There is a wealth of information stored in Azure AD (AAD): email addresses, telephone numbers, group memberships, physical contact details, job titles, even photographs of employees. By default any member user of the tenant can read most of it. Here are some thoughts and recommendations on limiting that access:
1. Restrict access to the Azure AD administration portal.
To get to AAD, type Azure Active Directory in the Azure portal search bar.
In the left pane click User settings and set Restrict access to Azure AD administration portal to Yes. This prevents anyone without an administrative role from browsing the directory in the portal. Note that it only affects the portal UI: a non-admin user can still read the same directory data through PowerShell or Microsoft Graph, which is why the conditional access and MFA steps further down matter as well.
2. Set up named locations and MFA trusted IPs. The document below describes how to do this with conditional access.
Location condition in Azure Active Directory Conditional Access
With Azure Active Directory (Azure AD) Conditional Access, you can control how authorized users can access your cloud…
3. Restrict access to Azure portal management through conditional access.
You can allow or block access based on location. I strongly suggest allowing the Microsoft Azure Management cloud app only from inside your corporate network. If you have done step 2 you can scope this to your trusted IPs or named locations. Whatever you do, exclude at least one break-glass (emergency access) account from the policy and run it in report-only mode first, or you risk locking yourself out of the portal.
Bonus: Deploy Hybrid Azure AD join to your on-premises domain-joined devices and add it as a conditional access requirement (Require Hybrid Azure AD joined device).
How to plan your Azure Active Directory join implementation
Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory…
What served me well doing an AAD join deployment was doing a controlled validation first, before turning it on for everyone.
Controlled validation of hybrid Azure AD join - Azure AD
When all of the pre-requisites are in place, Windows devices will automatically register as devices in your Azure AD…
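Steps 2 and 3 and the bonus step above can be done together from the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original post: it creates a trusted named location for the corporate egress range, a policy that blocks the Microsoft Azure Management app from everywhere else, and a policy that requires MFA plus a Hybrid Azure AD joined device from inside. The CIDR, the break-glass account and the policy names are assumptions; the app ID is the well-known ID of the Windows Azure Service Management API, which the conditional access UI lists as "Microsoft Azure Management". Both policies start in report-only mode.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph SDK installed,
# $corpCidr is your corporate egress range, $breakGlassUpn is an existing emergency-access account.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.Read.All'

$corpCidr       = '203.0.113.0/24'                         # assumption: corporate egress range (documentation prefix)
$breakGlassUpn  = 'breakglass@contoso.com'                  # assumption: emergency-access account, always excluded
$azureMgmtAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'    # Windows Azure Service Management API ("Microsoft Azure Management" in the CA UI)

# Step 2: a trusted named location. isTrusted = $true is the conditional access equivalent of the
# legacy per-user MFA "trusted IPs" list and satisfies the "All trusted locations" condition.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $corpCidr })
}

$breakGlass = Get-MgUser -UserId $breakGlassUpn

# Step 3: block Azure management from anywhere that is not the corporate network.
$blockOutside = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Azure management outside corporate network'
    state         = 'enabledForReportingButNotEnforced'   # report-only; set to 'enabled' after reviewing sign-in logs
    conditions    = @{
        applications = @{ includeApplications = @($azureMgmtAppId) }
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Bonus: from inside the corporate network, require MFA and a Hybrid Azure AD joined device.
$requireInside = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Azure management: require MFA and hybrid joined device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications = @{ includeApplications = @($azureMgmtAppId) }
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'domainJoinedDevice') }
}

# Check: both policies are scoped to the app and exclude the break-glass account.
foreach ($p in $blockOutside, $requireInside) {
    $excluded = $p.Conditions.Users.ExcludeUsers -contains $breakGlass.Id
    '{0}: state={1} app={2} breakGlassExcluded={3}' -f $p.DisplayName, $p.State, ($p.Conditions.Applications.IncludeApplications -join ','), $excluded
}
```

Leave the policies in report-only mode until the sign-in logs show the expected outcome for admins, service accounts and the break-glass account; a block policy on the management app with no exclusion is the classic way to lock an entire tenant out of the portal.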
4. Limit administrative rights on workstations and restrict access to PowerShell.
You can deploy two separate AppLocker rule sets, one by file path and one by file hash, so that a copied or renamed powershell.exe is still caught by the hash rule. AppLocker policies are found in Group Policy under:
Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
Start in audit-only mode and keep the default rules in place: an Exe rule collection in enforce mode with only deny rules and no allow rules blocks everything.
App Locker Documentation:
AppLocker (Windows 10) - Windows security
Windows 10 Windows Server This topic provides a description of AppLocker and can help you decide if your organization…
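The two rule sets described in step 4 can be generated and tested with the AppLocker cmdlets before they go anywhere near a GPO. This is an added example, not code from the original post. It assumes it is run elevated on a domain-joined reference machine, that 'CORP\Workstation Standard Users' is a group holding the non-admin workstation users (any group that excludes your admin accounts will do), and that the default AppLocker Exe rules are already deployed.

```powershell
# Added example (not from the original post): deny the Windows PowerShell hosts to a standard-user
# group by file path and by file hash, dry-run both rule sets, then merge them into the local policy.
$deniedGroup = 'CORP\Workstation Standard Users'   # assumption: group that excludes your admin accounts
$outDir      = Join-Path $env:TEMP 'AppLocker'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 64-bit and 32-bit hosts, the ISE, and PowerShell 7 if present. Blocking only the 64-bit
# powershell.exe leaves the SysWOW64 copy wide open.
$hosts = @(
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"
) | Where-Object { Test-Path $_ }

$fileInfo = Get-AppLockerFileInformation -Path $hosts

foreach ($ruleType in 'Path', 'Hash') {
    # New-AppLockerPolicy only emits Allow rules, so flip the action to Deny in the XML.
    # Deny rules always win over Allow rules, including the default "everything in %WINDIR%" rule.
    $xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType $ruleType `
               -User $deniedGroup -RuleNamePrefix "DenyPowerShell-$ruleType" -Xml
    $xml = $xml -replace 'Action="Allow"', 'Action="Deny"'

    $file = Join-Path $outDir "DenyPowerShell-$ruleType.xml"
    Set-Content -Path $file -Value $xml -Encoding UTF8

    # Dry run before importing: every host should come back Denied for the target group.
    Test-AppLockerPolicy -XmlPolicy $file -Path $hosts -User $deniedGroup |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Merge into the local policy. For domain-wide deployment pass -Ldap 'LDAP://<GPO DN>' instead,
# and keep the Exe collection in AuditOnly until the AppLocker event log shows only expected blocks.
Get-ChildItem -Path $outDir -Filter 'DenyPowerShell-*.xml' |
    ForEach-Object { Set-AppLockerPolicy -XmlPolicy $_.FullName -Merge }
```

Denying the host executables does not stop code that loads System.Management.Automation.dll into its own process; the complementary control is to enforce the AppLocker Script rule collection as well, which drops PowerShell into Constrained Language Mode for users the rules do not allow.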
5. Protect your Azure AD Connect server
Hopefully you have separation between Azure AD Connect and your domain controllers. To reduce the attack surface of both, Azure AD Connect should never be installed on a domain controller; install it on its own dedicated server. Treat that server as Tier 0: the AD DS connector account it uses can replicate password hashes from your domain (password hash sync), and with pass-through authentication an attacker on the box can capture, or silently accept, any user's password as it is validated. Compromising it is equivalent to compromising a domain controller.
Access to the Azure AD Connect server should be limited to domain admins only. Varonis has an excellent blog on why you should do so.
Azure Skeleton Key: Exploiting Pass-Through Auth to Steal Credentials
EDIT: Security researcher Adam Chester had previously written about Azure AD Connect for Red Teamers, talking about…
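A quick audit for step 5, added here and not part of the original post: it confirms the Azure AD Connect box is not a domain controller and lists everyone who can administer it or the sync engine. It assumes it is run elevated on the Azure AD Connect server and that the allowed-admin groups below are replaced with your own.

```powershell
# Added example (not from the original post): Tier 0 sanity checks for an Azure AD Connect server.
$allowedAdmins = @('CORP\Domain Admins', 'CORP\AADConnect Admins')   # assumption: groups permitted to administer this server

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -in 4, 5) {
    Write-Warning 'Azure AD Connect is running on a domain controller. Move it to a dedicated server.'
}

# Local Administrators and the ADSyncAdmins group (its members can reconfigure sync and read the
# connector credentials) both amount to Tier 0 access on this host.
$unexpected = 'Administrators', 'ADSyncAdmins' | ForEach-Object {
    $group = $_
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group   = $group
            Member  = $_.Name
            Type    = $_.ObjectClass
            Source  = $_.PrincipalSource
            Allowed = ($_.Name -in $allowedAdmins)
        }
    }
} | Where-Object { -not $_.Allowed }

if ($unexpected) {
    Write-Warning 'Principals with admin access that are not on the allowed list:'
    $unexpected | Format-Table -AutoSize
} else {
    'Only the allowed groups hold admin access on this server.'
}
```

Anything that shows up as unexpected (a helpdesk group, a service account, a stale local user) is a path to the connector credentials and therefore to the domain.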
6. Deploy Privileged Identity Management if you are an Azure AD Premium P2 customer. Deploy it to every role with administrative functions in Azure AD and Azure.
What is Privileged Identity Management? - Azure AD
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage…
What I like about this is the least privilege it gives you. Global administrators hold no global admin rights until they request them through PIM. You can request GA rights for an hour, do the work you need to, and the assignment expires on its own; activation is coupled with MFA. At minimum every global administrator should be made eligible through PIM rather than permanently assigned.
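To check the "every global administrator is enrolled in PIM" rule and to see what the one-hour activation looks like from the command line, here is an added example built on the Microsoft Graph PowerShell SDK; it is not code from the original post. The role template ID is the fixed ID of the Global Administrator role; the justification text is an assumption.

```powershell
# Added example (not from the original post): find Global Administrators that bypass PIM
# (standing active assignments instead of eligible ones), then self-activate the role for one hour.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'RoleEligibilitySchedule.Read.Directory', 'RoleAssignmentSchedule.Read.Directory', 'User.Read'

$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'   # template ID of the Global Administrator role (same in every tenant)

# Active assignment instances with AssignmentType 'Assigned' are standing assignments (permanent when
# EndDateTime is empty). 'Activated' instances came through a PIM activation and expire on their own.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$gaRoleId'" -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' }

$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$gaRoleId'" -All

"Global Administrator: $(@($standing).Count) standing, $(@($eligible).Count) eligible"
$standing | ForEach-Object {
    [pscustomobject]@{
        PrincipalId = $_.PrincipalId
        Permanent   = (-not $_.EndDateTime)    # $true means this admin never has to activate
        Scope       = $_.DirectoryScopeId
    }
} | Format-Table -AutoSize

# Activation: what an eligible admin runs to hold GA for one hour. The request is rejected unless
# the role settings are satisfied (MFA on activation, justification, approval if configured).
$me = Get-MgUser -UserId (Get-MgContext).Account
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    principalId      = $me.Id
    roleDefinitionId = $gaRoleId
    directoryScopeId = '/'
    justification    = 'Ticket 1234: tenant configuration change'   # assumption: your change reference
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
    }
}
"Activation request $($request.Id): $($request.Status)"
```

Every principal in the standing list with Permanent set to true is a global admin that PIM is not protecting; convert those to eligible assignments and keep only the break-glass accounts as permanent members, excluded from conditional access and monitored separately.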
7. Deploy Azure MFA to all end users
Deployment considerations for Azure Multi-Factor Authentication
People are connecting to organizational resources in increasingly complicated scenarios. People connect from…
8. Follow Microsoft Best Security practices for Active Directory.
Best Practices for Securing Active Directory
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 This document provides a practitioner's…
9. Reduce your exposure by following the recommendations in Microsoft Secure Score. Microsoft Secure Score can be found at the following URL:
10. If you are a Microsoft Premier Customer do the Azure on Demand Assessment.