My take: Many Azure AD (AAD) environments are repeating the same mistakes they made with Active Directory.
Improve AAD Security:
1. Use PIM to control AAD roles (limit permanent members)
2. Only admin accounts in AAD roles
3. Ensure cloud admins use admin systems
Thread 1/3 https://twitter.com/rootsecdev/status/1341934008561762305
4. Require MFA for admins (w/ Conditional Access/PIM)
5. Review AAD application permission consent settings
6. Review AAD application tenant permissions
7. Review application permissions to which users consented
8. Ensure the AAD Connect server is protected like a DC
Thread 2/3
9. Keep AAD Connect current (ensure a recent version is installed)
10. Review Guest & external collaboration settings for AAD, SharePoint Online, OneDrive, & Teams.
And yes, Trimarc can help: https://trimarc.co/MCSA
Thread 3/3
Updating thread with answers to questions:
No, don’t install AAD Connect on Domain Controllers. There are several reasons for this, but primarily SQL (Express) should not be installed on DCs & DCs should only host AD services.
#3: “admin systems” due to Twitter character limits & helps cover a few scenarios.
Not great: separate web browser on user computer
Better: RDP to admin server/VDI for all cloud admin tasks
Best: separate computer for cloud admin tasks.
Best practice is separate system.
Microsoft strongly recommends separating cloud administration from on-prem resources, meaning all cloud admin activity should be done in the cloud. This way an on-prem breach doesn’t lead to cloud compromise.
Protecting Microsoft 365 from on-premises attacks https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754
CrowdStrike recently released the @CrowdStrike Reporting Tool for Azure (CRT) which queries Azure AD & Exchange Online for configurations and settings that are concerning. https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/
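As an added example (not code from the thread, Trimarc, or CrowdStrike) of the review in items 5–7, the script below takes the `oauth2PermissionGrants` collection as Microsoft Graph returns it and flags grants that individual users consented to (`consentType == "Principal"`) for scopes that expose mailbox or file data, plus tenant-wide admin grants carrying the same scopes. The sample grants and the sensitive-scope list are constructed for illustration; the field names follow the Graph resource shape.

```python
"""Review Azure AD OAuth2 permission grants for risky user and admin consents.

Input mimics the "value" array from
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
(assumption: exported to JSON beforehand; nothing here calls Graph).
"""

# Scopes a defender would want to review when granted to a third-party app.
# Constructed list; tune to the tenant's own risk appetite.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All",
    "offline_access",  # refresh tokens: access persists after the user logs out
}

# Constructed sample grants (ids are placeholders, not real object ids).
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-mailapp", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-graph",
     "scope": "User.Read Mail.ReadWrite offline_access"},
    {"id": "g2", "clientId": "sp-calendar", "consentType": "Principal",
     "principalId": "user-2", "resourceId": "sp-graph",
     "scope": "User.Read Calendars.Read"},
    {"id": "g3", "clientId": "sp-mailapp", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "User.Read Mail.Read"},
]


def _sensitive(grant, sensitive):
    """Return the sorted sensitive scopes present in a grant's space-separated scope string."""
    return sorted(set(grant.get("scope", "").split()) & sensitive)


def review_user_consents(grants, sensitive=SENSITIVE_SCOPES):
    """Item 7: grants that a single user consented to and that carry sensitive scopes."""
    return [
        {"grantId": g["id"], "clientId": g["clientId"],
         "principalId": g["principalId"], "sensitiveScopes": hit}
        for g in grants
        if g.get("consentType") == "Principal" and (hit := _sensitive(g, sensitive))
    ]


def review_admin_consents(grants, sensitive=SENSITIVE_SCOPES):
    """Item 6: tenant-wide (admin-consented) grants with sensitive scopes, keyed by app."""
    return {
        g["clientId"]: hit
        for g in grants
        if g.get("consentType") == "AllPrincipals" and (hit := _sensitive(g, sensitive))
    }


if __name__ == "__main__":
    for finding in review_user_consents(SAMPLE_GRANTS):
        print("USER CONSENT :", finding)
    for app, scopes in review_admin_consents(SAMPLE_GRANTS).items():
        print("ADMIN CONSENT:", app, scopes)
```

Point the script at a real export and the user-consent findings map directly to item 7, while the admin-consent dictionary is the list to reconcile against approved enterprise apps for item 6.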