In this series of blogs, we are reviewing the best practices in hardening your Microsoft 365 tenant against malicious attacks. Many attacks can be block by making zero-costs changes to your tenant. A compromised identity credential, even one with low-level privileges, is all hackers need to gain entry into an organization to begin moving laterally, undetected, to gain access to mission-critical systems and data. Azure AD Identity Protection uses heuristics and adaptive machine learning to detect anomalous behavior and suspicious incidents that indicate potentially compromised identities.
Microsoft recommends four requirements for implementing strong identity for a Zero Trust security model:
- Multi-factor Authentication (MFA) – Read more
- Policy-based access – Read more
- Identity Protection
- Secure access to SaaS and on-premises apps
To Start, let’s review Zero Trust Model.
What is Zero Trust?
Instead of believing everything inside the organization’s firewall is safe, the Zero Trust model assumes breach and a “never trust, always verify” access approach. Every request, regardless of whether it originated internally or externally, is strongly authenticated, authorized, and inspected for anomalies.
There are countless cases of documented data breaches in which a payload was delivered through a compromised user login and then used to sniff out other username/password combinations, over the course of months or even years, to eventually gain administrator privileges and access to critical systems and data.
To implement strong identity, organizations need a way to rapidly detect compromised identities and proactively prevent them from being misused. Azure AD Identity Protection uses heuristics and adaptive machine learning to detect anomalous behavior and suspicious incidents that indicate potentially compromised identities. It generates alerts and reports that enable administrators to evaluate detected issues and take the appropriate action to remediate or mitigate the issue.
How to Implement Strong Identity?
Administrators can configure risk-based policies within Azure AD to automatically respond to detected risks. Policies can be configured to automatically block access when a specified risk threshold has been reached or to require MFA, a password reset, or other adaptive remediation actions. Administrators also can set policies for responding to suspicious user activity or risky sign-ins such as those from an anonymous IP address or unfamiliar location.
Azure AD can proactively detect vulnerabilities that impact user identities, such as users without MFA registration, unmanaged cloud apps, users with unnecessary privileged access, and weak authentication for role activation. Identity Protection also enables timely investigations of detected risks through alerts and notifications and by providing administrators with contextual information on detected risks.
The dashboard provides access to settings for configuring security policies and MFA registration.
Azure AD supports three directory roles for managing an Identity Protection implementation:
- A Global Administrator role with full access to Identity Protection and rights to onboard Identity Protection
- A Security Administrator role with full access to Identity Protection but no rights to onboard Identity Protection or to reset user passwords
- A Directory Reader role with read-only access and no ability to onboard Identity Protection, configure policies, or reset passwords
Read more from Microsoft about Identity Protection.
In part four, we will discuss securing access to SaaS and on-premises apps.