Account/Authentication - Azure Active Directory - Ensure Administrative Accounts are Separate and Cloud-Only

By Ashwin Venugopal -

 








Summary

Administrative accounts are known to have special privileged accounts that could have varying levels of access to data, users and settings. Whereas in the case of a hybrid environment, regular user accounts should not be utilized for Administrative tasks and should be cared for, to keep Administrative accounts separated from on-prem accounts. Applications are not assigned to administrative accounts so that they have no access to potentially vulnerable services (for example, Teams, SharePoint, etc.) and can only access perform tasks as required for Administrative purposes. 

Reason

Ensuring Administrative accounts are clouds-only, without applications assigned to them will reduce the attack surface of high privileged identities in the environment. In order to participate in Microsoft 365 security services such as Identity Protection, PIM and Conditional Access, an Administrative account will require a license attached to it. This license should not have any application with potentially vulnerable services by using either Azure Premium P1 or Azure Premium P2 for the cloud-only account with administrator roles.

However, hybrid environment with separate accounts ensures that in an event of breach in the cloud, the on-prem environment will not be affected and vice versa.

What If?

If the passwords are set not to expire, then, the other controls should be in place to supplement this setting. The following steps are recommended to be taken:

  1. Ban common passwords
  2. Educate users to not reuse organization passwords anywhere else
  3. Enforce MFA registration for all users
  4. Enforce MFA registration

How to?

To create licensed separate Administrative accounts for Administrative users, use the Microsoft 365 Admin Center:
  1. Login to https://admin.microsoft.com as a Global Administrator.
  2. Go to Admin centers and choose Azure AD.
  3. Select Users > Active users then click Add a user.
  4. Now, fill out the appropriate fields for Name, user, etc.
  5. When prompted to assign licenses select as needed Azure Premium P1 or Azure Premium P2, then click Next.
  6. After that, you may choose from several types of Administrative access roles below the Option settings screen. Select Admin center access followed by the appropriate role then click Next.
  7. Select Finish adding.

Monitor:

To verify appropriately licensed separate Administrative accounts are being utilized, use the Microsoft 365 Admin Center:
  1. Login to https://admin.microsoft.com as a Global Administrator.
  2. Select Users > Active users then sort by the Licenses column.
  3. Now, fill out the appropriate fields for Name, user, etc.
  4. After that, for each user account in an Administrative role verify the following:
  • The account is cloud-only (not synced).
  • The account is assigned a license that is not associated with applications (Azure Premium P1, Azure Premium P2).










































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more