Microsoft Cloud Centralize Identity Management (Best Practice 1/10)

I always recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.

Organizations that don’t integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.

  1. Best Practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity. Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.
  2. Best practice: Integrate your on-premises directories with Azure AD. Use Azure AD Connect to synchronize your on-premises directory with your cloud directory. Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity.
  3. Best practice: Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance. Also, don’t change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).
  4. Best practice: Turn on password hash synchronization. Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks. Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren’t connected to Azure AD. (Other Microsoft services such as MCAS will be required for this option)
  5. Best practice: For new application development, use Azure AD for authentication. Use the correct capabilities to support authentication:
    • Azure AD for employees
    • Azure AD B2B for guest users and external partners
    • Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

Azure Authentication, Identity, and Access Management Best Practices (The Series)

Over the years, I have seen how authentication processes have been evolving into what it is and what we know today. My clients already in the cloud or looking into adopting the cloud are constantly asking me about the “Best Practices” to secure their Microsoft cloud adoption. This is why I have decided to write this blog post series of Microsoft Cloud authentication, Identity and Access Management.

Network firewalls used to be considered the perimeter defense of the network. But with cloud services, that perimeters keep getting more porous, and that perimeter defense can’t be as effective as it was before the explosion of BYOD devices and cloud applications.

Today, enterprises are starting to understand that identity needs to be the primary perimeter for security. This is a shift from the traditional focus on network security. Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

Best Practice

  1. Centralized Identity Management (Best Practice 1/10)
  2. Enable single sign-on for the Microsoft Cloud (Best Practice 2/10)
  3. Enable Conditional Access (Best Practice 3/10)
  4. Enable self-service Password reset with Azure AD Premium (Best Practice 4/10)
  5. Enable Conditional Access for cloud access. (Best Practice 5/10)
  6. Enforce multi-factor verification for users (Best Practice 6/10)
  7. Use role-based access control (Best Practice 7/10)
  8. Turn on Azure AD Privileged Identity Management (Best Practice 8/10)
  9. Define at least two emergency access accounts. (Best Practice 9/10)
  10. Ensure all critical admin roles have a separate account for administrative tasks (Best Practice 10/10)