Best practices for Microsoft Azure Active Directory
Transitioning business IT from a primarily hardware-based infrastructure to a high-performing cloud environment is compelling for most enterprises. Cloud computing has the power to streamline organizational processes and offers a reliable solution for data storage, access, management, business continuity, and analysis. IT teams stand to benefit from implementing a cost-effective and scalable solution that is, in principle, simpler to manage than a traditional data center composed of disparate hardware components. There are important challenges to consider when adopting the cloud, such as vendor lock-in, security management, and redefining the organization’s culture.
Microsoft Azure has been adopted by the vast majority of IT teams globally. The cloud-based platform allows IT managers to build, test, deploy and oversee applications on a global network of Microsoft data centers. The scalable as-a-service solution has proved extremely popular: by the year 2020, Gartner believes that 90 percent of organizations will adopt hybrid infrastructure management and that Azure, along with its larger counterpart Amazon Web Services, will dominate this market. However, while the pace of cloud adoption shows no sign of abating, migrating to, and managing data within, a cloud environment comes with a set of unique challenges around accessibility, data protection and security. So how should organizations set about putting in place an effective Azure Active Directory?
Even for those organizations that have a great deal of experience administering and securing a traditional on-premises Active Directory environment, moving to the cloud throws up a new set of challenges, as Azure Active Directory is very different from other platforms in how privilege delegation, authentication and group management are performed. So what are some of the key best practices that IT managers need to consider?
Assess the security risks
A security breach in Azure AD can be catastrophic for a business, as it is the principal authentication authority for cloud services both in Azure and externally. In a hybrid deployment, Azure AD relies on on-premises AD: changes made on premises are replicated to Azure AD in the cloud. It is therefore vitally important to establish an effective AD lifecycle methodology that ensures changes in one directory do not have an adverse effect on the other.
Continual assessment, the process of knowing the current state of security in Azure Active Directory, is critical to the health and security of an Azure AD environment. Database administrators can perform these assessments -- to some degree -- using native tools and services, such as PowerShell and the Microsoft Privileged Identity Management service. However, these manual processes are time-consuming, error-prone and often incomplete. Third-party solutions that automate monitoring and reporting make it easy to incorporate the best practice of continual assessment into your Azure AD management routine and often deliver more comprehensive functionality.
To have a current understanding of who can do what and get a clearer picture of potential security risks, IT managers and database administrators need to regularly assess the following:
- Role membership
- Security verification methods
In Azure Active Directory and across the Microsoft Office 365 Suite, roles are the means by which administrative capabilities are delegated. This means that it is critical to understand and control which roles are assigned to which users. By exercising proper oversight, organizations can significantly reduce the ability of well-intentioned users to make mistakes, as well as the ability of malicious users to cause damage.
The second aspect of Azure AD that requires continual assessment is security verification methods. Azure Active Directory is the authentication and access control directory for the Microsoft Office 365 platform, including Exchange Online, Skype for Business Online and SharePoint Online. Azure Active Directory can also be integrated with non-Microsoft solutions such as Salesforce and Workday, and is therefore becoming a key security component for those systems. Securing Azure Active Directory is critical. Organizations need to ensure that users who access the critical resources that Azure AD protects are who they claim to be, and that they have only the rights that they require.
It is a best practice to enable Azure multifactor authentication (MFA) for users with the Global Administrator role. As part of the on-boarding process for accounts subject to MFA, you will need to gather each user's personal contact information and the methods they will use for MFA.
It is important to regularly assess this information to ensure that everyone who should be using MFA is actually using it and that they have valid contact information. To perform these assessments, you have three options:
- Azure AD Identity Protection (requires the Azure AD Premium P2 edition)
- Third-party tools
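The following PowerShell script is an added example, not code from the article or from Quest: it uses the Microsoft Graph PowerShell SDK to list the members of the Global Administrator role and report whether each user has registered an MFA method, which is the assessment described above. It assumes you have already connected with `Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"` and that the tenant is licensed for the authentication methods registration report.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph modules
# and an existing Connect-MgGraph session with the scopes named in the lead-in.

function Get-GlobalAdminMfaStatus {
    # Get-MgDirectoryRole returns only activated roles; Global Administrator
    # is always activated, so a client-side match on the display name is enough.
    $role = Get-MgDirectoryRole -All |
        Where-Object { $_.DisplayName -eq 'Global Administrator' }
    if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        # Role members may be users, groups or service principals; only users
        # register MFA methods, so non-user members are flagged for separate review.
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            [pscustomobject]@{
                Id                = $m.Id
                UserPrincipalName = $m.AdditionalProperties['displayName']
                ObjectType        = $type
                MfaRegistered     = $null
                Methods           = 'non-user member: review separately'
            }
            continue
        }
        # Registration state comes from the authentication methods usage report.
        $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail `
            -UserRegistrationDetailsId $m.Id
        [pscustomobject]@{
            Id                = $m.Id
            UserPrincipalName = $reg.UserPrincipalName
            ObjectType        = 'user'
            MfaRegistered     = $reg.IsMfaRegistered
            Methods           = ($reg.MethodsRegistered -join ',')
        }
    }
}

# Show the privileged accounts that have not registered any MFA method yet.
Get-GlobalAdminMfaStatus |
    Where-Object { $_.ObjectType -eq 'user' -and -not $_.MfaRegistered } |
    Format-Table UserPrincipalName, Methods -AutoSize
```

Run the full `Get-GlobalAdminMfaStatus` output without the filter to also review the registered methods of compliant users and any group or service-principal members of the role.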
It is critical to be able to audit and alert on direct changes to group membership as well. Group membership changes are audited in Azure AD and can be viewed in the Azure AD audit logs. The Office 365 Security and Compliance Center can alert on group membership changes, but it lacks the ability to filter so that only a certain group’s membership changes are alerted on. It also lacks the ability to target alerts to the group owners.
Consider investing in a third-party solution that can granularly target alerts at specific groups, send those alerts to the group owners, and retain audit information for group membership changes for as long as necessary.
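As an added example (not code from the article or from Quest), the following PowerShell function shows the two gaps described above being closed with the Azure AD audit log itself: it pulls only the member add/remove events that concern one specific group and pairs them with that group's owners so the alert can be routed to them. It assumes an existing `Connect-MgGraph -Scopes "AuditLog.Read.All","Group.Read.All"` session; the group id is a placeholder you supply.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph modules
# and an existing Connect-MgGraph session with the scopes named in the lead-in.

function Get-GroupMembershipChanges {
    param(
        [Parameter(Mandatory)] [string] $GroupId,   # object id of the group to watch
        [int] $Days = 7
    )
    # Audit log filter is applied server-side on category and time window.
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss\Z')
    $filter = "category eq 'GroupManagement' and activityDateTime ge $since"

    # The group is matched client-side: it appears as one of the event's target
    # resources alongside the user who was added or removed.
    $events = Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Where-Object {
            ($_.ActivityDisplayName -in @('Add member to group', 'Remove member from group')) -and
            ($_.TargetResources | Where-Object { $_.Id -eq $GroupId })
        }

    # Owners are the people the alert should be routed to.
    $owners = Get-MgGroupOwner -GroupId $GroupId -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

    foreach ($e in $events) {
        $member = $e.TargetResources | Where-Object { $_.Type -eq 'User' } | Select-Object -First 1
        [pscustomobject]@{
            When         = $e.ActivityDateTime
            Activity     = $e.ActivityDisplayName
            Actor        = $e.InitiatedBy.User.UserPrincipalName
            Member       = $member.UserPrincipalName
            GroupId      = $GroupId
            Result       = $e.Result
            NotifyOwners = ($owners -join ';')
        }
    }
}

# Review the last 7 days of membership changes for one group (placeholder id).
Get-GroupMembershipChanges -GroupId '<group-object-id>' | Format-Table -AutoSize
```

Note that the Azure AD audit log has a limited retention period, so for the long-term retention the text calls for, the output must be exported and stored elsewhere.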
A core objective for anyone using Azure AD should be to correlate disparate IT data from numerous systems and devices into an interactive search engine for fast security incident response and forensic analysis. This includes the ability to easily manage user entitlements and activity, event trends, suspicious patterns and more, with rich visualizations and event timelines enabling important information to stand out.
IT managers wishing to transition to the cloud to make use of Azure will need to identify a solution that adequately allows them to meet rigorous compliance requirements and secure hybrid environments from potential threats. IT professionals face the daunting task of having to use an ever-increasing number of tools to manage security over a hybrid environment. This situation comes with the potential that important information may be masked or missed because it was not clearly visible in the solution being used or was not properly understood when viewed in isolation.
As such, it is vitally important to have a solution that enables IT and security professionals to view all information from a single and simple interface that allows dynamic investigation paths and processes. A good security and compliance solution will present a correlated view across both on-premises and cloud infrastructures, with built-in reporting and visibility, including users, groups, permissions, and other configurations, thereby giving IT administrators the power to react quickly to potential threats and improve security across the enterprise.
Alistair Holmes, software sales engineering manager for the Platform Management Business Unit, Quest.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.