Rules to Better Cloud Security

Effective management of Microsoft Entra ID (formerly Azure Active Directory) is crucial for maintaining the security and efficiency of your organisation's IT infrastructure. Neglecting best practices can lead to unauthorised access, data breaches, and operational disruptions.

1. Enforce Strong Authentication

• Implement Multi-Factor Authentication (MFA): Require MFA for all users, especially administrators, to add an extra layer of security
• Adopt Passwordless Authentication: Utilize methods like Windows Hello for Business or FIDO2 security keys to enhance security and user experience

To check if your users are still typing passwords, use the Get-MgBetaAuditLogSignIn cmdlet - for example:

Connect-MgGraph

Import-Module Microsoft.Graph.Beta.Reports

$startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate   = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")

$Output = @()

$signIns = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $startDate and createdDateTime le $endDate" -All

foreach ($signIn in $signIns) {
    $authMethods = $signIn.AuthenticationDetails | ForEach-Object { $_.AuthenticationMethod -join "," }
    $authMethodsString = $authMethods -join "; "

    if ($signIn.Status.errorCode -eq 0 -and $authMethodsString -contains "Password" -and !($authMethodsString -contains "Passwordless")) {
        $Output += [PSCustomObject]@{
            UserDisplayName    = $signIn.UserDisplayName
            UserPrincipalName  = $signIn.UserPrincipalName
            CreatedDateTime    = $signIn.CreatedDateTime
            AppDisplayName     = $signIn.AppDisplayName
            AuthenticationMethod = $authMethodsString
        }
    }
}

$Output | Export-Csv -Path C:\temp\password-use.csv -NoTypeInformation

2. Apply the Principle of Least Privilege

• Use Role-Based Access Control (RBAC): Assign users the minimum permissions necessary for their roles to reduce the risk of unauthorized access
• Implement Just-In-Time Access: Utilize Privileged Identity Management (PIM) to grant temporary access to resources only when needed

3. Regularly Review and Audit Access

• Conduct Access Reviews: Periodically review user access to ensure that only authorized individuals have access to resources
• Monitor Sign-In Activity: Keep track of user sign-ins to detect unusual or suspicious activities promptly

4. Secure Application Registrations

• Use Certificates Over Secrets: Always use certificate credentials for app authentication instead of client secrets, as certificates are more secure
• Limit API Permissions: Assign the least privileged permissions necessary for applications to function

5. Enable Security Features

• Activate Security Defaults: Enable security defaults in Microsoft Entra ID to enforce a basic level of security across your organization
• Implement Conditional Access Policies: Define policies that grant or block access based on conditions like user location, device state, or risk level

6. Plan for Emergency Access

• Create Break Glass Accounts: Establish at least two emergency access accounts that are not protected by MFA to ensure access during critical situations
• Monitor and Secure Emergency Accounts: Regularly audit these accounts to ensure they are not misused and are only accessed during emergencies

7. Use Clear Access Group Naming Conventions

Clear and consistent naming conventions for access groups make management simpler and ensure clarity across the organization

Why are naming conventions important?

Without clear naming conventions, it becomes difficult to understand the purpose or scope of access groups, leading to confusion and potential security risks.

Best practices

1. Follow a Standard Structure: Include key details in the group name, such as department, function, and access level
   • Example: [Department]-[Resource]-[Level]
   • HR-Payroll-ReadOnly or IT-SharePoint-Admin
2. Use Prefixes for Type Indication: Add a prefix to indicate the type of group
   • DL- for Distribution List, SEC- for Security Group, O365- for Office 365 Group 'Intune-' for Intune policies
3. Avoid Ambiguity: Ensure names are descriptive but concise. Avoid generic terms like "Admin" or "Users" that lack specific context
4. Adopt Case Conventions: Use consistent casing, such as PascalCase or lowercase, for easy readability. Kebab-case is recommended.

Common naming conventions examples

By adhering to these best practices, including clear naming conventions for access groups, you can strengthen your organization's security posture and streamline the management of Microsoft Entra ID.

Once your environment is secured sufficiently you need to configure some alerting. This will ensure that any changes either due to changes in your Azure deployment or more importantly improved scanning in Security Center result in you being alerted so that your infrastructure can be better secured.

As things change, you should schedule a regular review of security posture. This should involve reviewing whether the current policy is appropriate. Consider the following: