Hardening Azure Active Directory from Attacks and insider threats

There is a wealth of information that is stored in AAD. Email addresses, telephone numbers, group memberships, physical contact info, job titles. It even has pictures of employees. Just some thoughts and recommendations of limiting access:

  1. Restrict access to the Azure AD Administration portal.

To access AAD type Azure Active Directory in the search bar.

In the left pane click on user settings and ensure that the following setting is set to yes. This will prevent anyone with a non administrative role from accessing Azure AD.

2. Setup named locations and MFA Trusted IP’s. The document below describes how to do this in conditional access.

3. Restrict Access to Azure Portal Management through conditional access.

You can restrict access to allow or deny access based upon location. I highly suggest setting Microsoft Azure Management cloud apps to only be accessed inside your Corporate Network Premises. If you have done step 2 you can limit access to trusted IP’s.

Bonus: Deploy Hybrid Azure AD Join to your internally domain joined devices and add this as a conditional access requirement.

What served me well doing a AAD Join Deployment was doing a controlled validation first before turning it on for everyone.

4. Limit Administrative rights on workstations and restrict access to PowerShell.

You can deploy two separate app locker policies by file location and file hash. App Locker Policies can be found in:

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies

App Locker Documentation:

5. Protect your Azure AD Connect Server

Hopefully you have separation between Azure AD Connect and your domain controllers. To lower your attack surface on both your Domain Controller and Azure AD connect, AAD Connect should never be installed on a domain controller. It should be installed on a separate server from your DC.

Access to your Azure AD Connect server should be limited to domain admins only. Varonis has an excellent blog on why you should do so.

6. Deploy Privileged Identity Management if you are an Azure AD Premium 2 customer. Deploy to all groups with Administrative functions in azure.

What I like about this is least privileged. You can have global administrators with no global admin rights until they are requested through PIM. You can request GA rights for an hour and do the work that you need to. It’s coupled with MFA. At minimum every global administrator should be enrolled into PIM.

7. Deploy Azure MFA to all end users

8. Follow Microsoft Best Security practices for Active Directory.

9. Eliminate security threats by following recommendation guidance from Microsoft Secure Score. Microsoft Secure Score can be found at the following URL:

10. If you are a Microsoft Premier Customer do the Azure on Demand Assessment.

It's 2016 and all I found was Toilets running Telnet...using shodan