Hardening Azure Active Directory from Attacks and Insider Threats

rootsecdev
4 min read · May 24, 2020

There is a wealth of information stored in Azure AD (AAD): email addresses, telephone numbers, group memberships, physical contact info, job titles, even employee photos. By default every authenticated user in the tenant can read most of that directory data, which makes it a ready-made reconnaissance source for an attacker with one compromised account or for a curious insider. Here are some thoughts and recommendations for limiting access:

1. Restrict access to the Azure AD administration portal.

In the Azure portal, type Azure Active Directory in the search bar to open the service.

In the left pane click User settings and make sure "Restrict access to Azure AD administration portal" is set to Yes. This stops users who hold no administrative role from browsing the directory through the Azure AD blade in the portal. Be aware that it only restricts the portal: the same directory data stays readable through PowerShell, Microsoft Graph and other API clients unless you also restrict those, so treat this as removing casual exposure rather than as a security boundary.

2. Set up named locations and MFA trusted IPs. A named location marked as trusted is what a Conditional Access policy can later refer to as a trusted location. The document below describes how to do this in Conditional Access.

3. Restrict access to Azure portal management through Conditional Access.

You can allow or block access based on location. I highly suggest allowing the "Microsoft Azure Management" cloud app only from inside your corporate network. Note that this cloud app covers more than the portal: Azure Resource Manager, Azure PowerShell and the Azure CLI all sign in through it, so the policy reaches scripted administration as well. If you have done step 2 you can limit access to your trusted IPs. Always exclude your emergency access (break-glass) accounts from a blocking policy and roll it out in report-only mode first, otherwise a mis-scoped policy locks every administrator out of the tenant.

Bonus: Deploy Hybrid Azure AD Join to your internally domain-joined devices and add "require Hybrid Azure AD joined device" as a Conditional Access grant control, so that a stolen password alone is not enough to reach Azure management.

What served me well doing an AAD Join deployment was doing a controlled validation first before turning it on for everyone.
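The following is an added example and not code from the original post: it performs steps 2 and 3 plus the Hybrid Azure AD Join bonus with the Microsoft Graph PowerShell SDK. The IP range (203.0.113.0/24 is a documentation range), the group name "Emergency Access Accounts" and the policy display names are assumptions; the application ID is the one the portal shows for the "Microsoft Azure Management" cloud app, and you should confirm it in your own tenant before relying on it. Both policies are created in report-only mode so you can read the sign-in logs before enforcing.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# module and an account allowed to write Conditional Access policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Step 2: a trusted named location for the corporate egress range.
# isTrusted = $true is what makes it count for the "AllTrusted" selector below
# (the MFA trusted IPs list is the legacy equivalent of this setting).
$namedLocation = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"                       # assumed name
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }  # constructed range
    )
}
$corpNet = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $namedLocation

# Break-glass accounts must be excluded from every blocking policy, or a
# mis-scoped policy locks all administrators out. Group name is assumed.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) { throw "Create the emergency access group before deploying blocking policies." }

# App ID shown in the portal for the "Microsoft Azure Management" cloud app.
# It covers the Azure portal, Azure Resource Manager, Azure PowerShell and Azure CLI.
$azureMgmtAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Step 3: block Azure management from anywhere that is not a trusted location.
$blockPolicy = @{
    displayName = "CA01 - Block Azure management outside trusted locations"
    state       = "enabledForReportingButNotEnforced"        # report-only first
    conditions  = @{
        applications = @{ includeApplications = @($azureMgmtAppId) }
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy

# Bonus: even inside trusted locations, require MFA AND a Hybrid Azure AD
# joined device for Azure management.
$devicePolicy = @{
    displayName = "CA02 - Require MFA and hybrid-joined device for Azure management"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @($azureMgmtAppId) }
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "domainJoinedDevice") }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy

# Review what was created before changing state to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA0*" } |
    Select-Object DisplayName, State, Id
```

Leave both policies in report-only mode until the sign-in log's "Report-only" tab shows no legitimate administrators being blocked, then change `state` to `enabled`. If you also have Intune-managed devices that are not hybrid joined, add `compliantDevice` with `operator = "OR"` in a separate policy rather than relaxing this one.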

4. Limit administrative rights on workstations and restrict access to PowerShell.

You can deploy AppLocker rules by file path and by file hash (publisher rules are the third option and the most robust one for signed binaries, since they survive updates). Two things to keep in mind: AppLocker's default rules allow everything under the Windows folder, which includes powershell.exe, so restricting PowerShell needs an explicit deny rule; and once an AppLocker policy is enforced, Windows PowerShell 5 runs scripts that the policy does not allow in Constrained Language Mode, which is a large part of the benefit. AppLocker policies can be found in Group Policy under:

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker

AppLocker documentation:
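As an added example (not from the original post or Microsoft's documentation), the block below builds an AppLocker Exe policy with the two rule types the post mentions, path rules and hash rules, denies Windows PowerShell to standard users, and simulates the result with Test-AppLockerPolicy before anything is imported into the GPO. The line-of-business folder C:\LOB\Inventory and the use of BUILTIN\Users as the "standard users" group are constructed for illustration.

```powershell
# Added example (not from the original post). Run on a reference workstation
# with the AppLocker module (built into Windows 10/11 and Server).
Import-Module AppLocker

# Deny rules always win over allow rules in AppLocker, so the deny must target
# a group your admin accounts are NOT in. BUILTIN\Users (S-1-5-32-545) is used
# here for illustration; in a domain most admin accounts end up in Users via
# Domain Users, so create a dedicated "standard workstation users" group.
$stdUsersSid = "S-1-5-32-545"
$adminsSid   = "S-1-5-32-544"
$everyone    = "S-1-1-0"

function New-PathRule([string]$Name, [string]$Sid, [string]$Action, [string]$Path) {
    # Emit one FilePathRule element; the Id must be a unique GUID.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# EnforcementMode=AuditOnly so the first rollout only logs (event log 8003) and
# does not block anything until the audit events have been reviewed.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule "Allow Program Files"                     $everyone    "Allow" '%PROGRAMFILES%\*')
$(New-PathRule "Allow Windows folder"                    $everyone    "Allow" '%WINDIR%\*')
$(New-PathRule "Allow everything for local Administrators" $adminsSid "Allow" '*')
$(New-PathRule "Deny Windows PowerShell to standard users" $stdUsersSid "Deny" '%SYSTEM32%\WindowsPowerShell\v1.0\*')
$(New-PathRule "Deny PowerShell 7 to standard users"       $stdUsersSid "Deny" '%PROGRAMFILES%\PowerShell\*')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP "applocker-exe.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Hash rules for an unsigned line-of-business app. A path rule would let anyone
# who can write to that folder run arbitrary code; a hash rule allows only the
# exact binaries that were scanned. Import this file into the same GPO.
$lobDir = "C:\LOB\Inventory"   # constructed path
if (Test-Path $lobDir) {
    Get-AppLockerFileInformation -Directory $lobDir -Recurse -FileType Exe |
        New-AppLockerPolicy -RuleType Hash -User Everyone -Optimize -Xml |
        Set-Content -Path (Join-Path $env:TEMP "applocker-lob-hash.xml") -Encoding UTF8
}

# Simulate: a standard user should be denied PowerShell but allowed notepad;
# an administrator-only account should be allowed PowerShell.
$psExe  = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$npExe  = "$env:SystemRoot\System32\notepad.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $psExe, $npExe -User $stdUsersSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $psExe -User $adminsSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# After the GPO has been in audit mode for a while, see what would have been
# blocked before switching EnforcementMode to "Enabled".
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

Blocking the powershell.exe path does not remove the PowerShell engine: System.Management.Automation.dll can still be hosted by other processes, which is why the Constrained Language Mode that enforcement mode brings, and the local-admin restriction in the same step, matter more than the deny rule itself.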

5. Protect your Azure AD Connect server.

Hopefully you have separation between Azure AD Connect and your domain controllers. To lower the attack surface of both, Azure AD Connect should never be installed on a domain controller; install it on its own server.

Treat that server as Tier 0, the same as a domain controller. With Password Hash Sync enabled, the AD DS connector account that Azure AD Connect creates (MSOL_<id> by default) is granted the Replicating Directory Changes and Replicating Directory Changes All rights on the domain, so anyone who becomes local administrator on the Azure AD Connect server can recover those credentials and pull every password hash from Active Directory, the same as a DCSync attack. Access to the server should therefore be limited to domain admins (your Tier 0 administrators) only. Varonis has an excellent blog post on why you should do so.
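As an added check that is not part of the original post, the following audits which principals hold the replication extended rights on the domain naming context and locates the Azure AD Connect connector account, so you can confirm which server carries those rights and that nothing unexpected does. It assumes the RSAT ActiveDirectory module and read access to the domain root ACL; the "expected holders" list is a constructed starting point to tune for your forest.

```powershell
# Added example (not from the original post). Run from a domain-joined admin
# workstation with the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Well-known extended-right GUIDs that together enable DCSync-style replication.
$replRights = @{
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes-All"
    "89e95b76-444d-4c62-991a-0facbeda640c" = "DS-Replication-Get-Changes-In-Filtered-Set"
}

function Get-ReplicationRightHolders {
    $acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
    $acl.Access |
        Where-Object { $_.AccessControlType -eq "Allow" } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            if ($_.ActiveDirectoryRights -match "ExtendedRight" -and $replRights.ContainsKey($guid)) {
                [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = $replRights[$guid] }
            }
            elseif ($_.ActiveDirectoryRights -match "GenericAll") {
                # Full control on the domain root implies the replication rights
                # even though no replication GUID appears in the ACE.
                [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = "GenericAll (implies replication)" }
            }
        } | Sort-Object Identity, Right -Unique
}

# Constructed baseline of principals you expect to see; everything else is a finding.
$expected = @(
    "NT AUTHORITY\SYSTEM",
    "BUILTIN\Administrators",
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

$holders = Get-ReplicationRightHolders
"Replication rights on $($domain.DistinguishedName):"
$holders | Format-Table -AutoSize

$unexpected = $holders | Where-Object { $expected -notcontains $_.Identity }
if ($unexpected) {
    "Principals outside the expected baseline (review each one):"
    $unexpected | Format-Table -AutoSize
}

# The Azure AD Connect connector account records the server it was created for
# in its description, which tells you which host must be protected as Tier 0.
Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description, PasswordLastSet |
    Select-Object Name, PasswordLastSet, Description
```

Expect the MSOL_ account to appear in the "unexpected" list; that is the point of the check. Any other user or group there is either a backup or monitoring product that legitimately replicates, which you should document, or a persistence mechanism someone left behind.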

6. Deploy Privileged Identity Management (PIM) if you are an Azure AD Premium P2 customer. Deploy it to every administrative role in Azure AD and Azure.

What I like about this is least privilege. Administrators hold their role as an eligible assignment with no standing rights; they activate Global Administrator through PIM for a limited time, say an hour, do the work, and the role expires. Activation can require MFA, a justification and approval, and every activation is logged. At minimum every global administrator should be eligible rather than permanently assigned, with the exception of one or two emergency access (break-glass) accounts that keep a permanent assignment, stay outside Conditional Access, and are alerted on whenever they sign in.
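As an added check (not from the original post), the block below reports who holds Global Administrator permanently, who currently has it activated through PIM, and who is merely eligible, using the Microsoft Graph PowerShell SDK. The role template ID is Microsoft's built-in Global Administrator ID; the helper function name is my own.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# module and Azure AD Premium P2 for the eligibility data.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template ID

function Get-PrincipalLabel($principal) {
    # Principals come back as generic directory objects; pull the useful name out.
    $props = $principal.AdditionalProperties
    if ($props["userPrincipalName"]) { return $props["userPrincipalName"] }
    if ($props["displayName"])       { return "$($props['displayName']) [$($props['@odata.type'])]" }
    return $principal.Id
}

# Active assignments, both permanent ("Assigned") and PIM-activated ("Activated").
$schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty Principal -All

# Eligible assignments: the role is only available after PIM activation.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty Principal -All

$permanent = $schedules | Where-Object {
    $_.AssignmentType -eq "Assigned" -and $_.ScheduleInfo.Expiration.Type -eq "noExpiration"
}
$activated = $schedules | Where-Object { $_.AssignmentType -eq "Activated" }

"Permanent Global Administrators (should be only the break-glass accounts):"
$permanent | ForEach-Object { "  " + (Get-PrincipalLabel $_.Principal) }

"Currently activated through PIM:"
$activated | ForEach-Object {
    "  " + (Get-PrincipalLabel $_.Principal) + " until " + $_.ScheduleInfo.Expiration.EndDateTime
}

"Eligible Global Administrators:"
$eligible | ForEach-Object { "  " + (Get-PrincipalLabel $_.Principal) }

# Anything beyond the break-glass accounts in the permanent list is a finding.
if (@($permanent).Count -gt 2) {
    Write-Warning "$(@($permanent).Count) permanent Global Administrators found; move the rest to eligible assignments."
}
```

If you assign roles through role-assignable groups, the group shows up as the principal here; expand its membership with Get-MgGroupMember to see the actual people. Run this on a schedule and alert on any change to the permanent list.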

7. Deploy Azure MFA to all end users, not only to administrators.

8. Follow Microsoft's best practices for securing Active Directory. Azure AD Connect synchronises whatever is in your on-premises directory, so a weak on-premises AD undermines everything above.

9. Reduce your exposure by following the recommendations in Microsoft Secure Score. Microsoft Secure Score can be found at the following URL:

10. If you are a Microsoft Premier customer, do the Azure on-demand assessment.
