If it is not your job to ensure that your organization’s Microsoft Azure AD security measures are up to par, you may not be aware of the sheer amount or complexities of the cybersecurity attack attempts on your Microsoft Dynamics 365 tenant that happen every day.
But guaranteed, when a security breach happens, everyone takes notice.
Security policies are critical to protect your sensitive ERP data. A well-known practice to handle those pesky and opportunistic cyber-attacks is to take advantage of Multi-Factor Authentication (MFA) to verify identities before allowing access to data. While this is a great start, there are other measures that can maximize cloud security for your organization and still allow frictionless operations.
Eric Raff, Cloud Practice Director at JourneyTEAM and 25+ year IT expert in Identity and Access Management in Microsoft Dynamics 365 presented the top 10 tips and security considerations after you have rolled out MFA in your tenant. His presentation to the Utah SharePoint User Group (UTSPUG) and Microsoft User Group (MUGUT) hosted by buckleyPLANET reflected on his first-hand experience helping organizations overcome business challenges and ensure the most secure access with Microsoft Azure identity and cloud access management solutions.
1. SECURITY DEFAULTS
Utilizing Security Defaults may be for you if:
- No Conditional Access policies are enabled in your environment.
- No need for fine-grained control over access and authentication.
- Your organization is relatively small.
Some exceptions apply, so confirm with an expert that Security Defaults is the right choice for your organization. Microsoft’s Security Defaults are a baseline set of recommended identity security settings and are a great starting point, if they fit your needs. Note that Security Defaults cannot be enabled alongside Conditional Access policies: if you later need fine-grained control, you turn Security Defaults off and replace each protection with a Conditional Access policy of your own.
To turn on defaults:
- From the Azure AD Portal, go to “Properties” and open “Manage Security defaults.”
- Make sure that “Enable Security defaults” is set to “Yes.”
Security Defaults activate and/or enforce the following:
- Requires all users to register for Azure MFA.
- Administrators must perform MFA.
- Blocks legacy authentication protocols.
- Users must perform MFA when necessary, for example when signing in from a new device or application.
- Privileged activities such as access to the Azure Portal, Azure PowerShell and Azure CLI require MFA.
Be sure that “Users can use the combined security information registration experience” (under “User settings” > “User feature previews”) is turned on, so users register for MFA and self-service password reset in a single pass.
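As an added example (not code from the original article or from JourneyTEAM), the check and the switch above in Microsoft Graph PowerShell: because Security Defaults and Conditional Access are mutually exclusive, the script refuses to enable Security Defaults while any Conditional Access policy is enabled or in report-only mode. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can grant the listed scopes.

```powershell
# Added example, not from the original article.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and an admin
# who can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Security Defaults cannot coexist with Conditional Access: list anything that is
# enabled or in report-only mode before touching the switch.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$active     = @($caPolicies | Where-Object { $_.State -ne "disabled" })

if ($active.Count -gt 0) {
    Write-Warning ("{0} Conditional Access policies are enabled or in report-only mode; " +
                   "Security Defaults cannot be enabled alongside them:" -f $active.Count)
    $active | Select-Object DisplayName, State | Format-Table -AutoSize
    return
}

# No Conditional Access in the way: read the current state, then enable if needed.
$current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($current.IsEnabled) {
    Write-Host "Security Defaults are already enabled."
} else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $true }
    Write-Host "Security Defaults enabled: all users now have 14 days to register for MFA."
}
```

Run it once, interactively, as a Global Administrator; if the warning fires, review the listed policies rather than deleting them, since they may already cover what Security Defaults would provide.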
2. LEGACY PROTOCOLS
Password spray attacks frequently target legacy authentication protocols such as SMTP, IMAP, POP, Exchange ActiveSync, Outlook Anywhere (RPC over HTTP), and older Office clients such as Office 2010 and 2013. These protocols use basic authentication, which cannot prompt for a second factor, so MFA alone does not protect accounts from them.
- Log into the Azure AD portal (portal.azure.com).
- Go to “Monitoring” > “Sign-ins.”
- “Add filter” > “Client app,” select the legacy authentication clients, then “Apply.”
You can then review which client apps are in use, see which sign-ins used legacy authentication, and check the successful and failed attempts for each account.
Now you can build a Conditional Access (CA) policy to block that access.
- “Security” > “Conditional Access” > “New policy.”
- Under “Users,” target all users, but exclude your “break glass” (emergency access) account.
- Go to “Conditions” > “Client apps” and select the legacy authentication clients (“Exchange ActiveSync clients” and “Other clients”).
- Set access controls to “Block access.”
Run the policy in report-only mode first and check the sign-in logs for anything it would have blocked (printers and scanners that relay mail over SMTP are the usual surprise) before switching it to “On.”
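The review and the block policy above as one Microsoft Graph PowerShell script, added here as an example (not the article’s or JourneyTEAM’s code). It tallies successful and failed legacy sign-ins per user and client app for the last 30 days, then creates the Conditional Access policy in report-only mode, excluding the break-glass account. The account name, the 30-day window, and the scopes are assumptions; the list of client app names is the set the Azure AD sign-in log reports as legacy authentication.

```powershell
# Added example, not from the original article.
# Assumes the Microsoft Graph PowerShell SDK and that $BreakGlassUpn names your
# emergency-access account (placeholder value).
$BreakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # assumption: replace with yours

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Review: the clientAppUsed values that the sign-in log labels as legacy authentication.
$legacyClients = @(
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3", "SMTP",
    "Exchange Online PowerShell", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book", "Outlook Service for Exchange",
    "Reporting Web Services", "Universal Outlook", "AutoDiscover", "Other clients"
)
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed }

# ErrorCode 0 is a successful sign-in; anything else is a failure (wrong password, blocked, ...).
$signIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $ok = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            Success   = $ok
            Failed    = $_.Count - $ok
        }
    } | Sort-Object Failed -Descending | Format-Table -AutoSize

# 2. Block: all users except break-glass, legacy client types only, report-only to start.
#    "exchangeActiveSync" and "other" are the two legacy entries of clientAppTypes.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn
$policy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

A high Success count for a service mailbox or a multifunction printer is the thing to chase before enforcement; a high Failed count with zero successes on a normal user account is what a password spray looks like in this report.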
3. GUEST ACCESS
SharePoint’s external sharing setting “Allow guests to share items they don’t own” is on by default, so a guest can re-share content that was shared with them. In Azure AD, “Restrict access to the Azure AD administration portal” (under “User settings”) is set to “No” by default, so guests, like any non-admin, can browse directory objects through the portal. Bear in mind that this setting only hides the portal; it does not stop directory reads through PowerShell or the Graph API.
Access Packages and Access Reviews, part of the Identity Governance features in Azure AD Premium P2, let you set restrictions and expirations on guest accounts.
- In the Azure AD Portal, go to “Identity Governance” > “Settings.”
- Under “Manage the lifecycle of external users,” you can select what happens when an external user that was added to your directory through an Access Package request loses their last assignment.
This allows you to block external users from signing into the directory and remove an external user after a set number of days. This only works if the guest account came into your directory through an Access Package.
Access Review Policy
From the Azure AD Portal, go to “Identity Governance” > “Access reviews” > “New access review”:
- Select review by “Teams + Groups,” or “Application.”
- Select a specific group, preferably something like “All Guests.”
- Select a review scope: “Guest Users Only.”
Now adjust the settings to your preference. Examples of helpful settings:
- Users review their own access.
- If a reviewer does not respond, apply a default decision of “Deny.”
- On completion, block the user from signing in for 30 days, then remove them from the tenant.
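The same guest review, created through Microsoft Graph PowerShell, as an added example (not the article’s or JourneyTEAM’s code). It scopes the review to guest members of one group (the article’s “All Guests” group), runs it quarterly, denies anyone the reviewer does not act on, and applies the article’s “block for 30 days, then remove” outcome automatically. The group id and reviewer account are placeholders; the named reviewer stands in for the article’s self-review option, which is the “Users review their own access” choice in the portal.

```powershell
# Added example, not from the original article.
# Assumes the Microsoft Graph PowerShell SDK and Azure AD Premium P2 licensing.
$GroupId     = "00000000-0000-0000-0000-000000000000"   # assumption: object id of "All Guests"
$ReviewerUpn = "identity-admin@contoso.onmicrosoft.com" # assumption: who decides when guests do not

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Directory.Read.All"
$reviewer = Get-MgUser -UserId $ReviewerUpn

# Single quotes keep PowerShell from expanding $count and $filter inside the OData query.
$guestQuery = '/groups/{0}/transitiveMembers/microsoft.graph.user/?$count=true&$filter=(userType eq ''Guest'')' -f $GroupId

$definition = @{
    displayName          = "Quarterly guest access review"
    descriptionForAdmins = "Guests who are not confirmed are blocked, then removed."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = $guestQuery
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true   # flags guests with no sign-in activity
        instanceDurationInDays          = 14
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"  # no response means no access
        autoApplyDecisionsEnabled       = $true
        # Block sign-in for 30 days, then delete: the article's "removed from the tenant" step.
        applyActions = @(
            @{ "@odata.type" = "#microsoft.graph.disableAndDeleteUserApplyAction" }
        )
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
```

The Deny default plus auto-apply is what gives the review teeth: a review whose decisions sit unapplied, or whose default is Approve, only produces a report.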
At myaccount.microsoft.com you can manage your guest accounts in other directories as well as completely delete access that you don’t need anymore.
Go to “Organizations” and click “Leave Organization” to remove access.
4. ENTERPRISE APPS
Cyber criminals now register fake enterprise apps and phish users into consenting to them. A successful consent grant hands the attacker the permissions the user agreed to (reading mail, for example) without ever touching the password or triggering MFA. Newer functionality in the Azure Active Directory Microsoft 365 environment allows for tighter consent governance.
- Head to “Enterprise applications” > “Consent and permissions.” Here you can restrict user consent to apps from verified publishers and to the permissions you have classified as low impact. Once both are set, users can only consent on their own to apps and permissions that meet those conditions; everything else must go through an admin.
- Next, check “Admin consent requests (Preview)” under “User settings.”
- Change “Users can request admin consent to apps they are unable to consent to” to “Yes.”
- Click “Select users to review admin consent requests” and select the appropriate admin (must be a Global Administrator, Application Administrator or Cloud Application Administrator), who will be notified and will decide whether to allow or reject the consent.
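The consent settings above set through Microsoft Graph PowerShell, with a look back at grants that already exist, as an added example (not code from the article or from JourneyTEAM). It restricts user consent to verified publishers and low-impact permissions, turns on the admin consent request workflow with a named reviewer, and then lists every user-granted consent that includes mail or file permissions, which is what an illicit-consent phishing campaign collects. The reviewer account and the list of scopes treated as risky are assumptions.

```powershell
# Added example, not from the original article.
# Assumes the Microsoft Graph PowerShell SDK; $ReviewerUpn is a placeholder for the
# admin who approves or rejects consent requests.
$ReviewerUpn = "appadmin@contoso.onmicrosoft.com"   # assumption: replace with your reviewer

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Directory.Read.All"

# 1. User consent: only verified publishers asking for permissions you have classified
#    as "low" (the built-in microsoft-user-default-low grant policy). An empty array
#    here would disable user consent entirely.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }
}

# 2. Admin consent workflow: users can request anything else; the reviewer is notified
#    and reminded, and unanswered requests expire after 30 days.
$reviewer = Get-MgUser -UserId $ReviewerUpn
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })
}

# 3. Look back: consent that end users (ConsentType "Principal", not admin-wide grants)
#    already gave to apps that can read mail or files. Assumed list of scopes to flag.
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                 "Files.ReadWrite.All", "Contacts.Read", "offline_access")
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" } |
    ForEach-Object {
        $granted = $_.Scope -split " " | Where-Object { $riskyScopes -contains $_ }
        if ($granted) {
            $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
            [pscustomobject]@{
                App       = $app.DisplayName
                Publisher = $app.VerifiedPublisher.DisplayName   # empty for unverified publishers
                User      = (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName
                Scopes    = ($granted -join " ")
            }
        }
    } | Format-Table -AutoSize
```

Step 1 only does something if you have actually classified permissions as low under “Consent and permissions” > “Permission classifications”; with nothing classified, users can consent to nothing. Any row in the step 3 output with an empty Publisher column deserves a look, and revoking the grant (deleting the OAuth2 permission grant) does not sign the app out of tokens it already holds, so rotate what you can.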
5. AZURE PORTAL SETTINGS
Here are two settings to check in the Azure Portal.
Under “User settings,” set “Restrict access to the Azure AD administration portal” to “Yes.” This keeps non-admins (guests included) out of the portal blades, though not out of the directory through PowerShell or the Graph API.
Also check the tenant name under “Properties”: it is shown to users in places such as the OneDrive sync client, so make sure it is correct and recognizable.
Click here to continue and read up on tips 6 – 10!
Note: These tips assume you already have MFA turned on. Also, many of these security steps require Azure AD Premium P2 or the Microsoft Enterprise Mobility + Security (EMS) mobility management and security platform.
- Join a free consultation and ask all the questions you wish.
- Plan your Deep Dive meeting – Get your organization’s Customized Solutions presentation.
JourneyTEAM is an award-winning consulting firm with proven technology and measurable results. They take Microsoft products (Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX) and modify them to work for you. The team has expert-level, Microsoft Gold certified consultants who dive deep into the dynamics of your organization and solve complex issues. They have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more.