Checklist to protect your Microsoft 365 Identities

Photo by Kelly Sikkema (https://unsplash.com/@kellysikkema?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash) on Unsplash (https://unsplash.com/photos/six-white-sticky-notes--1_RZL8BGBM?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash)

As Microsoft 365 evolves with new features such as Microsoft Copilot and premium features spanning different services, the threat of sophisticated cyberattacks is escalating. It is therefore super important that we fully understand the security measures available within Microsoft's ecosystem and use them to our advantage to protect our Microsoft 365 environment.

Here is a list of tools and features you can use to further protect your environment from the ever-evolving threat landscape:

Authenticate all users with MFA: Ensure that all users (including guest users) use MFA, and disable voice calls and SMS, which are considered the less secure MFA methods. This ensures that even if a password is compromised, unauthorized access is still prevented.

Migrate legacy MFA and SSPR policies to the Authentication methods policy, ensuring all users are migrated to Microsoft Authenticator.

Create Access reviews for users and Applications in Entra ID: Entra ID offers a set of access review features that allow for the management of user access to a variety of resources, including group memberships, applications, and roles. These features are in line with the Azure Security Benchmark v3 which provides guidance on securing cloud-based resources. During the access review process, reviewers can verify whether users still require access to these resources, and if not, they can proceed to remove the access, ensuring that only authorized personnel have access to the critical assets.

Create M365 cloud-only admin identities: Admin accounts should be cloud-only accounts with no ties to on-premises Active Directory. This reduces the attack surface of your highly privileged admin roles while simplifying management of these accounts.

Secure admin access with a Privileged Access Workstation (PAW): This is the highest security configuration, designed for extremely sensitive roles. The PAW configuration includes security controls and policies that restrict local administrative access and productivity tools, minimizing the attack surface to only what is absolutely required for performing sensitive job tasks. This makes the PAW device difficult for attackers to compromise because it blocks the most common vector for phishing attacks: email and web browsing. To keep these users productive, separate accounts and workstations must be provided for productivity applications and web browsing.

    1. A privileged workstation is a hardened workstation with clear application control and Application Guard. The workstation uses Credential Guard, Device Guard, Application Guard and Exploit Guard to protect the host from malicious behavior. All local disks are encrypted with BitLocker, and web traffic is restricted to a limited set of permitted destinations (deny all by default).

Implement Least privileged access: Implementing least privileged access reduces the attack surface, making it harder for attackers to gain unauthorized entry. It also mitigates insider threats by limiting legitimate users’ access to what’s necessary, reducing the risk of intentional or accidental harm. In the event of a compromised user account, the damage is limited due to restricted permissions, whether from external attackers or human error. Users should always be granted permissions precisely tailored to fulfill their job responsibilities, neither more nor less.

Protect access with Conditional Access Policies (CAP): CAP allows us to set policies that determine how, when and from where users can access cloud resources. Microsoft has simplified Conditional Access configuration by providing pre-designed templates that can be easily customized to meet your specific needs. In addition to templates, Microsoft is stepping up to the plate by introducing a set of new Microsoft-managed Conditional Access policies designed to bolster your defense against potential cyberattacks. These policies are part of a broader initiative aimed at fortifying security and ensuring the protection of your user accounts.
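The two items above (disable the weak MFA methods; enforce MFA through Conditional Access) are easy to get wrong in ways that are invisible in the portal: SMS and voice left enabled alongside Authenticator, or the "require MFA for all users" policy left in report-only mode. The following is an added example, not code from this post or from Microsoft: it audits exported policy JSON offline. The two samples are constructed in the shape that Microsoft Graph returns for the authentication methods policy and for Conditional Access policies, the GUID-like value is a placeholder, and the thresholds of "good" (MFA enforced for all users and apps, legacy client types blocked) are the checklist's own recommendations expressed as checks.

```python
"""Posture audit over exported Entra ID policy JSON.

Added example: the two samples below are constructed in the shape that
Microsoft Graph returns for /policies/authenticationMethodsPolicy and
/identity/conditionalAccess/policies; they are not data from a real tenant.
GUID-like values are placeholders."""

WEAK_METHODS = {"Sms", "Voice"}  # the "less secure" methods the checklist says to disable

# Constructed sample: Microsoft Authenticator is on, but SMS and voice are still enabled.
AUTH_METHODS_POLICY = {
    "authenticationMethodConfigurations": [
        {"id": "MicrosoftAuthenticator", "state": "enabled"},
        {"id": "Fido2", "state": "enabled"},
        {"id": "Sms", "state": "enabled"},
        {"id": "Voice", "state": "enabled"},
        {"id": "Email", "state": "disabled"},
    ]
}

# Constructed sample: the MFA-for-everyone policy was left in report-only mode,
# so the tenant only *looks* covered; legacy authentication is properly blocked.
CA_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["BREAK-GLASS-USER-ID-PLACEHOLDER"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def weak_methods_enabled(policy):
    """Return the weak authentication methods that are still enabled, sorted by id."""
    return sorted(
        cfg["id"]
        for cfg in policy["authenticationMethodConfigurations"]
        if cfg["id"] in WEAK_METHODS and cfg["state"] == "enabled"
    )


def _enforced_for_all_users_and_apps(policy):
    """True if the policy is enforced (not report-only) and scoped to all users and all apps."""
    cond = policy["conditions"]
    return (
        policy["state"] == "enabled"
        and "All" in cond["users"].get("includeUsers", [])
        and "All" in cond["applications"].get("includeApplications", [])
    )


def mfa_enforced_for_all(policies):
    """True if some enforced policy requires MFA for all users, all apps and all client types."""
    return any(
        _enforced_for_all_users_and_apps(p)
        and "all" in p["conditions"].get("clientAppTypes", [])
        and "mfa" in p["grantControls"]["builtInControls"]
        for p in policies
    )


def legacy_auth_blocked(policies):
    """True if some enforced policy blocks the legacy client types (Exchange ActiveSync and
    'other'), which cannot answer an MFA prompt and therefore sidestep the MFA policy."""
    legacy = {"exchangeActiveSync", "other"}
    return any(
        _enforced_for_all_users_and_apps(p)
        and legacy <= set(p["conditions"].get("clientAppTypes", []))
        and "block" in p["grantControls"]["builtInControls"]
        for p in policies
    )


def audit(auth_policy, ca_policies):
    """Collect findings as plain strings; an empty list means every check passed."""
    findings = [f"weak authentication method still enabled: {m}"
                for m in weak_methods_enabled(auth_policy)]
    if not mfa_enforced_for_all(ca_policies):
        findings.append("no enforced Conditional Access policy requires MFA for all users "
                        "(report-only does not count)")
    if not legacy_auth_blocked(ca_policies):
        findings.append("legacy authentication (Exchange ActiveSync / other clients) is not blocked")
    for p in ca_policies:  # every exclusion is a hole someone has to justify
        for uid in p["conditions"]["users"].get("excludeUsers", []):
            findings.append(f"review exclusion {uid} in policy '{p['displayName']}'")
    return findings


if __name__ == "__main__":
    for line in audit(AUTH_METHODS_POLICY, CA_POLICIES):
        print("FINDING:", line)
```

Exclusions are reported rather than failed because a break-glass account is a legitimate exclusion; the point is that each one is seen and reviewed, which ties this check to the access review item above.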

Use identity lifecycle management policies to automate offboarding of inactive users: An identity lifecycle is the entire process that begins when a user's digital identity is created and assigned access to resources, continues with authentication of that identity and updates to its credentials and attributes, and ends when that identity is retired. The process includes stages such as creation, verification, authentication, authorization, management and retirement, all of them important stages in securing our identities.
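To make the retirement stage concrete, here is an added example (not Microsoft's lifecycle workflow engine and not code from this post) that applies a staged offboarding policy to user records shaped like Microsoft Graph user objects with the signInActivity property: an enabled member or guest with no activity past a threshold is marked for disabling, and an already-disabled account past a retention period is marked for deletion. The records, the thresholds and the use of last activity as a proxy for the disable date are all constructed assumptions for the example.

```python
"""Flag inactive identities for staged offboarding.

Added example: the user records are constructed sample data in the shape of
Microsoft Graph /users objects (with signInActivity). Thresholds are assumed
values, not Microsoft defaults."""
from datetime import datetime, timezone

# Constructed sample: five identities in different lifecycle states.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2022-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-20T08:00:00Z"}},
    {"userPrincipalName": "bob@contoso.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2021-03-15T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-02T12:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2023-12-01T12:00:00Z"}},
    {"userPrincipalName": "partner_fabrikam.example#EXT#@contoso.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2023-06-01T00:00:00Z"},   # invited, never signed in
    {"userPrincipalName": "new.hire@contoso.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2024-05-25T00:00:00Z"},                           # too new to judge
    {"userPrincipalName": "svc-legacy@contoso.example", "userType": "Member", "accountEnabled": False,
     "createdDateTime": "2020-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},   # disabled long ago
]

# Policy thresholds (assumed for the example; tune per tenant). Guests get a
# shorter window because an idle external identity has no owner chasing it.
INACTIVE_DAYS = {"Member": 90, "Guest": 30}   # enabled account with no activity -> disable
DELETE_AFTER_DISABLED_DAYS = 180              # disabled account past retention -> delete


def _parse(ts):
    """Graph emits RFC 3339 timestamps with a trailing Z; turn them into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent interactive or non-interactive sign-in, or creation time if never signed in.
    Non-interactive sign-ins count: a workload silently refreshing tokens is not inactive."""
    activity = user.get("signInActivity", {})
    stamps = [activity.get("lastSignInDateTime"), activity.get("lastNonInteractiveSignInDateTime")]
    stamps = [_parse(s) for s in stamps if s]
    return max(stamps) if stamps else _parse(user["createdDateTime"])


def lifecycle_actions(users, now):
    """Return [(upn, days_since_activity, action)] for identities that need attention.

    Assumption: Graph does not expose when an account was disabled, so for disabled
    accounts the time since last activity stands in for time since disabling."""
    out = []
    for u in users:
        days = (now - last_activity(u)).days
        if not u["accountEnabled"]:
            if days > DELETE_AFTER_DISABLED_DAYS:
                out.append((u["userPrincipalName"], days, "delete"))
        elif days > INACTIVE_DAYS.get(u["userType"], INACTIVE_DAYS["Member"]):
            out.append((u["userPrincipalName"], days, "disable"))
    return out


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible
    for upn, days, action in lifecycle_actions(USERS, now):
        print(f"{action:8} {upn} (inactive {days} days)")
```

Disabling first and deleting later is deliberate: a disabled account can be re-enabled in minutes if the flag was wrong, whereas a deleted one takes its group memberships, app assignments and mailbox with it.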

Configure and enable risk-based policies: Configure user risk and sign-in risk policies. User risk policies focus on monitoring user behavior, controlling access, enforcing password policies, providing training, and managing privileges to mitigate security risks associated with user actions. Sign-in risk policies involve measures like multi-factor authentication, anomaly detection, geo-location restrictions, device trust evaluations, and session management to enhance security during user sign-ins. Both sets of policies are important in protecting identities.

Configure Guest users access restrictions in Entra ID

Disable Guest User Invitations in Microsoft Entra.

Remove unused applications in Microsoft Entra ID: Removing unused applications improves security posture and promotes good application hygiene. Unused applications can serve as an entry point for attack vectors and, additionally, deleting them can also be very cost-effective. Why pay for application licenses you no longer need?

Introduce Entra Workload Identity Federation for your workloads: Typically, software requires an identity to authenticate and access resources or communicate with other services. When these workloads run on Azure, one can use managed identities, and the Azure platform manages the credentials on your behalf. For a workload (application) running outside of Azure, one must use application credentials (a secret or certificate) to access Azure AD-protected resources. These credentials pose a security risk and must be securely stored and rotated regularly. With the federated workload identity feature, Azure AD provides another way for an Enterprise Application/Service Principal to authenticate, through federation (OpenID Connect). This means that applications can authenticate to Azure AD without any secret management. Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider (IdP) for Azure AD tokens, without needing secrets. It eliminates the need to store and manage credentials in code or store secrets to access Azure AD-protected resources like Azure and Microsoft Graph.
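What replaces the secret in this model is a trust rule: the external IdP's token is accepted only if its issuer, subject and audience exactly match a federated identity credential configured on the app registration. The following is an added example, not Microsoft's token service and not code from this post: it reproduces that matching decision over constructed token payloads. It assumes the token's signature has already been verified against the issuer's published keys (the step the real service performs first), and the credential, repository name and timestamps are constructed placeholders shaped like Graph's federatedIdentityCredential resource.

```python
"""Federated identity credential matching.

Added example: reproduces the issuer/subject/audience trust decision behind
workload identity federation. Signature verification of the external token is
assumed to have happened already. All values are constructed sample data."""
import time

# Constructed: one federated credential on the app, shaped like Graph's
# federatedIdentityCredential resource. It trusts exactly one repo and branch.
FEDERATED_CREDENTIALS = [
    {
        "name": "github-billing-api-main",
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:contoso-example/billing-api:ref:refs/heads/main",
        "audiences": ["api://AzureADTokenExchange"],
    }
]


def matching_credential(claims, credentials, now=None):
    """Return the name of the federated credential the token claims satisfy, else None.

    All three bindings are exact-match: a token from another issuer, another
    repository or branch, or minted for another audience is rejected, and an
    expired token is rejected even when the bindings line up."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    aud = claims.get("aud", [])
    auds = {aud} if isinstance(aud, str) else set(aud)  # 'aud' may be a string or a list
    for cred in credentials:
        if (claims.get("iss") == cred["issuer"]
                and claims.get("sub") == cred["subject"]
                and auds & set(cred["audiences"])):
            return cred["name"]
    return None


# Constructed token payloads (already signature-verified in this scenario).
NOW = 1_700_000_000
GOOD = {"iss": "https://token.actions.githubusercontent.com",
        "sub": "repo:contoso-example/billing-api:ref:refs/heads/main",
        "aud": "api://AzureADTokenExchange", "exp": NOW + 300}
FEATURE_BRANCH = dict(GOOD, sub="repo:contoso-example/billing-api:ref:refs/heads/feature-x")
FORKED_REPO = dict(GOOD, sub="repo:someone-else/billing-api:ref:refs/heads/main")
WRONG_AUDIENCE = dict(GOOD, aud=["https://github.com/contoso-example"])
EXPIRED = dict(GOOD, exp=NOW - 1)

if __name__ == "__main__":
    cases = [("main branch", GOOD), ("feature branch", FEATURE_BRANCH), ("fork", FORKED_REPO),
             ("wrong audience", WRONG_AUDIENCE), ("expired", EXPIRED)]
    for label, token in cases:
        print(f"{label:15} -> {matching_credential(token, FEDERATED_CREDENTIALS, now=NOW)}")
```

The exactness of the subject match is the security property: because the credential names one branch of one repository, a workflow on a feature branch or in a fork cannot obtain the app's token even though it comes from the same trusted issuer, which is why scoping the subject narrowly matters as much as not having a secret at all.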

Consider Microsoft Entra certificate-based authentication for your applications: Microsoft Entra certificate-based authentication (CBA) lets you set up your system so that users can log in using X.509 certificates directly with their Microsoft Entra ID. This authentication method applies to both applications and browser sign-in. By using this feature, you can make your authentication process resistant to phishing attempts. Users will authenticate using an X.509 certificate against your Public Key Infrastructure (PKI). Before cloud-managed support for CBA to Microsoft Entra ID, customers had to implement federated certificate-based authentication, which requires deploying Active Directory Federation Services (AD FS) to be able to authenticate using X.509 certificates against Microsoft Entra ID. Good news right?

The features mentioned above are some of the many features we can use to safeguard identities in our M365 environment. Feel free to comment and discuss more features you think should have been included in my checklist.
