Taking Control of Your Cloud’s Control Plane en

Microsoft introduced the Enterprise Access Model, as an evolution of ESAE, in December 2020. Core principles (e.g., tiered administration) have not been changed but the practical implementation can be still a challenge for many organizations and is much different between cloud and on-premises infrastructure. However, the concept should be an important part of your privileged access strategy to avoid unauthorized pathways which leads to lateral movements and also applies for cloud administration.

In this session, I will share my experiences in designing, managing and monitoring privileged access based on Enterprise Access Model. We will look at a practical approach to design a classification model for tiered administration. The real-world challenges in adopting the privileged access design in enterprise environments and current technical limitations will be one the topics in this talk. We will also discuss some fundamental design questions, for example using a dedicated tenant to host an administrative environment (”Red Tenant”) for privileged assets. Integration of security operations to identify breach of tiered administration and practical guidance on daily operations will be covered in the live demos.

Zero Trust - Zero Gap? Spotlight on (new) uncovered aspects of your CA design en

Conditional Access is the heart of Microsoft's Zero Trust implementation as its policy enforcement engine and Microsoft introduces constantly new features to cover more and more use cases and integrations. This includes granular conditions and controls for specific authentication methods, restricted sessions and authentication flows but also new capabilities to re-trigger a policy evaluation.

In this session, we will discuss the latest features and their use cases and also challenges that you may not address in your current ruleset. Starting from automation for deployment, exclusion handling and gap monitoring, up to missing strong policy design to prevent rogue devices or protect privileged users.

Fantastic tokens in Microsoft Entra ID and how to protect them... en

Post-authentication attacks are on the rise and offer attackers the opportunity to satisfy strong security controls (such as MFA or compliant device requirements). Token artifacts take the essential role in the process of verifying identity of the user and obtaining an access to resources in Microsoft Entra. Therefore, it's important to consider token theft scenarios which allow to steal those artifacts and use them elsewhere.

Monitoring of anomaly and threat signals to enforce re-authentication but also timely response to policy violations are just a few defense aspects which should apply to your ITDR and Security Operations.

In this session, I will give an overview about the different types of token artifacts and how to protect them from token replay attacks.

- How and when does TPM help us to protect keys?
- Which detection sources and signals are important?
- What type of tokens are particularly vulnerable?
- Why Continuous Access Evaluation becomes an essential part for tackling abuse of tokens?

Empowering Identity Threat Detection & Response with Microsoft Security en de

Identities are still one of the main attack scenarios and many different threats and attack techniques will be used to gain credentials and access. Microsoft security products offers many capabilities to detect those threats and risks on identities by using built-in ML-based signals but also implementing custom detections.

But which integrations between the individual products (such as Microsoft Defender XDR, Sentinel and Entra ID Protection) are essential? How can you take advantage of "User and Entity Behavior Analytics" to detect suspicious activities? Which practical use cases and solutions are available to fine-tune or enrich built-in detections?

In this talk, I would like to give a practical view on the implementation of the Microsoft Security stack for Identity Threat Detection & Response with notes from the field. This will cover also advanced multi-stage attack scenarios and custom detections.

Identity Detection & Response mit Microsoft Security en de

Identitäten von Mitarbeiter sind heutzutage das Angriffsziel Nr. 1 und dabei einer Vielzahl von unterschiedlichen Angriffsmethoden ausgesetzt. Innerhalb des Microsoft Security Portfolio gibt es verschiedene Produkte, die zum Schutz sowie Überwachung von Benutzerkonten in Microsoft Entra ID genutzt werden können.

Aber welche Integration gibt es zwischen den einzelnen Produkten, wie z.B. Microsoft Defender XDR und Entra ID Protection? Wie können "User and Entity Behavior Analytics" helfen, ungewöhnliche Aktivitäten festzustellen? Welche automatische Reaktionen auf Incidents sollten unbedingt berücksichtigt werden?

In dieser Session werfen wir einen praxisnahen Blick auf wichtige Integrationen und Funktionen von Microsoft Defender XDR und Microsoft Sentinel, die für Identity und Security Admins sehr hilfreich sind.

Protect Your Privileged Identities and DevOps Pipelines In Microsoft Azure! en

Privileged identities but also DevOps pipelines with privileged access needs particular attention in a cloud environment.

Over the last years Microsoft releases many design principles, best practices and security concepts for securing privileged access in Microsoft Azure.

This includes the new "Enterprise Access Model" (as evolution from the AD tier model) but also best practices from the Cloud Adoption Framework (CAF) to design identity and access for Azure workloads and management.

In my session I will speak about security considerations and solution approaches from my research work. This includes answers to the following questions:

- Which key points should be included in desgning a secure foundation for privileged identities?
- How can I prevent privilege escalation by implementing a well-designed and delegated Azure RBAC model?
- Which aspects should be considered in securing privileged Azure DevOps release pipelines?

EntraOps: Deploying and Managing Conditional Access at Scale en

Conditional Access is an essential component of "Azure Active Directory" and assumes the role of the "Zero Trust Policy Engine" in Microsoft 365 environments.

Therefore, configuration management of the policies has become a critical and important part for Identity Administrators and Security Operations.

Microsoft Graph API offers programmatic access to Conditional Access which is the foundation to configure policies "as code".

In this session we will do a walkthrough of automation solutions to manage deployment and operations of Conditional Access at scale across the DevOps lifecycle.
During the hands-on demos we will discuss my PoC project "AADOps" which shows the capabilities in automation and lifeycle management by using Azure DevOps (Repos and CI/CD pipelines), PowerShell and Microsoft Graph.

1. Overview of Microsoft Graph & Conditional Access
- Existing automation and workflow solutions
- Considerations of "Policies as Code"

2. Introduction of "AADOps" project
- Advantages of "IdentityOps" approach
- Security design and RBAC of Azure DevOps project

3. Coding & deployment of policies
- Plan and code policies in "Azure Repos"
- Defined policy templates and variables
- Governance by automated validation and approval workflow
- Pull/Push Pipeline to manage desired state
- Safe rollout of policies across intra- and inter-tenant stages

4. Operationalization of policies in Azure AD management
- Operational Insights and Exclusion Management
- Security Monitoring of Policy management

Azure Governance Best Practices and Enterprise-Scale en

In the past, Microsoft published many documentations and white papers for the adoption of Azure in enterprise environments. This includes Cloud Adoption Framework (CAF) and the Well-Architected Framework. Alongside of an overview of those whitepapers, we will show some hands-on demos to manage your cloud environment. In particular, Azure Policy, Defender for Cloud and Azure Advisor will help you to enforce your policies across compliance and security. In this session, we like also to introduce you to the "Enterprise-scale" architecture, and some of the included aspects, considerations, or approaches. A particular focus will be on security best practices with Entra ID and RBAC. Protecting DevOps pipelines and designing a delegated role model will be one of the topics as well.

Topics of this session:
- Cloud Adopting Framework
- Well-Architected Framework
- Azure Policy and Defender for Cloud
- Azure Advisory

- Overview and requirements of Azure Landing Zones
- Deployment of Enterprise-Scale reference implementation
- Policy-driven governance ("Azure Policy")
- Critical design areas and core principals of securing Azure environments

Securing and monitoring your Azure AD identities en

Azure Active Directory is one of the keys for implementing a "Zero Trust" approach. The perimeter is moving from network to identity (as the new control plane).

During my session I will talk about several aspects to secure and monitor hybrid identities and (cloud-only) privileged accounts.

The session includes overview, recommendation and considerations of the following topics:

- Plan, draft and test Conditional Access Policies
- Automated response to address user and sign-in risk with Azure AD Identity protection
- Detect suspicious user activities and protect cloud app sessions with MCAS
- Auditing and insights of accounts and (suspicious) authentication attempts with Azure Sentinel

Introduction and Security Recommendations of Azure Enterprise-scale Architecture en de

In the past, Microsoft published many documentations and white papers for the adoption of Azure in enterprise environments. One of the key source is the Cloud Adoption Framework (CAF).

In the session, I like to give an overview of the „Enterprise-Scale“ reference architecture. This enables you to build landing zone(s) that represents the strategic design path and follows design principles of critical design for shared services (e.g. identity, network,..).

Furthermore, it includes learnings from previous engineering engagements and provide architecture design pattern from Microsoft.

Various reference implementations allows to deploy (modular) templates depending on customer needs such as kind of connectivity (cloud-only, Hub/Spoke, vWAN).

You will learn more about implementation of the "Enterprise-scale" architecture, and some of the included aspects, considerations or approaches.
A particular focus will be on security best practices:

- Overview and requirements of Azure Landing Zones
- Deployment of Enterprise-Scale reference implementation
- Policy-driven governance ("AzOps")
- Critical design areas and core principals of securing Azure environments with Azure AD

Level 300 Session
including Hands-On Demo

Einführung in "Enterprise-Scale" Architektur für Microsoft Azure en de

In der Vergangenheit hat Microsoft bereits einige Dokumente und Whitepapers veröffentlicht, die Unternehmen bei der Einführung von Microsoft Azure unterstützen sollen. Einer der wichtigsten Quellen ist hierbei das Cloud Adoption Framework (CAF).

In dieser Session möchte ich einen Überblick zu der "Enterprise-Scale" Referenz-Architektur geben.

Diese beinhaltet u.a. einen Leitfaden und Referenz-Implementierung zum Aufbau von Azure "Landing zones".
Dabei wird auf strategische und technischen Aspekte zu den notwendigen und übergreifenden Diensten (wie z.B. Konnektivität, Identitäten und Monitoring) eingegangen.

Wichtige Ansätze zur Implementierung und kritische Design-Entscheidungen sind hier auf Basis der Microsoft Design Pattern aber auch aus Erfahrungen mit Kundenprojekten eingeflossen.

Unter anderem werden auf folgende Themen während des Vortrages und der Demo eingegangen:

- Übersicht und Anforderungen an Landing Zones
- Richtlinien-gesteuerte Governance mit "AzOps"
- Kritische Bereiche bei dem Design und Architektur
- Kernpunkte zur Absicherung von Azure-Umgebungen mit Azure AD

Level 300 Session
including Hands-On Demo

Delegated and secured management of Azure environments with Microsoft Entra en de

Most organizations have implemented (internal or customer) Azure workloads in the same Microsoft Entra ID tenant environment as their corporate production environment for Microsoft 365 and other SaaS solutions. Delegate access and managing separated Azure environments in a single-tenant environment could be challenging.

In this context, various other questions come to mind:
Which aspects should be considered in securing identities or access as part of privileged DevOps pipeline and assigned permissions to Azure Resources? How can I delegate or separate objects such as service principals or test users within one Azure AD tenant? When should I start to isolate my resources in multiple tenants and what are the disadvantages?

Microsoft implemented new features and published white papers that address this need recently. In my session we will go into details about the subjects:

- Microsoft Entra ID Tenant Boundary and multi tenant scenarios
- Limitations and differences of Azure and Entra ID RBAC delegation
- Custom Azure RABC roles and scopes (UX and RBAC-as-Code)
- Delegated permissions on level of Administrative Units
- Approval process to gain scoped access to Entra ID objects
- Azure PIM Privileged Access Groups for Azure DevOps roles

Level 300 session
including Live-Demos

Delegierung und Absicherung der Verwaltung von Azure-Umgebung mit Microsoft Entra en de

Viele Organisationen haben interne- oder kundenbezogene Azure Workloads im gleichen Microsoft Entra ID Tenant implementiert, wo auch die produktiven Unternehmensdienste wie Microsoft 365 oder andere SaaS-Applikationen laufen.

In diesem Zusammenhang, kommen aber einige Fragen auf:
Welche Aspekte sollten berücksichtigt werden bei der Absicherung von Identitäten oder Zugriff als Teil einer privilegierten DevOps pipeline und zugewiesenen Berechtigungen zu Azure Ressourcen?
Wann sollte ich anfangen meine Ressourcen in mehreren Tenants zu isolieren und welche Nachteile entstehen?

Microsoft hat neue Features eingeführt und Whitepapers veröffentlicht, die diese Themen adressieren. In meinem Vortrag werden wir über folgende Punkte sprechen:

- Microsoft Entra ID Tenant Boundary and "Multi-Tenant" Szenarien
- Limitierungen und Unterschiede von Azure and Entra ID RBAC Delegierung
- Erstellung von eingeschränkten Azure RABC Rollen und Umfang
- Just-in-Time und eingeschränkten Zugriff auf Entra ID Objekten
- Azure PIM Privileged Access Groups mit Azure DevOps

Level 300 session
beinhaltet auch Live-Demos

Hybrid identity design and security considerations in Microsoft Entra en de

Azure Active Directory is the core identity service of Azure- and Microsoft 365. Many companies around the world connected Active Directory to Microsoft's cloud-based IAM service for synchronization and authentication of identities.
During the session I will talk about design and security considerations in a hybrid Azure AD environment.
What approaches could be used in securing hybrid identity components (Azure AD Connect, PTA,...) or delegate administrative permissions?
This session includes also some hands-on demos (e.g. hardening of default tenant settings or identity protection) and notes from the field.

Level 300 Session
including Hands-on Demo

Design und Security eines hybriden Azure AD en de

Azure Active Directory ist der zentrale Identitätsdienst für Azure- and Microsoft 365. Viele Unternehmen weltweit haben ihr lokales Active Directory mit Microsoft's cloud-basierenden IAM-Services verbunden, um Identitäten zu synchronisieren und Authentifizierungen durchzuführen.
Während meiner Session werde ich auf einige Design- aber auch Sicherheitsthemen eingehen, die bei einer Implementierung von hybriden Azure AD-Umgebung betrachtet werden sollten.
Welche Ansätze können genutzt werden um Azure AD Connect oder hybride Identitäten abzusichern?
In der Session werden auch Live-Demos (z.B.Default Tenant-Einstellungen oder Identitätsschutz) gezeigt.

Level 300 Session
beinhaltet Live-Demo

Securing your privileged identity and access in Microsoft Entra en de

Privileged accounts and access needs particular attention alongside of the regular protection of user accounts in Microsoft Entra. Over the last years Microsoft releases many design principles, best practices and security concepts for securing privileged access in Microsoft Azure (such as "Enterprise Access Model" as evolution of the ESAE approach).

In my session I will speak about the latest aspects, considerations and solution approaches to protecting privileged identities and access in Microsoft Azure:

- Customizing and Designing of Azure and Entra ID RBAC concept
(Custom roles, security considerations of built-in roles)
- Adoption of Enterprise Access Model in Microsoft Entra
- Reduce the exposure time of privileges (Identity Governance)
- Managed Access Package for Privileged Access Groups and Roles
- Protecting privileged accounts with advanced Conditional Access and MFA (including passwordless options)
- Access to Azure resources from a secure admin workstation

Level 300 session (including hands-on/live demos and notes from the field)

Wie schütze ich meine Administrativen Konten und Zugriffe in Microsoft Azure? en de

Die Absicherung von privilegierte Konten und deren Zugriffe in Microsoft Entra benötigen, zusätzlich zu den normalen Benutzerkonten, eine besondere Aufmerksamkeit.

In den letzten Jahren hat Microsoft einige Konzepte und Sicherheitsfunktionen für administrative Konten im On-Premises Umfeld (wie z.B. ESAE/Admin-Foerst) aber auch für die Azure Cloud Plattform veröffentlicht.

In meinem Vortrag werde ich über die aktuellen Ansätze und möglichen Lösungen zum Schutz von privilegierten Konten und Zugriffe sprechen, wie z.B.:

- Schutz von privilegierten Konten mit erweiterten Conditional Access Richtlinien und MFA (sowie passwortloser Authentifizierung)
- Adaptierung von ESAE Design-Ansätzen in Entra ID
- Design und „Considerations“ von Azure und Entra ID Rollen
(Custom roles, Limitierungen und Permission Scope von Built-in Roles)
- Angriffspfade und „Privileged Escalation“ für Azure-Administratoren
- Zeitliche Begrenzung der administrativen Berechtigungen und Freigabeprozesse durch Identity Governance-Features
- Zugriffes auf Azure Ressourcen über einer gesicherten Admin Workstation (PAW/SAW-Konzept)
- Auditing und Risiken von privilegierten DevOps (CD) Pipelines

Level 300 session (Hands-on/Live-Demos, Erfahrungen aus der Praxis)

Manage and Secure Your Customer Identities with Azure AD B2C! en de

Microsoft’s Azure AD B2C enables companies and organizations to manage identities and access of customers in the cloud. It’s built on the strong foundation of Azure AD and the powerful identity engine “Microsoft Identity Experience Framework”. Developers are able to easily integrate apps based on the Microsoft Identity platform and customize the B2C tenant (e.g. branding of UI) .

In this session I will talk about architecture and operation-related topics:

- Architecture of Azure AD B2C
- Use cases and examples of CIAM solutions
- Design and configuration of B2C tenant
- Configuration of User flows (Built-in)
- Deployment of Custom Policies
- Auditing and Monitoring
- Securing local user accounts in B2C

This session includes hands-on and experiences from the field. It aims to reach a wide audience, including DevOps to get an overview of use cases and implementation of Microsoft's identity platform in B2C scenarios.

Verwalten von Kundenidentitäten mit Azure AD B2C! en de

Microsoft’s cloudbasierte Customer-Identitätsverwaltung (“Azure AD B2C”) ermöglicht es Unternehmen und Organisationen die Zugriffe und Identitäten von Kunden in der Cloud zu verwalten. Basis hierfür bildet das Azure AD und die Identity Engine “Microsoft Identity Experience Framework".

Entwickler sind in der Lage die Anwendung auf Basis der Microsoft Identity Platform einfach zu integrieren und den B2C Tenant entsprechend anzupassen (z.B. Anpassung der UI/UX).

In meinem Vortrag werde ich über die Architektur- und Betriebsrelevante Themen sprechen:

- Architektur des Azure AD B2C
- Anwendungsfälle und Beispiele von CIAM Lösungen
- Konfiguration des B2C Tenants und User Flows
- Bereitstellung von Custom Policies
- Auditing und Monitoring
- Absicherung von lokalen Identitäten in B2C

Der Vortrag beinhaltet Live-Demos und Erfahrungen aus der praktischen Umsetzung. Die Zielgruppe ist sehr breit gefasst und richtet sich auch an DevOps die einen Überblick bzgl. der Implementierung von Microsoft's Identitätsplattform für B2C-Szenarien suchen.

Deep Dive into Microsoft Entra Conditional Access en

Conditional Access Policies in Microsoft Entra allows to empower users to be productive wherever and whenever but also protect the organization's assets. It's an essential component of the identity-driven security approach in Azure Active Directory. It also plays an important role as "Policy Engine" in Zero Trust implementations to "always verify" access by context and control.

Deep integration with Azure AD Identity Protection, Microsoft Cloud App Security but also 3rd Party allows extension of conditions and controls.

In this session we will do a walkthrough including hands-on demos, known limitations and notes from the field:

1. Overview of Conditional Access Policies
- Security Defaults vs. Custom Policies
- Principals of Signal, Decision and Enforcement

2. Design and Implementation
- Naming Convention
- Policies As Code
- Management of Exclusions

3. Common use cases and policies

4. Extension of Conditions and Controls
- User and Sign-In Risk with Azure Identity Protection
- App Control to Microsoft Cloud App Security

5. Monitoring and Reporting
- Insights and Workbooks
- Azure Sentinel

Avoid privilege escalation of pipelines in Azure DevOps! en

Automated deployment of cloud infrastructure by using Azure Pipelines and definition of "infrastructure as code" in Azure Repos has become popular in many organization.

But this also requires to implement security and compliance settings to protect privileged assets which will be used to automate your cloud environment.

Security considerations, such as privilege escalation paths, needs to be considered across various related RBAC systems in Azure AD, Azure and Azure DevOps.

In my session I will speak about security considerations and solution approaches from my research work. This includes answers to the following questions:

- Which key points should be considered to secure and manage privileged access to Azure DevOps organization?
- How can I prevent and detect abuse of service principals and connections in privileged pipelines?
- Which aspects should be considered in securing privileged Azure DevOps release pipelines?
- What benefits offers the usage of self-hosted agent for isolation and security in Azure Resource deployment?

Demystify Microsoft Entra ID workload identities en

Identities of apps and services (workloads) are gaining privileged access and are used on a wide scale (especially in DevOps or large high-automated environments).
Attack techniques (for example, in case of NOBELIUM attacks) has shown that service principals will be used for initial and persistent access (to create a "backdoor" in Microsoft Entra ID).
Securing credentials, limit and detecting suspicious access or managing lifecycle of workload identities can be a challenge.

Security concepts of privileged user account can not be (fully) applied to non-human identities and would be limited applicable.
Strictly monitoring and classification of this types of identities are often neglected in the past.

In this session, I like to give an overview about the different types of workload identities, common (sensitive) use cases and how attacks or abuse can be mitigated of the different phases in the lifecycle.

- What is a workload identity?
- Different types of workload identities in Entra ID
- Common and real-world use cases
- Management of lifecycle and visibility
- Securing delegated management by Entra ID RBAC
- Monitoring and detection to prevent privilege escalation
- Securing access and protection of workload identities
(by Entra Conditional Access and Identity Protection)

Effective measures to improve your identity security posture in Microsoft Entra en de

Microsoft Entra ID has become an essential part of the "Identity & Access Management" in many organizations. Critical business applications and cloud services are integrated to Microsoft's cloud-based identity platform but also components to support hybrid identity scenarios in Active Directory (on-premises) have been implemented.

On the other hand, the "new control plane" is a growing target for cybercriminals. Microsoft Entra offers many security features and integration to other (Microsoft) security solutions to protect (hybrid) identities. But what are security considerations that should be considered in the design and implementation of a modern identity infrastructure? How can you track posture management changes and their impact in your environment?

In this session, I will talk and demonstrate a few usual examples of "misconfiguration" or weak implementations regarding the following four subject areas:

- Identity Security Posture and usual misconfiguration of security-related tenant settings
- Weakness in Conditional Access Policy Designs and risks of Token replay attacks
- Privileged Identity and Access in Microsoft Entra ID and "overlooked" privileged access paths
- App Integration and abuse by overprivileged workload identities

Effektive Maßnahmen für mehr Sicherheit in Azure Active Directory en de

Microsoft Azure Active Directory ist für viele Unternehmen zu einem essentiellen Bestandteil des Identitäts- und Zugriffsmanagement geworden. Geschäftskritische Anwendungen und Infrastruktur-Komponenten wurden angebunden, aber auch Komponenten und Dienste zur Integration von hybriden Identitäten mit dem bestehenden Active Directory wurden implementiert.

Allerdings rückt der cloudbasierte Identitätsdienst auch in das Interesse von Angreifern.

Azure AD bietet einige Sicherheitsfunktionen und auch umfangreiche Integrationen in Microsoft Sicherheitslösungen an.
Aber welche Features sollten berücksichtigt werden und was ist bei dem Design sowie deren Implementierung zu beachten?

In dieser Session möchte ich einen Überblick zu möglichen Schwachstellen bei der Standard-Konfiguration aber auch dem Monitoring im Azure AD geben. Dies beinhaltet folgende Themenbereiche:

- Identity Security Posture Management und "Privilege Escalation" von Azure AD Connect
- Design von Richtlinien im Conditional Access und Sicherheit von ausgestellten Tokens
- Unterschätzte Berechtigungen und Rollen im Azure AD RBAC
- Integrationen von Apps und Schutz von Workload Identities bzw. Service Principals

Control Plane under Control: Securing Privileged Access by Microsoft Enterprise Access Model en

Over the last years, Microsoft has released many design principles, best practices and security concepts for securing privileged access in a Microsoft Cloud environment. This includes also the "Enterprise Access Model" as an evolution of the previously known (Active Directory) ESAE approach.

But what are real-world experiences and examples of implementing those reference architecture? Which security controls should be applied? Who and what should be defined as "Tier0" or "Control Plane"? Which privilege escalation paths should be considered even in a tiered administration model?

In this demo-drive session, I will share my learnings and practical approach to identify, protect and monitor the high-privileged assets in Microsoft Entra. We will go through related features and monitoring capabilities but also limitations to implement a tiered administration model in a cloud environment. In addition, I will show insights of my free commmunity tool "EntraOps" which allows to automate classification and protection of privileged assets in your environment.