1/
Link via Stuart Aston @Microsoft: https://threatpost.com/microsoft-365-admins-mfa/160592/
This is absolutely nuts. I knew there was a problem with end users adopting MFA, but there's simply no excuse for administrators, who know about the risks of ransomware, to be signing in with straight username and pwd.
2/
- Don't assign normal user accounts to privileged roles or permissions in Azure
- Use role delegation in Azure AD, try to zero your Global Admins (GA) with just a couple remaining through PIM
- Don't add synched admin IDs to GA, Privileged Auth Admins, Privileged Role Admins
3/
- Enforce MFA for all admins, push them towards using the authenticator app (cert-based far better than SIM-based)
- Require cert-based for high-powered individuals and C-level execs
- Go for FIDO2 on the GA-level stuff.
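One way to check a tenant against the points in tweets 2/ and 3/ (synced accounts in tier-0 roles, admins without MFA, admins on SIM-based MFA only, Global Admins without FIDO2 or certificate-based sign-in). This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the read scopes listed in the script, and that the role display names match the tenant's English names. The function name `Get-AdminMfaFindings` and the "Issue" labels are this example's own.

```powershell
# Added example (not from the thread): audit Azure AD privileged role members against
# the thread's recommendations. Assumes the Microsoft.Graph PowerShell SDK and read-only
# Graph scopes; it changes nothing in the tenant.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

function Get-AdminMfaFindings {
    [CmdletBinding()]
    param()

    # Roles the thread says should never hold a synced (on-prem sourced) admin identity.
    $tier0Roles = @(
        'Global Administrator',
        'Privileged Authentication Administrator',
        'Privileged Role Administrator'
    )

    # Graph authentication method types, bucketed by the strength tiers the thread describes.
    $strong   = @('#microsoft.graph.fido2AuthenticationMethod',
                  '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
                  '#microsoft.graph.x509CertificateAuthenticationMethod')
    $authApp  = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
                  '#microsoft.graph.softwareOathAuthenticationMethod')
    $simBased = @('#microsoft.graph.phoneAuthenticationMethod')

    $findings = New-Object System.Collections.Generic.List[object]

    # Get-MgDirectoryRole returns only roles that have been activated in the tenant;
    # PIM-eligible (not yet activated) assignments are out of scope for this check.
    foreach ($role in Get-MgDirectoryRole) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        foreach ($m in $members) {
            # Skip groups and service principals; only user accounts register auth methods.
            if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

            $user  = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled
            $types = Get-MgUserAuthenticationMethod -UserId $user.Id |
                     ForEach-Object { $_.AdditionalProperties['@odata.type'] }

            $hasStrong  = [bool]($types | Where-Object { $_ -in $strong })
            $hasAuthApp = [bool]($types | Where-Object { $_ -in $authApp })
            $hasSim     = [bool]($types | Where-Object { $_ -in $simBased })

            $issues = @()
            if ($user.OnPremisesSyncEnabled -and $role.DisplayName -in $tier0Roles) {
                $issues += 'Synced account holds a tier-0 role'
            }
            if (-not ($hasStrong -or $hasAuthApp -or $hasSim)) {
                $issues += 'No MFA method registered'
            } elseif ($hasSim -and -not ($hasStrong -or $hasAuthApp)) {
                $issues += 'Only SIM-based MFA registered'
            }
            if ($role.DisplayName -eq 'Global Administrator' -and -not $hasStrong) {
                $issues += 'Global Admin without FIDO2 or certificate-based method'
            }

            foreach ($issue in $issues) {
                $findings.Add([pscustomobject]@{
                    Role  = $role.DisplayName
                    User  = $user.UserPrincipalName
                    Issue = $issue
                })
            }
        }
    }
    return $findings
}

# Usage: sign in with read-only scopes, then list the findings.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All' | Out-Null
Get-AdminMfaFindings | Sort-Object Role, User | Format-Table -AutoSize
```

The script reads registered authentication methods rather than sign-in logs, so it answers "what could this admin use?" rather than "what did they use?"; pairing it with a Conditional Access policy that requires a phishing-resistant authentication strength for the tier-0 roles is what actually enforces the thread's third tweet.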