The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. We will provide advice on activities such as setting up identity management through active directory, malware protection, and more. In this post, we explain how to enable single sign-on (SSO) in Azure Active Directory (Azure AD) to manage authentication across devices, cloud apps, and on-premises apps, and then how to set up Multi-Factor Authentication (MFA) to authenticate user sign-ins through a mobile app, phone call, or SMS.
Balancing employee productivity needs with enterprise security begins with protecting identities. Gone are the days when users accessed corporate resources behind a firewall using corporate-issued devices. Your employees and partners use multiple devices and apps for work. They share documents with other users via cloud productivity apps and email, and they switch between personal and work-related apps and devices throughout the day. This has created a world of opportunity for sophisticated cybercriminals.
Hackers know that users often use the same weak password for all their accounts. Sophisticated cybercriminals employ several tactics to take advantage of these vulnerabilities. Password spray is a method of trying common passwords against known account lists. In a breach relay, a malicious actor steals a password from one organization and then uses the password to try to access other networks. Phishing campaigns trick users into handing over the password directly to the hacker. Azure AD provides several features to reduce the likelihood of all three of these attack methods.
Access credentials in the form of email addresses and passwords are the two most compromised data types—at 44.3 percent and 40 percent, respectively.
Source: Dark Reading Date: November 2017
Simplify user access with Azure AD single sign-on
Most enterprise security breaches begin with a compromised user account that makes protecting those accounts a critical priority. If you manage a hybrid environment, the first step is to create a single common identity for all your users. We recommend password hash sync as your primary authentication method if possible. If you use federation services to authenticate users, be sure to enable extranet lockout. You can read about these and other hybrid identity security recommendations in the first blog in this series: Step 1. Identify users: top 10 actions to secure your environment.
One huge advantage of a hybrid deployment is that you can set up SSO. Users already sign in to on-premises resources using a username and password they know. Azure AD SSO lets them use the same set of credentials to access on-premises resources plus Office 365 apps. You can then increase productivity further by extending SSO to include more cloud SaaS and on-premises apps through AppProxy. Cloud-only customers gain the same productivity benefits by setting up SSO across Azure AD, Office 365, and Azure AD-connected cloud applications.
You can use the SSO deployment plan as a step-by-step guide to walk you through the implementation process of adding more apps to your SSO solution.
Strengthen your credentials
Given the frequency with which credentials are stolen, guessed, or phished, both cloud and hybrid customers should enable Azure MFA to add another layer of security to their accounts (Figure 1). MFA protects everything under the SSO identity system, including cloud SaaS and on-premises apps published with AppProxy, significantly decreasing the odds that a compromised identity will result in a security breach.
MFA works by requiring two or more of the following authentication methods:
- Something you know (typically a password).
- Something you have (a trusted device that is not easily duplicated, like a phone).
- Something you are (biometrics).
You can use the MFA deployment plan as a step-by-step guide to walk you through the implementation process.
Figure 1. MFA works by requiring two or more authentication methods.
One of the reasons users select weak or common passwords is because lengthy passwords that require numbers, letters, and special characters are difficult to remember, especially if they must be changed every few months. Microsoft recommends that you disable these rules, and instead prohibit users from choosing common passwords. If you are a hybrid customer, you will need to deploy Azure AD password protection agents on-premises to enable this feature. Azure AD password protection blocks users from choosing common passwords and any custom passwords that you configure. If you implement password hash synchronization as a primary or backup authentication method, you will have access to a leaked user credentials report, which provides usernames and password pairs that have been leaked to the dark web.
Better yet, move away from passwords entirely. One of the reasons passwords are frequently stolen is that they work from anywhere. Windows Hello allows users to set up device authentication using either a PIN or biometrics, such as a fingerprint scanner or face recognition. This form of authentication is easier for users because they don’t have to remember complex passwords, but it is also safer because the authentication method is tied to the device. A hacker would have to gain possession of the device and the biometrics or PIN to compromise your network.
Enable productivity with self-service
The Azure self-service portal allows you to turn over common tasks to your users, saving your help desk time without increasing your risks. Azure AD self-service password reset (SSPR) offers a simple means for users to reset their passwords or unlock accounts without administrator intervention. You can also give users the ability to manage groups using Azure AD security groups and Office 365 groups. Known as self-service group management, this feature allows group owners who are not assigned an administrative role to create and manage groups without relying on administrators to handle their requests. Letting users reset their own passwords and manage groups gets them back to productive work quickly while reducing your tech support costs.
You can use the SSPR deployment plan as a step-by-step guide to walk you through the implementation process.
In future blog posts, we will provide additional Azure AD configuration recommendations to help secure your identities. We will then touch on the recommended security best practices to protect your apps, devices, and infrastructure.
Check back in a few weeks for our next blog post: “Step 3. Protect your identities.” In this post, we’ll dive into additional protections you can apply to your identities to ensure that only authorized people access the appropriate data and apps.
Get deployment help now
FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.