Credential Management
Credentials confirm a user’s identity during the sign-in process. Besides a password, AAD supports other types of authentication challenges, such as MFA with certificates, security keys, and one-time passcodes. AAD already includes a password policy that can be adjusted to fit a company’s requirements. Using Azure AD Connect to configure hybrid identity, administrators can also synchronize password requirements from an on-premises AD. An organization may also be interested in Self-Service Password Reset (SSPR) for its end users.
From a zero-trust perspective, you want to ensure that credentials are being used appropriately: they shouldn’t be stored in plain-text files or embedded in application code.
Password Policy
A password policy can define a password’s minimum length, whether and when the password expires, and the required password strength. The password expiration policy, located in the Microsoft 365 admin center under Settings | Org settings | Security & privacy, as shown in Figure 7.9, determines the number of days before passwords expire and the number of days before a user is notified of the upcoming expiration:

Figure 7.9 – Password expiration policy
The number of days before a password expires can range from 14 to 730, and the number of days before a user is notified can range from 1 to 30.
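The same expiration settings can be audited per domain with the Microsoft Graph PowerShell SDK. The script below is an added example, not from the book; it assumes the Microsoft.Graph module is installed, that the signed-in account is granted the Domain.Read.All scope, and that the value 2147483647 is the sentinel Microsoft Graph uses for "passwords never expire" (an assumption based on Microsoft's documentation, not stated in this chapter).

```powershell
# Added example: report each tenant domain's password expiration policy and
# flag values outside the admin-center range quoted in the text (14-730 days
# to expire, 1-30 days of notice) or set to "never expire".
Connect-MgGraph -Scopes "Domain.Read.All"

$minExpiry = 14; $maxExpiry = 730
$minNotify = 1;  $maxNotify = 30
$neverExpires = 2147483647   # assumption: Graph sentinel for "never expires"

$report = foreach ($d in Get-MgDomain -All) {
    $validity = $d.PasswordValidityPeriodInDays
    $notify   = $d.PasswordNotificationWindowInDays
    # Graph leaves these unset on domains still using the defaults (90 / 14 days)
    if ($null -eq $validity) { $validity = 90 }
    if ($null -eq $notify)   { $notify = 14 }

    $findings = @()
    if ($validity -eq $neverExpires) {
        $findings += "passwords never expire"
    } elseif ($validity -lt $minExpiry -or $validity -gt $maxExpiry) {
        $findings += "expiry $validity days is outside $minExpiry-$maxExpiry"
    }
    if ($notify -lt $minNotify -or $notify -gt $maxNotify) {
        $findings += "notice $notify days is outside $minNotify-$maxNotify"
    }

    [pscustomobject]@{
        Domain           = $d.Id
        IsVerified       = $d.IsVerified
        ValidityDays     = $validity
        NotificationDays = $notify
        Findings         = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$report | Format-Table -AutoSize

# Changing a domain's policy needs Domain.ReadWrite.All; for example, a 90-day
# expiry with 14 days of notice (contoso.com is a placeholder domain):
# Update-MgDomain -DomainId "contoso.com" -PasswordValidityPeriodInDays 90 -PasswordNotificationWindowInDays 14
```

Run the audit after any AAD Connect password-policy change so that the cloud-side settings are confirmed to match what the on-premises policy is expected to enforce.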
When an organization decides to sync user passwords from an on-premises AD to AAD using AAD Connect, the following existing on-premises password policies will govern the cloud requirements:
- Length
- History
- Expiration time
- Complexity
Setting a simple password policy can help reduce user confusion and helpdesk support tickets within an organization.
Self-Service Password Reset
Another common request from organizations regarding credential management is to allow users to reset their passwords without needing to open a support ticket. AAD provides a feature called SSPR that allows users to confirm their identities and reset their passwords.
AAD SSPR confirms a user’s identity using a combination of the following methods:
- Mobile phone
- Office phone
- Security questions
In addition, if configured, passwords that have been reset in AAD can be written back to an on-premises AD using AAD Connect. You can check the status of SSPR in the Azure portal by performing the following steps:
- Open https://portal.azure.com.
- Click on Azure Active Directory.
- Choose Password reset. The Password reset page is displayed, as shown in Figure 7.10:

Figure 7.10 – Azure SSPR
Note
You can read more on Azure password management and policies at https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations.
Password writeback, configured through AAD Connect, is recommended so that users keep the same password on-premises as they have in AAD.
Next, you will explore zero-trust security and compliance concepts for endpoints within an organization.