Just a reminder when focusing on #security for your #office365 and #azuread tenants one of the key attack vectors comes from your on-premises environment. If you have not read and implemented the guidance in aka.ms/protectm365 you should & read this thread. 1/7 #identity
"Federated trust relationships, such as Security Assertions Markup Language (SAML) authentication,are used to authenticate to Microsoft 365 through your on-premises identity infrastructure.Ifa SAML token-signing certificate is compromised, federation allows anyone who has.."2/7
certificate to impersonate any user in your cloud.
We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
"Account synchronization can be used to modify privileged users, including their credentials, or groups that have administrative privileges in Microsoft 365.
We recommend that you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365." 4/7
We recommend that you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365." 4/7
"You can control privileges either directly or through inclusion in trusted roles or groups. Ensure these objects have no direct or nested assignment in trusted cloud roles or groups." 5/7
This is one reason why we recommend moving away from federated identity providers whether they are #adfs onprem, 3rd party IDP onprem, or 3rd party cloud IDP and move to cloud managed hybrid auth. 6/7 docs.microsoft.com/en-us/azure/ac…
And for accounts you will use for admin privileges, create them as cloud native, not syncing them and managing their role/group assignments natively in the cloud. Enable the CA policy template to require MFA for admin role holders at minimum and use #passwordless creds. 7/7
See CA policy template here docs.microsoft.com/en-us/azure/ac… and using #passwordless credentials in #azuread here docs.microsoft.com/en-us/azure/ac… and of course using a breakglass account Here aka.ms/breakglass
What I love about the aka.ms/protectm365 article is it gives you actionable recommendations on steps you can take TODAY to help secure your cloud environments from those attack vectors. Have you implemented them yet? How can we help you do so, if you have not? #azuread
Now if you have enabled the CA policy to require MFA for Admin role holders, I would be amazed! But that is the minimum as I said, and you should strive for MFA For ALL Users and deploy docs.microsoft.com/en-us/azure/ac…
There are many infrastructures and application-level roles and tasks done by users you may not consider "Admin". Your business org has users accessing business apps/mail are prime targets so you want to ensure you have some CA policy coverage for controls beyond just password.
Use the CA policy Gap Analyzer workbook to identify users who are accessing apps and services without any CA policy coverage. Close those gaps with the CA policy templates! docs.microsoft.com/en-us/azure/ac…
If you are still using Federated Authentication providers (See above why you want to move away from that) I do want to call out an update to the SupportsMFA flag for the federation and use federatedIdpMfaBehavior instead. See docs.microsoft.com/en-us/graph/ap…
✅ Upgrade from Federated to #azuread Managed Auth
✅ Deploy Azure MFA - Microsoft Authenticator app
✅ Enable users for #passwordless Phone Sign In & WHFB
✅ Use CA policies to require MFA for ALL users All the time
🔥 Manage your CA policy exceptions w/Entitlement Management
✅ Deploy Azure MFA - Microsoft Authenticator app
✅ Enable users for #passwordless Phone Sign In & WHFB
✅ Use CA policies to require MFA for ALL users All the time
🔥 Manage your CA policy exceptions w/Entitlement Management
• • •
Missing some Tweet in this thread? You can try to
force a refresh
