Azure Active Directory (AAD)

The Identity stupid!

James Carville’s campaign strategy for Bill Clinton’s ’92 campaign was “The economy, stupid!” These 3 words left no doubt to what was important, what to focus on, and the fact that getting the Economy right would make everything else possible.  Today, as we look at changes to the corporate IT network and infrastructure we should adopt a similar slogan:

The Identity, stupid!

Identity is a core enabler of modern solutions be they Collaboration, Security, from IaaS to PaaS.  Companies in the past could rely on physical controls to secure information, but today Cloud and the interconnectedness of businesses has destroyed those controls. So where does this leave us in a world where we don’t control where information is accessed from, by what devices, or where the information is stored? We are left with one truth, unique to everyone and applicable to devices and data: Identity.

The funny think is, we’ve known identity has been important for a long time. If you ever took a class on journalism the first thing they taught was the mantra “Who, What, When, Where, Why.” When you log into your computer today the first thing it asks you is: Who are you? When you go to buy a car, boat, or house you have to tell them is who you are.  You even have to tell the barista at Starbucks who you are!

Identity is important, so protect it!

Identity is the control mechanism today for enabling technology, if you secure the identity you’ve gone a long way to securing your systems and your data.  Here are some methods to improve your organization’s identity strength without hampering their ability to do work.

Update your password policy

Recently even NIST updated their password policy (Section 5.1.1.2) to reduce the artificial complexity rules, changes passwords only when suspected of compromise, and perform checks against ‘dirty words’ and previously compromised passwords. At Microsoft the use of ‘Seattle’, and ‘Seahawks’ are rumored to be banned (I wouldn’t know because I don’t live in Seattle and I’m not a Seahawks fan).

Beyond these recommendations think Passphrase not Password.  The longer the password the more difficult it is to guess so brute force and dictionary attacks are less likely to be successful.

All of these policies are easy to implement, prohibited words/phrases, detection of compromised passwords, and password length controls, and even self service password resets are built into Azure Active Directory.  Azure Active Directory can become the central hub for password management with the ability to synchronization changes to your on-premise systems.

Enable MFA

I wrote about this in another post, but seriously if you have any admin accounts that don’t have MFA enabled stop reading this and go GO TURN IT ON NOW!

MFA is one of the simplest solutions to interrupt account compromises, and it has become more common for users because it is used in Banking Apps, Commercial Email, and even Facebook recommends your account be protected with MFA.  At Microsoft we see a decrease in account compromises by over 99%.  Clearly, this is the first step in enhancing the security of your identities.  This is already included in O365 E3 or Azure Premium licenses and enabling it is just a few checkboxes, so there really is NO EXCUSE!

Use data

Monitoring accounts is critical, but there is a lot of information about what is happening in the world, like Dark Web sale of Credentials, that may not show up in your organization’s monitoring of accounts. However, a service like Azure Active Directory which is used by millions of user accounts daily gets lots of insight not only about your accounts but from all accounts, so when an attack is detected everywhere everyone can benefit from awareness and steps taken to block this type of attack.

Use AI and ML

Along with information about what is happening globally around authentications, it is also important to understand what is ‘normal’ and what is ‘abnormal’ for your users.  If users sign in Monday-Friday between 9am and 5pm for 15 years then your identity system should recognize that a sign in on Saturday at 2:30am is abnormal.  In this scenario the system may require extra identity validation (MFA), block the login attempt, or alert your other security monitoring tools and personnel.  This capability is part of the Azure Active Directory Conditional Access which natively learns user behavior patters and can dynamically adapt the authentication experience based on user behavior patterns.

Change Written Policy to Automated Action

If you want to protect identities, really if you want to protect anything these days, then you need to take written policies and automate them in your identity system.  A written policy like “If a password is compromised require a user to change it” requires a user to be notified and then for them to take action.  Instead, your Identity tools should be able to detect the credential compromise and require a password reset (with MFA validation) on the next login attempt.  In Azure Active Directory this can be done with Identity Protection policies, so if a user’s authentication event appears risky then flag the account for a password reset.

Loose the Password

I mention this one last because a Zero Password World isn’t quite there for everyone, but we are close.  With Windows Hello and the Microsoft Azure Authenticator app we are moving closer and closer.  Personally I don’t have a password for any of my Microsoft consumer accounts (Hotmail, OneDrive, etc.) and I very seldom use a password when accessing my Microsoft corporate resources.  Actually, one the rare occasion I am prompted for a password I usually have to perform a Self Service Password reset, because I honestly don’t remember it.

Azure Active Directory has added this ability, but it is currently in Preview (maybe even Private Preview) so customers have to opt it to enabling the capability, but this is coming and I predict by the end of 2019 this capability will be readily and easily available to customers.

The Identity, Stupid!

It is time for us to focus on what is most important to the success of modern IT, both for usability and security, and it is all about Who!  Like the 90’s campaign use this motto/mantra/whatever you want to call it to help you focus on The Identity, Stupid!  If you get Identity right you can make everything else happen.

Advertisements

Azure AD MFA managed by User Account Administrator Role

Many organizations want to delegate enabling and disabling MFA for a user to their helpdesk, but the only RBAC role that allows MFA management is the Global Administrator and no one wants to grant helpdesk technicians Global Admin access to their tenant.  However, there is a way around this RBAC limitation if your organization has Azure AD Premium.

General Concept

At a high level enabling and disabling MFA will be managed by adding and removing users from a security group.  The security group will be included in a Conditional Access policy which defines the MFA requirements.

Setup

Requirements

  1. Admin with Conditional Access administrator role
  2. Helpdesk user(s) with User Administrator role assigned

Setup

Have a Helpdesk user create a security group in Azure Active Directory and assign the users your organization wants to require MFA when accessing applications.  Make sure to include a descriptive name like MFA Required Users.

NewGroup.png

Next, have the Conditional Access Admin create a new Conditional Access rule with Assignments target set to the group created by the Helpdesk user.

CATargetGroup.png

Next, select the Cloud apps you want to require MFA before allowing access, or select All Cloud Apps.

SelectCloudApps.png

Next, choose the option to Grant Access and check Require multi-factor authentication.

GrantMFAAccess.png

Finally, Enable the policy and choose Create.

CreatePolicy.png

Operations

Now, when the Helpdesk (someone with User Administrator Role) needs to enable or disable MFA for a user all they need to do is add (Enable MFA) or remove (Disable MFA) the user from your MFA Security Group.

O365 MFA vs Azure AD MFA

As a Technical Solutions Professional at Microsoft who covers Identity and Security I get a lot of questions about Office 365 MFA vs. Azure Active Directory MFA around the differences, benefits, and what I suggest.  Customers always assume because I concentrate on the EMS stack Microsoft offers (Intune, Azure AD, Azure Information Protection) I recommend Azure AD MFA over Office 365 MFA, but the reality is when customers really compare the experiences they will almost always go with Azure AD MFA.

Before we talk about Office 365 vs Azure AD MFA let me make this position perfectly clear.

Use MFA! If you are not using, or haven’t implemented, MFA stop reading and GO TURN IT ON especially for your Administrator accounts.

Why?  We, Microsoft, find that by enabling MFA on your accounts the your organization will reduce account compromise by OVER 99%!

Office 365 MFA

Office 365 E3, and up, subscriptions entitle an organization to enable Multi Factor Authentication for their users who will be accessing O365 resources (SharePoint, OneDrive, Office Pro Plus, etc.).  When a user is entitled and enabled to use MFA they have three (3) options:

  1. Azure Authenticator App
  2. Text Message
  3. Phone Call + PIN

To enable Office 365 MFA you must turn the feature on for each user individually (user-by-user), and once MFA is required for the user, it is always required for the user.  Therefore, when a user is authenticating to O365 resources from their work computer or home computer using Office or browser, they will be prompted for MFA verification.

Azure AD MFA

Azure AD MFA is available for organizations that purchase Azure AD Premium P1, or P2, licenses for their users and this Multi Factor Authentication solution can be use with Office 365, Azure, On-Premise applications, third party applications (SaaS), and custom built Line of Business applications.  Like the O365 MFA offering Azure AD MFA provides three (3) ‘native’ options:

  1. Azure Authenticator App
  2. Text Message
  3. Phone Call + PIN

Azure AD also offers customers the ability to use 3rd party MFA providers including the following:

  1. RSA
  2. DUO
  3. Trusona
  4. (More to come)

This additional integration with 3rd party MFA providers means that any existing investment in MFA can continue to be leveraged and we can provide MFA support even in locations where mobile or office phone access is limited or prohibited.

The way an organization applies MFA with Azure AD is also different than Office 365.  When applying MFA with Azure AD an organization does so by creating Conditional Access (CA) rules.  CA rules for MFA can be very simple:

All Users + All App + MFA = Grant Access

Basically this is what the Office 365 MFA solution provides, but limited to O365 apps that is.  However, CA can do much better, it can actually allow you to address questions and policies intelligently:

  • Why prompt for MFA when a user is connecting from a corporate network and is using a corporate device?
  • Why prompt for MFA when a user is connecting to their time card the same way you would if they were connecting to the corporate account line of business application?
  • Why MFA everyone all the time, can we target specific users when they are accessing accessing sensitive information?

Using CA to drive MFA also allows your organization to integrate MFA easily with Windows Always-On VPN solutions.  Now not only do you protect a user when their app connects to a service, but you protect your corporate network when an endpoint device connects and its all managed with the same CA, MFA, and identities.

What drive Azure AD MFA over Office 365 MFA

I find most organizations choose Azure AD MFA over Office 365 MFA for one of these two reasons:

  1. They already invested in an MFA solution, maybe RSA, so the users know it, IT trusts it, and they can continue to use it.
  2. They don’t have to use an All-Or-Nothing approach, they can apply a Who-What-When-Where approach to their MFA policy and only require MFA when necessary.

To me, the greatest benefit of Azure AD MFA is the ability to target MFA scenarios.  I’ve seen many customers push MFA for everyone all the time, and within a short period of time they turn it off because “there was too much prompting”