Azure AD Security: Key Configurations and Recommendations for a Secure Environment


To enhance the security of your Azure Active Directory (Azure AD), now known as Microsoft Entra ID, here are some specific recommendations along with the necessary steps to implement them. These recommendations are designed to reduce the attack surface and ensure robust security for your tenant.

1. Create Break Glass Accounts

Risk:

Without break glass accounts, you risk being locked out of the tenant in case of Conditional Access (CA) policy issues.

Recommendations:

  • Create two cloud-only Global Administrator (GA) accounts: These accounts should not be linked to on-premises Active Directory.
  • Exclude from CA policies: Ensure these accounts are excluded from all Conditional Access policies.
  • Set strong passwords and use FIDO2 keys: Use long, complex passwords and enroll FIDO2 keys for secure login.
  • Monitor sign-ins: Set up alerts for successful sign-ins from these accounts.

Steps:

  1. Go to Azure AD > Users > New user.
  2. Create two new users using the tenant's *.onmicrosoft.com domain.
  3. Assign the Global Administrator role to these users.
  4. Exclude these accounts from all CA policies.
  5. Set strong passwords and configure FIDO2 keys.
  6. Set up monitoring and alerts for sign-ins.
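Step 4 is easy to get wrong as policies are added over time, so a regular audit helps. The following is an added example (not from the original post) that checks every enforced or report-only Conditional Access policy for a direct exclusion of each break glass account; the policy objects mirror the `state` and `conditions.users` fields of the Microsoft Graph conditionalAccessPolicy resource, and all object IDs, UPNs and policy names are constructed sample data.

```python
"""Audit Conditional Access policies for missing break glass exclusions."""

# Constructed sample object IDs -> UPNs of the two break glass accounts.
BREAK_GLASS = {
    "11111111-1111-1111-1111-111111111111": "bg-admin-01@contoso.onmicrosoft.com",
    "22222222-2222-2222-2222-222222222222": "bg-admin-02@contoso.onmicrosoft.com",
}

# Constructed sample policies in the shape returned by
# GET /identity/conditionalAccess/policies (only the fields used here).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": list(BREAK_GLASS)}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["11111111-1111-1111-1111-111111111111"]}}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "Require compliant device for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["33333333-3333-3333-3333-333333333333"],
                              "excludeUsers": []}}},
]


def missing_exclusions(policies, break_glass):
    """Return {policy display name: [break glass UPNs not excluded]}.

    Disabled policies are skipped. Report-only policies are included on
    purpose: the moment someone switches them on they enforce, and that is
    exactly when a forgotten exclusion locks you out.
    Only direct user exclusions are checked; an exclusion via excludeGroups
    would need a group membership lookup and is not modelled here.
    """
    findings = {}
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        users = policy.get("conditions", {}).get("users", {})
        excluded = set(users.get("excludeUsers", []))
        gaps = [upn for uid, upn in break_glass.items() if uid not in excluded]
        if gaps:
            findings[policy["displayName"]] = gaps
    return findings


if __name__ == "__main__":
    for name, upns in missing_exclusions(SAMPLE_POLICIES, BREAK_GLASS).items():
        print(f"{name}: not excluded -> {', '.join(upns)}")
```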

2. Send AAD Logs to Log Analytics Workspace (LAW)

Risk:

Limited log retention can hinder the ability to identify potential attacks and evaluate the impact of new features.

Recommendations:

  • Configure log forwarding: Store logs for a longer period in a Log Analytics workspace.

Steps:

  1. Go to Azure AD > Diagnostic settings.
  2. Click on “+ Add diagnostic setting”.
  3. Select the log categories (e.g., SignInLogs) to store.
  4. Set the destination to “Send to Log Analytics workspace”.
  5. Select or create a Log Analytics workspace.
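Once sign-in logs land in the workspace, the alert from section 1 (step 6) becomes a simple query over them. The following is an added example, not from the original post, that runs the same logic over constructed records in the column layout of the `SigninLogs` table (`TimeGenerated`, `UserPrincipalName`, `ResultType`, `IPAddress`, `AppDisplayName`); UPNs, IPs and timestamps are sample values.

```python
"""Alert on break glass account activity in exported SigninLogs rows."""
import json

BREAK_GLASS_UPNS = {"bg-admin-01@contoso.onmicrosoft.com",
                    "bg-admin-02@contoso.onmicrosoft.com"}

# Constructed sample rows (JSON lines). ResultType "0" is a successful
# sign-in; any other value is an Entra error code for a failed attempt.
SAMPLE_SIGNINLOGS = """\
{"TimeGenerated":"2024-05-01T08:00:12Z","UserPrincipalName":"alice@contoso.com","ResultType":"0","IPAddress":"203.0.113.10","AppDisplayName":"Office 365"}
{"TimeGenerated":"2024-05-01T08:05:40Z","UserPrincipalName":"BG-Admin-01@contoso.onmicrosoft.com","ResultType":"50126","IPAddress":"198.51.100.7","AppDisplayName":"Azure Portal"}
{"TimeGenerated":"2024-05-01T08:06:03Z","UserPrincipalName":"bg-admin-01@contoso.onmicrosoft.com","ResultType":"0","IPAddress":"198.51.100.7","AppDisplayName":"Azure Portal"}
{"TimeGenerated":"2024-05-01T09:15:00Z","UserPrincipalName":"bob@contoso.com","ResultType":"50074","IPAddress":"203.0.113.22","AppDisplayName":"Office 365"}
"""

# The same check as a KQL query in the Log Analytics workspace:
#   SigninLogs
#   | where ResultType == "0"
#   | where UserPrincipalName in~ ("bg-admin-01@contoso.onmicrosoft.com",
#                                  "bg-admin-02@contoso.onmicrosoft.com")
#   | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName


def break_glass_alerts(jsonl, break_glass_upns):
    """Return (alerts, failures).

    alerts:   one entry per successful break glass sign-in; these accounts
              are meant to sit unused, so every success deserves a look.
    failures: failed attempts per break glass account, so a guessing run
              against an account that is excluded from CA is noticed too.
    """
    alerts, failures = [], {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        upn = row["UserPrincipalName"].lower()  # UPNs are case-insensitive
        if upn not in break_glass_upns:
            continue
        if row["ResultType"] == "0":
            alerts.append({"time": row["TimeGenerated"], "user": upn,
                           "ip": row["IPAddress"], "app": row["AppDisplayName"]})
        else:
            failures[upn] = failures.get(upn, 0) + 1
    return alerts, failures


if __name__ == "__main__":
    found, failed = break_glass_alerts(SAMPLE_SIGNINLOGS, BREAK_GLASS_UPNS)
    for a in found:
        print(f"ALERT {a['time']} {a['user']} from {a['ip']} via {a['app']}")
    print("failed attempts:", failed)
```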

3. Enable Multi-Factor Authentication (MFA)

Risk:

Leaked credentials can allow attackers to take over accounts.

Recommendations:

  • Gradually enable MFA: Implement MFA in batches to avoid disruption.

Steps:

  1. Go to Azure AD > Security > Conditional Access.
  2. Create a new policy to require MFA for specific user groups.
  3. Gradually expand the policy to include all users.
  4. Exclude break glass accounts from MFA requirements.

4. Enable Identity Protection (IdP)

Risk:

Identity compromise can lead to unauthorized access.

Recommendations:

  • Implement IdP policies: Use Sign-in Risk and User Risk policies to protect against malicious actors.

Steps:

  1. Go to Azure AD > Security > Identity Protection.
  2. Configure Sign-in Risk Policy and User Risk Policy.
  3. Set appropriate risk levels and actions (e.g., require MFA, password change).

5. Manage Application Consents

Risk:

Users might consent to malicious applications.

Recommendations:

  • Restrict user consent: Configure user consent settings to prevent unauthorized application access.

Steps:

  1. Go to Azure AD > Enterprise applications > User settings.
  2. Set “Users can consent to apps accessing company data on their behalf” to “No”.
  3. Configure admin consent settings as per organizational needs.

6. Restrict Tenant Creation

Risk:

Tenants created by non-admin users fall outside your organization's governance and monitoring and can lead to security breaches.

Recommendations:

  • Restrict non-admin users from creating tenants: Prevent users from creating new tenants.

Steps:

  1. Go to Azure AD > User settings.
  2. Set “Restrict non-admin users from creating tenants” to “Yes”.
  3. Optionally, restrict access to the Microsoft Entra admin center.

7. Check Identity Secure Score

Risk:

Unaddressed security issues can lead to identity compromise.

Recommendations:

  • Review and improve Identity Secure Score: Regularly check and act on recommendations.

Steps:

  1. Go to Azure AD > Identity Secure Score.
  2. Review the recommendations and implement suggested actions.

8. Enable Antivirus Scanning for SharePoint Online (SPO)

Risk:

Malware can spread through infected files in SPO; antivirus scanning for SPO is, unfortunately, disabled by default by Microsoft.

Recommendations:

  • Enable antivirus scanning: Configure antivirus settings for SharePoint Online.

Steps:

  1. Follow the detailed steps in the Microsoft documentation to enable antivirus scanning for SPO.

9. Monitor Public IP Usage

Risk:

Public IPs can be entry points for attacks.

Recommendations:

  • Monitor and control Public IPs: Regularly check and manage public IP addresses.

Steps:

  1. Use Azure Monitor or the Public IP addresses view in the Azure portal to track public IP addresses.
  2. Implement policies to restrict or monitor the creation of public IPs.

10. Implement Naming Conventions

Risk:

Inconsistent naming can lead to a disorganized environment.

Recommendations:

  • Adopt a consistent naming convention: Ensure all resources follow a standardized naming scheme.

Steps:

  1. Define a naming convention for all Azure resources.
  2. Enforce the convention through policies and guidelines.

By following these recommendations and steps, you can significantly enhance the security of your Azure AD environment, ensuring a robust defense against potential threats.

Feel free to let me know your perspective on my proposal.
