MS-102 Phase 6 Module 38

Secure User Access

Passwordless (FIDO2, WHfB, Passkey), MFA via Conditional Access, Authentication Strength, SSPR, and Number Matching against MFA fatigue.

Scenario – VinaCorp

CISO requirements: turn off legacy per-user MFA and move to Conditional Access MFA; enable Number Matching against MFA fatigue; FIDO2 security keys for the 50 IT admins; enable SSPR for all users.

Comparing MFA methods

Method                             | Phishing-resistant | Requirements          | Use case
-----------------------------------|--------------------|-----------------------|----------------------
FIDO2 Security Key                 | ✅ Highest          | YubiKey / Feitian     | Admins, privileged
Windows Hello for Business         |                    | Win10/11 + TPM 2.0    | Corporate devices
Authenticator Passkey              |                    | Authenticator v6.2+   | BYOD / mobile
Authenticator push + Number Match  | ⚠️ Better           | Authenticator app     | Standard users
OATH TOTP (6-digit)                |                    | Authenticator / token | Legacy fallback
SMS OTP                            | ❌ SIM swap risk    | Phone number          | Not recommended

Lab A – Enable FIDO2 & Number Matching (Graph PowerShell)

Portal: entra.microsoft.com → Protection → Authentication methods → Policies

Enable FIDO2 for IT Admins

# Group.Read.All is needed for the Get-MgGroup lookup below
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod","Group.Read.All"

$groupId = (Get-MgGroup -Filter "displayName eq 'GRP_IT_Admins'").Id

$fido2Config = @{
    "@odata.type"         = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    State                 = "enabled"
    IsAttestationEnforced = $true                                        # accept only keys with valid attestation
    IncludeTargets        = @(@{ TargetType = "group"; Id = $groupId })  # scope the method to the IT admin group
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" -BodyParameter $fido2Config

Write-Host "FIDO2 enabled for GRP_IT_Admins"

FIDO2 enabled for GRP_IT_Admins

Enable Number Matching for Authenticator (against MFA fatigue)

# Enable number matching + context information (app name + location)
$authConfig = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    State = "enabled"
    FeatureSettings = @{
        DisplayAppInformationRequiredState = @{
            State = "enabled"
            IncludeTarget = @{ TargetType = "group"; Id = "all_users" }
        }
        DisplayLocationInformationRequiredState = @{
            State = "enabled"
            IncludeTarget = @{ TargetType = "group"; Id = "all_users" }
        }
        NumberMatchingRequiredState = @{
            State = "enabled"
            IncludeTarget = @{ TargetType = "group"; Id = "all_users" }
        }
    }
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" `
    -BodyParameter $authConfig

Write-Host "Number Matching + context info enabled"

Number Matching + context info enabled

Lab B – Conditional Access MFA Policy

Disable legacy per-user MFA before enabling CA MFA to avoid double prompts. Portal: entra.microsoft.com → Users → Per-user MFA → Disable all.

Create CA Policy: Require MFA for All Users

# Creating CA policies needs Policy.Read.All and Application.Read.All in addition to the write scope
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

$policy = @{
    DisplayName = "CA001 - Require MFA All Users"
    State       = "enabledForReportingButNotEnforced"   # report-only before enforcing
    Conditions  = @{
        Users = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @("BREAK_GLASS_ACCOUNTS_GROUP_ID")   # placeholder: object ID of the break-glass group
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "CA001 created (report-only mode)"

CA001 created (report-only mode)
Monitor sign-in logs for 1 week → switch to 'enabled'
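Before switching CA001 from report-only to enabled, check what the policy would have done during the monitoring week. The following is an added example, not part of the original lab; it assumes the CA001 display name from above and the Graph scopes AuditLog.Read.All, Directory.Read.All, Policy.Read.All and Policy.ReadWrite.ConditionalAccess.

```powershell
# Added example (not from the original lab): review report-only outcomes for
# CA001 over the last 7 days, then enable it only if nothing would have been blocked.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

$ca001 = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CA001 - Require MFA All Users'"

# The lab's one-week monitoring window
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in records a per-policy outcome in AppliedConditionalAccessPolicies.
# For a report-only policy the Result is one of: reportOnlySuccess (controls already
# satisfied), reportOnlyInterrupted (user would have been prompted for MFA),
# reportOnlyFailure (sign-in would have been blocked), reportOnlyNotApplied.
$outcomes = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $ca001.Id }
    if ($applied) {
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            Result = $applied.Result
        }
    }
}

# Distribution of outcomes: the reportOnlyInterrupted count is the number of
# sign-ins that would have required an MFA prompt once CA001 is enforced.
$outcomes | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Who would have been blocked outright (e.g. clients that cannot perform MFA)
$failures = @($outcomes | Where-Object Result -eq 'reportOnlyFailure')
$failures | Select-Object User, App -Unique | Format-Table -AutoSize

if ($failures.Count -eq 0) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca001.Id `
        -BodyParameter @{ State = "enabled" }
    Write-Host "CA001 switched to enabled"
} else {
    Write-Host "CA001 left in report-only: $($failures.Count) sign-ins would have been blocked"
}
```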

Authentication Strength – Phishing-Resistant MFA for Admins

# Separate CA policy for admins: accept only FIDO2 / WHfB / Passkey
$adminPolicy = @{
    DisplayName = "CA002 - Require Phishing-Resistant MFA for Admins"
    State       = "enabled"
    Conditions  = @{
        Users = @{
            IncludeRoles = @(
                "62e90394-69f5-4237-9190-012177145e10",   # Global Admin
                "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"    # Security Admin
            )
            ExcludeGroups = @("BREAK_GLASS_ACCOUNTS_GROUP_ID")   # placeholder: same break-glass exclusion as CA001
        }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{
        Operator               = "OR"
        AuthenticationStrength = @{ Id = "00000000-0000-0000-0000-000000000004" }   # built-in "Phishing-resistant MFA" strength
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy
Write-Host "CA002 created - Phishing-Resistant MFA for Admins"

CA002 created - Phishing-Resistant MFA for Admins

Lab C – Self-Service Password Reset (SSPR)

Enable SSPR via Portal

1. entra.microsoft.com → Protection → Password reset → Properties → All
2. Authentication methods → Number of methods: 2 → Enable: Mobile app notification, Mobile app code, Email
3. Registration → Require registration at sign-in: Yes → Days to confirm: 180
4. Notifications → Notify users on reset: Yes → Notify all admins when any admin resets: Yes
5. On-premises integration → Write back passwords to on-premises AD: Yes (requires Entra Connect + Password Writeback)

# Check the tenant-wide SSPR setting in the authorization policy
Get-MgPolicyAuthorizationPolicy | Select-Object AllowedToUseSspr, AllowedToSignUpEmailBasedSubscriptions

AllowedToUseSspr                       : True
AllowedToSignUpEmailBasedSubscriptions : False
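A check a practitioner would run after step 3 (required registration) and before enforcing CA002: use the authentication-methods registration report to find users who have not registered for SSPR, admins with no FIDO2/WHfB registered, and users whose only method is a phone number. This is an added example, not part of the original lab; it assumes the scopes AuditLog.Read.All and UserAuthenticationMethod.Read.All and the method names 'fido2SecurityKey', 'windowsHelloForBusiness' and 'mobilePhone' as reported in MethodsRegistered.

```powershell
# Added example (not from the original lab): roll-out coverage checks from the
# authentication-methods registration report.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All"

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 1) SSPR: users who are in scope but have not registered yet.
#    These will be pushed through registration at next sign-in (Lab C step 3).
$notRegistered = @($details | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered })
Write-Host ("SSPR enabled but not registered: {0} users" -f $notRegistered.Count)
$notRegistered | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize

# 2) Admins without a phishing-resistant method. CA002 would lock these accounts
#    out, so remediate them first. The method names are an assumption about how
#    the report labels them; adjust if your tenant reports passkeys under another name.
$phishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness')
$adminsAtRisk = @($details | Where-Object {
    $_.IsAdmin -and
    @($_.MethodsRegistered | Where-Object { $phishingResistant -contains $_ }).Count -eq 0
})
Write-Host ("Admins without FIDO2/WHfB registered: {0}" -f $adminsAtRisk.Count)
$adminsAtRisk | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize

# 3) Users whose only registered method is a phone number (SMS/voice), i.e. the
#    SIM-swap exposure the comparison table flags as not recommended.
$phoneOnly = @($details | Where-Object {
    @($_.MethodsRegistered).Count -eq 1 -and $_.MethodsRegistered -contains 'mobilePhone'
})
Write-Host ("Phone-only users: {0}" -f $phoneOnly.Count)
$phoneOnly | Select-Object UserPrincipalName | Format-Table -AutoSize
```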

Audit SSPR Activity

# View SSPR activity (reset and registration flow) in the directory audit log,
# which is where SSPR events are recorded; the sign-in log does not contain them
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'Self-service Password Management'" -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ Name = "User"; Expression = { $_.InitiatedBy.User.UserPrincipalName } } |
    Format-Table -AutoSize

Windows Hello for Business (WHfB)

Deployment                 | Suitable for                                | Key Trust vs Cert Trust
---------------------------|---------------------------------------------|------------------------------------
Cloud-only (Entra-joined)  | Fully cloud environment                     | Key Trust (simpler)
Hybrid Key Trust           | Entra Connect + AD FS or Kerberos Extension | Key Trust, requires Entra Kerberos
Hybrid Cert Trust          | Needs cert-based auth, PKI                  | Certificate Trust, more complex

# Enable WHfB via Intune (Settings Catalog)
# Device Configuration → Settings Catalog → Windows Hello for Business
# Key settings:
#   Use Windows Hello for Business: Enabled
#   Require PIN: Enabled (min 8 chars)
#   Use TPM: Required
#   Allow biometrics: Enabled
#   Require anti-spoofing for facial recognition: Enabled

Module 38 Summary

Core knowledge
  • ✅ FIDO2 > WHfB > Passkey = the best phishing-resistant options
  • ✅ Number Matching effectively prevents MFA fatigue attacks
  • ✅ CA MFA replaces per-user MFA (more flexible)
  • ✅ Authentication Strength enforces phishing-resistant MFA for admins
  • ✅ SSPR + Password Writeback = users reset their own on-prem AD password too
Labs completed
  • 🔬 Lab A: FIDO2 via Graph API, Number Matching config
  • 🔬 Lab B: CA MFA policy (report-only → enforce), phishing-resistant CA
  • 🔬 Lab C: SSPR portal config + password writeback + audit