
Top 5 Azure AD Security Best Practices

Azure Active Directory holds the keys to your Microsoft 365 kingdom. Responsible for vital functions such as authentication and authorization, Azure AD is ultimately responsible for managing access across the Microsoft cloud ecosystem. For that reason, it is the target of many cyberattacks.

In this blog post, we will detail the top 5 security best practices to follow to secure your Azure Active Directory and protect your business.

1. Limit administrative privileges.

Admin accounts are the #1 target for attackers because they provide access to more sensitive data and systems across an organization’s ecosystem. While these accounts are necessary for both business and IT functions, they represent a significant risk to your organization.

Accordingly, experts emphasize that it’s critical to not only secure these accounts but to limit the number of them as well. Achieving that goal requires a comprehensive understanding of all of your organization’s administrative accounts — both those that are obvious and those that are not. Therefore, in addition to enumerating the membership of known groups or roles that provide administrative access, be sure to audit individual access rights to uncover shadow admins that might be lurking around and take steps to reduce the opportunities for privilege escalation through non-standard means.
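To make the "obvious and not so obvious admins" point concrete, here is an added example (not code from the original post or from Netwrix) that resolves who effectively holds a privileged role when role membership is granted through groups. It works on a simplified, constructed snapshot in the shape a review script would pull from Microsoft Graph (directory roles with their members, groups with members and owners); every user, group and role name is made-up sample data, and the set of roles treated as privileged is an assumption you would adjust for your tenant.

```python
"""Added example (not the original post's or Netwrix's code): resolve who
effectively holds privileged Azure AD roles, including "shadow admins" who
reach a role through nested groups or by owning a role-assigned group.

Assumes input shaped like a simplified Microsoft Graph export of
/directoryRoles (role -> members) and /groups (members and owners).
Every name below is constructed sample data, not a real tenant."""

from collections import defaultdict

# Roles treated as privileged for this review (a constructed subset).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "User Administrator",
}

# Constructed sample directory. Members that are group names get expanded.
SAMPLE_ROLES = {
    "Global Administrator": ["alice", "grp-breakglass"],
    "Application Administrator": ["grp-app-admins"],
    "Helpdesk Administrator": ["carol"],
}
SAMPLE_GROUPS = {
    "grp-breakglass": {"members": ["bg-admin-01"], "owners": ["dave"]},
    "grp-app-admins": {"members": ["bob", "grp-contractors"], "owners": ["erin"]},
    "grp-contractors": {"members": ["frank"], "owners": []},
}


def nested_groups(group, groups, seen=None):
    """Return `group` plus every group transitively nested inside it (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return seen
    seen.add(group)
    for member in groups[group]["members"]:
        if member in groups:
            nested_groups(member, groups, seen)
    return seen


def group_users(group, groups):
    """Return every user that is a member of `group`, directly or via nesting."""
    users = set()
    for g in nested_groups(group, groups):
        users.update(m for m in groups[g]["members"] if m not in groups)
    return users


def find_privileged_principals(roles, groups, privileged=PRIVILEGED_ROLES):
    """Map user -> set of (role, path) for every privileged role the user holds.

    Paths: 'direct' (listed on the role), 'member via <group>' (reached through
    a role-assigned group, however deeply nested) and 'owner of <group>'
    (an owner can add members to the group, so they control the role)."""
    findings = defaultdict(set)
    for role, members in roles.items():
        if role not in privileged:
            continue
        for member in members:
            if member not in groups:
                findings[member].add((role, "direct"))
                continue
            for user in group_users(member, groups):
                findings[user].add((role, f"member via {member}"))
            for g in nested_groups(member, groups):
                for owner in groups[g]["owners"]:
                    findings[owner].add((role, f"owner of {g}"))
    return dict(findings)


def shadow_admins(findings):
    """Users who hold a privileged role only through an indirect path."""
    return sorted(u for u, paths in findings.items()
                  if all(p != "direct" for _, p in paths))


if __name__ == "__main__":
    result = find_privileged_principals(SAMPLE_ROLES, SAMPLE_GROUPS)
    for user in sorted(result):
        for role, path in sorted(result[user]):
            print(f"{user:12} {role:28} {path}")
    print("shadow admins:", shadow_admins(result))
```

On the sample data, only alice appears in the Global Administrator role itself; frank reaches Application Administrator through two levels of nesting and dave controls Global Administrator by owning the break-glass group, which is exactly the kind of membership a group-by-group review misses.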

2. Review access and application permissions regularly.

Azure AD goes beyond the provisioning powers of on-prem Active Directory — it is responsible for authenticating and granting access to not only users and groups, but also applications using modern authentication methods such as SAML or OAuth. Over time, these applications might no longer require the access they have been granted. Indeed, without oversight and consistent review, significant access sprawl can occur, greatly increasing the organization’s attack surface area.
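The following added example (not from the original post or from Netwrix) shows what a periodic application permission review can look like as code. It takes a constructed list of service principals carrying the fields such a review would read from Microsoft Graph (delegated OAuth2 permission grants with their consent type and scope string, application permissions resolved to names, and last sign-in date), and flags high-privilege permissions, tenant-wide consent, and apps that have gone stale. The app names, dates, the 90-day staleness window and the list of permissions considered high-privilege are all assumptions for the example.

```python
"""Added example (not the original post's or Netwrix's code): review the
permissions held by service principals and flag what a reviewer should
look at first: high-privilege scopes, tenant-wide consent, and stale apps.

Input mimics fields pulled from Microsoft Graph (oauth2PermissionGrants:
consentType and scope; appRoleAssignments resolved to permission names;
service principal sign-in activity). All apps and dates are constructed."""

from datetime import date, timedelta

# Permission names whose grant should always be justified (constructed
# subset of the Graph permission names a reviewer would watch).
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "User.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
}
STALE_AFTER = timedelta(days=90)   # assumed review threshold

# Constructed sample service principals.
SAMPLE_APPS = [
    {"appId": "app-hr-sync", "displayName": "HR Sync",
     "delegated": [{"consentType": "AllPrincipals",
                    "scope": "User.Read Directory.ReadWrite.All"}],
     "application": ["User.ReadWrite.All"],
     "lastSignIn": date(2024, 5, 2)},
    {"appId": "app-old-survey", "displayName": "Survey Tool (pilot)",
     "delegated": [{"consentType": "Principal", "scope": "User.Read Mail.Read"}],
     "application": [],
     "lastSignIn": date(2023, 11, 20)},
    {"appId": "app-legacy-connector", "displayName": "Legacy Connector",
     "delegated": [],
     "application": ["Mail.ReadWrite"],
     "lastSignIn": None},
    {"appId": "app-wiki", "displayName": "Team Wiki",
     "delegated": [{"consentType": "Principal", "scope": "User.Read"}],
     "application": [],
     "lastSignIn": date(2024, 6, 1)},
]


def review_app(app, today):
    """Return the list of findings (strings) for one service principal."""
    findings = []
    for grant in app["delegated"]:
        scopes = set(grant["scope"].split())
        # AllPrincipals = admin consent on behalf of every user in the tenant
        wide = " (tenant-wide)" if grant["consentType"] == "AllPrincipals" else ""
        for scope in sorted(scopes & HIGH_PRIVILEGE):
            findings.append(f"high-privilege delegated scope {scope}{wide}")
    # Application permissions act without any signed-in user at all
    for perm in sorted(set(app["application"]) & HIGH_PRIVILEGE):
        findings.append(f"high-privilege application permission {perm}")
    last = app.get("lastSignIn")
    if last is None:
        findings.append("stale: never signed in")
    elif today - last > STALE_AFTER:
        findings.append(f"stale: last sign-in {(today - last).days} days ago")
    return findings


def review_apps(apps, today=None):
    """Map appId -> findings for every app; an empty list means nothing to review."""
    today = today or date.today()
    return {app["appId"]: review_app(app, today) for app in apps}


if __name__ == "__main__":
    for app_id, findings in review_apps(SAMPLE_APPS, date(2024, 6, 10)).items():
        print(app_id, "->", findings or "ok")
```

Apps with an empty findings list can be skipped; the rest are the access sprawl the post is talking about, ordered by whoever triages it by how much the permission could do and whether anyone still uses the app.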

3. Enable Azure AD Multi-Factor Authentication (MFA).

Azure AD MFA mitigates the risk of password-only authentication by requiring users to provide a combination of two or more factors: “something they know” (e.g., a password), “something they have” (e.g., a trusted device like a phone) and “something they are” (e.g., a fingerprint). In general, it is recommended to enable MFA not just for administrators but for all users — especially accounts that can pose a significant threat if compromised.

Microsoft provides several methods to enable MFA:

  • Azure AD security defaults — This option enables organizations to streamline MFA deployment and apply policies to challenge administrative accounts, require MFA via Microsoft Authenticator for all users, and restrict legacy authentication protocols. This method is available across all licensing tiers.
  • Conditional Access policies — These policies provide flexibility to require MFA under specific conditions, such as sign-in from unusual locations, untrusted devices or risky applications. This approach lessens the burden on users by requiring additional verification only when extra risk is identified.
  • Modifying user state on a user-by-user basis — This option works with both Azure AD MFA in the cloud and the Azure MFA Authentication server. It requires users to perform two-step verification with every sign-in and overrides Conditional Access policies.
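As an added example (not code from the original post or from Netwrix), here is a small linter for Conditional Access policies in the JSON shape Microsoft Graph returns from `/identity/conditionalAccess/policies`. It checks the two baselines the section describes, MFA required for all users on all apps and legacy authentication blocked, and shows a weak configuration (a report-only, admin-only pilot policy) beside the corrected one. The field names (`state`, `conditions.users.includeUsers`, `grantControls.builtInControls`, `clientAppTypes`) are the Graph schema; the policy display names, the break-glass account and the role template ID placeholder are constructed.

```python
"""Added example (not the original post's or Netwrix's code): lint
Conditional Access policies for two baselines, MFA for all users and
legacy authentication blocked.

Field names follow the Microsoft Graph conditionalAccessPolicy schema;
the policies themselves are constructed samples."""


def requires_mfa(policy):
    """True if the grant controls make MFA mandatory rather than one option.

    With operator 'OR' and several controls (e.g. mfa OR compliantDevice), a
    compliant device satisfies the policy without MFA, so only a sole 'mfa'
    control or an 'AND' combination counts as requiring it."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    return "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])


def covers_everyone(policy):
    """True if the policy targets all users and all cloud apps."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return (users.get("includeUsers") == ["All"]
            and apps.get("includeApplications") == ["All"])


def blocks_legacy_auth(policy):
    """True if the policy blocks the legacy client app types (EAS and 'other')."""
    client_types = set(policy["conditions"].get("clientAppTypes", []))
    grant = policy.get("grantControls") or {}
    return ({"exchangeActiveSync", "other"} <= client_types
            and grant.get("builtInControls") == ["block"])


def lint_policies(policies):
    """Return the two baseline booleans plus a list of human-readable issues."""
    issues = []
    mfa_all = legacy_blocked = False
    for p in policies:
        name = p["displayName"]
        if p["state"] == "enabledForReportingButNotEnforced":
            issues.append(f"{name}: report-only, not enforced")
            continue
        if p["state"] != "enabled":
            issues.append(f"{name}: disabled")
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if requires_mfa(p) and covers_everyone(p):
            mfa_all = True
            # A tenant-wide MFA policy with no excluded break-glass account
            # locks every admin out if the MFA service or devices fail.
            if not p["conditions"]["users"].get("excludeUsers"):
                issues.append(f"{name}: no break-glass exclusion")
        elif "mfa" in controls and not requires_mfa(p):
            issues.append(f"{name}: MFA is only one of several OR'd controls")
        if blocks_legacy_auth(p):
            legacy_blocked = True
    if not mfa_all:
        issues.append("no enabled policy requires MFA for all users on all apps")
    if not legacy_blocked:
        issues.append("no enabled policy blocks legacy authentication")
    return {"mfa_for_all_users": mfa_all,
            "legacy_auth_blocked": legacy_blocked,
            "issues": issues}


# Constructed "before": an admin-only pilot left in report-only mode.
WEAK = [
    {"displayName": "MFA for admins (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ["<global-admin-role-template-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Constructed "after": enforced for everyone, break-glass excluded, legacy blocked.
HARDENED = [
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-01"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print("weak:", lint_policies(WEAK))
    print("hardened:", lint_policies(HARDENED))
```

The `requires_mfa` check is the subtle one: a policy whose controls are `mfa` OR `compliantDevice` reads as "requires MFA" in the portal summary but lets any compliant device through with just a password, so the linter treats it as a finding rather than as coverage.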

4. Audit activity in Azure AD.

It’s extremely important to audit what is going on in your Azure AD environment, including what sign-ins are occurring, changes that are being made and how applications are being used. Organizations should deploy tools that can not only monitor the events that are occurring but also detect and flag when something unusual or threatening is afoot, such as:

  • Privilege changes, such as modifications to application permissions, application certificate or key generation, and changes to sensitive roles (e.g., Global Admin) or groups
  • Suspicious activity, such as unrealistic or abnormal geo-location logins or anomalous behavior based on historical activity trends
  • Signs of known attacks, such as failed sign-in attempts that can indicate a password spraying attack
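The last two bullets are the easiest to show in code, so here is an added example (not from the original post or from Netwrix) of two detections run over sign-in records shaped like Azure AD sign-in log entries: a password spray detector (one source IP collecting invalid-password failures against many distinct accounts within a short window) and a new-country check for successful sign-ins against each user's recent history. Error code 50126 is Azure AD's "invalid username or password" result and 0 is success; the records, IPs, countries, and the thresholds are constructed for the example and would be tuned to your tenant.

```python
"""Added example (not the original post's or Netwrix's code): two detections
over sign-in records in the shape of Azure AD sign-in log entries
(userPrincipalName, ipAddress, createdDateTime, status.errorCode,
location.countryOrRegion). All records and thresholds are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126                # Azure AD: invalid username or password
SPRAY_MIN_USERS = 5                     # distinct accounts failing from one IP...
SPRAY_WINDOW = timedelta(minutes=30)    # ...inside this sliding window
BASELINE = timedelta(days=30)           # history used for the new-country check


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _rec(user, ip, when, code, country):
    return {"userPrincipalName": user, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": code}, "location": {"countryOrRegion": country}}


# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE_SIGNINS = [
    # alice's normal history: successes from the US over the previous weeks
    _rec("alice@example.com", "198.51.100.4", "2024-05-20T08:01:00Z", 0, "US"),
    _rec("alice@example.com", "198.51.100.4", "2024-06-03T08:05:00Z", 0, "US"),
    # a single mistyped password from her usual address is not a spray
    _rec("alice@example.com", "198.51.100.4", "2024-06-10T08:00:00Z", INVALID_PASSWORD, "US"),
    # spray: one IP, one failure each against six accounts within minutes
    *[_rec(f"user{i}@example.com", "203.0.113.7", f"2024-06-10T09:0{i}:00Z",
           INVALID_PASSWORD, "NL") for i in range(6)],
    # then a success for one of the sprayed accounts from the same IP
    _rec("user3@example.com", "203.0.113.7", "2024-06-10T09:12:00Z", 0, "NL"),
    # alice succeeds from a country absent from her 30-day baseline
    _rec("alice@example.com", "192.0.2.99", "2024-06-10T11:30:00Z", 0, "RO"),
]


def detect_password_spray(records, min_users=SPRAY_MIN_USERS, window=SPRAY_WINDOW):
    """Return {ip: sorted targeted users} for IPs whose invalid-password
    failures hit at least `min_users` distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_PASSWORD:
            by_ip[r["ipAddress"]].append((_ts(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:   # slide the window start
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in events})
                break
    return hits


def successes_from_spray_ips(records, hits):
    """Accounts that signed in successfully from a spraying IP: triage these first."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] in hits and r["status"]["errorCode"] == 0})


def detect_new_country(records, baseline=BASELINE):
    """Flag successful sign-ins from a country the user has not succeeded from
    within the baseline window. Users with no history yet are not flagged.
    Returns a list of (user, country, createdDateTime)."""
    last_seen = defaultdict(dict)        # user -> {country: last success time}
    flagged = []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        t = _ts(r["createdDateTime"])
        recent = {c for c, when in last_seen[user].items() if t - when <= baseline}
        if recent and country not in recent:
            flagged.append((user, country, r["createdDateTime"]))
        last_seen[user][country] = t
    return flagged


if __name__ == "__main__":
    spray = detect_password_spray(SAMPLE_SIGNINS)
    print("spray sources:", spray)
    print("successes from spray IPs:", successes_from_spray_ips(SAMPLE_SIGNINS, spray))
    print("new-country sign-ins:", detect_new_country(SAMPLE_SIGNINS))
```

Two design points carry over to any real deployment: the spray detector keys on distinct accounts per source rather than failures per account, because a spray stays below per-account lockout thresholds by design, and a success from a flagged source is the record that turns an alert into an incident, so it is reported separately.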

5. Secure on-prem Active Directory.

While some brand-new organizations are deployed solely in the cloud, most companies today utilize a combination of on-prem systems and cloud-based platforms and applications. In those hybrid AD deployments, the importance of monitoring and securing both Azure AD and Active Directory cannot be stressed enough. With identities being synced between on-prem and online using tools like Azure AD Connect, a breached AD user account easily becomes a breached Azure AD user account — which provides the attacker with access beyond the borders of the on-prem infrastructure.

Where to get help

Now that you know these key best practices for hardening your Azure Active Directory environment, it’s time to put them to use. While it may feel like a daunting challenge to understand all of your administrative accounts, secure them using MFA, review access to them regularly, and monitor changes in a productive manner, have no fear — Netwrix provides tools to help! Learn more about how you can audit administrative privileges, spot malicious activity across your hybrid ecosystem and replace vulnerable standing administrative accounts with just-in-time access using our broad portfolio of products.

Senior Director of Product Management at Netwrix. Farrah is responsible for building and delivering on the roadmap of Netwrix products and solutions related to Data Security and Audit & Compliance. Farrah has over 10 years of experience working with enterprise scale data security solutions, joining Netwrix from Stealthbits Technologies where she served as the Technical Product Manager and QC Manager. Farrah has a BS in Industrial Engineering from Rutgers University.