This document helps you improve your security posture using the capabilities of Azure Active Directory, through a five-step checklist that strengthens your organization's protection against cyber-attacks.
This checklist will help you quickly deploy critical recommended actions to protect your organization immediately by explaining how to:
Strengthen your credentials
Reduce your attack surface area
Automate threat response
Utilize cloud intelligence
Enable end-user self-service
The recommendations in this document are aligned with the Identity Secure Score, an automated assessment of your Azure AD tenant’s identity security configuration. Organizations can use the Identity Secure Score page in the Azure AD portal to find gaps in their current security configuration to ensure they follow current Microsoft best practices for security. Implementing each recommendation in the Secure Score page will increase your score and allow you to track your progress, plus help you compare your implementation against other similar size organizations.
Before you begin: Protect privileged accounts with MFA
Before you begin this checklist, make sure you don't get compromised while you're working through it. In Azure Active Directory we observe 50 million password attacks daily, yet only 20% of users and 30% of global admins are using strong authentication methods such as multi-factor authentication (MFA). These statistics are based on data as of August 2021. In Azure AD, users who have privileged roles, such as administrators, are the root of trust to build and manage the rest of the environment. Implement the following practices to minimize the effects of a compromise.
Attackers who get control of privileged accounts can do tremendous damage, so it's critical to protect these accounts before proceeding. Enable and require Azure AD Multi-Factor Authentication (MFA) for all administrators in your organization using Azure AD Security Defaults or Conditional Access.
Step 1 - Strengthen your credentials
Although other types of attacks are emerging, including consent phishing and attacks on nonhuman identities, password-based attacks on user identities are still the most prevalent vector of identity compromise. Well-established spear phishing and password spray campaigns by adversaries continue to be successful against organizations that haven’t yet implemented multi-factor authentication (MFA) or other protections against this common tactic.
As an organization you need to make sure that your identities are validated and secured with MFA everywhere. Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) helps safeguard access to data and applications, providing another layer of security by using a second form of authentication. Organizations can enable multi-factor authentication with Conditional Access to make the solution fit their specific needs.
Make sure your organization uses strong authentication
To easily enable the basic level of identity security, you can use the one-click enablement with Azure AD security defaults. Security defaults enforce Azure AD MFA for all users in a tenant and block sign-ins from legacy protocols tenant-wide.
If your organization has Azure AD P1 or P2 licenses, then you can also use the Conditional Access insights and reporting workbook to help you discover gaps in your configuration and coverage. From these recommendations, you can easily close this gap by creating a policy using the new Conditional Access templates experience. Conditional Access templates are designed to provide an easy method to deploy new policies that align with Microsoft's recommended best practices, making it easy to deploy common policies to protect your identities and devices.
Start banning commonly attacked passwords and turn off traditional complexity and expiration rules.
Many organizations use traditional complexity and password expiration rules. We recommend you use Azure AD password protection, a dynamic banned-password feature that uses current attacker behavior to prevent users from setting passwords that can easily be guessed. This capability is always on when users are created in the cloud, and is now also available for hybrid organizations when they deploy Azure AD password protection for Windows Server Active Directory. In addition, we recommend you remove expiration policies. Password change offers no containment benefit because cyber criminals almost always use credentials as soon as they compromise them.
Protect against leaked credentials and add resilience against outages
The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable password hash synchronization (PHS). If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync for the following two reasons:
The Users with leaked credentials report in Azure AD warns of username and password pairs that have been exposed publicly. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities.
If an on-premises outage happens, like a ransomware attack, you can switch over to using cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved.
Passwords are never stored in clear text or encrypted with a reversible algorithm in Azure AD. For more information, see the documentation on the actual process of password hash synchronization.
Implement AD FS extranet smart lockout
Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently from those of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive. Organizations that configure applications to authenticate directly to Azure AD benefit from Azure AD smart lockout. Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using AD FS Extranet Lockout and Extranet Smart Lockout.
Step 2 - Reduce your attack surface area
Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. This means disabling the use of older, less secure protocols, limiting access entry points, moving to cloud authentication, exercising more significant control of administrative access to resources, and embracing Zero Trust security principles.
Use Cloud Authentication
Credentials are a primary attack vector. The practices in this document reduce the attack surface by using cloud authentication, deploying MFA, and using passwordless authentication methods. You can deploy passwordless methods such as Windows Hello for Business, phone sign-in with the Microsoft Authenticator app, or FIDO.
Block legacy authentication
Apps that use their own legacy methods to authenticate with Azure AD and access company data pose another risk for organizations. Examples of apps using legacy authentication are POP3, IMAP4, or SMTP clients. Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, reduces your security risk because it supports multi-factor authentication and Conditional Access.
We recommend the following actions:
1. Discover legacy authentication in your organization with Azure AD Sign-In logs and Log Analytics workbooks.
2. Set up SharePoint Online and Exchange Online to use modern authentication.
3. If you have Azure AD Premium licenses, use Conditional Access policies to block legacy authentication. For Azure AD free tier, use Azure AD Security Defaults.
4. Block legacy authentication if you use AD FS.
5. Block Legacy Authentication with Exchange Server 2019.
6. Disable legacy authentication in Exchange Online.
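As an added example (not Microsoft's code), the discovery step and the blocking step above in one place: a filter over sign-in log records shaped like Microsoft Graph sign-in entries, identifying the legacy client protocols that Azure AD reports in the clientAppUsed field, and the Conditional Access policy body that blocks those client app types. The sample records, the user names and the emergency-access account id are constructed.

```python
"""Find legacy-authentication sign-ins in Azure AD sign-in log records and build the
Conditional Access policy body that blocks them. Added example, not Microsoft's code."""
from collections import Counter

# clientAppUsed values Azure AD reports for legacy (basic) authentication clients.
# "Browser" and "Mobile Apps and Desktop clients" indicate modern authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services", "SMTP", "Universal Outlook",
}

def find_legacy_signins(signins):
    """Records shaped like Microsoft Graph /auditLogs/signIns entries; keep the legacy ones."""
    return [s for s in signins if s.get("clientAppUsed") in LEGACY_CLIENT_APPS]

def summarize(legacy, successful_only=True):
    """Count (user, protocol) pairs. Successful sign-ins show who still depends on legacy
    clients and must migrate before the block is enforced; failed ones are mostly attack noise."""
    return Counter((s["userPrincipalName"], s["clientAppUsed"]) for s in legacy
                   if not successful_only or s.get("status", {}).get("errorCode", 0) == 0)

def block_legacy_auth_policy(break_glass_ids, enforce=False):
    """Body for POST /identity/conditionalAccess/policies. clientAppTypes exchangeActiveSync and
    other cover every legacy protocol. Start in report-only mode, review the sign-in log, then
    set enforce=True. Emergency-access accounts are excluded so the tenant cannot lock itself out."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "mallory@contoso.example", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for (user, proto), n in summarize(find_legacy_signins(SAMPLE_SIGNINS)).items():
        print(f"{user}: {n} successful {proto} sign-in(s)")
```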
Block invalid authentication entry points
Using the verify explicitly principle, you should reduce the impact of compromised user credentials when they happen. For each app in your environment, consider the valid use cases: which groups, which networks, which devices, and other elements are authorized – then block the rest. With Azure AD Conditional Access, you can control how authorized users access their apps and resources based on specific conditions you define.
Review and govern admin roles
Another Zero Trust pillar is the need to minimize the likelihood a compromised account can operate with a privileged role. This control can be accomplished by assigning the least amount of privilege to an identity. If you’re new to Azure AD Roles, this article will help you understand Azure AD Roles.
Privileged roles in Azure AD should be assigned to cloud-only accounts, to isolate them from any on-premises environment, and their credentials shouldn't be stored in on-premises password vaults.
Implement Privileged Access Management
Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure Active Directory (Azure AD), Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
Azure AD Privileged Identity Management (PIM) helps you minimize account privileges by helping you:
Identify and manage users assigned to administrative roles.
Understand unused or excessive privileged roles you should remove.
Establish rules to make sure privileged roles are protected by multi-factor authentication.
Establish rules to make sure privileged roles are granted only long enough to accomplish the privileged task.
Enable Azure AD PIM, then view the users who are assigned administrative roles and remove unnecessary accounts in those roles. For remaining privileged users, move them from permanent to eligible. Finally, establish appropriate policies to make sure when they need to gain access to those privileged roles, they can do so securely, with the necessary change control.
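The "permanent to eligible" move described above, as an added example that is not Microsoft's code: it builds the Microsoft Graph PIM request bodies that grant eligibility for a role and then remove the standing assignment, keeping emergency-access accounts untouched. The Global Administrator role template id is the built-in one; the principal ids and the justification text are constructed, and field names follow the Graph schema as documented.

```python
"""Build the Microsoft Graph PIM request bodies that turn a permanent Azure AD role
assignment into an eligible one. Added example, not Microsoft's code; field names as documented."""
from datetime import datetime, timezone

GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in Global Administrator template id

def eligibility_request(principal_id, role_definition_id, justification, expires_after_days=None):
    """Body for POST /roleManagement/directory/roleEligibilityScheduleRequests: the principal may
    activate the role (subject to the role's MFA and duration settings) but does not hold it standing."""
    expiration = ({"type": "afterDuration", "duration": f"P{expires_after_days}D"}
                  if expires_after_days else {"type": "noExpiration"})
    return {
        "action": "adminAssign",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": expiration,
        },
    }

def remove_active_assignment(principal_id, role_definition_id, justification):
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests that removes the
    standing assignment once eligibility is in place."""
    return {"action": "adminRemove", "principalId": principal_id,
            "roleDefinitionId": role_definition_id, "directoryScopeId": "/",
            "justification": justification}

def convert_permanent_to_eligible(assignments, break_glass_ids, justification="Move admins to just-in-time access"):
    """assignments: active (principalId, roleDefinitionId) pairs from roleAssignmentScheduleInstances.
    Returns (endpoint, body) pairs in the order to submit them: grant eligibility first, then remove
    the standing assignment. Emergency-access accounts keep their permanent assignment."""
    requests = []
    for a in assignments:
        if a["principalId"] in break_glass_ids:
            continue
        args = (a["principalId"], a["roleDefinitionId"], justification)
        requests.append(("roleEligibilityScheduleRequests", eligibility_request(*args)))
        requests.append(("roleAssignmentScheduleRequests", remove_active_assignment(*args)))
    return requests
```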
Azure AD built-in and custom roles operate on concepts similar to roles found in the role-based access control system for Azure resources (Azure roles). The difference between these two role-based access control systems is:
Azure AD roles control access to Azure AD resources such as users, groups, and applications using the Microsoft Graph API
Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management
Both systems contain similarly used role definitions and role assignments. However, Azure AD role permissions can't be used in Azure custom roles and vice versa. As part of deploying your privileged account process, follow the best practice to create at least two emergency accounts to make sure you still have access to Azure AD if you lock yourself out.
Restrict user consent operations
It’s important to understand the various Azure AD application consent experiences, the types of permissions and consent, and their implications on your organization’s security posture. While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure, and other services, it can represent a risk if not used and monitored carefully.
Microsoft recommends restricting user consent to allow end-user consent only for apps from verified publishers and only for permissions you select. If end-user consent is restricted, previous consent grants will still be honored but all future consent operations must be performed by an administrator. For restricted cases, admin consent can be requested by users through an integrated admin consent request workflow or through your own support processes. Before restricting end-user consent, use our recommendations to plan this change in your organization. For applications you wish to allow all users to access, consider granting consent on behalf of all users, making sure users who haven’t yet consented individually will be able to access the app. If you don’t want these applications to be available to all users in all scenarios, use application assignment and Conditional Access to restrict user access to specific apps.
Make sure users can request admin approval for new applications to reduce user friction, minimize support volume, and prevent users from signing up for applications using non-Azure AD credentials. Once you regulate your consent operations, administrators should audit app and consent permissions regularly.
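An added example (not Microsoft's code) covering both halves of this section: an audit over existing consent grants that flags user-granted permissions to unverified publishers or high-impact scopes, and the Graph request bodies that restrict future user consent and turn on the admin consent request workflow. The sample apps and grants are constructed, the high-impact scope list is an assumed review list rather than an official one, and Graph field names are as documented.

```python
"""Audit existing user consent grants and build the bodies that restrict future
user consent. Added example, not Microsoft's code; Graph field names as documented."""

# Delegated scopes a self-consented app should not hold (an assumed review list, not an official one).
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                      "Directory.ReadWrite.All", "User.ReadWrite.All"}

def risky_user_grants(grants, apps):
    """grants: oauth2PermissionGrant records; apps: servicePrincipal records keyed by id.
    consentType "Principal" is a grant a single user made for themselves ("AllPrincipals"
    is admin consent on behalf of the tenant). Flags user grants that carry a high-impact
    scope or that belong to an app without a verified publisher."""
    findings = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue
        app = apps[g["clientId"]]
        hot = set(g["scope"].split()) & HIGH_IMPACT_SCOPES
        verified = bool(app.get("verifiedPublisher", {}).get("verifiedPublisherId"))
        reasons = []
        if hot:
            reasons.append("high-impact scopes: " + ", ".join(sorted(hot)))
        if not verified:
            reasons.append("unverified publisher")
        if reasons:
            findings.append({"app": app["displayName"], "user": g["principalId"], "reasons": reasons})
    return findings

def restrict_user_consent_policy():
    """PATCH /policies/authorizationPolicy body. The weak legacy value,
    ManagePermissionGrantsForSelf.microsoft-user-default-legacy, lets users consent to
    any permission; the low policy allows only verified publishers and low-impact scopes."""
    return {"defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-low"]}}

def admin_consent_request_policy(reviewer_user_ids, days=30):
    """PUT /policies/adminConsentRequestPolicy body: blocked users can ask an admin
    instead of working around the control with non-Azure AD credentials."""
    return {"isEnabled": True, "notifyReviewers": True, "remindersEnabled": True,
            "requestDurationInDays": days,
            "reviewers": [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
                          for uid in reviewer_user_ids]}

# Constructed sample data (not from a real tenant).
APPS = {"app-1": {"displayName": "Contoso Notes", "verifiedPublisher": {"verifiedPublisherId": "12345"}},
        "app-2": {"displayName": "Free Mail Sync", "verifiedPublisher": {}}}
GRANTS = [{"clientId": "app-1", "consentType": "Principal", "principalId": "alice", "scope": "User.Read openid"},
          {"clientId": "app-2", "consentType": "Principal", "principalId": "bob", "scope": "Mail.Read offline_access"},
          {"clientId": "app-1", "consentType": "AllPrincipals", "principalId": None, "scope": "Mail.Send"}]
```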
Step 3 - Automate threat response
Azure Active Directory has many capabilities that automatically intercept attacks, removing the latency between detection and response. You reduce costs and risks when you reduce the time criminals have to embed themselves in your environment. Here are the concrete steps you can take.
Implement sign-in risk policy
A sign-in risk represents the probability that a given authentication request wasn't authorized by the identity owner. A sign-in risk-based policy is implemented by adding a sign-in risk condition to your Conditional Access policies that evaluates the risk level of sign-ins for a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication. We recommend that you force multi-factor authentication on sign-ins with Medium or higher risk.
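An added example (not Microsoft's code) that serves this step and the "Before you begin" requirement of MFA for all administrators: it builds both Conditional Access policy bodies in the Graph schema and includes a simplified evaluator showing what an enforced, report-only or excluded policy does to a sample sign-in. The Global Administrator template id is the built-in one; the user ids and the evaluator's sign-in records are constructed, and the evaluator only models the conditions these two policies use.

```python
"""Conditional Access policy bodies for two controls in this checklist: MFA for every
administrator and MFA on medium-or-high sign-in risk, plus a simplified evaluator that shows
what each policy does to a sign-in. Added example, not Microsoft's code."""

GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in Global Administrator template id

def _policy(name, users, extra_conditions, control, enforce):
    """Graph conditionalAccessPolicy body; report-only until enforce=True."""
    conditions = {"applications": {"includeApplications": ["All"]}, "users": users, **extra_conditions}
    return {"displayName": name,
            "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
            "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": [control]}}

def require_mfa_for_admins(admin_role_ids, break_glass_ids, enforce=False):
    """Scope by directory role template id so newly assigned admins are covered automatically."""
    users = {"includeRoles": list(admin_role_ids), "excludeUsers": list(break_glass_ids)}
    return _policy("Require MFA for administrators", users, {}, "mfa", enforce)

def require_mfa_on_sign_in_risk(break_glass_ids, levels=("medium", "high"), enforce=False):
    """The sign-in risk condition; "medium" and "high" match the recommendation above."""
    users = {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)}
    return _policy("Require MFA for risky sign-ins", users, {"signInRiskLevels": list(levels)}, "mfa", enforce)

def decide(signin, policies):
    """Simplified evaluation of the conditions used above (roles, user exclusions, sign-in risk).
    Returns "allow", "mfa" or "block"; block wins when several enforced policies apply."""
    outcome = "allow"
    for p in policies:
        if p["state"] != "enabled":
            continue  # report-only policies log but never change the outcome
        cond, users = p["conditions"], p["conditions"]["users"]
        if signin["userId"] in users.get("excludeUsers", []):
            continue
        in_roles = set(signin.get("roles", [])) & set(users.get("includeRoles", []))
        if "All" not in users.get("includeUsers", []) and not in_roles:
            continue
        if "signInRiskLevels" in cond and signin.get("riskLevel", "none") not in cond["signInRiskLevels"]:
            continue
        control = p["grantControls"]["builtInControls"][0]
        outcome = "block" if "block" in (outcome, control) else control
    return outcome
```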