How to Secure Azure AD Against Cyber Threats. In 2022, Mandiant discovered UNC3944-related malicious behavior focused on Microsoft Azure. According to research conducted by Mandiant, the attacker used the Serial Console on Azure VMs in an attempt to install malicious remote management software.
This is just the latest addition to a long list of cyberthreats to Azure.
Fortunately, Microsoft has recognized the growing threats of cyberattacks and has ensured that Azure has built-in threat protection features via services such as Azure Active Directory (Azure AD), Microsoft Defender for Cloud, and Azure Monitor logs. This set of security services and capabilities makes it easy to monitor Azure deployments.
This article is a detailed guide to securing your Azure AD against cyberthreats. Before delving into the best practices, let’s have a quick overview of these services.
Azure Active Directory Identity Protection
Azure AD Identity Protection builds on the Azure AD Anomalous Activity Reports and adds further risk detection categories to detect anomalies in real time. It assists in securing your accounts and identities in the following ways:
- It helps with risk detection, risky account identification, and notification.
- Highlights weaknesses and provides customized recommendations to improve the overall security posture.
- Uses relevant and contextual information to investigate risk detections.
- Provides foundational workflows for tracking investigations.
- Reduces risky sign-ins by blocking them or mandating multi-factor authentication.
- Helps to block or secure risky user accounts.
Azure Monitor Logs
Azure Monitor Logs is a cloud-based IT management service from Microsoft that assists you in managing and protecting your on-premises and cloud infrastructure. It helps to secure your Azure AD by enhancing your overall security and compliance posture and by providing useful insights and analytics. For example, from the portal, you can:
- Use log searches to examine data.
- Utilize customizable dashboards for a graphical representation of your most valuable searches.
- View solutions for additional functionality and analysis tools.
Microsoft Defender for Cloud
Simply put, Microsoft Defender for Cloud uses threat intelligence to:
- Harness the power of machine learning to detect threats targeting your Azure deployments.
- Streamline brute force detection.
- Enable easy outbound DDoS and botnet detection.
- Provide Azure SQL Database Threat Detection.
Microsoft Defender for Cloud utilizes behavioural analytics to identify key patterns of:
- Suspicious process execution.
- Hidden malware and exploitation attempts.
- Lateral movement and internal reconnaissance.
- Malicious PowerShell scripts.
- Outgoing attacks.
Next, let’s look at best practices to secure Azure AD from cyber attacks.
Best Practices to secure Azure AD from Cyber Threats
Carry out Regular Monitoring
Activity on emergency access accounts
Keep an eye on the activity coming from “emergency access” (break-glass) accounts. This monitoring must include the following actions:
- Any management of credentials.
- Changes in group membership status.
- Application tasks.
- Performing a privileged function.
Also, review and configure Azure Active Directory Privileged Identity Management (PIM) security alerts. Additionally, monitor direct role assignments made outside of PIM by creating a notification whenever a user is assigned a role directly.
Tenant-wide settings in Azure Active Directory
Ensure that alerts are triggered if tenant-wide settings are modified. These modifications include, but are not limited to, the following changes:
- Custom domains that have been updated.
- Risk policy or Conditional Access changes.
- Application and service principal objects.
- Azure AD B2B modifications to permitted identity providers.
- New applications or service principals that may need Conditional Access.
- Added credentials for service principals.
- Activity involving application consent.
- Custom roles, including newly created custom roles and modifications to existing custom role definitions.
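The two monitoring requirements above (activity from emergency access accounts and direct role assignments outside PIM, and changes to tenant-wide settings) can be checked with the same detection logic over exported Azure AD audit records. The following is an added example with constructed sample records, not code from the original article. Field names follow the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources); the exact activity strings, the "MS-PIM" initiator name and all UPNs are assumptions for this illustration and should be confirmed against your own tenant's logs.

```python
"""Flag Azure AD audit-log events matching the monitoring guidance above.

Added example over constructed sample records; not code from the original
article. Field names follow the Microsoft Graph directoryAudit shape
(activityDisplayName, initiatedBy, targetResources). The exact activity
strings, the "MS-PIM" initiator name and all UPNs are assumptions.
"""
import json

# Assumption: the tenant's break-glass accounts, matched case-insensitively.
EMERGENCY_ACCOUNTS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

# Assumption: activity names that correspond to the tenant-wide settings the
# article says should raise an alarm when changed.
TENANT_WIDE_ACTIVITIES = {
    "Add unverified domain", "Verify domain", "Update domain",
    "Add conditional access policy", "Update conditional access policy",
    "Delete conditional access policy",
    "Add service principal", "Add service principal credentials",
    "Update service principal",
    "Consent to application",
    "Add role definition", "Update role definition", "Delete role definition",
    "Update policy",  # B2B / identity provider and authorization policy changes
}

# Assumption: role changes driven by PIM show the PIM service as the initiator.
PIM_APP_NAME = "MS-PIM"

# Constructed audit log in JSON Lines form, one directoryAudit record per line.
AUDIT_LOG_JSONL = "\n".join([
    json.dumps({"id": "evt-1", "activityDisplayName": "Add member to role",
                "initiatedBy": {"user": {"userPrincipalName": "admin.alice@contoso.example"}},
                "targetResources": [{"displayName": "Global Administrator"}]}),
    json.dumps({"id": "evt-2", "activityDisplayName": "Add member to role",
                "initiatedBy": {"app": {"displayName": "MS-PIM"}},
                "targetResources": [{"displayName": "Security Administrator"}]}),
    json.dumps({"id": "evt-3", "activityDisplayName": "Update conditional access policy",
                "initiatedBy": {"user": {"userPrincipalName": "BreakGlass1@contoso.example"}},
                "targetResources": [{"displayName": "Block legacy authentication"}]}),
    json.dumps({"id": "evt-4", "activityDisplayName": "Update user",
                "initiatedBy": {"user": {"userPrincipalName": "admin.alice@contoso.example"}},
                "targetResources": [{"displayName": "dave@contoso.example"}]}),
    json.dumps({"id": "evt-5", "activityDisplayName": "Add service principal credentials",
                "initiatedBy": {"app": {"displayName": "Deployment pipeline"}},
                "targetResources": [{"displayName": "billing-sync-app"}]}),
])


def load_events(jsonl):
    """Parse JSON Lines text into a list of audit records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def actor(event):
    """Return the UPN (user) or display name (app) that initiated the event."""
    who = event.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "")
    if who.get("app"):
        return who["app"].get("displayName", "")
    return ""


def classify(event):
    """Return the alert labels an event triggers; an empty list means no alert."""
    alerts = []
    who = actor(event)
    activity = event.get("activityDisplayName", "")
    if who.lower() in EMERGENCY_ACCOUNTS:
        alerts.append("emergency-account-activity")
    # A direct "Add member to role" not initiated by PIM is a standing
    # assignment made outside the just-in-time process.
    if activity == "Add member to role" and who != PIM_APP_NAME:
        alerts.append("direct-role-assignment-outside-pim")
    if activity in TENANT_WIDE_ACTIVITIES:
        alerts.append("tenant-wide-setting-change")
    return alerts


def triage(events):
    """Return (event id, actor, first target, alerts) for every alerting event."""
    rows = []
    for e in events:
        alerts = classify(e)
        if alerts:
            target = (e.get("targetResources") or [{}])[0].get("displayName", "")
            rows.append((e["id"], actor(e), target, alerts))
    return rows


if __name__ == "__main__":
    for row in triage(load_events(AUDIT_LOG_JSONL)):
        print(row)
```

In the constructed sample, the PIM-initiated assignment (evt-2) produces no alert, while the direct assignment by a human admin (evt-1), the break-glass account touching a Conditional Access policy (evt-3) and the new service principal credential (evt-5) each surface with their labels. In a real deployment the same predicates map directly onto a scheduled SIEM query over the AuditLogs table.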
User and Entity Behaviour Analytics (UEBA) Alerts
Monitor Azure AD risk events for suspicious activity and use UEBA to gain insight into anomaly detection. Cloud-based UEBA is available through Microsoft Defender for Cloud Applications.
Additionally, integrate on-premises UEBA from Azure Advanced Threat Protection (ATP); Microsoft Defender for Cloud Applications also reads the signals produced by Azure AD Identity Protection.
Isolate Privileged Identities
Users with privileged roles, such as admins, provide the foundation of trust for building and managing the rest of the environment in Azure AD. Therefore, the following procedures need to be implemented to lessen the impact of a compromise.
- For privileged roles in Azure AD, use accounts that exist solely in the cloud.
- Use privileged access devices to administer Azure Active Directory.
- Configure Azure AD Privileged Identity Management (PIM) to provide just-in-time access to all privileged human accounts.
- Make sure that activating a role requires strong authentication.
- Provide users the admin roles they need with the bare minimum of access rights to get their tasks done.
- Consider utilizing Azure AD security groups or Microsoft 365 Groups to facilitate a rich role assignment experience that includes delegation and multiple roles concurrently.
- Enable role-based access control as well, and restrict the scope of roles to a portion of the organization using administrative units.
- Implement emergency access accounts. Avoid storing credentials in on-premises password repositories.
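Two of the points above lend themselves to a routine check: privileged roles should be held only by cloud-only accounts, and human privileged access should be just-in-time through PIM, with only the emergency access accounts keeping standing assignments. The following is an added example over a constructed role assignment export, not code from the original article. The record shape (role, upn, onPremisesSyncEnabled, permanent) is a simplified stand-in for what Microsoft Graph returns for role assignments and users, and the role names treated as privileged and the UPNs are assumptions.

```python
"""Audit privileged role holders against the isolation guidance above.

Added example over a constructed export; not code from the original article.
The record shape (role, upn, onPremisesSyncEnabled, permanent) is a
simplified stand-in for Microsoft Graph role assignment and user data and is
an assumption, as are the role names treated as privileged and the UPNs.
"""
from collections import defaultdict

# Assumption: roles treated as privileged for this check.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Conditional Access Administrator",
    "Exchange Administrator",
}

# Assumption: break-glass accounts need standing access and are exempt from
# the PIM check, but must still be cloud-only.
EMERGENCY_ACCOUNTS = {"breakglass1@contoso.example"}

# Constructed role assignment export. "permanent" True means a standing
# (non-PIM, non-expiring) active assignment.
ASSIGNMENTS = [
    {"role": "Global Administrator", "upn": "admin.alice@contoso.example",
     "onPremisesSyncEnabled": True, "permanent": True},
    {"role": "Global Administrator", "upn": "breakglass1@contoso.example",
     "onPremisesSyncEnabled": False, "permanent": True},
    {"role": "Security Administrator", "upn": "admin.bob@contoso.example",
     "onPremisesSyncEnabled": False, "permanent": False},
    {"role": "Conditional Access Administrator", "upn": "admin.bob@contoso.example",
     "onPremisesSyncEnabled": False, "permanent": True},
    {"role": "Helpdesk Administrator", "upn": "carol@contoso.example",
     "onPremisesSyncEnabled": True, "permanent": True},
]


def findings_for(assignment):
    """Return the issues a single privileged assignment violates (empty if none)."""
    if assignment["role"] not in PRIVILEGED_ROLES:
        return []
    issues = []
    upn = assignment["upn"].lower()
    # Privileged roles should be held by cloud-only accounts so an on-premises
    # compromise cannot pivot into Azure AD through a synced identity.
    if assignment["onPremisesSyncEnabled"]:
        issues.append("synced-from-on-premises")
    # Human privileged access should be just-in-time via PIM; only the
    # emergency accounts keep standing assignments.
    if assignment["permanent"] and upn not in EMERGENCY_ACCOUNTS:
        issues.append("standing-assignment-outside-pim")
    return issues


def audit(assignments):
    """Map each identity (lower-cased UPN) to its sorted, de-duplicated findings."""
    report = defaultdict(set)
    for a in assignments:
        for issue in findings_for(a):
            report[a["upn"].lower()].add(issue)
    return {upn: sorted(issues) for upn, issues in report.items()}


def standing_privileged_holders(assignments):
    """Identities with standing privileged access, break-glass accounts included."""
    return sorted({a["upn"].lower() for a in assignments
                   if a["role"] in PRIVILEGED_ROLES and a["permanent"]})


if __name__ == "__main__":
    for upn, issues in audit(ASSIGNMENTS).items():
        print(upn, issues)
    print("standing privileged access:", standing_privileged_holders(ASSIGNMENTS))
```

The non-privileged Helpdesk Administrator record is deliberately ignored even though it is synced and permanent, which keeps the report focused on the roles that would let an on-premises attacker take over the tenant; the list of standing holders is reported separately so the break-glass accounts stay visible without being flagged.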
Deploy Authentication Methods
Credentials are the most common attack vector. To make credentials more secure, implement the following practices:
Implement Passwordless Authentication
Use passwordless credentials to minimize the need for passwords. These credentials are managed and verified natively in the cloud.
Choose from the following authentication methods: FIDO2 security keys, Windows Hello for Business, or the Microsoft Authenticator app.
Implement Multi-Factor Authentication
Azure Active Directory’s multi-factor authentication feature lets you issue additional, stronger credentials.
In this manner, in addition to an on-premises password, users need an Azure AD managed credential in order to gain access to cloud services.
Set up Cloud-based User Access
Provisioning is the process of making new users and groups accessible in software or identity providers. I recommend setting up the following provisioning methods:
Azure AD provisioning from cloud HR applications. This allows for the isolation of an on-premises compromise. This separation ensures that your joiner-mover-leaver cycle from cloud HR apps to Azure AD remains uninterrupted.
For cloud applications. Instead of using an on-premises solution, you should use Azure Active Directory’s app provisioning features whenever possible. Using this strategy, you safeguard certain SaaS applications from on-premises attacks.
For external identities. Use Azure AD B2B to collaborate externally with partners, customers, and suppliers while reducing reliance on on-premises accounts.
Restrict B2B guest accounts in the following ways:
- Restrict guests from searching through lists of members and other directory properties. Set appropriate permissions in the external collaboration settings.
- Restrict Azure portal access.
- Make sure all guests and external users are covered by a Conditional Access policy, and implement a policy to restrict their access.
For disconnected forests. Use Azure AD cloud provisioning. With this approach, you won’t have to set up cross-forest connections or trusts, both of which might increase the scope of damage from an attack on your own premises.
Utilize Cloud-based Groups
Cloud groups enable you to separate collaboration and access from on-premises infrastructure.
Grant access to Azure AD apps with Azure AD security groups.
Deploy group-based licensing to manage licensing for Azure AD resources. This approach isolates group membership management from on-premises infrastructure, thereby preventing attacks that may emanate from there.
To prevent membership takeover in an on-premises breach, owners of access groups should be privileged identities. A takeover would involve direct manipulation of group membership on-premises, or manipulation of on-premises attributes that feed dynamic Azure AD group membership.
Configure appropriate Conditional Access Policies
Use Azure AD Conditional Access to analyse signals and to make authentication decisions. When possible, disable support for legacy authentication methods using Conditional Access. Moreover, turn off legacy authentication methods with an application-level option.
Also make sure to apply the recommended settings for user identities and access devices. Finally, use the Azure AD security defaults if your Azure Active Directory licence does not include Conditional Access.
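The legacy authentication advice above is easy to get subtly wrong: a policy that is still in report-only mode, or one that only covers one of the two legacy client types, looks like coverage but enforces nothing, or only part of what is needed. The following is an added example that checks constructed Conditional Access policy objects for the gaps that matter; it is not code from the original article. The objects follow the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls), and the policy names are constructed.

```python
"""Check Conditional Access policies for a complete legacy-authentication block.

Added example over constructed policy objects; not code from the original
article. The objects follow the Microsoft Graph conditionalAccessPolicy shape
(state, conditions.users, conditions.applications, conditions.clientAppTypes,
grantControls.builtInControls); the policy names are constructed.
"""

# Weak: correct scope and control, but report-only, so nothing is enforced.
WEAK_LEGACY_AUTH_POLICY = {
    "displayName": "Block legacy authentication (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Weak: enforced, but only covers the "other" legacy client type, so
# Exchange ActiveSync basic authentication is still allowed through.
PARTIAL_LEGACY_AUTH_POLICY = {
    "displayName": "Block legacy authentication (partial)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Corrected: enabled, all users, all cloud apps, both legacy client types, block.
HARDENED_LEGACY_AUTH_POLICY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Both client app types must be targeted for legacy protocols to be covered.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def legacy_auth_gaps(policy):
    """Return the reasons a policy fails to fully block legacy authentication."""
    gaps = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        gaps.append("state is not 'enabled' (report-only or disabled policies enforce nothing)")
    if "All" not in (cond.get("users") or {}).get("includeUsers", []):
        gaps.append("users scope does not include 'All'")
    if "All" not in (cond.get("applications") or {}).get("includeApplications", []):
        gaps.append("applications scope does not include 'All'")
    missing = LEGACY_CLIENT_TYPES - set(cond.get("clientAppTypes") or [])
    if missing:
        gaps.append("clientAppTypes missing: " + ", ".join(sorted(missing)))
    if "block" not in grant.get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    return gaps


def legacy_auth_blocked(policies):
    """True if at least one policy in the tenant fully blocks legacy authentication."""
    return any(not legacy_auth_gaps(p) for p in policies)


if __name__ == "__main__":
    for p in (WEAK_LEGACY_AUTH_POLICY, PARTIAL_LEGACY_AUTH_POLICY, HARDENED_LEGACY_AUTH_POLICY):
        print(p["displayName"], "->", legacy_auth_gaps(p) or "OK")
```

The check treats report-only as a gap deliberately: report-only mode is the right way to stage a policy, but the article's recommendation is only met once the block is enforced. Excluded users are not flagged, since tenants commonly exclude their emergency access accounts from every Conditional Access policy.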
Implement proper Log Management Procedures
Define a strategy, design, and implementation for log storage and retention. For instance, use a SIEM such as Microsoft Sentinel, together with standard queries, investigation playbooks, and forensics playbooks.
Logs from Azure AD: Follow industry standards for diagnostics, log retention, and SIEM intake when ingesting generated logs and signals.
Include the following Azure Active Directory logs in your logging strategy:
- Sign-in activity. The sign-in activity log and audit logs are made available by Azure AD and integrated with Azure Monitor.
- Operating system logs from a hybrid environment, which should be retained and monitored like tier-0 systems.
- Risk events. Use the Microsoft Graph API to analyse risk events, and send logs from Azure Active Directory directly to Azure Monitor.
Thank you for reading How to Secure Azure AD Against Cyber Threats. We shall now conclude.
How to Secure Azure AD Against Cyber Threats Conclusion
Finally, Azure Active Directory is a crucial identity system used for user authentication and authorisation across a wide range of domain resources. It is fundamental to the concept of “zero trust” in the workplace.
Improving the security posture to make it more difficult than average has been shown time and time again to be effective in prompting less-skilled attackers to move on to an easier target. Therefore, a secure Azure is increasingly your best bet against compromises in today’s ever-evolving threat landscape.
And this security comes as a result of the diligent and religious application of best practices to make sure that your guard is always up against even the most tenacious security threats.