When it comes to rolling out security strategies to protect your organization’s systems and employees against remote attacks, you may immediately think of Multi-Factor Authentication (MFA). Using only a password to authenticate cannot prove whether a legitimate user at your organization is logging in, or an attacker. Microsoft Azure AD MFA requires two or more authentication methods, providing an extra layer of security…but is this the only measure you can take? Is it enough?
April 2, 2021
Recently the Utah SharePoint User Group (UTSPUG) and Microsoft User Group (MUGUT) gathered for a presentation hosted by buckleyPLANET, featuring guest speaker Eric Raff, Cloud Practice Director at JourneyTEAM to discuss the top 10 tips and security considerations after you’ve rolled out MFA in your tenant. Raff has over 25 years of experience in IT, and almost seven at JourneyTEAM. He has first-hand experience helping organizations overcome their business challenges, primarily with Identity and Access Management in Microsoft Dynamics 365.
These tips assume you already have MFA turned on. A quick prerequisite: many of these security steps require that you have Azure AD P2 or the Microsoft Enterprise Mobility + Security (EM+S) mobility management and security platform.
Without further delay, here are the first five (5) of Raff’s top 10 Microsoft Dynamics 365, Windows Azure and Microsoft Cloud Services security tips along with some step-by-step instructions.
1. Check Your Security Defaults
Before reading too far into this tip, be aware that using Security Defaults is only suggested if: you do NOT have Conditional Access policies enabled in your environment; you do not need fine-grained control over access and authentication policies; and/or your organization is relatively small. While Security Defaults provide a solid baseline of security features, few organizations can get by on the default settings alone. If Security Defaults may be helpful in your case, read on! If not, you can skip to #2.
In 2020, Microsoft released Security Defaults, which are its recommended baseline identity security settings. When enabled, these will be automatically enforced to better protect your organization against common identity-related attacks.
How to ensure Security Defaults are turned on:
From the Azure AD Portal, go to “Properties.”
Make sure that Security Defaults is set to “Yes.”
Just what will Security Defaults activate or enforce?
It will require all users to register for Azure MFA.
Administrators will have to perform MFA.
Legacy authentication protocols will be blocked.
Users will have to perform MFA when risky activity is detected.
Privileged activities will be protected, like access to the Azure portal.
Alongside Security Defaults, be sure that “Users can use the combined security information registration experience” is turned on.
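As an added example that is not part of the original presentation, the following Microsoft Graph PowerShell script reads the Security Defaults state and the Conditional Access policies of the same tenant, so you can confirm that one of the two mechanisms (not neither) is carrying the MFA and legacy-authentication controls. Cmdlet names are from the Microsoft Graph PowerShell SDK; the assumption is that Policy.Read.All is a sufficient scope for the signed-in admin.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph); Policy.Read.All is assumed
# to be enough to read both policy types.
Connect-MgGraph -Scopes "Policy.Read.All"

# Security Defaults is a single on/off policy object.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# Conditional Access policies can be 'enabled', 'disabled' or
# 'enabledForReportingButNotEnforced' (report-only).
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
$enforced   = @($caPolicies | Where-Object State -eq 'enabled')
$reportOnly = @($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')

[pscustomobject]@{
    SecurityDefaultsEnabled = [bool]$defaults.IsEnabled
    CaPoliciesEnforced      = $enforced.Count
    CaPoliciesReportOnly    = $reportOnly.Count
    CaPoliciesTotal         = $caPolicies.Count
} | Format-List

# Security Defaults must be off before Conditional Access policies can be
# enabled, so exactly one of the two should be governing the tenant.
if (-not $defaults.IsEnabled -and $enforced.Count -eq 0) {
    Write-Warning 'Neither Security Defaults nor an enforced Conditional Access policy is active: MFA registration and legacy-auth blocking are not enforced by either mechanism.'
}
elseif ($defaults.IsEnabled -and $caPolicies.Count -gt 0) {
    Write-Warning 'Security Defaults is on while Conditional Access policies exist; those policies cannot be enabled until Security Defaults is turned off, so decide which mechanism should govern the tenant.'
}
```

Run it before and after changing the toggle in “Properties”; the warning branch for “neither” is the state to avoid, since it means nothing is enforcing MFA.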
2. Block Legacy Protocols
Password-spray attacks that target legacy protocols can occur hundreds of times every hour. These protocols include SMTP, IMAP, POP, ActiveSync, Outlook Anywhere (RPC over HTTP), and older Office clients, such as 2010 and 2013.
First, you need to identify who is using legacy protocols in the environment.
Log into the Azure AD portal
Go to “Sign-Ins” > “Monitoring.”
Make sure you have the new experience turned on.
Click “Add Filter” > “Client App” > “Apply.”
You can then drill into the client apps and see a list of Legacy Authentication Clients (e.g., POP, SMTP, IMAP, and “Other Clients,” i.e., the old Office suite).
Here you should be able to review the successful and failed attempts and filter as you need.
Now that you have the information you need, you can build a Conditional Access (CA) policy to block access.
Navigate to “Security” > “Conditional Access” > “Classic Policies.”
Here you can create a new policy that blocks legacy protocols.
Make sure this targets all users (an exception may be your “break glass” account).
Go to “Conditions” > “Client Apps” > “Legacy Authentication Clients.”
Set access controls to “Block Access.”
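The two procedures above (find who still uses legacy authentication, then block it with a Conditional Access policy) can be scripted against Microsoft Graph. The script below is an added example and is not code from the presentation; it assumes the Microsoft Graph PowerShell SDK, an Azure AD P1/P2 tenant (sign-in logs and Conditional Access), and a placeholder object ID for your break-glass account. It creates the block policy in report-only mode so you can verify the impact in the sign-in logs before enforcing it.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph
# PowerShell SDK and Azure AD P1/P2 for sign-in log and Conditional Access access.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# --- Step 1: who is still authenticating with legacy clients? ---
# Modern-auth sign-ins report one of these two clientAppUsed values; anything
# else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients"
# for old Office builds, ...) is a legacy authentication client.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

# Look back 30 days (the retention window for P1/P2 sign-in logs).
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$legacyReport = $signIns |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            Attempts  = $_.Count
            # ErrorCode 0 means the sign-in succeeded; failures are often spray noise.
            Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        }
    } | Sort-Object Attempts -Descending

$legacyReport | Format-Table -AutoSize
$legacyReport | Export-Csv -NoTypeInformation -Path .\legacy-auth-usage.csv

# --- Step 2: Conditional Access policy that blocks legacy authentication ---
# Placeholder: object ID of the break-glass account that is excluded from every
# blocking policy so an admin can always get in.
$breakGlassObjectId = '<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>'

# clientAppTypes 'exchangeActiveSync' and 'other' are the Graph names for the
# portal's "Legacy authentication clients" condition.
$policy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing the report-only results
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassObjectId) }
        applications   = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode for at least one full sign-in log retention window, compare the CSV against the users who would be blocked, migrate or retire those clients, and only then flip the state to enabled. The exclusion for the break-glass account is deliberate; that account should have its own monitoring rather than being subject to the block.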
3. Set Restrictions on Guest Access
Ideally you would know up front how many guest accounts you have in your tenant. By default, the External Sharing Setting is “Allow guests to share items they don’t own,” meaning content can be shared with anyone, including anonymously, and guests can do this too. Guests can also invite other guests. Also, “Restrict access to the Azure AD Administration portal” is set to “No” by default. You can leverage the Identity Governance solution in Azure AD P2 to set restrictions on guest accounts with Access Packages and Access Reviews.
Use an Access Package to govern access:
In the Azure AD Portal, go to “Identity Governance” and select “Settings.”
Under “Manage the lifecycle of external users,” you can select what happens when an external user that was added to your directory through an Access Package request loses their last assignment.
This allows you to block external users from signing into the directory and remove an external user after a set number of days.
This only works if the guest account came into your directory through an Access Package.
Create an Access Review Policy:
From the Azure AD Portal, click “Identity Governance” > “Access Review.”
Create a new Access Review:
Select what to review by “Teams + Groups,” or by “Applications.”
Select a specific group, preferably “All Guests” (recommended that you set this group up if you don’t have it already)
Select a review scope: “Guest Users Only.”
Now adjust the settings to your preference. For example, you could set it up so that users review their own access. You can adjust the frequency, e.g., monthly or quarterly, and configure it so that if users don’t respond, they are blocked from signing in for 30 days and then removed from the tenant.
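Knowing “up front how many guest accounts you have” is the starting point of this tip, so here is an added example (not from the presentation) that inventories guests with Microsoft Graph PowerShell and flags the ones an Access Review would most likely remove: invitations never redeemed, and guests with no sign-in in the last 90 days. The 90-day threshold is an assumption to adjust to your policy; reading SignInActivity requires Azure AD P1/P2 and the AuditLog.Read.All scope.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph
# PowerShell SDK; SignInActivity needs Azure AD P1/P2 and AuditLog.Read.All.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$staleAfterDays = 90                                   # assumption: tune to your review cadence
$cutoff         = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# userType eq 'Guest' selects B2B guests; explicitly request SignInActivity,
# since Graph does not return it unless selected.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, ExternalUserState, SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        DisplayName  = $g.DisplayName
        Mail         = $g.Mail
        Created      = $g.CreatedDateTime
        # 'PendingAcceptance' means the invitation was never redeemed.
        InviteState  = $g.ExternalUserState
        LastSignIn   = $lastSignIn
        NeverSignedIn = (-not $lastSignIn)
        # Stale: never signed in and older than the cutoff, or last sign-in before the cutoff.
        Stale        = ((-not $lastSignIn) -and ($g.CreatedDateTime -lt $cutoff)) -or
                       ($lastSignIn -and ($lastSignIn -lt $cutoff))
    }
}

$summary = [pscustomobject]@{
    TotalGuests      = @($report).Count
    PendingInvites   = @($report | Where-Object InviteState -eq 'PendingAcceptance').Count
    StaleGuests      = @($report | Where-Object Stale).Count
}
$summary | Format-List

# Candidates to hand to the Access Review (or to remove manually after confirmation).
$report | Where-Object Stale | Sort-Object LastSignIn | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\guest-inventory.csv
```

If the stale list is large, that is the argument for the recurring Access Review described above rather than a one-off cleanup; guests that arrived through an Access Package will additionally age out automatically under the lifecycle settings.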
A final note on guest accounts: You can always self-manage your own guest account in other directories by visiting myaccount.microsoft.com to completely delete your guest account. Go to “Organizations” and click “Leave Organization” for your own guest accounts that you no longer use or want to delete for any other reason.
4. Manage Consent and Permissions for Enterprise Apps
Cyber criminals now use fake enterprise apps as another way to gain access to your data. Rather than phishing for credentials or guessing passwords, they only need to be convincing enough to get your consent. Thankfully, there is new functionality in the Azure Active Directory / Microsoft 365 environment for consent governance.
Go to “Enterprise Apps” > “Consent and Permissions.”
Here you can manage user consent from verified publishers and decide upon the allowable permissions.
Once an app comes from a verified publisher and you have configured the allowed permissions, users will only be able to consent to those permissions.
Next, check the user settings under “Admin consent requests (Preview).”
It is recommended that you change “Users can request admin consent to apps they are unable to consent to,” to “Yes.”
Click “Select users to review admin consent requests” and select the appropriate administrator who will be notified and make the decision to allow or reject consent. You must hold the Global Administrator, Application Administrator, or Cloud Application Administrator role to grant consent, and you must have that role at the time of the request, or you will not receive the request.
Note: If you ever see a “permissions requested” box with the option to consent on behalf of your organization, proceed with caution. You will only see the consent request box for the organization if you are a Global or an Enterprise App Administrator that can consent for everyone in the tenant.
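The portal settings in this tip only shape future consents; consents users granted before you tightened them remain in place. The following added example (not code from the presentation) reads the tenant's current consent posture with Microsoft Graph PowerShell and then lists existing user-granted delegated permissions that include high-impact scopes. The list of "sensitive" scopes is an assumption you should extend for your environment; the permission-grant policy IDs quoted in the comments are the built-in ones Azure AD assigns to the default user role.

```powershell
# Added example, not from the original post. Requires the Microsoft Graph
# PowerShell SDK and an admin who can read policies and directory objects.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All", "Application.Read.All"

# --- Current user-consent setting ---
# The authorization policy lists which built-in permission grant policies apply
# to ordinary users:
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy  -> users may consent to any app
#   ManagePermissionGrantsForSelf.microsoft-user-default-low     -> verified publishers, low-impact permissions only
#   (no entry)                                                   -> user consent disabled
$authz = Get-MgPolicyAuthorizationPolicy
"User consent policies in effect: " + (($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole) -join ', ')

# --- Admin consent request workflow ("Admin consent requests") ---
$consentReq = Get-MgPolicyAdminConsentRequestPolicy
[pscustomobject]@{
    RequestsEnabled = $consentReq.IsEnabled
    NotifyReviewers = $consentReq.NotifyReviewers
    Reviewers       = ($consentReq.Reviewers.Query -join ', ')
} | Format-List

# --- Existing delegated grants made by individual users ---
# Assumed list of scopes worth a second look; extend for your environment.
$sensitiveScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Contacts.Read',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All',
    'Directory.AccessAsUser.All', 'offline_access'
)

$spCache = @{}   # avoid one Graph call per grant for the same app
$findings = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |     # 'Principal' = consented by a single user
    ForEach-Object {
        $grant  = $_
        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId `
                -Property DisplayName, AppId, VerifiedPublisher
        }
        $sp     = $spCache[$grant.ClientId]
        $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
        $risky  = @($scopes | Where-Object { $_ -in $sensitiveScopes })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{
                App             = $sp.DisplayName
                AppId           = $sp.AppId
                VerifiedPublisher = $sp.VerifiedPublisher.DisplayName   # empty for unverified publishers
                ConsentedByUser = $grant.PrincipalId
                SensitiveScopes = ($risky -join ' ')
            }
        }
    }

$findings | Sort-Object VerifiedPublisher, App | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\user-consent-review.csv
```

Rows with an empty VerifiedPublisher and mail or file scopes are the ones to review with the consenting user; a fake enterprise app of the kind described above would show up exactly there.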
5. Must-have Azure Portal Settings
Make sure you have two settings in place:
Under “User Settings,” restrict access to the Azure AD Administration Portal by making sure that this is set to “Yes.”
Be mindful of the name of your tenant, as it will show up whenever there is a OneDrive sync integration. Make sure it is relevant.
Ready for more tips? Click here for part 2!
JourneyTEAM is an award-winning consulting firm with proven technology and measurable results.
As a Microsoft Gold Partner, we have extensive knowledge of each of Microsoft’s products including Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX, and can help you tailor the software to fit the exact needs of your organization. We have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more. JourneyTEAM specializes in the industries of Finance, Media & Communications, Capital Equipment, Manufacturing, Installation, and Service. Whether you’re looking for total project support or someone to help you along the way, JourneyTEAM will provide the exact level of support you need. Contact us today to get started. www.journeyteam.com
Some of Our Awards:
2019 and 2020 Microsoft US Partner of the Year for Business Central and Media & Communications
Microsoft awarded us the 2020 Crystal Eagle Award (Top 5 in the world) for Business Central
Okta Certified Professionals
VARS Stars 2019 and 2020 Winner
2020 Inc Magazine Best Places to Work