Today I’d like to share with you my thoughts regarding 10 steps that can help make Azure AD more secure.
We can do this partially without advanced licenses like E3 / E5

Small Intro

Before going into the details we should make sure that we know what and why we want to protect/

Why? / What?

Identity is the first asset that might be under attack. You can’t access workstations, or servers without authentication, this is why protecting identity is so crucial and it’s also exposed so much for attackers.
Nowadays with modern ways of remote work, we are using the same identity to access Azure, Office 365, Dynamics, and other applications

1 & 2 Frameworks and Benchmarks

Have you ever heard about MITRE ATT&CK or CIS Workbench?

If not, I highly recommend checking the recommendations for Identity and Access Management in both resources. You might be surprised how many recommendations are placed there.

And by the way – both are free of charge!

3 Zero Trust Model

I hope you know the Zero Trust concept. For the last year, there was a lot of useful information’s in the Internet regarding recommendations for the implementation from multiple vendors.
In a nutshell, it’s about changing the mindset

  • from VPNs, Firewalls, and all network tools are protecting us,
  • to security on every particular level.

Trust no one!

There is a great webpage showing the mind map for Zero trust and categorizing it into the following areas:

  • Identity
  • Device
  • Applications
  • Infrastructure
  • Network
  • Data

4 Basic Azure AD configuration

Below I’m listing the configuration points that I’m doing every time when I’m working on the new tenant.

App Registrations

In this case, you can protect your data (users, emails, etc.) from unauthorized data gathering using a broken application. Simply saying you can decide if applications requested by users are asking for too many permissions or not.

Preventing users from registering applications.

Tenant Creation

This settings will prevent users from creating own tenants (and becoming GA) using our tenant Identity.

Preventing users from tenant creation

Restrict Access to the Azure AD administration portal

This will prevent users without any Azure AD role assigned from reviewing the Azure AD from the portal.

Preventing users from accessing Admin Portal

Self-Service Password Reset

Have you ever been called by users to reset their passwords? I bet you have.

Try to make it simple and allow users to reset their password if needed – during the night, during public holidays, etc.

Enabling password reset.

Guest Accounts Settings

Do not forget about guest accounts. They are existing in every tenant so think about the permission that you can assign for them. As always depends on your needs and security recommendations.

Guest accounts settings.

Logs

Don’t forget about logs we need to know what is happening with our users.
Remember to set up Sign-in and Audit Logs in Azure AD to be stored on the log analytics workspace (Require at least Azure AD P1 license)

Azure AD Logs

5 Emergency Access

Have you ever lost access to the lab/test environment? I guess it was a hard time for you – pressure, time spent on preparation, and then everything has gone…

In this case, the solution would be emergency access accounts – “Break Glass Accounts” prepared for the cloud.

There are some principles that should be followed in order to configure emergency access described here.

6 Conditional Access

Using conditional access in a basic setup you can enforce MFA usage for all of your users in a simple way.

Additionally, you can also control access to cloud applications, from specific locations, session management, and many more.

As always this feature is available from at least an Azure AD P1 license.

7 Passwordless

Passwordless is another topic next to the Zero Trust Model that was making a huge noise last year.

Authentication over Windows Hello for Business, Fido Keys, Certificates, and Authenticator can help you get rid of passwords.

Fido key

8 Authentication Strengths

You may remember my series regarding Passwordless Authentication and one mail feature that was missing – unable to configure CA policy to enforce FIDO2 keys usage for privileged accounts. Of course, we were able to choose Passwordless during the login process, but we were unable to enforce it to use passwordless only.

Finally, recently Microsoft announced Authentication strength – a feature that addresses this missing piece of the puzzle.

9 JEA / JIT

When it comes to Just-in-Time access / Just-enough-Administration we can take as an example Azure AD PIM.

It can help us to assign permissions for a specific time to Azure AD Roles, Azure Resource Permissions, or membership in Privileged Access Groups.

No more permanent assignments – time-boxed assignments for the win!!

10 Education

Educate yourself and your co-workers.

Make sure that you know the most common / latest attack techniques to make sure that you can protect/prepare.

Spread the knowledge with others!

Stay safe and secure !

Comments are closed.