Top Microsoft Azure AD Security Best Practices (After Deploying MFA in your Dynamics 365 Tenant)

The Microsoft Azure AD Portal can best be thought of as the cloud nerve center for all the identity and access management of your organization. Multi-Factor Authentication (MFA) has become common practice, and you’ve probably already deployed it in your tenant. In addition to using MFA to protect your systems and employees against remote attacks, there are other best practices for Microsoft Dynamics 365, Windows Azure and Microsoft Cloud Services that can tighten up your cloud security and reduce the risk of a breach. 

Eric Raff, Cloud Practice Director at JourneyTEAM, in a presentation hosted by buckleyPLANET to the Utah SharePoint User Group (UTSPUG) and Microsoft User Group (MUGUT), shared the top 10 security tips and considerations after you’ve rolled out MFA in your Microsoft Dynamics 365 tenant. Raff is a 25+ year expert in Identity and Access Management in Microsoft 365 and Windows Azure. 

IT guys

This is a two-part blog. Here we share the first five of Raff’s top 10 security tips after MFA 

  1. Check Your Security Defaults

Let’s just put this out in the open: As good of a baseline as they provide, the Microsoft Security Defaults aren’t the best solution for everyone.  

Security Defaults are only suggested if:  

  • You do not have Conditional Access policies enabled in your environment, and/or you do not need fine-grained control over access and authentication policies. 
  • Your organization is relatively small.  

If the above applies to you, read on! If not, you can skip to #2.  

In 2020, Microsoft released Security Defaults, which are their basic identify security mechanisms recommendations. When enabled, these defaults are automatically enforced to better protect your organization against common identity related attacks.  

Top 10 welcome

First, what Security Defaults activate or enforce: 

  • Requires all users register for Azure MFA.  
  • Administrators will have to perform MFA. 
  • Legacy authentication protocols will be blocked. 
  • Users will have to perform MFA when risky activity is detected. 
  • Privileged activities will be protected, like access to the Azure portal.  

To ensure defaults are turned on: 

  • From the Azure AD Portal (portal.azure.com) go to Properties. 
  • Make sure that Security Defaults is set to “Yes. 
  • “Users can use the combined security information registration experience” should be turned on.  

If you’re considering using Security Defaults, it would still be wise to confirm with an expert if it is right for your organization. 

  1. Block Legacy Protocols 

Spray attacks hit frequently and target legacy protocols including SMTP, IMAP, POP, Active Sync, Outlook Anywhere (RPC over HTTP), and older Office clients, such as 2010 and 2013. 

Here’s how to identify who is using legacy protocols in the environment: 

  • From the Azure AD portal, go to “Sign-Ins” > “Monitoring” (The new experience should be turned on). 
  • Click “Add Filter” > “Client App” > “Apply. 
  • Review the client apps and see a list of Legacy Authentication as well as successful and failed attempts. 

A Conditional Access (CA) policy can block access.  

  • Go to “Security” > “Conditional Access” > “Classic Policies. Here you can create a new policy that blocks legacy protocols. Make sure this targets all users (an exception may be your break glass account). 
  • Go to “Conditions” > “Client Apps” > “Legacy Authentical Clients. 
  • Set access controls to “Block Access. 

  1. Set Restrictions on Guest Access

The External Sharing Setting is by default to “Allow guests to share items they don’t own,” meaning content can be shared anonymously. However, “Restrict access to the Azure AD Administration portal” is set to “no” by default. 

You can leverage the Identity Governance solution in Azure AD P2 to set restrictions on guest accounts with Access Packages and Access Reviews as described below. 

Govern Access with an Access Package: 

  • In the Azure AD Portal, go to “Identity Governance” and select “Settings. 
  • Under “Manage the lifecycle of external users, you can select what happens when an external user that was added to your directory through an Access Package request loses their last assignment. 
  • This allows you to block external users from signing into the directory and remove an external user after a set number of days (this only works if the guest account came into your directory through an Access Package). 

Create an Access Review Policy: 

  • From the Azure AD Portal, go to “Identity Governance” > “Access Review. 
  • Create a new Access Review: Select what to review by Teams + Groups, or by Applications.” 
  • Select a specific group, preferably “All Guests” (recommended group if you don’t have already) 
  • Select a review scope: “Guest Users Only. 
  • Adjust the settings to your preference. Worthwhile settings may be to set it up so users review their own access, or, if the guest user doesn’t respond to a request, they will be blocked for 30 days, then removed from the tenant.  

A final note on guest accounts: At myaccount.microsoft.com you can manage your own guest accounts. Go to “Organizations” and “Leave Organizationto delete accounts you no longer need 

  1. Manage Consent and Permissions for Enterprise Apps

Cyber criminals don’t just phish for credentials or guess passwords anymore. They use fake enterprise apps as another way to gain access to your data by trying to convince you to give consent. There is new functionality in the Azure Active Directory Microsoft 365 environment for consent governance.  

  • Go to “Enterprise Apps” > “Consent and Permissions. 
  • Here you can manage user consent from verified publishers including the allowable permissions. Once an app is a verified publisher, users will only be able to consent to the actions you’ve permitted. 
  • Next, check the user settings under “Admin consent requests (Preview).” 
  • Change “Users can request admin consent to apps they are unable to consent to,” to “Yes.” 
  • Click “Select users to review admin consent requests” and select the appropriate Admin (must be Global, Application or Cloud Application Admin) who will be notified to decide whether to allow or reject consent.  

NOTE: If you as a Global or an Enterprise App Administrator ever see a “permissions requested” box with the option to consent on behalf of your organization, proceed with caution. You will be consenting for everyone in the tenant and should be sure about this decision.  

  1. Must-have Azure Portal Settings

Be aware of these two Azure Settings:  

  • Under User Settings, restrict access to the Azure AD Administration Portal by setting this to “Yes.” 
  • The name of your tenant will show up whenever there is a OneDrive sync integration. Make sure it is relevant. 

Click here to read the full article.

 

Ready for more tips? Click here to continue and read up on tips 6 – 10!  

 

 

NEXT STEPS:

  1. Join a free consultation and ask all the questions you wish.
  2. Plan your Deep Dive meeting – Get your organization’s Customized Solutions presentation.

Jenn_Alba_JourneyTEAMArticle by:Jenn Alba - Marketing Manager - 801.938.7816

JourneyTEAM is an award-winning consulting firm with proven technology and measurable results. They take Microsoft products; Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX, and modify them to work for you. The team has expert level, Microsoft Gold certified consultants that dive deep into the dynamics of your organization and solve complex issues. They have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more. www.journeyteam.com

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Show Buttons
Hide Buttons
72