Hello everyone and welcome to our mind-blowing series of blogs we have lined up to show you the significant impact of the Azure Active Directory Security Features had for one of our SMC customer.
This blog is a cumulative effort from the Mission Critical Team (Altug, Morne, Nibin, Zoheb & Simon).
We will be showcasing in detail what efforts our Identity experts in the Mission Critical Team have gone through for one of our customers in MEA. As a result, we achieved an immense overall improvement in their identity security posture.
Let us start first by introducing ourselves:
Morne: I am an Identity Customer Engineer and have been in Microsoft for 2 years. My primary focus is enablement of the Microsoft hybrid cloud and securing Cloud identities along with the optimization and production remediation of Directory Services. I work as a Designated Support Engineer (Dedicated Customer Engineer) for this customer.
Zoheb: I am an Azure/Identity Solution Engineer and have been in Microsoft for 7 years in different roles (Microsoft Support, PFE/CE & presently SMC) and working as a SMC lead for this customer.
Nibin:I am an Azure/Identity Sr Solution Engineer and have been in Microsoft for 13 years in different roles (Microsoft Support, PFE/CE & presently SMC) and working as a SMC lead for this customer. Altug:I am a Sr Solution Engineer specializing in the Manageability and Operations realm. I have been in Microsoft for almost 15 years in different roles (Microsoft Support, PFE/CE & presently SMC).
Simon: I am a Modern Workplace Sr Mission Critical Solution Engineer specializing in Messaging and Collaboration. I have been working in Microsoft for 19 years in various roles. I work as a Mission Critical Customer Lead for this customer.
Before we go in more details, we would like to share some Background on the Microsoft Mission Critical methodology that will enable you to better understand this blog series and the way we work.
Microsoft SMC (Support for Mission Critical) Team is the ultimate personalized support experience from Microsoft. Each SMC customer will have designated team that:
· Knows you and knows what your solution means to your enterprise
· Works relentlessly to find every efficiency to help you get ahead and stay ahead
· Advocates for you and helps ensure get you the precise guidance you need 24x7.
How the Microsoft Mission Critical team helped secure AAD
To come back to our valuable SMC customer. This customer has an environment of about 25,000 users, was new to Azure Active Directory and ultimately was in the process of exploring as many new features as possible.
Historically they had to deal with various Security incidents in their environment, which resulted in Identity compromise, phishing, malware attacks etc. They had challenges to Protect, Detect and Respond proactively to these varying levels of compromise.
As our customer’s footprint grew in AzureAD they started observing many similar attack trends in AAD like described below:
Hundreds of Risky Sign ins reported every day
More than 1 million incorrect username and password attempts in a month (Password Spray attacks)
M365 team were detected many phishing emails
Many impossible travel alerts detected
Many attempts detected from legacy Browser using weak authentication
Being part of the Microsoft Solution team, we always go above and beyond to support our customers. The first step is always to quickly resolve the reactive issue, subsequently identify the Root Cause, and finally through our Proactive Delivery Methodology making sure this does not happen again.
Below you will now find the chronological flow of our approach to fix some of the issues over a period.
Each topic described will have a separate blog as all these Individual topics require in depth discussion.
Risky Sign in's Process Improvements: We observed that there are hundreds of Risky Sign ins reported every day and our customer wanted to add restrictions which could help secure their users’ Identity.
Eliminating weak passwords for organization: They received more than 1 million bad password attempts in a month. We wanted to protect them against this and one of the remediation's we followed was to implement Azure AD Password Protection. Before enforcing this, they wanted to evaluate the impact, for which we created a custom dashboard that helped them to analyze weak passwords usage in the environment.
How we found a compromised Exchange Online user: Our customer got alerted through Azure AD Risky Sign in Activity that the user is in high Risk and has done impossible travel. This user made attempts to compromise many other accounts also.
Conditional Access & MFA adoption : All the users were located only in 1 country but were receiving Authentication attempts from across the globe. Considering this risk, we forced MFA for any authentication attempts for Non-Trusted IP users. (Blog link will be updated once posted)
Securing Domain Controllers in Azure : Customer had Domain controllers in Azure but we realized that multiple people had ability to access to the subscription and resources which was risky. To avoid privilege escalation from an Azure operator to Domain Admin we followed the Least Privilege model and gave permissions to the Subscription/Resources having Domain Controllers to only the Identity team who really needed these privileges.
Reduction in Privileged Identity Users: This is a basic for any Identity platform to implement the least privilege administration model. We reduced the numbers of High Privileged users from 30 to 9, this will further be improved post implementation of PIM. (Blog link will be updated once posted).
Reducing number of Users synced to AAD: They had more than 60,000 users synced with AAD comparing to the active users which were less than 25,000. This was mainly due to Inactive/Disabled accounts in the On-Premises AD. We collaborated with customers Messaging & Identity team to identify and clean many stale accounts. (Blog link will be updated once posted)
PIM for Azure Identity roles: PIM enables you to manage, control, and monitor access to important resources in your organization. We used PIM to Provide just-in-time approvals for privileged access to the Azure AD. (Blog link will be updated once posted)
Enabling Internal Application access through Supported Platforms only: We found that legacy browsers were being used to exploit vulnerabilities and to use weak Authentication methods. In order to mitigate this concern, we restricted company applications access only through supported Browsers/Apps. (Blog link will be updated once posted)
NOTE: The features and guidelines implemented in this case was specific to this customers requirements and environment, so this is not a “General” guideline to enable any of the mentioned features.