Today I’d like to share with you my thoughts regarding 10 steps that can help make Azure AD more secure.
Much of this can be done without advanced licenses such as E3 / E5.
- Small Intro
- 1 & 2 Frameworks and Benchmarks
- 3 Zero Trust Model
- 4 Basic Azure AD configuration
- 5 Emergency Access
- 6 Conditional Access
- 7 Passwordless
- 8 Authentication Strengths
- 9 JEA / JIT
- 10 Education
Before going into the details, we should make sure that we know what we want to protect and why.
Why? / What?
Identity is the first asset that may come under attack. You can’t access workstations or servers without authentication; this is why protecting identity is so crucial, and also why it is so exposed to attackers.
Nowadays, with modern ways of remote work, we use the same identity to access Azure, Office 365, Dynamics, and other applications.
1 & 2 Frameworks and Benchmarks
Have you ever heard about MITRE ATT&CK or CIS Workbench?
If not, I highly recommend checking the recommendations for Identity and Access Management in both resources. You might be surprised how many recommendations are placed there.
And by the way – both are free of charge!
3 Zero Trust Model
I hope you know the Zero Trust concept. Over the last year there has been a lot of useful information on the Internet with implementation recommendations from multiple vendors.
In a nutshell, it’s about changing the mindset:
- from VPNs, Firewalls, and all network tools are protecting us,
- to security on every particular level.
Trust no one!
There is a great webpage showing the mind map for Zero Trust and categorizing it into the following areas:
4 Basic Azure AD configuration
Below I’m listing the configuration points that I go through every time I work on a new tenant.
This setting protects your data (users, emails, etc.) from being harvested by a rogue or badly written application. Simply put, you decide whether the applications that users request are asking for too many permissions.
This setting prevents users from creating their own tenants (and becoming Global Administrator there) with our tenant’s identity.
Restrict Access to the Azure AD administration portal
This prevents users without any Azure AD role assigned from browsing Azure AD in the portal.
Self-Service Password Reset
Have you ever been called by users to reset their passwords? I bet you have.
Try to make it simple and let users reset their own password when needed – at night, during public holidays, etc.
Guest Accounts Settings
Do not forget about guest accounts. They exist in every tenant, so think about which permissions you assign to them. As always, it depends on your needs and security recommendations.
Don’t forget about logs; we need to know what is happening with our users.
Remember to configure Azure AD Sign-in and Audit logs to be sent to a Log Analytics workspace (requires at least an Azure AD P1 license).
5 Emergency Access
Have you ever lost access to a lab/test environment? I guess it was a hard time for you – pressure, time spent on preparation, and then everything is gone…
In this case, the solution is emergency access accounts – “Break Glass Accounts” prepared for the cloud.
There are some principles that should be followed in order to configure emergency access, described here.
6 Conditional Access
Using conditional access in a basic setup you can enforce MFA usage for all of your users in a simple way.
Additionally, you can also control access to cloud applications, from specific locations, session management, and many more.
As always, this feature requires at least an Azure AD P1 license.
7 Passwordless
Passwordless is another topic, next to the Zero Trust Model, that made a lot of noise last year.
Authentication with Windows Hello for Business, FIDO keys, certificates, and the Authenticator app can help you get rid of passwords.
8 Authentication Strengths
You may remember my series regarding Passwordless Authentication and the one main feature that was missing: we could not configure a CA policy to enforce FIDO2 key usage for privileged accounts. Of course, we could choose passwordless during the login process, but we were unable to enforce passwordless-only sign-in.
Finally, Microsoft recently announced Authentication strengths – a feature that addresses this missing piece of the puzzle.
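As an added example (not from the original post), here the policies from steps 5, 6 and 8 are expressed as Microsoft Graph conditionalAccessPolicy request bodies, together with a review check that every active policy excludes the break-glass accounts. The user and role ids are constructed placeholders, and the built-in authentication strength id is an assumption you should verify in your own tenant.

```python
import json

# Assumption: id of the built-in "Phishing-resistant MFA" authentication strength.
# Verify it in your tenant (GET /identity/conditionalAccess/authenticationStrength/policies).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def mfa_for_all_users(break_glass_ids):
    """Step 6 baseline: require MFA for every user, emergency accounts excluded."""
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",  # report-only first, enable later
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def phishing_resistant_for_admins(admin_role_ids, break_glass_ids):
    """Step 8: privileged roles can only satisfy the policy with a phishing-resistant method."""
    return {
        "displayName": "CA002 - Phishing-resistant MFA for admins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": list(admin_role_ids), "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }


def policies_missing_break_glass_exclusion(policies, break_glass_ids):
    """Step 5 review check: every non-disabled policy must exclude every emergency account."""
    wanted = set(break_glass_ids)
    return [
        p["displayName"]
        for p in policies
        if p.get("state") != "disabled"
        and not wanted <= set(p["conditions"]["users"].get("excludeUsers", []))
    ]


if __name__ == "__main__":
    # Constructed placeholder ids; replace with your break-glass user object ids.
    bg = ["11111111-1111-1111-1111-111111111111"]
    print(json.dumps(mfa_for_all_users(bg), indent=2))
```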
9 JEA / JIT
When it comes to Just-in-Time access / Just-Enough-Administration, Azure AD PIM is a good example.
It can help us to assign permissions for a specific time to Azure AD Roles, Azure Resource Permissions, or membership in Privileged Access Groups.
No more permanent assignments – time-boxed assignments for the win!!
10 Education
Educate yourself and your co-workers.
Make sure you know the most common and latest attack techniques, so that you can prepare and protect.
Spread the knowledge with others!
Stay safe and secure!