Identity and Access Management Baseline

Identities are the gateway into your network and services so should have controls in place to secure them. Security controls that should be tightened once privilege is assigned. There should be an automated process around this so that no privilege is missed. 

Restrict access to Azure AD administration portal

By default, all accounts will have read only access to Azure AD. It’s important that this is removed. Although no changes can be made with read only access, an attacker could profile your environment and search for privileged targets. They can also run tasks that can download your AD structure which will include usernames, email address and job titles.

Under Azure Active Directory > Users > User Settings, you will see the following setting. Make sure it’s set to yes.

Enabling Multi-Factor Authentication

MFA should be enabled by default nowadays and all users should be using it both in their work and personal life. This makes thing easier as users become accustom to it. The users can use multiple methods to authenticate however I would recommend using the Authentication application on your phone. Microsoft have their own and it’s very easy to setup.

SMS can be attacked and there are vulnerabilities around the service which an attacker could exploit. Take the CEO of Twitter who’s 2FA was SMS. This was exploited and the malicious parties got in. Attackers could also use burner phones to setup MFA on accounts which has been missed. This won’t provide any traceability to find out who it was.

It’s important to be aware that MFA isn’t full proof. It should be considered a minimum requirement but don’t put 100% trust in it. More info

To Enable go to: AAD > Users > All Users > Multi-Factor Authentication

It’s important to remember that even if you enforce MFA, if you haven’t setup a MFA method for an account, an attacker can do it once they’ve compromised an account. They would just go here (https://aka.ms/mfasetup) and add a burner phone for example. They can then pass the MFA stage.

Block “Remember MFA On Trusted Devices” (Optional)

This really depends on the business as if you just enable this, there will be some push back for sure. This is one of those settings which requires balance (Security/ usability).

To a security person this makes sense. If you “remember me” on your devices, and attacker will try and abuse this. It’s not just attackers but insider threats as well. If a disgruntled employee is aware that they won’t need to pass MFA on their colleagues’ machine, they can use this to their advantage should this wish to cause harm.

There are a lot of attack scenarios where this feature becomes the downfall but essentially the message is, that If a device or account is compromised, MFA will be hindered and therefore not authenticate the user. 

To enable go to: Azure Active Directory > Users > All Users > MFA > Users > Manage User Settings

Then enable Restore multi-factor authentication on all remembered devices:

Guest Accounts

Make sure that no Guest Accounts are in use. Guest accounts bring risk as they use the personals work, school or social media account to authenticate. If you want to manage your identities yourself, this should be disabled. Guests can be Global Admins.

To view guests: Azure Active Directory > Users > All Users and filter on users:

To control guest accounts, go to: Azure Active Directory > Users > Use Settings and click on External Users

On the next screen, you will see the following:

If needed, you can allow admins to send invites to users but if you don’t need them at all, I would set everything to “No”. If you are keeping this, it’s important that you block Members from sending invites. Enabling this setting will allow non-admins to invite whoever they wish.

At the bottom, you will see the following options:

By default, the most inclusive option will be selected. It’s recommended that you either chose to Deny or specify the domains you wish to manage. This adds a layer of control to guest accounts.

Help: https://docs.microsoft.com/en-us/azure/active-directory/b2b/allow-deny-list

Password Options

Allowing users to reset their passwords may empower your users to use more complex passwords. If they forget, they know they can easily reset it. If you make the process impossible, they will most likely use something that is easy and that they can remember. The reason why could be to avoid the whole reset password process. Ringing the service desk to say that “I’ve forgot my password” has some embarrassment around it. Going through a portal removes this.

It’s preferred that you set multiple methods to allow a user to reset their password.

To set this, go to: Azure Active Directory > Users and select Password Reset.

Here you can choose your settings:

Establish an interval to reconfirm methods. Under the Registration tab, you will see the following:

It’s recommended that this is set and that you configure an interval period. A long interval period is better than none.

Users To Create And Manage Security Groups (Optional)

If this is enabled all users within your tenant can create security groups. This should be a big no both from a security and structure side of things.

To disabled, go to: Azure Active Directory > Groups > General Settings. Then select the following:

Whilst you are here, it’s also recommended that you disable the setting above:

Allow Users To Register Apps (Optional)

Administrators should be the only ones registering apps in your tenant. The reason being is that these “apps” can interact with your identity platform and may exposure data. Integration should always have some administrative oversight. Disabling this may force your users to follow the correct process.

To disable this, go to: Azure Active Directory > Users > User Settings and select No