What You’re Missing in Your Azure Active Directory Configuration

6 min read
Published on Aug 31, 2022

When you implement Microsoft 365, an Azure Active Directory tenant is created for you automatically: by virtue of being a Microsoft 365 tenant, you are also an Azure AD tenant. Smaller businesses can leave the defaults in place without much immediate harm, but a number of administrative tasks will increase the security and resilience of your Azure AD environment. Here are a few you should consider.

Company Branding With Azure Active Directory

Your branding goes beyond giving your business a personalized look that catches the attention of your target audience. You can apply your logo, background image and color scheme to the sign-in pages so that every legitimate Microsoft 365 sign-in looks the same to your users. That consistent look gives staff a reference point: a plain, unbranded Microsoft login page asking for their credentials is a warning sign, and bulk phishing campaigns tend to present exactly that generic login experience. Treat branding as an awareness aid rather than a security control, though. A targeted attacker can copy your logo and colors onto a phishing page as easily as you uploaded them, so branding complements MFA and Conditional Access; it never replaces them.

Alerts and Monitoring 

Alerts let you detect and address problems before your users notice them by proactively notifying the account owner or administrator of issues in the infrastructure or in an application. Before you set up logs and alerts, decide which types of alerts you need, who should receive them, which notification channels to use, and what the response procedure is for each one. An alert that nobody owns is just noise.

Next, set up Azure Monitor together with a Log Analytics workspace. A workspace is a dedicated environment for log data from Azure Monitor and other Azure services; each workspace has its own repository and configuration, but it can combine data from many services in one place. The log sources that matter most for identity security and compliance are the Azure Active Directory audit and sign-in logs, which record user authentication and administrative activity in the tenant. You also have Azure Activity logs, which provide up-to-date insight into subscription-level events; think of them as the hub for operations on subscription resources. Azure resource logs are platform logs that describe operations performed inside an individual Azure resource.

Use diagnostic settings to route all of these to the workspace: a diagnostic setting on the Azure AD tenant sends the audit and sign-in logs there, and a diagnostic setting on each Azure resource sends that resource's logs. Having per-resource diagnostic detail consolidated in one workspace lets you run log queries that join across sources, which gives you deeper insight than any single resource's view.

Finally, create Azure Monitor alert rules that fire on sensitive actions and events, such as changes to privileged role membership, changes to Conditional Access policies, or any sign-in by an emergency access account, so that you identify and address issues in your system before your customers do.

User Authentication 

The first step to user authentication is planning: before you change authentication methods, plan the rollout properly. The single most effective way to better protect your networks and systems is to implement multifactor authentication (MFA). Get leadership to buy into MFA by helping them understand the value proposition, and educate staff in advance on why you are making the change and what is needed from everyone in the organization. Execute the deployment in stages: a pilot, then alpha and beta phases, and finally the company-wide rollout, choosing the progression that makes the most sense for your teams. Learn more about planning an MFA deployment.

To keep user authentication running smoothly without burdening your IT department with password reset requests, consider Self-Service Password Reset (SSPR), which lets users reset their own password without engaging IT staff. Further, consider passwordless authentication. Three passwordless methods integrate with Azure AD: Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys. All three remove the password from the sign-in, which simplifies the experience and takes away the credential that password spraying and password reuse attacks depend on. Windows Hello for Business and FIDO2 keys go further, binding the credential to the device and to the legitimate sign-in origin so a phishing page cannot replay it; the Authenticator app still relies on the user approving the right prompt.

Conditional Access

Consider building your Conditional Access baseline policies as part of your user authentication work. There is no single "proper" initial configuration for Conditional Access; how it needs to be set up will vary with your business. Start by defining your user personas. Admins and accounts with access to sensitive information get the strictest policies; determine which Conditional Access policies you want configured for each persona. When you first deploy a policy, run it in report-only mode for a period. In report-only mode the policy is evaluated and its result is recorded in the sign-in logs, but nobody is blocked, so you can confirm the policy is configured correctly and would not stop people from performing their normal duties before you enforce it. Apply the baseline policies to privileged users such as IT administrators first: enforcing CA and MFA on admin roles protects the keys to the kingdom, and that small population makes it easy to identify any issues. Once you are confident the policies behave as intended, roll them out to standard users and the company at large. Always exclude your emergency access (break glass) accounts from every Conditional Access policy, so that a misconfigured policy cannot lock you out of your own tenant.
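As an added example (not code from the original article), the following Python builds the body of a Conditional Access policy in the shape the Microsoft Graph API expects at POST /identity/conditionalAccess/policies, starts it in report-only mode, and refuses to switch it to enabled until the emergency access accounts are excluded. The Global Administrator role template ID is the well-known Azure AD value; the two break glass object IDs are placeholders invented for the example.

```python
"""Conditional Access policy: start in report-only mode, enforce only after
the emergency access (break glass) accounts are confirmed excluded.

Added example, not code from the original article. The dictionary follows the
Microsoft Graph conditionalAccessPolicy resource that is POSTed to
/identity/conditionalAccess/policies. The break glass object IDs are
placeholders invented for the example.
"""
import copy
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"

# Well-known Azure AD role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Object IDs of the two emergency access accounts (placeholders).
BREAK_GLASS_IDS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]


def require_mfa_policy(name, include_users=("All",), include_roles=(),
                       exclude_users=BREAK_GLASS_IDS):
    """Build a policy that requires MFA for the given persona across all apps.

    Every policy starts in report-only mode so its effect shows up in the
    sign-in logs without blocking anyone.
    """
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeUsers": list(include_users),
                "includeRoles": list(include_roles),
                "excludeUsers": list(exclude_users),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def validate(policy, break_glass_ids):
    """Return a list of reasons the policy must not be enforced yet."""
    findings = []
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeUsers", []))
    missing = [i for i in break_glass_ids if i not in excluded]
    if missing:
        findings.append("break glass account(s) not excluded: " + ", ".join(missing))
    controls = policy.get("grantControls") or {}
    if "block" in controls.get("builtInControls", []) and "All" in users.get("includeUsers", []):
        findings.append("policy blocks every user; scope it to a persona first")
    return findings


def enforce(policy, break_glass_ids):
    """Return a copy of the policy switched from report-only to enabled.

    Raises ValueError instead of handing back a policy that could lock the
    tenant's own administrators out.
    """
    problems = validate(policy, break_glass_ids)
    if problems:
        raise ValueError("refusing to enforce '%s': %s"
                         % (policy["displayName"], "; ".join(problems)))
    enabled = copy.deepcopy(policy)
    enabled["state"] = ENABLED
    return enabled


if __name__ == "__main__":
    # Admin persona first: Global Administrators must satisfy MFA everywhere.
    admins = require_mfa_policy("Baseline: MFA for Global Admins",
                                include_users=(), include_roles=[GLOBAL_ADMIN_ROLE])
    print(json.dumps(admins, indent=2))          # body to POST while in report-only mode
    print(enforce(admins, BREAK_GLASS_IDS)["state"])

    # A policy built without the exclusions is caught before it is enabled.
    everyone = require_mfa_policy("Baseline: MFA for all users", exclude_users=[])
    try:
        enforce(everyone, BREAK_GLASS_IDS)
    except ValueError as err:
        print(err)
```

The builder always emits report-only, and `enforce` is the only path to the enabled state, so the exclusion check cannot be skipped by accident; in practice you would run that check again against the policy as it exists in the tenant, since someone can edit it in the portal after it was created.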

Break Glass Accounts

Suppose MFA fails because of a natural disaster, a cell phone outage or a provider issue. Having a break glass (emergency access) account configured in Azure AD that is excluded from MFA and from Conditional Access lets administrators sign in quickly, repair or disable the failing policy and reduce downtime. It should be a cloud-only account holding the Global Administrator role, not synchronized from on-premises Active Directory, with a long random password. Because it is built specifically to bypass MFA for the entire organization, it is the most sensitive account in your tenant. Tie it into your alert and notification workflow so that every sign-in by this account notifies everyone who needs to know, and test it on a schedule so you discover that it is broken before an emergency does. Rather than relying on typical MFA, break glass accounts are often managed so that a second factor is provided by people: two custodians each hold a different part of the password, kept in separate physical safes, so no single person can use the account alone. Find out more about Managing Break Glass Accounts in Azure Active Directory.
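To show what "tied into your alert and notification workflow" looks like as detection logic, here is an added example (not from the original article) that runs three rules over constructed Azure AD sign-in records in the column shape of the SigninLogs table that the diagnostic setting described in the Alerts and Monitoring section populates: any use of a break glass account, a privileged account signing in with only a password while no Conditional Access policy applied, and a burst of failed sign-ins against one account. In Azure Monitor the same rules would be scheduled query alert rules written in KQL over the workspace; the account names and IP addresses are placeholders.

```python
"""Three alert rules over Azure AD sign-in log records.

Added example, not code from the original article. The records are
constructed in the column shape of the SigninLogs table that Azure AD
diagnostic settings populate in a Log Analytics workspace; all account names
and IP addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder identities (constructed for the example).
BREAK_GLASS_UPNS = {"bg-emergency1@contoso.example", "bg-emergency2@contoso.example"}
ADMIN_UPNS = {"alice.admin@contoso.example", "bob.admin@contoso.example"}

FAILURE_THRESHOLD = 5                   # failed sign-ins for one account ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this window triggers rule 3


def _when(value):
    # SigninLogs timestamps end in "Z"; older fromisoformat() rejects that form.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _row(time, upn, result, auth, ca, ip="198.51.100.7", app="Azure Portal"):
    return {"TimeGenerated": time, "UserPrincipalName": upn, "ResultType": result,
            "AuthenticationRequirement": auth, "ConditionalAccessStatus": ca,
            "IPAddress": ip, "AppDisplayName": app}


SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"

# Constructed sample: ResultType "0" is success; 50126 is a bad username or password.
SAMPLE_SIGNIN_LOGS = [
    _row("2022-08-31T02:14:05Z", "bg-emergency1@contoso.example", "0", SF, "notApplied", ip="203.0.113.10"),
    _row("2022-08-31T08:01:10Z", "alice.admin@contoso.example", "0", MF, "success"),
    _row("2022-08-31T08:05:30Z", "bob.admin@contoso.example", "0", SF, "notApplied"),
    _row("2022-08-31T09:00:00Z", "carol@contoso.example", "50126", SF, "notApplied", ip="192.0.2.44"),
    _row("2022-08-31T09:00:20Z", "carol@contoso.example", "50126", SF, "notApplied", ip="192.0.2.44"),
    _row("2022-08-31T09:00:41Z", "carol@contoso.example", "50126", SF, "notApplied", ip="192.0.2.44"),
    _row("2022-08-31T09:01:05Z", "carol@contoso.example", "50126", SF, "notApplied", ip="192.0.2.44"),
    _row("2022-08-31T09:01:30Z", "carol@contoso.example", "50126", SF, "notApplied", ip="192.0.2.44"),
    _row("2022-08-31T09:30:00Z", "dave@contoso.example", "0", MF, "success"),
    _row("2022-08-31T10:00:00Z", "bob.admin@contoso.example", "50126", SF, "notApplied"),
]


def evaluate(records, break_glass_upns=BREAK_GLASS_UPNS, admin_upns=ADMIN_UPNS):
    """Return one alert dict per rule hit, in the order the rules fired."""
    alerts = []
    failures = defaultdict(list)
    for r in records:
        upn = r["UserPrincipalName"].lower()
        success = r["ResultType"] == "0"

        # Rule 1: the emergency access accounts exist only for emergencies, so
        # any sign-in attempt, successful or not, pages everyone.
        if upn in break_glass_upns:
            alerts.append({"severity": "critical", "rule": "break-glass-signin", "user": upn,
                           "ip": r["IPAddress"], "time": r["TimeGenerated"], "success": success})

        # Rule 2: a privileged account got in with a password alone and no
        # Conditional Access policy touched the sign-in: the baseline has a gap.
        if (success and upn in admin_upns
                and r["AuthenticationRequirement"] == "singleFactorAuthentication"
                and r["ConditionalAccessStatus"] == "notApplied"):
            alerts.append({"severity": "high", "rule": "admin-without-mfa", "user": upn,
                           "ip": r["IPAddress"], "time": r["TimeGenerated"],
                           "app": r["AppDisplayName"]})

        if not success:
            failures[upn].append(_when(r["TimeGenerated"]))

    # Rule 3: FAILURE_THRESHOLD failures for one account inside FAILURE_WINDOW,
    # the signature of a password spray or brute-force attempt.
    for upn, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[i + FAILURE_THRESHOLD - 1] - times[i] <= FAILURE_WINDOW:
                alerts.append({"severity": "medium", "rule": "failure-burst", "user": upn,
                               "count": len(times), "first": times[i].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SIGNIN_LOGS):
        print(alert)
```

Rule 1 deliberately fires on failed attempts as well as successes: someone guessing at the break glass password is as much an incident as someone using it. The admin-without-MFA rule is the monitoring counterpart of the report-only Conditional Access rollout; a hit there means a privileged persona is not covered by any policy yet.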

Privileged Account Management

Consider a Privileged Account Management (PAM) system that locks privileged admin credentials in a hardened vault, so that day-to-day administration does not depend on standing passwords that can be phished or reused. Vaults and MFA share a failure mode, though: if the service that brokers access is unreachable, whether because of an outage or a denial of service attack, everyone is locked out at once. That is why the break glass procedure above matters; it gives you an independent path back into the tenant. Any business that uses Azure AD should have a tested plan for reaching the Global Administrator role during an MFA failure.

Learn More About Azure Active Directory

Agile IT offers a fast and convenient assessment, remediation, and implementation service for Azure Active Directory, as well as in-depth reviews, services, and ongoing guidance to keep your environment in top health. To find out more, request a quote.
