Every organization strives to reduce the attack surface of their infrastructure to make it secure and reliable.
As team members of the Microsoft Global Compromise Recovery Security Practice (CRSP), we've seen time and time again that by improving the security posture to make compromise more difficult than average, low-skill attackers usually give up quickly and move to the next target.
While talking about identities, Azure Active Directory (Azure AD), part of the Microsoft Entra product family, is a critical identity system leveraged by most of the organizations and it serves a single point for authentication and authorization of users against applications, resources and much more. It's at the heart of an organization's zero trust strategy.
In this blog we discuss some Quick Wins to reduce the attack surface of Azure AD. From a technician's standpoint, these tasks are immediate and require minimal testing to get them rolled out in production.
1. Segregate productivity and cloud administration accounts.
Identity is the new security perimeter. If there's a single key to the kingdom it would be easier for an attacker to dominate the organization —using the same account for productivity and administration tasks leaves organization security at risk. Keeping this in mind, we should segregate the productivity and management accounts. Deprivilege any identity which is used for productivity as well as cloud administration and create separate in-cloud administration accounts.
2. Securely manage Emergency access accounts
Emergency access accounts (Break-Glass accounts) are highly privileged, and their usage is limited to emergency scenarios where other administration accounts can't be used. Organizations must ensure they have at least two emergency access accounts created as per the best practices and are not associated with any individual user.
Break-glass account credentials are securely stored, never expire, and never used for regular tasks. At least one emergency access account should be excluded from phone-based multifactor authentication (MFA) and any conditional access policies which restrict/permit admins/users to access cloud applications. Sign-in and all audit activities should be monitored using Azure AD audit logs.
3. Multifactor Authentication for privilege accounts
Microsoft recommends enabling MFA for all the users. MFA can block over 99.9 percent of account compromise attacks. This requires extensive testing and blocking of legacy authentication protocols. Hence these may be considered as mid-term and long-term hardening goals.
By this time, you have separate in-cloud administration accounts. As an immediate step, let's start by enforcing MFA for all the highly privileged users. We can use Conditional Access Policies to rollout MFA for these users. Ensure break-glass administrators are excluded from the policy for emergency in case of a tenant lockdown. Using MFA and conditional access policies will increase the time and cost for hackers and will eventually help in shifting their focus.
4. Zero Trust Principal for managing SaaS (Software-as-a-Service) applications via conditional access
The Zero Trust concept helps in tightening the overall security. Safeguarding the resources and following modern authentication principles will help the organization maintain the security of the resources.
Always verify, use least privilege access, and assume breach is what Zero Trust is all about. Let's take a simple example of corporate network vs public internet in a café. A traditional approach says corporate network is secured by a lot of investment made in terms of net…. However, as per the new Zero Trust approach, we should explicitly verify all available data points like identity, location, and device compliance.
As an immediate step, organizations can start a pilot with the apps which are already integrated with Azure AD. Check deployment guidance and best practices for getting started with Conditional Access Policies and building resilient access model based on Zero Trust principles.
5. Evaluate Azure AD SSO for applications
SSO (Single sign-on) brings convenience and security to the users. If users are often prompted for credentials, it's human tendency to miss details when users deal with several authentication prompts daily and users leave traces of their credentials in all the applications.
Azure AD supports modern authentication protocols and strong authentication mechanisms. We can even integrate devices like Cisco with Azure AD for authentication.
Azure AD gallery contains thousands of business productivity applications pre-integrated. As a first step, consider new applications being introduced in the organization for integration. Additionally, utilize Azure AD user provisioning to applications for better governance over identity lifecycle.
Another quick task is evaluating the applications which are claims aware, and a bonus would be to identify applications which support multiple identity providers as they could be the first contenders for testing and rollout.
6. Enable Identity Governance in Azure AD
Identity governance is a defined way to balance your organization's security by standardizing the identity lifecycle. It helps define “who can access what” in a systematic manner. This solution doesn't have any adverse effect on the organization's productivity.
Entitlement Management allows us to create access packages that enable users to request access to groups, apps, teams, and SharePoint sites which they require when they join a new project/team, rather than manually granting it. Entitlement also supports collaboration scenarios, see Entitlement Management for B2B scenarios.
Additionally, excessive permissions make the security posture weak and vulnerable. Access reviews in Azure AD is an excellent feature to review and control permissions to organizational resources.
Organizations can start evaluating this feature for new access which is to be granted and gradually move to using access packages for all productivity businesses.
7. Detect user and sign in risks via Azure AD Identity Protection
Identity protection is a powerful feature in Azure AD that leverages intelligence gathered from Azure AD, Microsoft Accounts, and XBOX. Once identity protection processes a sign –in request, organizations can use the signals to make access decisions.
Identity protection helps in determining the user/sign in risk and then enables organizations to take appropriate decisions, e.g. force MFA for a medium or high sign in risk when a user is found to be connecting from an anonymous IP or force a user to change their password when Identity protection determines that the user credentials are leaked on the dark web.
Organizations can start evaluating Identity protection in report-only mode by simulating risk detections. Identity protection Risk Analysis workbook would be a great way to monitor the risks generated by Identity protection and understand their details.
8. Enforce least privilege via Azure RBAC
Role security planning is critical for every organization. Over privileged identities use as a vector of attack is seen often in compromise scenarios.
Privilege Identity Management (PIM) helps in providing time bound access which may be further governed by adding approval for activating privileged roles. Let's take an example of “DomainNameAdministrator,” a privilege required when registering a domain in Azure AD —a very infrequent activity. A user doesn't need to hold this privilege 24×7, instead they can activate when required, which lets them perform the activity and the user is deprivileged after a certain time, based on the policy.
PIM helps add additional controls and context when activating a role, e.g. MFA, justification for role activation, sending notifications to admins when a role is activated, enable access reviews, and audit the activities. Additionally, PIM can be used for Azure resources as well as Microsoft 365.
Deploying PIM is a critical first step where organizations can evaluate active vs eligible roles. For example, an emergency admin account should permanently hold global admin privilege, whereas other roles can be eligible when required.
9. Eliminate weak passwords using Password Protection
“Summer2022!” seems like an acceptable password with an uppercase letter, numeric, and special characters, and most likely meets the usual minimum character length requirements. However, such passwords are weak against dictionary-based password attacks. Azure AD password protection is a great feature which allows an organization to stop the use of such passwords.
Password protection provides a global and custom banned password list.
This feature can be used on domain controllers via lightweight agents. The setup is quick and supports audit mode which allows administrators to understand insecure password usage in the organization to plan improvements to their password policy and user guidance.
10. Restricting User Consent
Users can grant permissions to applications to access a protected resource using consent. Let's take an example of a ticketing system which generates incidents based on issue description received in email by support users. For this to work, the application needs permission to read the user's mailbox. By default, Azure AD doesn't grant the requested permissions to the application unless the user consents to the application.
As an administrator you may disable user consent, allow consent to verified applications, or allow user consent to any applications. Microsoft recommends to restrict user consent for verified applications only and bind consent to permissions selected by the administrators.
Quick Win: An organization can start evaluating consent requests for the administrators to understand the consent framework and the application consent experience. Once the administrators understand the need for securing consent, it will be followed by activities like user awareness and understanding which flows require admin consent and evaluate a request for tenant-wide admin consent.
11. Continuous Monitoring of Azure AD and connected systems
Monitoring is the most critical and a continuous process for all resources since Identity systems are the backbone of the infrastructure monitoring Azure AD and its supporting systems like Azure AD Connect and AD Federation Services (ADFS) is critical.
We discussed the use of Identity protection for monitoring user sign ins. As an additional step, we can integrate Identity Protection with Defender for Cloud Apps. The integration is quick and only requires enabling a toggle button. This lets Azure AD Identity Protection send the signals to Defender for Cloud Apps, which can process the information and generate alerts for the Security Operations teams.
Azure AD Connect health is another great feature for monitoring. It helps ensuring reliability of on-prem identity systems in a hybrid identity environment by providing critical health alerts like critical ADFS system issues, performance, and connectivity. Additionally, it helps security teams to identify failed sign ins and lockout trends from ADFS servers. Deployment is simple using lightweight agents.
Additional quick wins: Remediate the recommendations under Identity Security Score. Identity Security Score reflects the overall security posture of Azure AD. There are low impact and low implementation cost items that can be evaluated and remediated quickly on the side. Regularly review the Identity Security Score to get insights on the current posture, evaluate findings, and plan for remediation.
Security needs to be the utmost priority for an organization and Identity is the new Battleground. For getting started, the Security teams should identify the gaps in the Azure AD configuration as per the points mentioned in this blog post. The next step would be prioritizing the activities. While the other items may need some planning to rollout, “Segregating productivity and cloud administration accounts,” “Securely managing Emergency access accounts,” and “Enforcing least privilege via Azure RBAC,” could be the Severity 1 items to be remediated as they are quick activities with a high impact on security posture.
Learn more about Microsoft identity: