John Craddock Identity and Access Training
United Kingdom
Joined 23 Jun 2009
Hello, I am John Craddock, an Identity and Security Architect and also a Microsoft MVP
Find out about the channel and my background:
ua-cam.com/video/xMJfHz-iR7s/v-deo.html
I’ve worked with both on-premises Active Directory and Azure AD since they were first released. I work extensively with Microsoft Product Development teams and have deep insights into the products.
My desire is to build a community of Identity Geeks.
I promise you great technical content explained in awesomely simple ways.
SUBSCRIBE and KEEP LEARNING
Join me for an intense 5-day masterclass on Azure AD Identity
learn.xtseminars.co.uk
Every effort has been made to make these videos as complete and accurate as possible, but no warranty or fitness is implied. The presenter, authors, publisher and distributor will not be liable for errors or omissions or for damages resulting from the use of the information presented and contained herein.
Configuring Microsoft Entra Custom authentication extensions
In my first video on Microsoft Entra Custom Authentication Extensions, I showed you how external claims can be added to a Microsoft Entra Identity token.
This video is a deep dive into configuring all the required components.
You learn how to request a token, call out to a workflow before the token is issued, create an API and workflow using Pipedream and add the appropriate claims to the token.
I am showing you a lot of tips and tricks in this video.
You can find the code and other supporting files here:
github.com/xtseminars/CustomAuthenticationExtensions
Security considerations:
learn.microsoft.com/en-gb/entra/identity-platform/jwt-claims-customization#security-considerations
Please support my channel and subscribe.
Add comments, and let's build a community of Identity Geeks together.
Join me for an intense 5-day masterclass on Azure AD Identity
learn.xtseminars.co.uk
Views: 782
Videos
Introducing Microsoft Entra Custom Authentication Extensions
686 views · 7 months ago
Originally in Entra ID or as it was then Azure Active Directory, the information contained in an Identity token was limited. Now you can add custom claims, with the claim values coming from the Entra directory. However, until now there has been no easy way to add claims with values from external sources. In this video I am going to introduce you to Microsoft Entra Custom Authentication Extensio...
Understanding Microsoft Entra Protected Actions
585 views · 7 months ago
Understanding Microsoft Entra Protected Actions. In this video I am going to introduce you to Microsoft Entra Protected Actions and show how they can be used to trigger the evaluation of Conditional Access policies when a particular task is performed within the directory. This allows you to specify additional security measures when an administrator executes a specific task. This video is demo orie...
Microsoft Entra Global Secure Access Q&A with Thomas Detzner August 2023
1.3K views · 11 months ago
Microsoft Entra Global Secure Access Q&A with Thomas Detzner August 2023. This is a recording I made with Thomas Detzner, who is a Principal Product Manager with the Microsoft Identity and Network Access division. Thomas is involved in the development of Microsoft Entra Global Secure Access and has profound technical insights. See the timeline below for the topics we discussed. There are a number of p...
Techie introduction to Microsoft Entra Internet Access & Microsoft Entra Private Access
10K views · 1 year ago
Techie introduction to Microsoft Entra Internet Access & Microsoft Entra Private Access. I have been actively involved in the Microsoft private preview of Microsoft Entra Internet Access and Microsoft Entra Private Access, components of which were released into public preview on the 11th of July. The umbrella name is Global Secure Access, which embodies Zero Trust Network Access to M365 services, ...
Understanding Azure AD Conditional Access Authentication Contexts
2.5K views · 1 year ago
Understanding Azure AD Conditional Access Authentication Contexts. This session is all about Authentication Contexts. An application can use Authentication Contexts to trigger the evaluation of an Azure AD Conditional Access policy. This allows the policy to match the requirements for individual components of an app. For instance, a website could require MFA or Terms of Use to be agreed when a par...
Understanding Azure AD Conditional User and Sign-in Risk
4.3K views · 1 year ago
Understanding Azure AD Conditional User and Sign-in Risk. This session is all about managing user and sign-in risk with Azure AD Conditional Access policies. I explain how user and sign-in risk are evaluated through Identity Protect and the reasons for using conditional access policies to remediate risk rather than using the policies that are part of Identity Protection. In demos you will see ho...
Understanding Azure AD Conditional Access Workload Identities
1.1K views · 1 year ago
Understanding Azure AD Conditional Access Workload Identities. This session is all about Azure AD Conditional Access and Workload identities. I explain exactly what workload identities are and how they can authenticate to Azure AD using a shared secret or signed assertion. We then go on to look at how workloads can be secured through Conditional Access. If you want an introduction to setting up Cond...
Understanding Azure AD Conditional Access configuration
1.6K views · 1 year ago
Understanding Azure AD Conditional Access configuration. In this session I explain how Conditional Access policies are configured. I started putting together this video with a detailed description of all the settings, but it got way too long. To provide the best possible learning experience, this video covers the core configuration of Conditional Access and subsequent videos will go into more detail...
When is Azure AD Conditional Access evaluated? - Deep-dive
1.9K views · 1 year ago
When is Azure AD Conditional Access evaluated? - Deep-dive. Join me for this video and learn about the triggers that cause Azure AD conditional access to be evaluated. The triggers originate when a user signs in, session tokens (cookies) are used to prove authentication to Azure AD, or a refresh token is used to obtain a new access token. Azure AD Continuous Access Evaluation (CAE) further enhan...
Azure AD Custom Security Attributes and Conditional Access
2.3K views · 1 year ago
Azure AD Custom Security Attributes and Conditional Access. You may have seen the mention of Custom Security Attributes in Conditional Access. In this session, you will learn all about these new attributes. You will discover how to create attribute sets, add attributes and assign attribute sets and values to users and service principals. Using the security attributes and associated values, you w...
Azure AD Mastery with AI, Supercharge your Cloud Skills!
402 views · 1 year ago
Azure AD Mastery with AI, Supercharge your Cloud Skills! There is so much hype around AI at the moment that I decided to look at how ChatGPT could help in the administration of Azure AD. I discovered a new AI buddy that could help me learn and resolve problems. It's an ideal buddy situation, providing a sounding board to exchange ideas and mature a solution. Just like a human buddy, sometimes t...
Azure AD Certificate-Based Authentication Deep-Dive
5K views · 1 year ago
Azure AD Certificate-Based Authentication Deep-Dive. This session will teach you how to set up certificate-based authentication in your Azure AD tenant. You will learn the following: 00:37 How CBA works and why it is phishing resistant; 09:15 How to create and store certificates; 24:45 How to enable Azure AD to trust our certificates; 27:40 How to configure the certificate user mapping and authent...
The path towards Zero Trust Network Access with Azure AD / M365
673 views · 1 year ago
The path towards Zero Trust Network Access with Azure AD / M365. Once upon a time, in a land far, far away, we built castles with solid walls and a single entrance to protect our assets. We originally built IT systems like this, and for on-premises Active Directory, we created walls through a combination of our building, network and domain/forest boundaries. As with the castle, once inside the p...
Azure AD, Fido2, Temporary Access Pass and Phishing
1.4K views · 1 year ago
Azure AD, Fido2, Temporary Access Pass and Phishing. In this session, you will learn how FIDO2 keys work. We'll then go on to provision the FIDO2 keys in Azure AD. Strong Authentication is required for a user to register a key. You will see how an administrator can create a Temporary Access Pass (TAP) and how the user uses the TAP to add their keys. You will also discover how FIDO2 keys are phis...
Understanding and using Microsoft Entra Verified ID
1.1K views · 1 year ago
Introducing John Craddock - Deep-dives on Azure AD Identity
1.5K views · 1 year ago
Azure AD Authentication Methods and Policies
7K views · 1 year ago
A comprehensive Introduction to Computer Network Security
426 views · 1 year ago
Nice video, sir.
Excellent!
Hi, can you please explain the workflow for Identity Protection: how detection works, how investigation works, how remediation works and how the policies are framed? What is the use of conditional access policies and device compliance? Please explain in detail.
Hi John, great introduction. One comment to bypassing protected actions - admins could just delete protected Action to circumvent it and nothing prevents it.
Really nice video! Greetings from Brazil!
You ROCK! Your guide is better than the doc. Thanks a lot!
Very well done! I can't wait to up my CA skills with your other videos in the series!
Thank you for this useful video, but when will this feature be released out of preview mode?
I learnt ADFS watching your videos many years ago :) (I can tell by your voice that you were the instructor behind the slides). Thank you very much for another great video.
One of my Favorite channels. Thanks so Much!!
Subscribed! Great stuff, thank you so much for not just reading the settings like some other YouTube trainers but providing context and behind-the-scenes info. Hugely appreciated!
Hi John, Thank you for this crystal clear insight into Authentication methods. My question is this: How to migrate legacy MFA/authentication methods to the new Entra/Azure AD Authentication method policies for multiple tenants at once? Thanks for your insights in advance!
With the SKI the smartcards could be anonymous and even pre-issued; that’s quite neat in addition to the high affinity. Is there a drawback if you don’t have attributes (for this specific Entra ID login case)?
When using the Windows keystore, it should use the cryptong RSA provider, as it uses credential isolation, and potentially even TPM, but I am not sure how to enforce this.
Even better than the last one. Thank you! Curious as to why you opted to use Pipedream instead of an Azure Function, especially since you did not validate the token in Pipedream.
Phenomenal. Thank you very much!
Nice video.
Thanks Reginaldo, it's great to get your feedback
Hi, after 5 months it seems that the UDP and private DNS features for Private Access are still not present. Do you have any idea of when they will be ready?
Hello, they are in private preview at the moment and will be released into public preview in the coming months
Please do this for a .NET Core web API with Entity Framework.
Short of pausing the access client, is there any way to keep traffic from routing through the proxies when the PC is actually on the on-prem network?
I assume you are just referring to Private Access where the resource you want to access is on the on-prem network. All I can say is keep your eyes open and you will see something rather smart in the future.
I love the way you explained this in a way that is easily understandable. Subscribed.
Thanks for the feedback!
These videos are great! Very clear, concise explanations. I am learning a lot from your vids. Thanks so much!
That's great to hear! Thanks for the feedback
Great content again, John! Thanks.
Hi Eric, Thanks for the feedback. Always appreciated
Thanks John. It's a shame the protected actions list is a little small right now, but it's a good start. I would love to see adding a federated domain included as a protected action.
Joshua, thanks for leaving the comment. I am hoping more permissions will come into scope.
Happy Christmas 🎄 and Happy December to you and your family Sir , Best wishes for everyone from Kolkata, West Bengal, India 🇮🇳
Happy holidays!
Awesome video - Thank you very much for sharing and explaining!
You're welcome Robert, thanks for taking the time to comment.
Great video John 👌
Thanks Andy!
Thanks John. As per your commitment in one of the videos to make one video per week, I haven't seen many uploaded recently. Can you please clarify when you are going to upload videos on other Authentication and Authorization methods? Thank you 😊
Hi Abdul, that was an ambitious commitment and now I'm embarrassed! Unfortunately I got completely committed to a customer project. However, I am now trying to get back on track with the videos. I already have a video on authentication methods: ua-cam.com/video/lajeFoCr2KM/v-deo.html. What content are you looking for?
Thanks John for replying on my message. I want to have some series on Application Registration and Enterprise Application.
@@abdulmananclasses.7793 It's on my list, hopefully in the next couple of months!
Your videos are amazing because you explain what you are doing.
Glad you like them! Thanks for leaving a comment.
Thank you for the video!
Glad it was helpful! Thanks for taking the time to leave a comment.
So informative. Thank you.
I'm glad it was helpful! Thanks for leaving a comment.
What a great video! I struggled with my understanding of modern authentication on some points. This helped me a lot.
Hi, thanks for the feedback - it is great to hear that it helped.
Wow, thanks for making it.
Hi, thanks for leaving a comment. I am pleased you found it useful
This was just ... well ... fantastic! Thanks a lot, I learnt a lot from this.
Thanks for letting me know - I am glad you found it useful.
This content was so very helpful, your lab setup to see and test the token information is phenomenal. I wish I could duplicate this, to get a much better understanding of the authorization myself! Thanks John
Thanks for your feedback, I am pleased you found it useful
Nice work.
Thanks for the feedback!
What if you have users in an Azure Only environment without any server?
You will require a PKI to issue your certificates.
@@john_craddock Does Microsoft Intune not provide a way to issue certs from my own root certificate?
@@john_craddock Does Microsoft offer a private PKI for Intune?
You bet John! Keep up the good work. Appreciate it! 👍
Thanks, will do!
Hi John, thank you so much for your video. Can you explain how to create the other certificate templates, like CBAUserSetName and others? I'm a little confused at that step. Thank you so much.
Sorry for the late reply. Please give me the time in the video that you are asking about.
I like anyone who goes back and edits in missing information afterwards (e.g. 'along with their public key' comment at 2:50). That shows thorough attention to detail and an awareness of the perspective of learners. Thanks very much.
Thanks for the comments Eric! I always try and make the videos as clear as possible - so it's great to hear when I have succeeded.
John, I followed your steps to the letter, but as soon as I test my pilot user, I put in the OTP and then it says "Great job done". Then it loops repeatedly. I think this may be due to the SSPR perhaps? This user doesn’t have a cell phone .. not kidding 😢. How can I get around this or exclude them from being forced to register a cell number? Thanks
After further digging, I believe this has to do with SSPR being enabled for All Users. I can't register password reset for a key-only user. Did you need to apply some exclusions to your v-john user in the demo?
Hi @Doctair, sorry for the slow response, it's been a very busy few weeks! Can you provide a few more details of what you are attempting and also the video time for the demo you are referring to and I will take a look. Thanks John
@@john_craddock Hi John, just had time to circle back on this. There is no problem with setting up the TAP and FIDO2 keys; your vid was perfect! My issue was that my version of the "real" v-john had been in a loop after the OTP is put in. I could not register the key in the "adding FIDO key to your account" section until I disabled SSPR for the entire tenant. In your demo environment, did you already have SSPR disabled or scoped to a specific group that perhaps v-john was not a part of? Are there additional settings you had before your demo was recorded? I hope that makes sense? Thanks again for the great vids. Been learning a lot.
This is completely irrelevant for modern cloud-based Microsoft 365 Entra.
I am not quite sure why you say that. I agree if you don't want to use CBA, then it may not be relevant to you, but it is certainly not irrelevant to everyone.
On-prem is going away. @@john_craddock
Thank you for the interesting video. Maybe you know how I can handle the MFA via Postman?
Hi, thanks for your feedback. If you are signing on as a user, you will be prompted for MFA when you request the access token. MFA should just work.
@@john_craddock Thank you for the quick answer. The API response is 401 Unauthorized. P.S. I had been successfully using this API authorization before enabling MFA.
Amazing! I like it! Thank you so much! Please could you share with us the URL of your Azure AD application for the OpenID Connect and OAuth 2.0 demo?
Thanks for the feedback. The app is given away to attendees of my Identity Masterclass. Otherwise, I am sorry to say that it is not available.
Thank you for sharing; it is a very insightful and appreciated conversation. Absolutely, a deep dive into the integration of protocols like Kerberos, NTLM, IPsec and IKEv1, and how they fit in end to end in the Microsoft Entra architecture, would be edifying.
Hi, sorry for the delay in replying to your comment. Thanks for leaving it. We are planning to do the deep dive this coming month. I will do one on Kerberos in the next couple of weeks.
• Microsoft Entra (formerly Azure AD) Global Secure Access allows secure access to on-premises apps and resources through the cloud. It combines networking and identity.
• It is currently in public preview, released on July 11, 2022. It will go through feedback and feature additions before general availability.
• The components are Entra Internet Access and Entra Private Access.
• Licensing will likely be a per user per month model, similar to other Microsoft 365 licenses. It may be included in E3/E5 or a separate premium SKU.
• UDP support is planned for Q3/Q4 2022 calendar year.
• More features and capabilities ("more goodness") are planned for release over the next weeks/months.
• Private Access currently uses a proxy connector, separate from the App Proxy connector. In the future they will merge into one connector.
• Multi-cloud support allows deploying connectors in Azure, AWS, GCP etc. to bridge those environments.
• It supports multi-session Windows Virtual Desktop, with some limitations currently.
• It respects the native authentication protocol of the app, e.g. Kerberos or NTLM.
• Private DNS resolution is on the roadmap but not supported yet. Traffic acquisition profiling allows accessing private resources for now.
• Integration with SD-WAN solutions is planned further down the roadmap.
Thank you very much. It is easy to understand and learn.
Thanks for your feedback, it's really appreciated
Great video. Expecting more!
Many thanks for the feedback - there are definitely more to come!
Very informative
Glad it was helpful!
Beautifully explained. Thanks for taking your time to explain this CA feature to me; I hadn't been able to cover it yet. P.S. The groove at the end of the video sounds like UB40, doesn't it?
Thanks for the feedback - I appreciate it. The groove has gone through the copyright police, so I don't think it can be UB40 derived.