</p>
<p>Govern access for users outside your organization</p>
<p>Administrator: Collaborate with an external partner organization.</p>
<p>Access package manager: Collaborate with an external partner organization.</p>
<p>Requestor: Request access to resources as an external user.</p>
<p>Approver: Approve requests to resources.</p>
<p>Requestor: View the resources you already have access to.</p>
<p>Day-to-day management</p>
<p>Access package manager: Update the resources for a project.</p>
<p>Access package manager: Update the duration for a project.</p>
<p>Access package manager: Update how access is approved for a project.</p>
<p>Access package manager: Update the people for a project.</p>
<p>Access package manager: Directly assign specific users to an access package.</p>
<p>Assignments and reports</p>
<p>Administrator: View who has assignments to an access package.</p>
<p>Administrator: View resources assigned to users.</p>
<p>Programmatic administration</p>
<p>You can also manage access packages, catalogs, policies, requests, and assignments using Microsoft Graph. 
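</p>
<p>One of the delegation scenarios listed above, scripted as an added example (not code from the course): make a departmental lead the Catalog owner of one catalog only, using the entitlement management role definitions and role assignments exposed through Microsoft Graph. It uses the v1.0 cmdlets of the Microsoft Graph PowerShell SDK; the catalog name Marketing and the UPN mkt-lead@contoso.com are assumptions for this example.</p>

```powershell
# Added example (not from the course): delegate one catalog to a
# departmental owner by assigning the entitlement management
# 'Catalog owner' role scoped to that catalog, then list what is
# delegated on it. Catalog name and UPN are assumptions for the example.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All"

$catalog = Get-MgEntitlementManagementCatalog -Filter "displayName eq 'Marketing'"
if (@($catalog).Count -ne 1) { throw "Expected exactly one catalog named 'Marketing'" }
$owner = Get-MgUser -UserId "mkt-lead@contoso.com"   # assumed UPN

# Entitlement management has its own role definitions (Catalog owner,
# Catalog reader, Access package manager, ...), separate from Azure AD
# directory roles. Resolve the role by name instead of hard-coding its ID.
$roleDef = Get-MgRoleManagementEntitlementManagementRoleDefinition -All |
    Where-Object DisplayName -eq "Catalog owner"
if (-not $roleDef) { throw "Role definition 'Catalog owner' not found" }

# The scope is the catalog itself: the delegate can manage this catalog's
# resources and access packages and nothing else in the tenant. No
# directory role is granted.
$scope = "/AccessPackageCatalog/$($catalog.Id)"
$assignment = @{
    principalId      = $owner.Id
    roleDefinitionId = $roleDef.Id
    appScopeId       = $scope
}
New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $assignment | Out-Null

# Periodic check: a catalog owner can hand out every resource in the
# catalog, so the principals holding roles on it belong in the access
# review plan alongside the assignments themselves.
Get-MgRoleManagementEntitlementManagementRoleAssignment -Filter "appScopeId eq '$scope'" -All |
    Select-Object PrincipalId, RoleDefinitionId
```

<p>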
A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the entitlement management API.</p>
<p>Create a catalog of resources in Azure AD</p>
<p>This exercise teaches students to create and manage catalogs for use with Entitlement Management in Azure AD.</p>
<p>Launch this Exercise in GitHub</p>
<p>Implement and manage terms of use</p>
<p>What are Terms of Use in Entitlement Management?</p>
<p>Terms of use are stored as a PDF</p>
<p>The PDF can contain any content, including contracts such as an EULA</p>
<p>Can be used to enforce compliance</p>
<p>24-point font recommended</p>
<p>Azure AD terms of use policies use the PDF format to present content. The PDF file can be any content, such as existing contract documents, allowing you to collect end-user agreements during user sign-in. To support users on mobile devices, the recommended font size in the PDF is 24 point.</p>
<p>Terms of use can be, and often are, used to set and measure compliance activities. They can notify users of specific compliance rules and have them acknowledge that they have read and will operate under those rules. Organizations can change the terms as compliance goals are updated, and users can be required to re-accept the terms of use.</p>
<p>Implement and manage terms of use</p>
<p>This exercise teaches students to create and manage terms of use for Azure AD.</p>
<p>Launch this Exercise in GitHub</p>
<p>Manage the lifecycle of external users in Azure AD</p>
<p>Manage the lifecycle of external users in Azure AD Identity Governance settings</p>
<p>You can select what happens when an external user, who was invited to your directory through an access package request being approved, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they are blocked from signing into your directory. After 30 days, their guest user account is removed from your directory.</p>
<p>Manage the lifecycle of external users</p>
<p>This exercise teaches students how to manage the lifecycle of external users in Azure AD.</p>
<p>Launch this Exercise in GitHub</p>
<p>Configure and manage connected organizations</p>
<p>What is a connected organization?</p>
<p>A connected organization is another organization that you have a relationship with. For the users in that organization to be able to access your resources, such as your SharePoint Online sites or apps, you need a representation of that organization's users in your directory. Because in most cases the users in that organization aren't already in your Azure AD directory, you can use entitlement management to bring them into your Azure AD directory as needed.</p>
<p>There are three ways that entitlement management lets you specify the users that form a connected organization. It could be:</p>
<p>users in another Azure AD directory (from any Microsoft cloud),</p>
<p>users in another non-Azure AD directory that has been configured for direct federation, or</p>
<p>users in another non-Azure AD directory whose email addresses all have the same domain name in common.</p>
<p>Add a connected organization in Azure AD entitlement management - Azure Active Directory - Microsoft Entra | Microsoft Docs</p>
<p>With Azure Active Directory (Azure AD) entitlement management, you can collaborate with people outside your organization. If you frequently collaborate with users in an external Azure AD directory or domain, you can add them as a connected organization. This article describes how to add a connected organization so that you can allow users outside your organization to request resources in your directory.</p>
<p>Scenario – Woodgrove Bank and Contoso</p>
<p>For example, suppose you work at Woodgrove Bank and you want to collaborate with two external organizations. These two organizations have different configurations:</p>
<p>Graphic Design Institute uses Azure AD, and their users have a user principal name that ends with graphicdesigninstitute.com.</p>
<p>Contoso does not yet use Azure AD. Contoso users have a user principal name that ends with contoso.com.</p>
<p>In this case, you can configure two connected organizations: one for Graphic Design Institute and one for Contoso. If you then add the two connected organizations to a policy, users from each organization with a user principal name that matches the policy can request access packages. Users with a user principal name in the contoso.com domain would match the Contoso connected organization and be allowed to request packages. Users with a user principal name in the graphicdesigninstitute.com domain would match the Graphic Design Institute connected organization and be allowed to submit requests. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches a verified domain added to their tenant, such as graphicdesigninstitute.example, would also be able to request access packages by using the same policy. If you have email one-time passcode (OTP) authentication turned on, that includes users from those domains who aren't yet part of an Azure AD directory and who will authenticate using email OTP when accessing your resources.</p>
<p>Add a connected organization</p>
<p>In the Azure portal, select Azure Active Directory, and then select Identity Governance.</p>
<p>In the left pane, select Connected organizations, and then select + Add connected organization.</p>
<p>Select the Basics tab, and then enter a display name and description for the organization.</p>
<p>Select the Directory + domain tab, and then select Add directory + domain.</p>
<p>In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.</p>
<p>Select Add to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.</p>
<p>After you've added the Azure AD directory or domain, select Select.</p>
<p>Select the Sponsors tab, and then add optional sponsors for this connected organization.</p>
<p>Sponsors are internal or external users already in your directory. Sponsors are the point of contact for the relationship with this connected organization.</p>
<p>Select the Review + create tab, review your organization settings, and then select Create.</p>
<p>© Copyright Microsoft Corporation. 
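</p>
<p>The Woodgrove Bank scenario and the procedure above, scripted as an added example rather than course code: create both connected organizations with the v1.0 cmdlets of the Microsoft Graph PowerShell SDK, choosing the identity-source type per partner, add a sponsor, and read back the tenant-wide external-user lifecycle setting from the previous section that will govern the guests these organizations bring in. The partner domains are the slide's fictional ones; the sponsor UPN, the OpenID Connect discovery lookup used to tell an Azure AD domain from a non-Azure AD one, and the $ref cmdlet used for the sponsor are this example's own choices.</p>

```powershell
# Added example (not from the course): set up the Woodgrove Bank scenario
# with the v1.0 cmdlets of the Microsoft Graph PowerShell SDK, then read
# back the external-user lifecycle setting that applies to the guests these
# connected organizations will bring in. Domains are the slide's fictional
# ones; the sponsor UPN is an assumption.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All"

# Pick the identity-source kind for a partner domain by asking the
# Microsoft identity platform whether the domain belongs to an Azure AD
# tenant: the public OpenID Connect discovery document carries the tenant
# ID in its issuer, and a domain with no tenant returns AADSTS90002 instead.
function Get-PartnerIdentitySource {
    param([string]$Domain, [string]$DisplayName)
    try {
        $oidc = Invoke-RestMethod -U{% raw %}ri "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
        $tenantId = ($oidc.issuer -split '/')[3]   # https://login.microsoftonline.com/{tenantId}/v2.0
        return @{
            "@odata.type" = "#microsoft.graph.azureActiveDirectoryTenant"
            tenantId      = $tenantId
            displayName   = $DisplayName
        }
    }
    catch {
        # Anything other than "tenant not found" is a real failure (network,
        # throttling); do not let it silently downgrade to a domain source.
        if ($_.ErrorDetails.Message -notmatch 'AADSTS90002') { throw }
        # Not an Azure AD tenant: match users on the domain of their email
        # address; they sign in with email OTP (or direct federation, if set up).
        return @{
            "@odata.type" = "#microsoft.graph.domainIdentitySource"
            domainName    = $Domain
            displayName   = $DisplayName
        }
    }
}

$sponsor = Get-MgUser -UserId "partner-manager@woodgrovebank.com"   # assumed UPN

$partners = @(
    @{ Name = "Graphic Design Institute"; Domain = "graphicdesigninstitute.com" },
    @{ Name = "Contoso";                  Domain = "contoso.com" }
)

foreach ($p in $partners) {
    $body = @{
        displayName     = $p.Name
        description     = "Collaboration partner of Woodgrove Bank"
        identitySources = @( Get-PartnerIdentitySource -Domain $p.Domain -DisplayName $p.Name )
        state           = "configured"   # the state the portal sets for admin-created organizations
    }
    $org = New-MgEntitlementManagementConnectedOrganization -BodyParameter $body

    # Sponsors are the point of contact for the relationship; access package
    # policies can name them as approvers for that organization's requests.
    New-MgEntitlementManagementConnectedOrganizationInternalSponsorByRef -ConnectedOrganizationId $org.Id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($sponsor.Id)" }
}

# Guests who arrive through these connected organizations fall under the
# tenant-wide entitlement management settings: by default, blocked from
# signing in when their last assignment ends and deleted 30 days later.
Get-MgEntitlementManagementSetting |
    Select-Object ExternalUserLifecycleAction, DurationUntilExternalUserDeletedAfterBlocked
```

<p>The discovery lookup is unauthenticated and only decides which identity-source type to send; the connected organization itself is still created with the scopes listed in Connect-MgGraph, and the final two lines are the check to run before relying on the 30-day default for partner guests.</p>
<p>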
All rights reserved.</p>
<p>The state is automatically set to Configured when you create a connected organization this way. For more information about state properties, see State properties of connected organizations.</p>
<p>When you select Add directory + domain, the Select directories + domains pane opens. After searching, confirm that the organization name and authentication type are correct before you select Add; the organization then appears in the list.</p>
<p>When you select Add/Remove on the Sponsors tab, a pane opens in which you can choose internal or external sponsors. The pane displays an unfiltered list of users and groups in your directory.</p>
<p>Review per-user Entitlements</p>
<p>Who has an entitlement – Azure portal</p>
<p>Following zero-trust principles, review your access package assignments regularly. There are tools built into the system to support this review.</p>
<p>Follow these steps to review assignments:</p>
<p>In the Azure portal, select Azure Active Directory and then select Identity Governance.</p>
<p>In the left menu, select Access packages and then open the access package.</p>
<p>Select Assignments to see a list of active assignments.</p>
<p>Select a specific assignment to see additional details.</p>
<p>To see a list of assignments that did not have all resource roles properly provisioned, select the filter status and select Delivering.</p>
<p>You can see additional details on delivery errors by locating the user's corresponding request on the Requests page.</p>
<p>To see expired assignments, select the filter status and select Expired.</p>
<p>To download a CSV file of the filtered list, select Download.</p>
<p>Remove an assignment</p>
<p>If you find an assignment that is out of date, take action. 
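</p>
<p>The review steps above, scripted as an added example (not code from the course): list the assignments of one access package by state, export the live ones as review evidence, and remove delivered assignments whose user account is disabled or gone. It uses the v1.0 cmdlets of the Microsoft Graph PowerShell SDK; the package name Marketing Campaign is the one used on the following slide, while the CSV path and the stale-account criterion are this example's assumptions.</p>

```powershell
# Added example (not from the course): scripted form of the review above,
# using the v1.0 cmdlets of the Microsoft Graph PowerShell SDK.
# User.Read.All is only needed for the stale-account check at the end.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All", "User.Read.All"

$package = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
if (@($package).Count -ne 1) { throw "Expected exactly one access package named 'Marketing Campaign'" }

# One call for every assignment of the package; 'target' is the subject
# (user) the assignment was delivered to.
$assignments = Get-MgEntitlementManagementAssignment -Filter "accessPackage/id eq '$($package.Id)'" -ExpandProperty target -All -ErrorAction Stop

# Triage by state: delivering/deliveryFailed need a look at the request
# (resource roles not fully provisioned), expired are history, delivered
# are the live entitlements the reviewer has to justify.
$assignments | Group-Object State | Select-Object Name, Count

# Evidence for the review: the live assignments, as the portal's CSV
# download would give them. Path is an assumption for this example.
$live = $assignments | Where-Object State -eq "delivered"
$live |
    Select-Object Id, State, ExpiredDateTime, @{ n = "User"; e = { $_.Target.DisplayName } }, @{ n = "Email"; e = { $_.Target.Email } } |
    Export-Csv -Path ".\marketing-campaign-assignments.csv" -NoTypeInformation

# Stale criterion used here: the assignment is live but the user object is
# disabled or no longer exists (a leaver whose entitlement outlived the
# account). Such assignments keep group and app access alive for an
# account that should have none.
$stale = foreach ($a in $live) {
    $user = Get-MgUser -UserId $a.Target.ObjectId -Property accountEnabled -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.AccountEnabled) { $a }
}

# Removal is itself a request (requestType adminRemove), so it is audited
# like any other assignment change. This is the scripted form of the
# 'Remove an assignment' steps.
foreach ($a in $stale) {
    $body = @{
        requestType = "adminRemove"
        assignment  = @{ id = $a.Id }
    }
    New-MgEntitlementManagementAssignmentRequest -BodyParameter $body | Out-Null
}
"{0} live assignments, {1} stale removed" -f @($live).Count, @($stale).Count
```

<p>Because the removal goes through assignmentRequests rather than deleting the assignment object, the request history shows who removed what and when, which is the evidence an access review needs.</p>
<p>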
You can remove an assignment that a user or an administrator had previously requested.</p><p>In the Azure portal, select Azure Active Directory and then select Identity Governance.</p><p>In the left menu, select Access packages and then open the access package.</p><p>In the left menu, select Assignments.</p><p>select the check box next to the user whose assignment you want to remove from the access package.</p><p>select the Remove button near the top of the left pane.</p><p>© Microsoft Corporation</p><p>32</p><p>Review the assignments with PowerShell</p><p>Connect-MgGraph -Scopes "EntitlementManagement.Read.All"</p><p>Select-MgProfile -Name "beta"</p><p>$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign"</p><p>$assignments = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop</p><p>$assignments | ft Id,AssignmentState,TargetId,{$_.Target.DisplayName}</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>You can perform a query in PowerShell to get the per-user list of assignments. This can help with scripting and automation of the management tasks.</p><p>© Microsoft Corporation</p><p>33</p><p>Summary</p><p>In this section you learned how to:</p><p>Define catalogs</p><p>Define access packages</p><p>Plan, implement, and manage entitlements</p><p>Implement and manage terms of use</p><p>Manage the lifecycle of external users in Azure AD</p><p>© Copyright Microsoft Corporation. 
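All rights reserved.</p><p>The listing query and the portal removal steps above combine naturally into one script. The following is an added example, not code from the original deck or from Microsoft. It uses the Microsoft Graph PowerShell SDK 2.x against the v1.0 endpoint, where the beta-profile cmdlets of the snippet above are replaced by Get-MgEntitlementManagementAssignment and New-MgEntitlementManagementAssignmentRequest; those cmdlet names, the $filter expressions and the "Marketing Campaign" package name are assumptions to verify against your installed module and tenant. It reports expired and stuck assignments and, only when run with -Apply, submits an adminRemove request for each expired one.</p>
```powershell
# Added example (not from the deck): find and remove stale access package assignments.
# Assumptions: Microsoft Graph PowerShell SDK 2.x cmdlet names (v1.0 endpoint);
# an access package named "Marketing Campaign" exists in the tenant.
param(
    [string]$AccessPackageName = "Marketing Campaign",
    [switch]$Apply   # without -Apply the script only reports what it would remove
)

# Write scope is needed for the removal request; listing alone works with EntitlementManagement.Read.All
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All" -NoWelcome

# 1. Resolve the package by display name and refuse to act on an ambiguous match.
$packages = @(Get-MgEntitlementManagementAccessPackage -Filter "displayName eq '$AccessPackageName'")
if ($packages.Count -ne 1) {
    throw "Expected exactly one access package named '$AccessPackageName', found $($packages.Count)."
}
$package = $packages[0]

# 2. Pull every assignment for the package with its target principal expanded.
$assignments = @(Get-MgEntitlementManagementAssignment `
    -Filter "accessPackage/id eq '$($package.Id)'" `
    -ExpandProperty target -All -ErrorAction Stop)

# 3. Classify by state: 'expired' is what the portal's Expired filter shows; 'delivering'
#    assignments never finished provisioning and need their request inspected, not a blind removal.
$expired    = @($assignments | Where-Object State -eq 'expired')
$delivering = @($assignments | Where-Object State -eq 'delivering')

Write-Host ("{0} assignments total, {1} expired, {2} still delivering" -f `
    $assignments.Count, $expired.Count, $delivering.Count)

foreach ($a in $delivering) {
    Write-Warning ("Assignment {0} for {1} is stuck in 'delivering'; check its request on the Requests page." -f `
        $a.Id, $a.Target.DisplayName)
}

# 4. Removal is itself a request (requestType adminRemove), not a DELETE on the assignment,
#    so every removal is recorded like any other entitlement change.
foreach ($a in $expired) {
    if (-not $Apply) {
        Write-Host ("[dry run] would remove assignment {0} ({1})" -f $a.Id, $a.Target.DisplayName)
        continue
    }
    $req = New-MgEntitlementManagementAssignmentRequest `
        -RequestType "adminRemove" `
        -Assignment @{ Id = $a.Id }
    Write-Host ("submitted removal for {0} ({1}); request {2} state {3}" -f `
        $a.Id, $a.Target.DisplayName, $req.Id, $req.State)
}
```
<p>Run it without -Apply first and compare the dry-run output with the portal's Expired filter; only then rerun with -Apply. Keeping removal behind a switch, and refusing to proceed on an ambiguous package name, is what keeps an automation like this from silently revoking the wrong population.</p><p>© Copyright Microsoft Corporation. 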
All rights reserved.</p><p>© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p><p>References</p><p>Terms of use: frequently asked questions. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use#frequently-asked-questions</p><p>Add a connected organization in Azure AD entitlement management (Azure Active Directory, Microsoft Entra, Microsoft Docs)</p><p>Plan, implement, and manage access reviews</p><p>Objectives</p><p>Plan for access reviews</p><p>Create access reviews for groups and apps</p><p>Create and configure access review programs</p><p>Manage licenses for access reviews</p><p>Automate access review management tasks</p><p>Configure recurring access reviews</p><p>Plan for access reviews</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>What is an access review?</p><p>Access reviews help an organization ensure that the right people have the right access to the right resources.</p><p>They mitigate access risk by protecting, monitoring, and auditing access to critical assets while keeping employees and business partners productive.</p><p>Access reviews are performed in Azure AD Identity Governance.</p><p>Planning a pilot</p><p>Decide what resources to review.</p><p>Decide who will review.</p><p>Test access.</p><p>Adjust, then test again.</p><p>Pilot access reviews with a small group and target non-critical resources. Piloting lets you adjust processes and improves users' and reviewers' ability to meet security and compliance requirements.</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Pilot with a small group and non-critical resources so that processes and communications can be adjusted before reviews touch anything that matters. In your pilot, we recommend that you:</p><p>· Start with reviews whose results are not automatically applied, so you control the consequences.</p><p>· Ensure that all users have valid email addresses listed in Azure AD and actually receive the email that asks them to act.</p><p>· Document any access removed as part of the pilot in case you need to restore it quickly.</p><p>· Monitor the audit logs to confirm that every review event is recorded.</p><p>What resource types can be reviewed?</p><p>Once your organization's resources (users, applications, groups) are integrated with Azure AD, they can be managed and reviewed.</p><p>Who will create and manage access reviews?</p><p>The administrative role required to create, manage, or read an access review depends on the type of resource being reviewed. The slide showed a subset; the full lists from the notes are consolidated here:</p><table><tr><th>Resource type</th><th>Who can create and manage access reviews</th><th>Who can read the results</th></tr><tr><td>Group or application</td><td>Global administrator; User administrator; Identity Governance administrator; Privileged Role administrator (only for Azure AD role-assignable groups); Group owner (if enabled by an administrator)</td><td>Global administrator; Global reader; User administrator; Identity Governance administrator; Privileged Role administrator; Security reader; Group owner (if enabled by an administrator)</td></tr><tr><td>Azure AD roles</td><td>Global administrator; Privileged Role administrator</td><td>Global administrator; Global reader; User administrator; Privileged Role administrator; Security reader</td></tr><tr><td>Azure resource roles</td><td>User Access Administrator (for the resource); Resource owner</td><td>User Access Administrator (for the resource); Resource owner; Reader (for the resource)</td></tr><tr><td>Access package</td><td>Global administrator; User administrator; Identity Governance administrator</td><td>Global administrator; Global reader; User administrator; Identity Governance administrator; Security reader</td></tr></table><p>Who will review the access to the resource?</p><p>The creator of the access review decides, at creation time, who will perform the review. This setting cannot be changed once the review has started. Reviewers fall into three personas:</p><p>· Resource owners, who are the business owners of the resource.</p><p>· A set of individually selected delegates, chosen by the access reviews administrator.</p><p>· End users, who each self-attest to their need for continued access.</p><p>Components of an access review</p><p>Before implementing access reviews, plan the types of reviews relevant to your organization: decide what you want to review and what actions follow from the results. To create an access review policy, you need answers to the following questions.</p><p>What resource(s) must be reviewed?</p><p>Whose access is being reviewed?</p><p>How often should the review occur?</p><p>Who will perform the review?</p><p>How will they be notified to review?</p><p>What timelines are enforced for the review?</p><p>What automatic actions are enforced based on the review?</p><p>What happens if the reviewer doesn't respond in time?</p><p>What manual actions are taken as a result of the review?</p><p>What communications are sent based on the actions taken?</p><p>Plan for access reviews for applications</p><p>When you review access to an application, you are reviewing the access that employees and external identities have to the information and data within that application. Review an application when you need to know who has access to that specific application, rather than to an access package or a group.</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Plan for access reviews</p><p>Review access packages</p><p>Review groups and apps</p><p>Review Azure AD roles</p><p>Review Azure resource roles</p><p>Plan communications</p><p>Communication is critical to the success of any new business process. Proactively tell users how and when their experience will change and how to get support if they run into problems.</p><p>Communicate changes in accountability: access reviews shift the responsibility for reviewing and acting on continued access to business owners, decoupling access decisions from IT so that the decisions are made by the people who know whether access is still needed.</p><p>Customize email communication: when you schedule a review, you nominate the users who will perform it. These reviewers receive an email notification of new reviews assigned to them, plus reminders before an assigned review expires. The email can carry a short custom message that encourages them to act. Use that text to:</p><p>· Include a personal message to reviewers, so they understand it is sent by your compliance or IT department.</p><p>· Include a hyperlink or reference to internal information on what is expected of the review, plus any reference or training material.</p><p>· Include a link to instructions on how to perform a self-review of access.</p><p>Create access reviews for groups and apps</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Create access reviews for groups and apps</p><p>Prevent stale access assignments by creating access reviews for group members or application access.</p><p>If you need to review access routinely, create recurring access reviews.</p><p>To locate access reviews, go to the Azure portal, then Identity Governance, then Access Reviews.</p><p>Licensing: Azure AD Identity Governance is a licensed feature; any use of access reviews requires an Azure AD Premium P2 license.</p><p>Access to groups and applications for employees and guests changes over time. To reduce the risk of stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access, and recurring reviews where access must be checked routinely.</p><p>Monitor access review findings</p><p>View an access review</p><p>The reviewer is notified by email when a review is ready to perform; follow the link in the email to open the review and its findings.</p><p>Review the access review findings</p><p>To perform an access review manually:</p><p>1. Review the list of users and decide whether to approve or deny their continued access.</p><p>2. Click Approve or Deny.</p><p>3. If required, provide a reason for the decision.</p><p>4. Once you have specified the action to take, click Save.</p><p>Recommendations are generated from each user's sign-in activity. To apply them in bulk, click Accept recommendations in the blue bar at the bottom of the page; a summary of the recommended actions appears. Click Ok to accept the recommendations.</p><p>Create and configure access review programs</p><p>Programs for access reviews</p><p>Azure Active Directory (Azure AD) access reviews is a feature of Azure AD Identity Governance. Access reviews help to ensure that the right identities have the right access to the right resources in the organization, and they can be created and driven programmatically through the access reviews API in Microsoft Graph.</p><p>Azure AD access review resource types in the program-based API:</p><p>accessReview: container for the access review</p><p>businessFlowTemplate: defines the resources on which an access review can be performed</p><p>program: defines an access review program</p><p>programControl: links an access review to a program</p><p>programControlType: type of access review being performed</p><p>These resource types belong to the earlier, program-based access reviews API (beta). The current API is built on schedule definitions, instances and decision items, described under the building blocks later in this section; new automation should target that one.</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><table><tr><th>Resource type</th><th>Description</th></tr><tr><td>accessReview</td><td>The container that represents an access review. It can be a one-time review, a recurring review series, or an instance of a recurring review.</td></tr><tr><td>businessFlowTemplate</td><td>A business flow template determines the type of resource on which an access review is performed. The caller supplies the identifier of a template, such as the one for reviewing guest members of a group, when creating an access review. Business flow template objects are read-only: they are generated automatically when a global administrator onboards the tenant to the access reviews feature, and no other templates can be created.</td></tr><tr><td>program</td><td>Represents an Azure AD access review program. A program is a container holding program controls; a tenant can have one or more programs. Each control links an access review to a program, which makes related access reviews easier to locate. Every tenant that has onboarded Azure AD access reviews has one program, Default program. A global administrator can create other programs, for example to represent compliance initiatives.</td></tr><tr><td>programControl</td><td>Represents a control, which links an access review to a particular program.</td></tr><tr><td>programControlType</td><td>Used when associating a control with a program, to indicate the type of access review the control is for. Program control type objects are read-only: they are generated automatically when a global administrator onboards the tenant to the access reviews feature, and no other program control types can be created.</td></tr></table><p>Register an Azure AD application to call the Microsoft Graph API</p><p>1. Navigate to the Azure AD extension and select App registrations in the Manage section to open the app registration page.</p><p>2. Select New application registration at the top of the page.</p><p>3. Provide a name for the application that differs from every other application in your tenant's directory (for example, graphsample).</p><p>4. Change the Application type to Native and enter the following Redirect URI: urn:ietf:wg:oauth:2.0:oob</p><p>5. Select Create.</p><p>6. When the application is registered, copy the Application ID value and save it for later.</p><p>7. Select Settings, then Required permissions.</p><p>8. Select Add. Choose Select an API, select Microsoft Graph, and then choose Select.</p><p>9. Put a check in the box by the two permissions listed below, and choose Select.</p><p>10. Select Done.</p><p>These steps reflect the older App registrations experience; in the current portal the equivalent native client is registered as a Mobile and desktop platform under Authentication, and permissions are granted under API permissions.</p><p>Azure AD access reviews uses the following delegated permissions:</p><p>Read all access reviews that user can access</p><p>Manage all access reviews that user can access</p><p>Read all programs that user can access</p><p>Manage all programs that user can access</p><p>This example application requires only the two read permissions: Read all access reviews that user can access and Read all programs that user can access. Grant the Manage permissions only to a client that has to create or change reviews; a reporting client should never hold them.</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Building blocks of the access reviews API</p><p>The access reviews API is structured logically and is composed of the following building blocks.</p><p>Access review schedule definition</p><p>This is the logical blueprint that holds the settings of an access review and its instances. These settings include:</p><p>· The resources being accessed.</p><p>· The principals that access the resource.</p><p>· The reviewers who attest to the need for the principals to keep access to the resources.</p><p>· The frequency of the access review.</p><p>· The stages of the access review (for a multi-stage access review).</p><p>Access review instance</p><p>Represents a single review activity, or occurrence, on which reviewers make decisions. A definition may have multiple instances, as in a recurring review; a one-off review has exactly one instance. For a multi-stage access review, each instance contains up to three stages.</p><p>Decision item recorded for a review</p><p>Represents a decision that a reviewer made on an instance, including the time stamp and justification for the decision. Each review instance has as many decisions as there are principals under review. If no decisions have been taken, that is, reviewers have not responded to the review, there are no decision objects for the instance.</p><p>Automate access review management tasks</p><p>Take recommendations</p><p>Recommendations suggest access changes based on user behavior. For example, if a user has been inactive for 30 days, the recommendation is to remove that user.</p><p>Review guest user access</p><p>Review and clean up collaboration partners' access.</p><p>You can have access removal automated by setting the Auto apply results to resource option to Enable. Once the review has completed and ended, users who were not approved by the reviewer are removed from the resource automatically, and approved users keep their access. Removal can mean removing a group membership, removing an application assignment, or revoking the right to elevate to a privileged role.</p><p>© Copyright Microsoft Corporation. 
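All rights reserved.</p><p>The three building blocks (definition, instance, decision item) and the Take recommendations behaviour above can be exercised from one script. The following is an added example, not code from the deck or from Microsoft: it walks the API top-down, reports every decision that is still NotReviewed together with the system recommendation, and, only when run with -ApplyRecommendations, records the recommendation as the decision, which is the programmatic counterpart of a reviewer pressing Accept recommendations. The cmdlet names follow the Microsoft Graph PowerShell SDK 2.x naming and are assumptions to check with Get-Command; Graph only accepts the decision update from an account that is itself a reviewer on that instance.</p>
```powershell
# Added example (not from the deck): definition -> instance -> decision walk with optional
# recommendation apply. Assumptions: Microsoft Graph PowerShell SDK 2.x cmdlet names (v1.0 endpoint);
# the signed-in account is a reviewer on the instances it updates.
param(
    [string]$DefinitionNameFilter = "*",   # wildcard match on the definition's displayName
    [switch]$ApplyRecommendations         # record the recommendation for items still NotReviewed
)

$scopes = if ($ApplyRecommendations) { "AccessReview.ReadWrite.All" } else { "AccessReview.Read.All" }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Building block 1: the schedule definition (scope, reviewers, recurrence, stages, settings)
$definitions = Get-MgIdentityGovernanceAccessReviewDefinition -All |
    Where-Object DisplayName -like $DefinitionNameFilter

$report = foreach ($def in $definitions) {
    # Building block 2: instances, one per occurrence; only open ones still accept decisions
    $instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
        -AccessReviewScheduleDefinitionId $def.Id -All |
        Where-Object Status -eq 'InProgress'

    foreach ($inst in $instances) {
        # Building block 3: decision items, one per principal under review in this instance
        $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
            -AccessReviewScheduleDefinitionId $def.Id -AccessReviewInstanceId $inst.Id -All

        foreach ($d in $decisions) {
            [pscustomobject]@{
                Review         = $def.DisplayName
                InstanceEnds   = $inst.EndDateTime
                Principal      = $d.Principal.DisplayName
                Decision       = $d.Decision         # Approve | Deny | NotReviewed | DontKnow
                Recommendation = $d.Recommendation   # Approve | Deny | NotAvailable (from sign-in activity)
                ReviewedBy     = $d.ReviewedBy.DisplayName
                DefinitionId   = $def.Id
                InstanceId     = $inst.Id
                DecisionId     = $d.Id
            }
        }
    }
}

$pending = @($report | Where-Object Decision -eq 'NotReviewed')
$report | Sort-Object Review, Principal |
    Format-Table Review, Principal, Decision, Recommendation, ReviewedBy, InstanceEnds -AutoSize
Write-Host ("{0} decision(s) still pending across {1} in-progress instance(s) with decision items" -f `
    $pending.Count, @($report | Select-Object -ExpandProperty InstanceId -Unique).Count)

# Optional: write the recommendation back as the decision. Items with recommendation
# NotAvailable are left alone; there is nothing defensible to record for them.
if ($ApplyRecommendations) {
    foreach ($p in $pending | Where-Object { $_.Recommendation -in @('Approve', 'Deny') }) {
        Update-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
            -AccessReviewScheduleDefinitionId $p.DefinitionId `
            -AccessReviewInstanceId $p.InstanceId `
            -AccessReviewInstanceDecisionItemId $p.DecisionId `
            -Decision $p.Recommendation `
            -Justification "Applied system recommendation based on sign-in activity"
        Write-Host ("{0}: recorded {1} for {2}" -f $p.Review, $p.Recommendation, $p.Principal)
    }
}
```
<p>Running it without the switch gives the pending-decisions report that the portal does not offer across all reviews at once; the justification written on apply is what an auditor later sees on the decision item, so make it say why, not just that a script did it.</p><p>© Copyright Microsoft Corporation. 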
All rights reserved.</p><p>Take recommendations</p><p>Recommendations are shown to reviewers as part of the review experience and indicate a person's last sign-in to the tenant or last access to an application, which helps reviewers make the right decision. Selecting Take recommendations applies them. If the review's default decision for unanswered items is set to follow the recommendation, the system applies it automatically at the end of the review for users whose reviewers did not respond.</p><p>Recommendations are based on the criteria in the access review. For example, if you configure the review to remove access after 30 days without an interactive sign-in, it recommends that every user who meets that criterion be removed. Microsoft is continually enhancing recommendations.</p><p>Review guest user access</p><p>Use access reviews to review and clean up the identities of collaboration partners from external organizations. Configuring a per-partner review may satisfy compliance requirements.</p><p>External identities can be granted access to company resources through one of the following actions:</p><p>· Added to a group.</p><p>· Invited to Teams.</p><p>· Assigned to an enterprise application or access package.</p><p>· Assigned a privileged role in Azure AD or in an Azure subscription.</p><p>A sample script referenced by the deck (not reproduced here) shows where external identities invited into the tenant are used: their group memberships, role assignments, and application assignments in Azure AD. Such a script cannot show assignments made outside Azure AD, for example rights granted directly on SharePoint resources without a group.</p><p>When creating an access review for groups or applications, you can let the reviewer focus on Everyone with access or on Guest users only. With Guest users only, reviewers get a focused list of the Azure AD B2B external identities that have access to the resource.</p><p>This does NOT include external users whose userType is member. Nor does it include users invited outside Azure AD B2B collaboration, for example those who have access to shared content directly through SharePoint.</p><p>Configure recurring access reviews</p><p>Access reviews can be set to occur on a recurring basis.</p><p>Name your access review, select a start date, frequency, duration, and end date, and you're ready to go. Reviewers are notified at the start of each review.</p><p>Reviewers can approve or deny access through a simple interface, helped by the recommendations.</p><p>Why recurring access reviews?</p><p>An access review done once and never again has little lasting value, because access drifts again as soon as the review closes. Set reviews up to occur on a regular schedule.</p><p>© Copyright Microsoft Corporation. 
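All rights reserved.</p><p>The recurrence, the Guest users only scope and the auto-apply behaviour described in this section and in the automation slide above map onto a single accessReviewScheduleDefinition. The following is an added example, not code from the deck or from Microsoft: it creates a quarterly, owner-reviewed review of the guest members of one group, with recommendations enabled, auto-apply on, and Deny as the default for reviewers who do not respond. $GroupId is a placeholder you replace with a real group object ID; the cmdlet name, the scope and reviewer query strings and the settings names follow the Microsoft Graph v1.0 documentation and are assumptions to verify against your module version.</p>
```powershell
# Added example (not from the deck): create a recurring, self-enforcing guest access review.
# Assumptions: Microsoft Graph PowerShell SDK 2.x (v1.0 endpoint); $GroupId is a placeholder;
# the group has at least one owner, otherwise the reviewer query resolves to nobody.
param(
    [Parameter(Mandatory)] [string]$GroupId,
    [string]$DisplayName = "Quarterly guest access review",
    [string]$StartDate   = (Get-Date -Format 'yyyy-MM-dd')
)

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

# Guard: an owner-reviewed review with no owners never gets a decision; with defaultDecision Deny
# and auto-apply that would remove every guest at the end of the first instance.
$group  = Get-MgGroup -GroupId $GroupId -Property id,displayName
$owners = @(Get-MgGroupOwner -GroupId $GroupId -All)
if ($owners.Count -eq 0) {
    throw "Group '$($group.DisplayName)' has no owners; assign one before creating an owner-reviewed review."
}

$definition = @{
    displayName             = $DisplayName
    descriptionForAdmins    = "Recurring review of B2B guests in $($group.DisplayName); unreviewed guests are removed."
    descriptionForReviewers = "Confirm each guest still needs membership. Unreviewed guests lose access when the review closes."
    # Scope: only principals with userType Guest, the portal's "Guest users only" option.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query     = "/groups/$GroupId/transitiveMembers/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType = "MicrosoftGraph"
    }
    # Reviewers: the group's owners, resolved fresh at the start of each instance.
    reviewers = @(
        @{ query = "/groups/$GroupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # surface last-sign-in based Approve/Deny hints
        instanceDurationInDays          = 14
        # Lifecycle enforcement: silence is not consent.
        autoApplyDecisionsEnabled       = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # Approve | Deny | Recommendation
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 0 }   # every quarter
            range   = @{ type = "noEnd"; startDate = $StartDate }                    # runs until deleted
        }
    }
}

$created = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created review '{0}' ({1}), status {2}" -f $created.DisplayName, $created.Id, $created.Status
```
<p>For the pilot described earlier, start with autoApplyDecisionsEnabled set to $false and defaultDecisionEnabled set to $false, confirm that owners receive and complete the first instance, and only then switch both on; once they are on, a non-responding owner means removed guests, which is the intended incentive but has to be communicated first.</p><p>© Copyright Microsoft Corporation. 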
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Why do we do recurring? Because of lifecycle management. Everything that starts need to have an end date and in between we need to ensure permissions are what we need them to be. Not too much, not too little. And we regularly ask an owner if everything is still what they want it to be. With recurrence we make sure this checking will be done regularly.</p><p>In the field is works quite well to auto apply results, e.g. remove permissions when the reviewer does not respond. Next time a reviewer will have an incentive to do the review (and we ensure they get control back of a responsibility that is theirs anyway).</p><p>© Microsoft Corporation</p><p>57</p><p>Summary</p><p>In this section you learned how to:</p><p>Plan for access reviews</p><p>Create access reviews for groups and apps</p><p>Monitor access review findings</p><p>Manage licenses for access reviews</p><p>Automate access review management tasks</p><p>Configure recurring access reviews</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation. 
All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p><p>58</p><p>Plan and implement privileged access</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Objectives</p><p>Define a privileged access strategy for administrative users (resources, roles, approvals, thresholds)</p><p>Configure Privileged Identity Management for Azure Roles</p><p>Configure Privileged Identity Management for Azure resources</p><p>Assign roles</p><p>Manage PIM requests</p><p>Analyze PIM audit history and reports</p><p>Create and manage break-glass accounts</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.</p><p>3/28/2023 9:45 AM</p><p>60</p><p>Define a privileged access strategy for administrative</p><p>users</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>What is Privileged identity management?</p><p>PIM is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. Such resources include those in Azure AD, Azure, and other Microsoft Online Services, such as Microsoft 365 or Microsoft Intune</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation</p><p>62</p><p>What does PIM do?</p><p>PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. 
Key features of PIM include:</p><p>Provide just-in-time privileged access to Azure AD and Azure resources</p><p>Assign time-bound access to resources using start and end dates</p><p>Require approval to activate privileged roles</p><p>Enforce multifactor authentication to activate any role</p><p>Use justification to understand why users activate</p><p>Get notifications when privileged roles are activated</p><p>Conduct access reviews to ensure users still need roles</p><p>Download audit history for internal or external audit</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>© Microsoft Corporation</p><p>63</p><p>Define a privileged access strategy for administrative users</p><p>Identify stakeholders</p><p>Start using PIM</p><p>Enforce principle of least privilege</p><p>Decide which roles to protect with PIM</p><p>Decide whether to use a group to assign roles</p><p>Decide which should be permanent or eligible</p><p>Draft your PIM settings</p><p>© Copyright Microsoft Corporation. 
All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>Identify stakeholders</p><p>It is important to identify all the stakeholders who are involved in the project and need to sign off, review, or stay informed.</p><p>Start using PIM</p><p>As part of the planning process, prepare PIM by following our "Start using Privileged Identity Management" article. PIM gives you access to some features that are designed to help with your deployment.</p><p>Only owners of subscriptions and management groups can bring these resources under management by PIM.</p><p>After it is under management, the PIM functionality is available for owners at all levels, including management group, subscription, resource group, and resource.</p><p>Enforce principle of least privilege</p><p>Plan least privilege delegation</p><p>For Azure AD roles, it is common for organizations to assign the Global Administrator role to a number of administrators when most administrators only need one or two specific and less-powerful administrator roles. With a large number of Global Administrators or other high-privilege roles, it's hard to track your privileged role assignments closely enough.</p><p>Plan Azure resource role delegation</p><p>For Azure subscriptions and resources, you can set up a similar Access review process to review the roles in each subscription or resource. The goal of this process is to minimize Owner and User Access Administrator assignments attached to each subscription or resource and to remove unnecessary assignments. 
However, organizations often delegate such tasks to the owner of each subscription or resource because they have a better understanding of the specific roles (especially custom roles).</p><p>Decide which roles to protect with PIM</p><p>After cleaning up privileged role assignments in your organization, you'll need to decide which roles to protect with PIM.</p><p>If a role is protected by PIM, eligible users assigned to it must elevate to use the privileges granted by the role. The elevation process might also include obtaining approval, using multifactor authentication, and providing the reason they're activating. PIM can also track elevations through notifications and the PIM and Azure AD audit event logs.</p><p>Azure AD roles</p><p>It's important to prioritize protecting Azure AD roles that have the most permissions.</p><p>Azure roles</p><p>When deciding which role assignments should be managed using PIM for Azure resources , you must first identify the subscriptions/resources that are most vital for your organization.  Right?</p><p>Decide whether to use a group to assign roles</p><p>Whether to assign a role to a group instead of to individual users is a strategic decision. 
When planning, consider assigning a role to a group to manage role assignments when:</p><p>Many users are assigned to a role.</p><p>You want to delegate assigning the role.</p><p>Decide which should be permanent or eligible</p><p>Once you have decided the list of roles to be managed by PIM, you must decide which users should get the eligible role versus the permanently active role.</p><p>Permanently active roles are the normal roles assigned through Azure AD and Azure resources, while eligible roles can only be assigned in PIM.</p><p>Draft your PIM settings</p><p>Before you implement your PIM solution, it is good practice to draft your PIM settings for every privileged role your organization uses.</p><p>Privileged Identity Management settings for Azure AD roles</p><p>Privileged Identity Management settings for Azure roles</p><p>© Microsoft Corporation</p><p>64</p><p>Principle of least privilege</p><p>The principle of least privilege states that every process, user, or program should only be able to access the information and resources necessary for its legitimate purpose</p><p>Developer</p><p>Financial analyst</p><p>Just enough access – Just in time</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120 B212</p><p>Hex #0078D4</p><p>Dark Gray</p><p>R80 G80 B80</p><p>Hex #505050</p><p>Light Gray</p><p>R235 G235 B235</p><p>Hex #EBEBEB</p><p>For example, a software developer needs to have the ability to access and change code but does not need to view the company’s financial information. 
On the other hand, a financial analyst has no use for the permissions to change code but needs to see financial information to do their job.</p><p>This of this in terms of Just Enough Access (to do the job) and Just In Time. If you have an admin that needs to manually do a data validation exercise once a week on Friday, and they only work from 8am-noon; why do you need to give them 24-hour access, 7-days a week. Since your data is so critical, why not give them access when they need it Friday from 8am-noon? Why leave the account able to access the data when has no need to. Treat these accounts / roles as toxic; and only access when you have a specific need, then do the job you need to do, then get out and stop access to role.</p><p>© Microsoft Corporation</p><p>65</p><p>Plan and configure Privileged Access Groups</p><p>© Copyright Microsoft Corporation. All rights reserved.</p><p>Closed captioning</p><p>space demarcation</p><p>Blue-Gray</p><p>R36 G58 B94</p><p>Hex #243A5E</p><p>Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>White</p><p>R255 G255 B255</p><p>Hex #FFFFFF</p><p>Extra Dark Gray</p><p>R47 G47 B47</p><p>Hex #2f2f2f</p><p>Rich Black</p><p>R0 G0 B0</p><p>Hex #000000</p><p>Blue</p><p>R0 G120</p>
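<p>The access review rules described above (the "Guest users only" scope that matches on userType, recommendations derived from the last interactive sign-in, and auto-applying the recommendation when a reviewer never responds) can be modelled in a few lines. The following is an added example written for this page; it is not the sample script referenced on the slide and not Microsoft code. All users, sign-in dates, the 30-day threshold and the reviewer's answers are constructed, and nothing in it calls Azure AD or Microsoft Graph.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Constructed "review end" instant for the example (not a real review run).
NOW = datetime(2023, 3, 28, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Principal:
    """One identity with access to the reviewed resource (constructed model)."""
    upn: str
    user_type: str                     # Azure AD userType: "Member" or "Guest"
    external: bool                     # identity belongs to another organization
    last_sign_in: Optional[datetime]   # last interactive sign-in; None = never


@dataclass(frozen=True)
class ReviewSettings:
    scope: str = "Guest users only"    # or "Everyone with access"
    inactive_days: int = 30            # no sign-in for this long -> recommend removal
    apply_recommendation_if_no_response: bool = True


def in_scope(p: Principal, scope: str) -> bool:
    """"Guest users only" matches on userType, so an external identity whose
    userType is Member is not listed, exactly the caveat the slide gives."""
    if scope == "Everyone with access":
        return True
    if scope == "Guest users only":
        return p.user_type == "Guest"
    raise ValueError(f"unknown review scope: {scope}")


def recommendation(p: Principal, settings: ReviewSettings, now: datetime = NOW) -> str:
    """Recommend Deny when there is no interactive sign-in inside the window."""
    if p.last_sign_in is None or now - p.last_sign_in > timedelta(days=settings.inactive_days):
        return "Deny"
    return "Approve"


def decide(members: Iterable[Principal], reviewer_decisions: Dict[str, str],
           settings: ReviewSettings, now: datetime = NOW) -> Dict[str, Tuple[str, str]]:
    """Final outcome per in-scope principal as (decision, source).

    A reviewer's explicit answer wins. Where the reviewer never responded, the
    recommendation is applied automatically if the review is configured to do
    so; otherwise access is left unchanged."""
    outcome: Dict[str, Tuple[str, str]] = {}
    for p in members:
        if not in_scope(p, settings.scope):
            continue
        if p.upn in reviewer_decisions:
            outcome[p.upn] = (reviewer_decisions[p.upn], "reviewer")
        elif settings.apply_recommendation_if_no_response:
            outcome[p.upn] = (recommendation(p, settings, now), "recommendation")
        else:
            outcome[p.upn] = ("No change", "no response")
    return outcome


# Constructed group membership: one internal member, three B2B guests and one
# external identity whose userType was set to Member.
MEMBERS = [
    Principal("alice@contoso.example", "Member", False, NOW - timedelta(days=2)),
    Principal("bob_fabrikam.example#EXT#@contoso.example", "Guest", True, NOW - timedelta(days=3)),
    Principal("carol_fabrikam.example#EXT#@contoso.example", "Guest", True, NOW - timedelta(days=45)),
    Principal("dave_fabrikam.example#EXT#@contoso.example", "Guest", True, None),
    Principal("erin_partner.example#EXT#@contoso.example", "Member", True, NOW - timedelta(days=90)),
]

# The reviewer answered for Carol only, overriding the Deny recommendation.
REVIEWER_DECISIONS = {"carol_fabrikam.example#EXT#@contoso.example": "Approve"}


def run_sample(scope: str = "Guest users only") -> Dict[str, Tuple[str, str]]:
    """Run the constructed review under the given scope."""
    return decide(MEMBERS, REVIEWER_DECISIONS, ReviewSettings(scope=scope))


if __name__ == "__main__":
    for upn, (decision, source) in run_sample().items():
        print(f"{decision:<8} ({source}) {upn}")
```

<p>Under the default "Guest users only" scope, Alice (internal) and Erin (external, but userType Member) never appear in the reviewer's list at all; Erin's stale access would only be caught with "Everyone with access" or by a separate inventory of external identities. Bob is approved by recommendation, Dave is removed by recommendation, and Carol keeps access because the reviewer said so.</p>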
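<p>The PIM controls listed under "What does PIM do?" and the eligible-versus-permanent distinction from the strategy steps can be expressed as a policy evaluated against an activation request. This is an added example for this page, not the PIM service and not the Microsoft Graph PIM API: the role settings (maximum activation duration, MFA, justification, approval), the assignments and the requests are constructed values, and the evaluate function is a hypothetical policy check that mirrors the slide's list of controls.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed clock for the example.
NOW = datetime(2023, 3, 28, 9, 45, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RoleSettings:
    """Draft PIM settings for one role (constructed, not real tenant values)."""
    role: str
    max_activation_hours: int = 8
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    kind: str                  # "eligible" (must activate) or "permanent" (always active)
    ends: Optional[datetime]   # time-bound assignment end date; None = no end date


@dataclass(frozen=True)
class ActivationRequest:
    principal: str
    role: str
    hours: int
    mfa_satisfied: bool
    justification: str
    approved_by: Optional[str]


@dataclass
class Decision:
    allowed: bool
    expires_at: Optional[datetime]
    reasons: List[str] = field(default_factory=list)


def evaluate(req: ActivationRequest, assignments: List[Assignment],
             settings: Dict[str, RoleSettings], now: datetime = NOW) -> Decision:
    """Hypothetical policy check applying the PIM controls from the slides."""
    role_settings = settings.get(req.role)
    if role_settings is None:
        return Decision(False, None, ["role is not managed by PIM"])
    matches = [a for a in assignments if a.principal == req.principal and a.role == req.role]
    if not matches:
        return Decision(False, None, ["no assignment for this role"])
    assignment = matches[0]
    if assignment.ends is not None and now >= assignment.ends:
        return Decision(False, None, ["assignment has expired"])
    if assignment.kind == "permanent":
        # Permanently active: nothing to activate, and none of the JIT controls apply.
        return Decision(True, None, ["permanently active assignment; no activation needed"])
    reasons: List[str] = []
    if role_settings.require_mfa and not req.mfa_satisfied:
        reasons.append("multifactor authentication required")
    if role_settings.require_justification and not req.justification.strip():
        reasons.append("justification required")
    if role_settings.require_approval and req.approved_by is None:
        reasons.append("approval required")
    if req.hours > role_settings.max_activation_hours:
        reasons.append(f"requested {req.hours}h exceeds maximum of {role_settings.max_activation_hours}h")
    if reasons:
        return Decision(False, None, reasons)
    return Decision(True, now + timedelta(hours=req.hours), ["activated"])


# Constructed draft settings: the most powerful role gets the shortest window and approval.
SETTINGS = {
    "Global Administrator": RoleSettings("Global Administrator", max_activation_hours=4, require_approval=True),
    "User Administrator": RoleSettings("User Administrator"),
}
ASSIGNMENTS = [
    Assignment("alex.admin@contoso.example", "Global Administrator", "eligible", datetime(2023, 12, 31, tzinfo=timezone.utc)),
    Assignment("alex.admin@contoso.example", "User Administrator", "eligible", None),
    Assignment("legacy.admin@contoso.example", "User Administrator", "permanent", None),
]


def run_sample() -> Dict[str, Decision]:
    """Evaluate a few constructed activation requests against the draft settings."""
    base = dict(principal="alex.admin@contoso.example", role="Global Administrator", hours=2,
                mfa_satisfied=True, justification="Change CHG-0001: tenant setting", approved_by=None)
    ua = "User Administrator"
    return {
        "ga_without_approval": evaluate(ActivationRequest(**base), ASSIGNMENTS, SETTINGS),
        "ga_with_approval": evaluate(ActivationRequest(**{**base, "approved_by": "approver@contoso.example"}), ASSIGNMENTS, SETTINGS),
        "ua_too_long": evaluate(ActivationRequest("alex.admin@contoso.example", ua, 12, True, "bulk onboarding", None), ASSIGNMENTS, SETTINGS),
        "ua_no_mfa_no_reason": evaluate(ActivationRequest("alex.admin@contoso.example", ua, 1, False, " ", None), ASSIGNMENTS, SETTINGS),
        "legacy_permanent": evaluate(ActivationRequest("legacy.admin@contoso.example", ua, 1, False, "", None), ASSIGNMENTS, SETTINGS),
        "not_assigned": evaluate(ActivationRequest("intern@contoso.example", ua, 1, True, "test", None), ASSIGNMENTS, SETTINGS),
    }


if __name__ == "__main__":
    for name, d in run_sample().items():
        print(f"{name:<22} allowed={d.allowed} until={d.expires_at} {d.reasons}")
```

<p>The "legacy_permanent" case is the point of the "permanent or eligible" decision: a permanently active assignment passes with no MFA, no justification and no expiry, because none of the activation controls ever run for it. Converting such assignments to eligible is what makes the rest of the policy meaningful.</p>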
