JourneyTEAM

Azure AD Security Tips (After MFA Rollout) for Frictionless Teamwork in Sharepoint


Let’s face it, most of the everyday Microsoft SharePoint users at your organization aren’t fixated on security. They’re not thinking about whether they’re sharing documents securely, about the security of the cloud systems or apps they access, or about how those apps interact with other applications. Their focus in SharePoint is usually accessing company information, collaborating and getting the job done. Setting up Multi-Factor Authentication (MFA) with Microsoft Azure AD is a great way to, in a sense, automate secure practices: without proving their identity, users are denied access. But there are other best practices for Microsoft Dynamics 365, Windows Azure and Microsoft Cloud Services that can be set up to maximize your organization’s security while keeping the front-end user experience frictionless. 

Eric Raff, Cloud Practice Director at JourneyTEAM, in a presentation hosted by buckleyPLANET to the Utah SharePoint User Group (UTSPUG) and Microsoft User Group (MUGUT), shared the top 10 security tips and considerations after you’ve rolled out MFA in your Microsoft Dynamics 365 tenant. Raff is a 25+ year expert in Identity and Access Management in Microsoft 365 and Windows Azure.  

This is a two-part series. This blog covers the first five of Raff’s top 10 security tips along with some step-by-step instructions. These tips assume you already have MFA deployed in your tenant, as that would be your first point of action. Note that many of these security steps require that you have Azure AD P2 or the Microsoft Enterprise Mobility + Security (EM+S) mobility management and security platform. 

1. Select Security Defaults (Applicable Only in Rare Cases) 

As good a baseline as they provide, you should note that the Microsoft Security Defaults aren’t the best solution for everyone. Using Security Defaults is only suggested if: you do NOT have Conditional Access policies enabled in your environment; you do not need fine-grained control over access and authentication policies; and/or your organization is relatively small. If Security Defaults may be helpful in your case, read on! If not, you can skip ahead to #2.  

When enabled, Security Defaults are automatically enforced to protect your organization against common identity related attacks.  

Here’s what Security Defaults activate or enforce: 

  • Blocks legacy authentication protocols. 
  • Users must perform MFA when risky activity is detected. 
  • Access to the Azure Portal and other “privileged” activities will be protected.  

To ensure defaults are turned on: 

  • From the Azure AD Portal, go to Properties. 
  • Security Defaults need to be set to Yes. 

Be sure that “Users can use the combined security information registration experience” is turned on. 

2. Block Legacy Protocols with a Conditional Access Policy 

Hundreds of spray attacks can happen every hour that target legacy protocols such as SMTP, IMAP, POP, Active Sync, Outlook Anywhere (RPC over HTTP), and older Office clients, such as 2010 and 2013. You can build a Conditional Access (CA) Policy to block access.  

First, identify who is using legacy protocols in the environment.  

  • Log into the Azure AD portal (portal.azure.com) 
  • “Sign-Ins” > “Monitoring” (Make sure you have the new experience turned on.) 
  • “Add Filter” > “Client App” > “Apply.” 
  • You can then review the client apps and see a list of Legacy Authentication as well as review the successful and failed attempts. 

Now you can build your CA Policy: 

  • Navigate to “Security” > “Conditional Access” > “Classic Policies.” 
  • Here you can create a new policy that blocks legacy protocols. This should target all users, except your break glass account. 
  • Go to “Conditions” > “Client Apps” > “Legacy Authentication Clients.” 
  • Set access controls to “Block Access.” 
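The two halves of this tip, finding who still uses legacy protocols and then writing a block policy that spares the break glass account, can also be done against exported data rather than by clicking through the portal. The following is an added example, not code from the presentation or from JourneyTEAM. It uses the field names of the Microsoft Graph `signIn` resource (`clientAppUsed`, `status.errorCode`, `userPrincipalName`) and the `conditionalAccessPolicy` schema; the sign-in records, user names, error code and break glass object ID are constructed placeholders.

```python
"""Added example: triage legacy-authentication sign-ins and draft the blocking
Conditional Access policy in the Microsoft Graph schema.
All sample data below is constructed; nothing here is real tenant data."""
import json
from collections import defaultdict

# Client app values that Azure AD sign-in logs report as legacy authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Online PowerShell", "Exchange Web Services",
    "IMAP4", "POP3", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "AutoDiscover", "Universal Outlook",
    "Reporting Web Services", "Other clients",
}

# Constructed sample of exported sign-in records (shape of the Graph signIn resource).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},          # constructed bad-password failure
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
    {"userPrincipalName": "unknown@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 50126}},
]

# Placeholder object ID for the break glass account (NOT a real ID).
BREAK_GLASS_IDS = ["00000000-0000-0000-0000-000000000000"]


def summarize_legacy_auth(signins):
    """Return {(upn, client_app): {"success": n, "failure": n}} for legacy clients only.

    errorCode 0 is a successful sign-in; anything else is treated as a failure.
    Modern clients (Browser, Mobile Apps and Desktop clients) are skipped."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for rec in signins:
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue
        code = rec.get("status", {}).get("errorCode", 1)
        outcome = "success" if code == 0 else "failure"
        summary[(rec["userPrincipalName"], app)][outcome] += 1
    return dict(summary)


def build_block_legacy_policy(break_glass_ids, report_only=True):
    """Draft a conditionalAccessPolicy body. In the Graph schema the clientAppTypes
    'exchangeActiveSync' plus 'other' together cover legacy authentication clients.
    Starting in report-only mode lets you confirm the impact before enforcing."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_is_safe(policy, break_glass_ids):
    """Guardrail before submitting: an all-users block must exclude every
    break glass account, and the exclusion list must not be empty."""
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeUsers", []))
    return (users.get("includeUsers") == ["All"]
            and bool(excluded)
            and set(break_glass_ids) <= excluded)


if __name__ == "__main__":
    for (upn, app), counts in sorted(summarize_legacy_auth(SAMPLE_SIGNINS).items()):
        print(f"{upn:28} {app:22} ok={counts['success']} failed={counts['failure']}")
    policy = build_block_legacy_policy(BREAK_GLASS_IDS)
    print("safe to submit:", policy_is_safe(policy, BREAK_GLASS_IDS))
    print(json.dumps(policy, indent=2))
```

The summary is what you would review before enabling the block: accounts that succeed over IMAP4 or SMTP (here the constructed `bob` and `scanner`) are the ones whose clients or service integrations need to move to modern authentication first, while failures against accounts that never legitimately use legacy protocols are the spray traffic the tip describes. The policy draft deliberately defaults to report-only and refuses to pass `policy_is_safe` without a break glass exclusion.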

3. Restrict Guest User Access 

Do you know how many guest users have access to your tenant? You should at least be aware of where you can find out, and how to govern their access. The default External Sharing Setting is “Allow guests to share items they don’t own,” meaning content can be shared with anyone, anonymously, including by guests. Guests can also invite other guests. This is where it’s worthwhile to set some restrictions.  

The Identity Governance solution in Azure AD P2 can set restrictions on guest accounts with Access Packages and Access Reviews.   

Govern Access with an Access Package: 

  • In the Azure AD Portal, go to “Identity Governance” > “Settings.” 
  • Select what happens when an external user that was added to your directory through an Access Package request loses their last assignment under “Manage the lifecycle of external users.” 
  • This allows you to block external users from signing into the directory and remove an external user after a set number of days. (This only works if the guest account came into your directory through an Access Package.)  

Create an Access Review Policy: 

  • Select what to review by “Teams + Groups” or “Applications.” 
  • Select a specific group, e.g., “All Guests” (it is recommended that you set up this group if you don’t have it). 
  • Select a review scope: “Guest Users Only.” 
  • At myaccount.microsoft.com you can self-manage your guest account in other directories as well as completely delete guest accounts you don’t use. Go to “Organizations” and click “Leave Organization.”  

4. Manage Consent and Permissions for Enterprise Apps  

Cyber criminals now use fake enterprise apps to gain access by convincing you to consent to them. New functionality in the Azure Active Directory Microsoft 365 environment allows for greater consent governance.  

  • Go to “Enterprise Apps” > “Consent and Permissions.” Here you can manage user consent for apps from verified publishers and decide upon the allowable permissions. 
  • Once an app is a verified publisher and you set up the permissions, users will only be able to consent to those actions. 

Next, check the user settings under “Admin consent requests (Preview).” 

  • Change “Users can request admin consent to apps they are unable to consent to,” to “Yes.” 
  • Click “Select users to review admin consent requests” and select an appropriate Admin (should be Global, Application or Cloud Application Administrator) who will be notified and make the decision to allow or reject consent.  

Note that if you as a Global or an Enterprise App Administrator ever see a “permissions requested” box with the option to consent on behalf of your organization, proceed with caution. You will be consenting for everyone in the tenant and should be sure about this decision. 

5. Suggested Azure Portal Settings  

Log into portal.azure.com to make sure you have two settings in place:  

  • Under “User Settings,” restrict access to the Azure AD Administration Portal by making sure that this is set to “Yes.” 
  • The name of your tenant will show up whenever there is a OneDrive sync integration, so make sure it is relevant! 


Click here for tips 6 – 10 in part 2! 




Article by: Jenn Alba – Marketing Manager – 801.938.7816

JourneyTEAM is an award-winning consulting firm with proven technology and measurable results. They take Microsoft products; Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX, and modify them to work for you. The team has expert level, Microsoft Gold certified consultants that dive deep into the dynamics of your organization and solve complex issues. They have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more. www.journeyteam.com
