Enforce multi-factor verification for users (Best Practice 6/10)

Enabling two-factor authentication should be the standard and perhaps it should be enforced as the minimum requirements for authentication for any cloud service. Password are not safe, and users keeps making the same mistakes protection and securing their password.

I highly recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised.

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you’re running, and your licensing program. There are numerous options in Azure AD. From using the build-in option included in the regular subscription, to using Azure Multi-factor authentication server for on-premise services or using a third part solution such as DOU, VIPAccess, Okta, or RSAID with Federation.

Enabled the functionality of Conditional Access (Best Practice 3/10)

The idea of the cloud is to allow users to access the resources by using a variety of devices and apps from anywhere at any time. Since the perimeter of the network is no longer the edge but the identity, IT administrators face the challenges, therefore controlling the devices and making sure that these devices meet the standards for security and compliance, is a very effective way to protect the cloud implementation.

The trade between security and productivity here plays an important role. IT admins need to think about how a resource is accessed before they can make a decision about access control. With Azure AD Conditional Access, IT administrators can address this requirement. With Conditional Access, IT admins can make automated access control decisions based on conditions for accessing your cloud apps.

Best practice: Manage and control access to corporate resources. Configure Azure AD Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

Best practice: Block legacy authentication protocols. Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols. See the video Azure AD: Do’s and Don’ts for more information.

Image result for conditional access

 

 

*Image from Official Microsoft Website – Credit: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Types of conditions:

  • Sign-in risk: Azure AD Identity Protection detects sign-in risks. How do you restrict access if a detected sign-in risk indicates a bad actor? What if you would like to get stronger evidence that a sign-in was performed by the legitimate user? What if your doubts are strong enough to even block specific users from accessing an app?
  • Network location: Azure AD is accessible from anywhere. What if an access attempt is performed from a network location that is not under the control of your IT department? A username and password combination might be good enough as proof of identity for access attempts from your corporate network. What if you demand a stronger proof of identity for access attempts that are initiated from other unexpected countries or regions of the world? What if you even want to block access attempts from certain locations?
  • Device management: In Azure AD, users can access cloud apps from a broad range of devices including mobile and also personal devices. What if you demand that access attempts should only be performed with devices that are managed by your IT department? What if you even want to block certain device types from accessing cloud apps in your environment?
  • Client application: Today, you can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. What if an access attempt is performed using a client app type that causes known issues? What if you require a device that is managed by your IT department for certain app types?

Microsoft Cloud Centralize Identity Management (Best Practice 1/10)

I always recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Organizations that don’t integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.

  1. Best Practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity. Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.
  2. Best practice: Integrate your on-premises directories with Azure AD. Use Azure AD Connect to synchronize your on-premises directory with your cloud directory. Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity.
  3. Best practice: Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance. Also, don’t change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).
  4. Best practice: Turn on password hash synchronization. Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks. Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren’t connected to Azure AD. (Other Microsoft services such as MCAS will be required for this option)
  5. Best practice: For new application development, use Azure AD for authentication. Use the correct capabilities to support authentication:
    • Azure AD for employees
    • Azure AD B2B for guest users and external partners
    • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications