By Kaushal Saraf, Lead Engineer at Atomus
Microsoft Azure Active Directory (AD) provides businesses with a cloud-based identity and access management service for safeguarding their resources, applications and services from unauthorized access. As such, it is an integral part of any organization’s security infrastructure. This post will discuss two simple but effective items to take into account when configuring Azure AD. For more in-depth knowledge on the features included, please see this official Microsoft link.
Introduction to Microsoft Azure Active Directory
Microsoft Azure Active Directory (AD) is a cloud-based identity and access management service that helps businesses protect their data and resources from unauthorized access. Azure AD also allows businesses to control access to their applications and services, making it an essential part of a robust security baseline. In this blog post, we’ll introduce you three things to consider when setting up an Azure AD. Read more from Microsoft in details as what are the different features present on this official Microsoft link.
You can view all the different levels of controls and features based on different licenses on this link by Microsoft.
Consideration 1: Set up Security Defaults available to all organizations on Microsoft
☝ Time Effort: 2 minutes License: Works with free tier license for Azure Active Directory
Today, setting up security for a small business is not easy but it does not mean that the business is completely left out. The time effort for this consideration is very cheap to enable the following features.
Out-of-the-box features:
- It completes the setup of MFA required for all users and admins using the Microsoft Authenticator app or any third-party application.
- Most of the situations arouse when a user performs an action that is not very common for that user, for example the device they are using, or the location they are logging in from, and that creates an anomaly. That anomaly forces the users to get challenges with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients that can’t do MFA.
- Protecting admins by requiring extra authentication every time they sign in.
Check eligibility on the current licensing:
- Sign in to the Azure portal as a security administrator, Conditional Access administrator, or Global administrator. (Also, if you are not sure if you are one of these administrators, ask the person who set up your organization to provide you access from the Azure Portal)
- Browse to Azure Active Directory and check the section as per the screenshot below
Enable security defaults in your directory:
- Sign in to the Azure portal as a security administrator, Conditional Access administrator, or Global administrator. (Also, if you are not sure if you are one of these administrators, ask the person who set up your organization to provide you access from the Azure Portal)
- Browse to Azure Active Directory > Properties.
- Select Manage security defaults.
- Set the Enable security defaults toggle to Yes.
- Select Save.
Referenced from Official Microsoft Documentation
Consideration 2: Use Role-Based Access Control and Groups
☝ Time Effort: 15 minutes License: Works with free tier license for Azure Active Directory
User roles and permissions should be configured to limit what users can do within your Azure AD tenant. By default, all users have the same level of access, but this can be changed by assigning different roles to different groups of users. For example, you may want to give administrators full control over the tenant, while limiting other users to specific tasks such as resetting passwords or creating new accounts.
☝ Industry-Standard: Least Privilege i.e. do not provide any access by default, only when provided explicitly
The goal of least privilege is to reduce the exposure and attack surface of your environment by granting users only the permissions they need to perform their job duties. In Azure Active Directory (Azure AD), this can be accomplished by configured role-based access control (RBAC). RBAC allows you to granularly control what actions a user can perform within Azure AD, as well as what resources they have access to.
The principle of least privilege should be considered when configuring RBAC. That is, a user should be given only the permissions they need to perform their job duties, and no more. As fewer permissions can be exploited by an attacker, this reduces your environment’s vulnerability and attack surface.
RBAC in Azure AD can be configured in multiple ways, with the most popular being built-in roles. These roles come pre-packaged with a series of permissions that can be assigned to users, groups, or service principals. Over 50 such roles are available, each serving a particular purpose. For more details on these roles, please refer to the official Microsoft documentation. Another way to manage RBAC is through custom roles; these allow one to construct their own role with specific permissions for their needs.
Use the following steps to configure the security baseline for least privilege on Azure AD:
- Open the Azure portal and select Azure Active Directory from the left navigation panel.
- Select Users from the left navigation panel, then click All users at the top of the page.
- Select a user from the list of users, then click Manage Roles in the details pane.
- In the Manage roles blade, select Add role at the top of the page.
- In the Add role blade, select a role from the list of available roles, then click OK at the bottom of the blade.
- Repeat steps 3-5 for each user that needs to be assigned a role.
Common Pitfalls to watch out for when configuring Azure AD
When configuring Azure AD, one must make sure to avoid potential pitfalls. For instance, taking the time to properly configure Azure AD Connect is essential in order to prevent issues with authentication, authorization, and auditing. Additionally, be sure that multi-factor authentication is enabled for all users to protect against brute force attacks. Lastly, plan ahead when considering how many Azure AD licenses you’ll need — having too few can lead to costly licensing problems.
Conclusion
In conclusion, Azure Active Directory is a powerful security solution for small businesses. It can provide a robust security baseline to protect business data and ensure that employees have access to the right applications and services they need. With its features such as multi-factor authentication, single sign-on, and automated provisioning, it can help keep your business secure from cyber threats. Additionally, using Azure AD will save time and money by simplifying identity management processes so you can focus on running your business with confidence.
Kaushal Saraf is currently the Lead Engineer at Atomus – a cybersecurity compliance platform for small businesses in the Aerospace and Defense who want to sell their products and services to the DoD. Before Atomus, Kaushal worked at Goldman Sachs and WeWork, as well as won DoD contracts for cybersecurity products.
.
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.