The following list contains recommended configurations when deploying O365:

Enable multi-factor authentication for administrator accounts: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a "Secure by default" model, but even this must be enabled by the customer. The new feature, called "Security Defaults," assists with enforcing administrators' usage of MFA. Note that Security Defaults is a tenant-wide switch and cannot be combined with Conditional Access policies; tenants that need per-user or per-app rules enforce MFA through Conditional Access instead. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

Assign Administrator roles using Role-based Access Control (RBAC): Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD's numerous other built-in administrator roles (for example Exchange Administrator or User Administrator) in place of Global Administrator limits the assignment of overly permissive privileges to legitimate administrators. Practicing the principle of "Least Privilege" can greatly reduce the impact if an administrator account is compromised. Always assign administrators only the minimum permissions they need to conduct their tasks.

Enable Unified Audit Log (UAL): O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services. An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run, and only events generated after it is enabled are retained, so it should be turned on before the first users are migrated. Enabling UAL gives administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

Enable multi-factor authentication for all users: Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

Disable legacy protocol authentication when appropriate: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and authenticated client submission over Simple Mail Transfer Protocol (SMTP AUTH). Legacy protocols are often used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method, which is exactly what password-spraying and credential-stuffing campaigns target. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization's attack surface.
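The first two recommendations above (MFA for administrators, and keeping the Global Administrator role small) are easiest to act on once you can see who holds the role and whether each holder has a second factor registered. The following Microsoft Graph PowerShell script is an added example and is not part of the original post. It assumes the Microsoft.Graph SDK is installed and that the signed-in account can read directory roles and users' authentication methods; treating only the password and email (SSPR) methods as "not MFA" is the script's own heuristic, not a Microsoft definition.

```powershell
# Added example (not from the original post): list Global Administrators and
# flag any without an MFA-capable authentication method registered, then show
# how many members every activated directory role has, as an RBAC review.
# Assumes Microsoft.Graph PowerShell SDK and sufficient read permissions.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'UserAuthenticationMethod.Read.All',
                        'User.Read.All'

# Heuristic (assumption): these two methods satisfy only a password prompt or
# self-service password reset; anything else counts as a usable second factor.
$nonMfaMethods = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)

# Directory roles exist as objects only once activated; Global Administrator
# always is, because the first account in the tenant holds it.
$roles  = Get-MgDirectoryRole -All
$gaRole = $roles | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    # Groups and service principals can also hold the role; only users have
    # authentication methods, so skip anything that is not a user object.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $methods    = Get-MgUserAuthenticationMethod -UserId $m.Id
    $mfaCapable = @($methods | Where-Object {
        $nonMfaMethods -notcontains $_.AdditionalProperties['@odata.type']
    })

    [pscustomobject]@{
        User          = $m.AdditionalProperties['userPrincipalName']
        MfaRegistered = ($mfaCapable.Count -gt 0)
        MfaMethods    = ($mfaCapable | ForEach-Object {
            $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        }) -join ','
    }
}

"Global Administrators without a registered second factor:"
$report | Where-Object { -not $_.MfaRegistered } | Format-Table -AutoSize

# RBAC review: a large Global Administrator count next to small scoped roles
# usually means people were given GA for convenience rather than need.
"Members per activated directory role:"
$roles | ForEach-Object {
    [pscustomobject]@{
        Role    = $_.DisplayName
        Members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All).Count
    }
} | Sort-Object Members -Descending | Format-Table -AutoSize
```

Registration is not the same as enforcement: a user with an Authenticator app registered is still only prompted when Security Defaults or a Conditional Access policy requires it, so this report tells you who is ready for enforcement, not who is currently protected.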
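For the Unified Audit Log recommendation, the check and the first useful query can both be done from Exchange Online PowerShell. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module and an account permitted to change audit configuration and run audit searches. The seven-day window and the choice of inbox-rule operations to hunt for are the example's own.

```powershell
# Added example (not from the original post): confirm Unified Audit Log
# ingestion is on, enable it if not, then search it for inbox rules that
# forward or delete mail, a common post-compromise action in O365 tenants.
# Assumes ExchangeOnlineManagement is installed and you are permitted to
# run Set-AdminAuditLogConfig and Search-UnifiedAuditLog.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Check whether events are being ingested into the Unified Audit Log.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Collection starts from now; there is no backfill of earlier activity,
    # and new events can take some time to become searchable.
    "Unified Audit Log ingestion was off and has been enabled."
}

# 2. Hunt for inbox rules created or changed in the last 7 days (window is an
#    assumption). These operations come from Outlook on the web and PowerShell;
#    Outlook desktop logs rule changes as 'UpdateInboxRules', which has a
#    different AuditData layout and is not parsed here.
$end   = Get-Date
$start = $end.AddDays(-7)
$hits  = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations 'New-InboxRule', 'Set-InboxRule' `
            -ResultSize 5000

$suspicious = foreach ($h in $hits) {
    # AuditData is a JSON string; Parameters is an array of {Name, Value}
    # for the cmdlet that was run on the user's behalf.
    $d = $h.AuditData | ConvertFrom-Json
    $p = @{}
    foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }

    $targets = @($p.ForwardTo, $p.ForwardAsAttachmentTo, $p.RedirectTo) |
               Where-Object { $_ }
    # Parameter values are strings, so 'False' would be truthy; compare explicitly.
    $deletes = ($p.DeleteMessage -eq 'True')

    if ($targets -or $deletes) {
        [pscustomobject]@{
            When      = $h.CreationDate
            User      = $h.UserIds
            Operation = $h.Operations
            RuleName  = $p.Name
            Forward   = ($targets -join ';')
            Deletes   = $deletes
            ClientIP  = $d.ClientIP
        }
    }
}

"Inbox rules that forward, redirect or delete mail (last 7 days):"
$suspicious | Sort-Object When | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 rows per call; for a busy tenant, page through results with the -SessionId and -SessionCommand ReturnLargeSet parameters rather than widening -ResultSize.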
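The legacy-protocol recommendation describes a three-part procedure: inventory who can still use POP3, IMAP or SMTP AUTH, turn the protocols off by default, and re-enable them only for the users with a business need. The script below carries that procedure through in Exchange Online PowerShell as an added example; it is not part of the original post. It assumes the ExchangeOnlineManagement module and an account allowed to change organization configuration; the allow-list addresses and the policy names are hypothetical. The Exchange authentication policy in step 4 is the Exchange-side counterpart of the Conditional Access approach the text mentions (a Conditional Access policy that blocks "Other clients", or Security Defaults, does the same at Azure AD).

```powershell
# Added example (not from the original post): inventory legacy-protocol
# exposure, disable POP3/IMAP/SMTP AUTH by default, and scope basic auth to
# an explicit allow-list. Assumes ExchangeOnlineManagement and org-config
# permissions. Allow-list addresses and policy names are illustrative.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Users with a documented need for a legacy IMAP client (hypothetical values).
$legacyUsers = @('scanner@example.com', 'legacy-app@example.com')

# 1. Inventory. SmtpClientAuthenticationDisabled on a mailbox is tri-state:
#    $null means "inherit the org setting", so read that setting first.
$orgSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

$exposed = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    $_.PopEnabled -or $_.ImapEnabled -or
    $_.SmtpClientAuthenticationDisabled -eq $false -or
    ($null -eq $_.SmtpClientAuthenticationDisabled -and -not $orgSmtpAuthDisabled)
} | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

$exposed | Export-Csv -NoTypeInformation -Path .\legacy-protocol-inventory.csv
"{0} mailboxes can still authenticate over a legacy protocol" -f @($exposed).Count

# 2. Tenant-level defaults: SMTP AUTH off for the whole org, and POP/IMAP off
#    in the mailbox plan so newly created mailboxes start closed.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 3. Per-mailbox: close the protocols on every exposed mailbox, then reopen
#    only IMAP for the allow-list.
foreach ($mbx in $exposed) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress.ToString() `
        -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
}
foreach ($u in $legacyUsers) {
    Set-CASMailbox -Identity $u -ImapEnabled $true
}

# 4. Authentication policies: a policy with no Allow* switches blocks basic
#    auth for every protocol; a second one permits basic auth for IMAP only.
#    The default applies to everyone not explicitly assigned another policy.
New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
New-AuthenticationPolicy -Name 'Allow IMAP Basic Auth' -AllowBasicAuthImap | Out-Null
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
foreach ($u in $legacyUsers) {
    Set-User -Identity $u -AuthenticationPolicy 'Allow IMAP Basic Auth'
}
```

Authentication policy changes can take up to 24 hours to apply to existing sessions; to force a user onto the new policy immediately, run Set-User -Identity the-user -STSRefreshTokensValidFrom (Get-Date). Step 3 leaves the allow-listed users reachable with a username and password, which is the residual exposure the text describes, so their accounts are the ones to watch closely in the Unified Audit Log. Microsoft has since begun disabling basic authentication for these protocols tenant-wide (starting in October 2022), but the inventory and the scoped allow-list remain the right way to handle any exception that is still in place.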