Azure Active Directory Security Defaults—not for everyone

Microsoft’s powerful array of cloud offerings—Microsoft Azure, Dynamics, and Office 365—offer paths to business growth without the huge capital investment. Most organizations on the cusp of implementing and experimenting with those services may not make security  the first priority in the quest for productivity.

The first phase of the exciting journey into the cloud is to set up that new customized application, mine customer records, or launch those great office tools. Then everyone has to be brought on board. The organization’s business practices have to be retooled to get everyone working together.

Just leave those legacy passwords in place and let the IT sort it out. Right?

Besides, don’t those tools come with security default settings? Why not just rely on the security defaults in Azure Active Directory (Azure AD) with its multifactor sign in? Isn’t Azure AD security sufficient to thwart cyber attackers, who try to gain access through tactics like password spray?

Actually, it’s a double-edge sword. Azure AD provides no escape from security-related responsibilities. You either accept the default security settings or get busy setting up the best conditional access settings that meet your unique requirements.

The reality is that default settings aren’t for everyone. High security can get in the way of productivity. It’s not so much a matter of compromise; rather, it’s getting excessively stringent access controls out of the way of productivity.

Let’s investigate what those settings are, and see how default settings should either be disabled or tweaked, because they aren’t for everyone.

The default settings in Azure AD

Azure AD security defaults come with the following security settings:

  • Multi-Factor authentication (mfa) for users in the administrator role and for end-users. Activation is required within 14 days of the first single sign in. Azure multi factor authentication can thwart over 99% of password hacking attempts.
  • Block Legacy authentication for Azure resources and cloud apps. This security feature restricts access from older systems that do not support up-to-date traditional methods of managing Exchange Online using Remote PowerShell. This feature blocks legacy authentication, which has been a hacker’s end run around MFA.
  • Immediate MFA protection for privileged accounts. Provides Azure AD functionality via through the Azure Resource Manager API (such as Azure Portal Access, etc.).

Microsoft Office 365 subscribers could experience difficulties with the new Azure AD security defaults. Outlook clients, for example, might expect automatic account transition for connection to Exchange Online.

The problem is that when a mailbox migrates, it takes its legacy authentication with it. Subsequent sign-ins fail. According to Microsoft, this problem “can be solved, by switching off Security Defaults during your migration.” If you have control over your Outlook clients, you can deploy your registry key explained in this Microsoft Support article.

Note: Before changing any security settings in an Office 365 account, read more on how to enable and disable defaults. Test any security setting changes before applying them to a core business system. When toggled on, the defaults will be enforced across the entire organization.

The Trouble with Azure Active Directory Defaults

Rather than going with a “one size fits all” approach for access management, IT admins can turn on conditional access. The organization will have varying degrees of standards for security and compliance. Simply focusing on who can access a network resource or application is not enough.

It is a balance of security and productivity. The first criterion is how a resource is accessed.

Azure AD Conditional Access addresses that requirement through configurations that allow accessed based on work group, their location, and how the application integrates with SaaS and Azure AD-connected apps.

Conditional access is similar to its default counterpart in that the security configurations are from the same array. With conditional access, however, you just turn off what you don’t need. Leave the default settings in place, and everyone, regardless of location, must jump through the extra hoop of multi-factor sign in.

With MFA disabled for workers on the site, for example, the user could remove the annoying extra sign-in step throughout the workday. The organization could also opt to integrate its on-premises active directory privileged identity roles with the Azure AD in the cloud—while assigning special group and individual access privileges.

Summary

Whether the user opts for basic Azure AD connect or Azure AD premium, Microsoft has taken a giant step in securing its vast community of cloud services. Azure’s security defaults make it easier to inject the best security settings into its Azure AD director and Office 365 services.

Those default settings aren’t best for everyone, but anyone who has disabled multi-factor authentication or legacy authentication is placing an open invitation to hackers, thieves, and malware.

Check out a recent white paper, “8 Truths and Tips: Avoiding Outages in Azure Active Directory and Hybrid AD.” Understanding the eight concepts discussed in this paper should help you better protect your environment and plan for the inevitable recovery event. 

Check out these relevant resources.

New Survey Finds...

Active Directory forest recovery not taken serious enough. See what else your peers had to say.