\n\nThis page has been machine-translated from the original page.
\n
Lately I suddenly felt like playing around with Azure, but before spinning up any machines I decided to review the security-related recommendations first.
\nThe service I checked was Identity Secure Score, and right after logging in I was surprised to see that the achievement rate was only 14%, which meant the security level was pretty low.
\nReference: What is Identity Secure Score? - Azure Active Directory | Microsoft Docs
\nSo this time, I would like to go through the best practices recommended by Identity Secure Score and improve the security level around my account.
\n\nFirst, I will start with the item that has the biggest impact.
\nIt is recommended to configure MFA for administrative roles.
\n\n\nRequiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts.
\nAdministrative roles are granted more advanced permissions than regular users. If any of these accounts are compromised, critical devices and data become vulnerable to attack.
\n
According to the documentation below, enabling MFA reduces the risk of account compromise by more than 99.9%.
\nThe recommended way to configure MFA is to protect sign-ins with a Conditional Access policy, but unfortunately I could not configure that on my account.
\nReference: Enable Azure AD Multi-Factor Authentication | Microsoft Docs
\nReference: Azure AD Multi-Factor Authentication in your organization - Azure Active Directory | Microsoft Docs
\nIt seems that Azure MFA offers different configuration options depending on the license you are using.
\nThe Conditional Access policy mentioned above appears to be available only for accounts that have purchased Enterprise Mobility + Security E5 or Azure AD Premium P2, so this time I used Security Defaults, which is available even to Azure AD Free users.
Reference: Azure AD Multi-Factor Authentication editions and consumption plans | Microsoft Docs
\nI was able to enable MFA through Security Defaults with the following steps.
\nFirst, open Azure Active Directory from the Azure portal and select [Properties].
\nThere, enable Security Defaults.
\nNext, open Azure Active Directory from the Azure portal and select [All users].
\nFrom there, click [Per-user MFA] to open the screen below, then click [Enable] in [quick steps] to enable MFA.
\nThat seems to have configured MFA for the administrative account.
\nUnfortunately, the method recommended by the “Improvement action” is configuration through a Conditional Access policy, and I could not do that this time because of the license limitations.
\nAs in the previous section, this is configured from Azure AD Identity Protection.
\n\nEnabling the user risk policy allows Azure Active Directory to detect the possibility that a user account has been compromised.
\nAdministrators can configure Conditional Access policies based on user risk in order to respond automatically to specific risk levels.
\nFor example, they can block access to resources or require a password change to return a user account to a clean state.
\n
This one also could not be enabled, so I marked it as “Risk accepted”.
\nThis appears to be a recommendation about controlling permissions when integrating AAD with third-party applications.
\n\n\nRegulate permissions for integrated third-party applications to strengthen the security of the service.
\nAllow access only to the applications you need and that support robust security controls.
\nBecause third-party applications are not created by Microsoft, they could be used for malicious purposes, such as exfiltrating data from the tenant.
\nAttackers may be able to maintain access to the service through these integrated applications without using a compromised account.
\n
Reference: Tutorials for integrating SaaS applications with Azure AD | Microsoft Docs
\nAt the moment I am not planning to integrate any third-party services with AAD, so I skipped this.
\nThis recommendation is to prepare multiple administrators.
\n\n\nHaving multiple global administrators can help when organizational requirements or obligations cannot be met by a single person.
\nIt is important to prepare a delegate or emergency response account that someone on the team can access when needed.
\nIt also makes it possible for administrators to watch each other for signs of compromise.
\n
It is useful not only for handling absences or lost account credentials, but also for preventing abuse.
\nThis topic was also included in CISSP content.
\nSince I am using this personally, I skipped this as well.
\nIt is not recommended to use an account with the Global Administrator role as your day-to-day user account.
\n\n\nUsers with limited administrator roles have more privileges than standard users, but fewer than global administrators.
\nBy using limited administrator roles to perform the management tasks you need, you can reduce the number of users who are assigned the highly valuable and high-impact Global Administrator role.
\nAssigning roles such as Password Administrator or Exchange Online Administrator instead of Global Administrator can reduce the chance that a globally privileged account will be compromised.
\n
I added a new user from the AAD console and assigned an appropriate administrative role.
\nAnd of course I did not forget to enable MFA for it.
\nThis setting controls whether non-administrative users can reset their passwords.
\n\n\nUsing self-service password reset in Azure Active Directory means users no longer need to rely on the help desk to reset their passwords.
\nThis feature can also be used together with Azure AD’s dynamic banned passwords, which help prevent the use of easily guessed passwords.
\n
You can configure it from the screen below, but since this is for personal use, I left it set to “None”.
\nI felt like playing with Azure a bit, so as a first step I went through all of the recommendations shown in Secure Score for Identity.
I think that covers the minimum account-related best practices, so I would like to start experimenting with Azure from here.
","fields":{"slug":"/azure-setup-on-security-en","tagSlugs":["/tag/security-en/","/tag/azure-en/","/tag/備忘録/","/tag/english/"]},"frontmatter":{"date":"2022-02-08","description":"","tags":["Security (en)","Azure (en)","備忘録","English"],"title":"Checking Azure Active Directory's Identity Secure Score","socialImage":{"publicURL":"/static/5c545c1024b2178addc54de4a9c2d549/azure-setup-on-security.png"}}}},"pageContext":{"slug":"/azure-setup-on-security-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}