Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It allows employees to access data and applications, such as Office 365, Exchange Online, OneDrive, and more.
An increasing number of organizations are migrating data from their on-premises AD environment to Azure AD, to take advantage of the benefits that cloud platforms provide.
However, Azure AD and your on-premises Active Directory implementation work quite differently.
While both are designed to achieve the same goal, each has its own security concerns and best practices that need to be followed.
Below are some of the most notable areas to focus on to ensure that your Azure AD environment is secure.
Microsoft Secure Score
Found in the Microsoft 365 security center, Microsoft Secure Score provides organizations with a way to measure their overall security posture, with a high score indicating that more work needs to be done.
Organizations can monitor their score and act according to Microsoft’s best practice recommendations, which you can find on the Improvement actions tab.
Recommendations are organized into three groups: Identity, Device, and App, with each group having its own respective score.
In addition to a trend graph, which shows how your score has changed over time, you can also view a graph that shows how your score compares to other tenants of a similar size, in the same industry.
Adopt a “Zero Trust” Approach
The zero-trust security model is particularly relevant when using cloud platforms for storing and processing sensitive data. This is because the traditional castle-and-moat approach is not compatible with remote, distributed environments.
With zero trust, all activity is malicious until proven otherwise. All users, devices, and processes must prove their legitimacy when accessing critical systems and resources.
An important part of the zero-trust model is the “principle of least privilege” (PoLP), which stipulates that users are only granted access to the specific resources they need to perform their role.
To enforce the least privilege access within Azure AD, you must ensure that only administrators can create and manage security groups, including Office 365 Groups.
Administrators must review all guest users and restrict their privileges accordingly, which includes ensuring that only administrators can invite guest users. Self-service group management should be disabled for non-administrator users, and the installation of third-party applications should also be restricted.
PoLP can be implemented through role-based access control (Azure RBAC). Assigning users to roles with restricted access helps avoid confusion that could result in a user being granted more access than they need.
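The tenant-wide settings that back the guest-invitation, group-creation and application-registration restrictions above live in the Azure AD authorization policy. The following check, an added example rather than code from the post, reads a document shaped like Microsoft Graph's GET /policies/authorizationPolicy response (the sample here is constructed to look like a tenant left at its defaults) and reports which settings are still permissive; the self-service group management toggle is a separate group setting and is not covered.

```python
"""Check an Azure AD authorizationPolicy document for the permissive defaults
that conflict with least privilege, and show the hardened equivalent."""
import json

# Constructed sample: roughly what a tenant at default settings returns.
SAMPLE_POLICY = json.dumps({
    "id": "authorizationPolicy",
    "allowInvitesFrom": "everyone",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
})

# Each check: (finding text, predicate that is True when the setting is weak).
CHECKS = [
    ("non-admins can invite guest users "
     "(allowInvitesFrom should be 'adminsAndGuestInviters' or 'none')",
     lambda p: p.get("allowInvitesFrom") not in ("adminsAndGuestInviters", "none")),
    ("non-admins can create security groups (allowedToCreateSecurityGroups)",
     lambda p: p.get("defaultUserRolePermissions", {}).get("allowedToCreateSecurityGroups", True)),
    ("non-admins can register applications (allowedToCreateApps)",
     lambda p: p.get("defaultUserRolePermissions", {}).get("allowedToCreateApps", True)),
]


def find_weak_settings(policy_json: str) -> list[str]:
    """Return the findings for one authorizationPolicy document."""
    policy = json.loads(policy_json)
    return [text for text, is_weak in CHECKS if is_weak(policy)]


def hardened(policy_json: str) -> str:
    """Return the same policy with the three settings at their restrictive values."""
    policy = json.loads(policy_json)
    policy["allowInvitesFrom"] = "adminsAndGuestInviters"
    perms = policy.setdefault("defaultUserRolePermissions", {})
    perms["allowedToCreateSecurityGroups"] = False
    perms["allowedToCreateApps"] = False
    return json.dumps(policy)


if __name__ == "__main__":
    for finding in find_weak_settings(SAMPLE_POLICY):
        print("WEAK:", finding)
    print("findings after hardening:", find_weak_settings(hardened(SAMPLE_POLICY)))
```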
Enable Multi-Factor Authentication (MFA)
As with any MFA system, Azure AD MFA requires two or more of the following factors: something you know, something you have, and something you are.
With Azure AD, there is a variety of verification methods to choose from, including the Microsoft Authenticator app, OATH hardware tokens, SMS, and voice call.
To get started with Azure AD MFA, you will need to create a Conditional Access policy, which defines the conditions under which MFA is required. You then assign users to these policies, and remember to disable legacy authentication.
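The two policies the paragraph above calls for, written out as the JSON bodies Microsoft Graph accepts at POST /identity/conditionalAccess/policies, together with a small evaluator that shows how they combine for a given sign-in. This is an added example, not code from the post or from Microsoft; the evaluator only models the user and client-app-type conditions, and `<break-glass-account-id>` is a placeholder for the emergency-access account you would exclude.

```python
"""Conditional Access: require MFA for interactive clients, block legacy ones."""

BREAK_GLASS = "<break-glass-account-id>"  # placeholder object id, excluded from both policies

REQUIRE_MFA = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Legacy protocols (IMAP, POP, SMTP AUTH, ActiveSync basic auth) cannot prompt
# for a second factor, so the only grant control that works for them is "block".
BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

POLICIES = [REQUIRE_MFA, BLOCK_LEGACY_AUTH]


def _targets(policy, user_id, client_app_type):
    """True if the policy's user and client-app conditions match this sign-in."""
    cond = policy["conditions"]
    users = cond["users"]
    in_scope = "All" in users["includeUsers"] or user_id in users["includeUsers"]
    excluded = user_id in users.get("excludeUsers", [])
    return in_scope and not excluded and client_app_type in cond["clientAppTypes"]


def evaluate(user_id, client_app_type, policies=POLICIES):
    """Return 'block', 'mfa' or 'allow': a matching block policy always wins,
    otherwise the union of matched grant controls applies."""
    controls = set()
    for policy in policies:
        if policy["state"] == "enabled" and _targets(policy, user_id, client_app_type):
            controls.update(policy["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block"
    return "mfa" if "mfa" in controls else "allow"
```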
Discover and Classify Your Documents Using Azure AIP
Azure Information Protection (AIP) extends the labeling and classification functionality provided by Microsoft 365.
Data classification is an important part of data security as it enables administrators to keep track of what sensitive documents they have, and where they are located.
Additionally, the AIP on-premises scanner enables administrators to scan their on-premises file repositories for sensitive data and classify it accordingly.
Audit Your Azure AD Environment
Azure AD audit reports provide administrators with information about the state of their Azure AD environment. This includes information about sign-in activity, application usage, and any changes affecting sensitive resources.
They provide a summary of changes relating to users, groups, roles, apps, and policies, and inform administrators of any users who have been flagged.
The reporting console also provides additional information such as the date, time, category, name, initiator, and status of the event, as well as the service that logged the event.
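A way to turn those audit fields into alerts, as an added example that is not part of the post: the records below are constructed in the shape Microsoft Graph returns from GET /auditLogs/directoryAudits (activity time, category, activity name, initiator, result and logging service, as listed above), and the function flags the activities that change who holds privilege or what the access rules are while counting everything else by category.

```python
"""Triage Azure AD audit records: alert on privilege and policy changes."""
import json
from collections import Counter

# Constructed sample records: two routine changes and two worth alerting on.
SAMPLE_AUDIT = json.dumps([
    {"activityDateTime": "2023-05-01T08:02:11Z", "category": "UserManagement",
     "activityDisplayName": "Update user", "loggedByService": "Core Directory",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr-sync@example.com"}},
     "targetResources": [{"displayName": "Bob Jones", "type": "User"}]},
    {"activityDateTime": "2023-05-01T08:15:40Z", "category": "RoleManagement",
     "activityDisplayName": "Add member to role", "loggedByService": "Core Directory",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}]},
    {"activityDateTime": "2023-05-01T09:30:05Z", "category": "GroupManagement",
     "activityDisplayName": "Add member to group", "loggedByService": "Core Directory",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Finance", "type": "Group"}]},
    {"activityDateTime": "2023-05-01T22:41:19Z", "category": "Policy",
     "activityDisplayName": "Update policy", "loggedByService": "Conditional Access",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Require MFA for all users", "type": "Policy"}]},
])

# (category, activity) pairs that change privilege or access rules.
SENSITIVE = {
    ("RoleManagement", "Add member to role"),
    ("Policy", "Update policy"),
    ("Policy", "Delete policy"),
}


def triage(audit_json):
    """Return (alert lines, per-category counts) for a list of audit records."""
    records = json.loads(audit_json)
    counts = Counter(r["category"] for r in records)
    alerts = []
    for r in records:
        if (r["category"], r["activityDisplayName"]) not in SENSITIVE:
            continue
        by = r.get("initiatedBy", {})
        who = by.get("user") or by.get("app") or {}  # app-initiated changes carry displayName
        initiator = who.get("userPrincipalName") or who.get("displayName") or "unknown"
        target = r["targetResources"][0]["displayName"] if r.get("targetResources") else "?"
        alerts.append(f"{r['activityDateTime']} {r['category']}: {r['activityDisplayName']} "
                      f"on '{target}' by {initiator} [{r['result']}, {r['loggedByService']}]")
    return alerts, counts
```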
Use Microsoft’s Attack Simulator to Identify Vulnerabilities
The Attack simulator, located under Threat management > Attack simulator in the Security & Compliance Center, allows administrators to launch spear-phishing campaigns to identify any areas of weakness.
There are two types of spear-phishing campaigns that can be initiated. The first is where users are asked to click on a URL in a message.
After clicking on the URL, they will be asked to hand over their credentials and then redirected to a default or custom page, which essentially warns them not to click on suspicious links.
The second comes in the form of a .docx or .pdf attachment, which contains a warning message and information about how to identify suspicious attachments.
In order to create a spear-phishing campaign, you need to be a member of the Organization Management or Security Administrator role groups, and you will need multi-factor authentication (MFA) enabled for your account.
As they say, it is not a question of if, but when, a data breach will occur. This understanding should serve as the keystone for your security strategy.
A zero-trust approach will ensure that you always verify the authenticity of all users and endpoints before allowing them to access a critical resource. You must ensure that you know exactly what sensitive data you have, where it is located, and who has (and should have) access to it.
Wherever possible, MFA should be enabled, and you must ensure that users are only allowed access to the resources they absolutely need to fulfill their role. You will need as much visibility as possible into the who, what, where, and when of changes affecting your sensitive data, and administrators should receive real-time alerts on all suspicious activity.
Finally, you should have a tried and tested incident response plan (IRP) in place, to ensure that you are able to identify, contain and eradicate data breaches in a fast and efficient manner.