8 Things to Avoid In Azure Active Directory

Azure Active Directory simplifies IT infrastructure management by providing a single place to store information about digital identities. But this convenient Identity and Access Management (IAM) system comes pre-configured with only basic features and security settings. For example, the default setting for Azure storage accounts allows access from anywhere, including the internet.

 

Organizations that don’t put in the extra effort needed to secure their Azure Active Directory leave themselves vulnerable and open to data leaks, unauthorized data access, and cyberattacks targeting their infrastructure.

Cybercriminals can decrypt user passwords and compromise administrator accounts by hacking into Azure AD Connect, the service that synchronizes Azure AD with Windows AD servers. Once inside the system, the attackers can exfiltrate and encrypt an organization’s most sensitive data.

Azure AD users often overlook crucial steps, such as implementing multi-factor authentication for all users joining the Active Directory with a device. Failure to require MFA makes it easier for an attacker to join a malicious device to an organization using the credentials of a compromised account.

Increased security risk isn’t the only consequence of a poorly set up AD. Misconfigurations can cause process bottlenecks leading to poor performance. The following guide was created by CQURE’s cybersecurity expert – Michael Graffneter specialized in securing Azure Active Directory, to help you detect and remedy some of the most common Azure AD misconfiguration mistakes.

8 Things to Avoid In Azure Active Directory

 

1. Production Tenants Used for Tests

During security assessments, we often see production tenants being used by developers for testing their “Hello World” apps. We recommend that companies have standalone tenants for testing new apps and settings. Needless to say, the amount of PII accessible through such tenants should be minimized.

2. Overpopulated Global Admins

User accounts that are assigned the Global Admin’s role have unlimited control over your Azure AD tenant and in many cases also over your on-prem AD forest. Consider using less privileged roles to delegate permissions. As an example, security auditors should be fine with the Security Reader or Global Reader role.

3. Not Enforcing MFA

Company administrators tend to create “temporary” MFA exclusions for selected accounts and then forget about them, making them permanent. And due to misconfigurations, trusted IP address ranges sometimes include guest WiFi networks. Even with the free tier of Azure AD, one can use Security defaults to enable multi-factor authentication for all users. And users assigned the Global Administrator role can be configured to use multi-factor authentication at all times.

4. Overprivileged Applications

Many applications registered in Azure AD are assigned much stronger privileges than they actually require. It is also not obvious that app owners can impersonate their applications, which sometimes leads to privilege escalation. Registered applications and service principals should be regularly audited, as they can be used by malicious actors as persistent backdoors to the tenant.

5. Fire-and-Forget Approach to Configuration

Azure AD is constantly evolving and new security features are introduced regularly. But many of these newly added features need to be enabled and configured before they can be used, including the super-cool passwordless authentication methods. Azure AD deployment should therefore not be considered a one-time operation but rather a continuous process.

6. Insecure Azure AD Connect Servers

Azure AD Connect servers are used to synchronize Azure AD with on-premises AD, for which they need permissions to perform modifications in both environments. This fact is well-known to hackers, who might misuse AAD Connect to compromise the entire organization. These servers should therefore be considered Tier 0 resources and only Domain Admins should have administrative rights on them.

7. Lack of Monitoring

Even with an Azure AD Premium plan, user activity logs are only stored for 30 days. Is this default behavior really enough for your organization? Luckily, custom retention policies can be configured when Azure AD logs are forwarded to the Azure Log Analytics service, to the Unified Audit Log feature of Microsoft 365, or to 3rd-party SIEM solutions. And components like Azure AD Identity Protection or Azure Sentinel can automatically detect anomalies in user activity.

8. Default Settings

Not all default settings provide the highest security possible. Users can register 3rd party applications in Azure AD, passwordless authentication methods are disabled and ADFS endpoints with NTLM authentication that bypasses the Extranet Smart Lockout feature are published on proxies. These and other settings should be reviewed during Azure AD deployment and adjusted to fit organizational security policies.

Azure AD is a critical attack surface that needs continuous monitoring for misconfigurations. We hope this guide makes managing the security of your AD easier by helping you to detect and resolve vulnerabilities.

Comments