Multifactor Authentication – Gaining the Azure Data Engineer Associate Certification
Using only user IDs and passwords to protect a resource is no longer considered secure. People have a habit of reusing the same set of credentials across numerous locations, so if one location is compromised, then all of them are. This is where multifactor authentication (MFA) can help. User IDs and passwords are something a person knows; when you implement MFA, a second factor is also required: something a person has (typically a mobile device, but it can also be a thumb drive or RFID card) or something a person is (a fingerprint or retina scan). When configuring your Azure Active Directory security policies, you enable this by simply selecting a check box; the platform does the rest for you.
Conditional Access
In addition to restricting access to your resources based on an authenticated identity or group affiliation, you can control access on the following common signals:
- IP location
- Device
In most corporate scenarios, you know where your employees will be connecting to your network from. Keep in mind that the context here is not a scenario where you have a website on the Internet being accessed from all over the world; rather, the context is an intranet or internal/private network. In this case you know all your users, because each of them has an account in Azure AD. Every device connected to a network has an IP address, and IP address ranges can be mapped to a country or region. Therefore, you can readily identify the range of IP addresses that should be requesting access to your resources, monitor requests against it, and trigger an alert or action when a request falls outside that range. Many organizations also enforce which devices can connect to their networks. If the device is not recognized, again, an alert can be sent and an action taken.
If access is attempted and fails one or more of the conditions, you can configure Azure AD to deny access by default. That is a bit restrictive, however, so you can instead apply an additional authentication step, such as MFA. If a user tries to authenticate from an unknown location or an unknown device, it makes sense not to deny their access by default. Instead, have Azure AD act on that information and ask for something additional, like a code sent to a mobile device or email account. Once that information is successfully entered, the user is granted access as expected.
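To make the decision logic above concrete, here is an added example (not code from the book or from Azure AD) that evaluates a sign-in against the two signals just discussed, IP location and device, and steps up to MFA instead of denying by default when a signal is unknown. The trusted CIDR ranges, registered device IDs and user names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy data (assumptions for this example, not a real tenant)
TRUSTED_LOCATIONS = {"hq": ["203.0.113.0/24"], "branch": ["198.51.100.0/25"]}
REGISTERED_DEVICES = {"dev-0001", "dev-0002"}
KNOWN_USERS = {"alice", "bob"}


@dataclass
class SignIn:
    """The signals a conditional access evaluation sees for one attempt."""
    user: str
    ip: str
    device_id: str
    mfa_passed: bool  # True once the user has completed the second factor


def in_trusted_location(ip: str) -> bool:
    """True if the source IP falls inside any named trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for ranges in TRUSTED_LOCATIONS.values() for cidr in ranges)


def evaluate(attempt: SignIn) -> tuple[str, list[str]]:
    """Return (decision, alerts): decision is 'grant', 'require_mfa' or 'block'."""
    alerts: list[str] = []
    # In an intranet scenario every legitimate user has an account; anyone else is blocked.
    if attempt.user not in KNOWN_USERS:
        return "block", [f"unknown user: {attempt.user}"]

    unknown_location = not in_trusted_location(attempt.ip)
    unknown_device = attempt.device_id not in REGISTERED_DEVICES
    if unknown_location:
        alerts.append(f"sign-in from outside trusted ranges: {attempt.ip}")
    if unknown_device:
        alerts.append(f"unrecognized device: {attempt.device_id}")

    # Both signals as expected: grant on the first factor alone.
    if not (unknown_location or unknown_device):
        return "grant", alerts
    # A failed signal raises an alert and demands the second factor rather than a hard deny.
    if attempt.mfa_passed:
        return "grant", alerts
    return "require_mfa", alerts
```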
Azure Managed Identity
An Azure Managed Identity (MI) is the Azure AD implementation of a service principal. An MI is an identity that can be granted access to your Azure resources or to any application that supports Azure AD authentication. It is like a service principal, but instead of using an account linked to a human, the account is linked to a resource.