Jef Kazimer Profile picture
Aug 31 14 tweets 6 min read
Just a reminder when focusing on #security for your #office365 and #azuread tenants: one of the key attack vectors comes from your on-premises environment. If you have not read and implemented the guidance in aka.ms/protectm365, you should, and read this thread. 1/7 #identity
"Federated trust relationships, such as Security Assertions Markup Language (SAML) authentication, are used to authenticate to Microsoft 365 through your on-premises identity infrastructure. If a SAML token-signing certificate is compromised, federation allows anyone who has.." 2/7
certificate to impersonate any user in your cloud.

We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
"Account synchronization can be used to modify privileged users, including their credentials, or groups that have administrative privileges in Microsoft 365.

We recommend that you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365." 4/7
"You can control privileges either directly or through inclusion in trusted roles or groups. Ensure these objects have no direct or nested assignment in trusted cloud roles or groups." 5/7
This is one reason why we recommend moving away from federated identity providers, whether they are #adfs on-prem, a 3rd-party IdP on-prem, or a 3rd-party cloud IdP, and moving to cloud-managed hybrid auth. 6/7 docs.microsoft.com/en-us/azure/ac…
And for the accounts you will use for admin privileges, create them as cloud-native accounts: do not sync them, and manage their role/group assignments natively in the cloud. Enable the CA policy template to require MFA for admin role holders at minimum, and use #passwordless creds. 7/7
See the CA policy template here docs.microsoft.com/en-us/azure/ac…, using #passwordless credentials in #azuread here docs.microsoft.com/en-us/azure/ac…, and of course using a break-glass account here aka.ms/breakglass
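As an added example (not code from the thread or from Microsoft's article), the following Microsoft Graph PowerShell script implements the check behind tweets 4/7 to 7/7: it enumerates the activated directory roles in the tenant and flags every holder whose account is synchronized from on-premises AD, whether assigned directly or through a nested role-assignable group. It assumes the Microsoft Graph PowerShell SDK is installed and that the read-only scopes shown have been consented.

```powershell
# Added example, not code from the thread or from Microsoft's article.
# Lists every activated directory role in the tenant and flags holders whose
# account is synchronized from on-premises AD (OnPremisesSyncEnabled -eq $true),
# directly or through a nested group, so they can be replaced with cloud-native
# admin accounts. Needs the Microsoft Graph PowerShell SDK with read-only scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

function Get-SyncedRoleHolder {
    $findings = @()
    foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $users = @()
            switch ($member.AdditionalProperties['@odata.type']) {
                '#microsoft.graph.user' {
                    $users = @(Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled)
                    $via = 'direct'
                }
                '#microsoft.graph.group' {
                    # Role-assignable group: expand transitive membership so nested
                    # assignments are caught as well
                    $users = @(Get-MgGroupTransitiveMember -GroupId $member.Id -All |
                        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                        ForEach-Object { Get-MgUser -UserId $_.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled })
                    $via = "group:$($member.AdditionalProperties['displayName'])"
                }
                # Service principals and other object types are out of scope here
            }
            foreach ($u in $users) {
                if ($u.OnPremisesSyncEnabled -eq $true) {
                    $findings += [pscustomobject]@{
                        Role = $role.DisplayName
                        User = $u.UserPrincipalName
                        Via  = $via
                    }
                }
            }
        }
    }
    return $findings
}

$synced = @(Get-SyncedRoleHolder)
if ($synced.Count -eq 0) {
    Write-Host 'No on-premises synced accounts hold directory roles.'
} else {
    # Every row here is a candidate for removal from the role and replacement
    # with a cloud-native account protected by MFA/passwordless credentials
    $synced | Sort-Object Role, User | Format-Table -AutoSize
}
```

Get-MgDirectoryRole returns only roles that have been activated in the tenant, so roles never assigned will not appear; run the script as a read-only audit before the cleanup, not as the cleanup itself.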
What I love about the aka.ms/protectm365 article is it gives you actionable recommendations on steps you can take TODAY to help secure your cloud environments from those attack vectors. Have you implemented them yet? How can we help you do so, if you have not? #azuread
Now if you have enabled the CA policy to require MFA for admin role holders, I would be amazed! But that is the minimum, as I said, and you should strive for MFA for ALL users and deploy docs.microsoft.com/en-us/azure/ac…
There are many infrastructure- and application-level roles and tasks done by users you may not consider "Admin". Users in your business org who access business apps and mail are prime targets, so you want to ensure you have some CA policy coverage with controls beyond just a password.
Use the CA policy Gap Analyzer workbook to identify users who are accessing apps and services without any CA policy coverage. Close those gaps with the CA policy templates! docs.microsoft.com/en-us/azure/ac…
If you are still using federated authentication providers (see above for why you want to move away from that), I do want to call out that the SupportsMFA flag for federation has been updated: use federatedIdpMfaBehavior instead. See docs.microsoft.com/en-us/graph/ap…
✅ Upgrade from Federated to #azuread Managed Auth
✅ Deploy Azure MFA - Microsoft Authenticator app
✅ Enable users for #passwordless Phone Sign In & WHFB
✅ Use CA policies to require MFA for ALL users All the time
🔥 Manage your CA policy exceptions w/Entitlement Management