Secure your AzureAD Identity infrastructure

In the Global Azure I had the oportunity to talk about how to secure our Azure AD. Now Microsoft has published a new link about how to protect our AzureAD: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity

So now, we have official documentation to support my recommendations 🙂

The mystery of non-access to DevOps

This history began with a new dev project, we needed to be included in a DevOps Project inside the customer organization.

We were first invited to the Teams group to collaborate, upload the documentation and so on, so our users were first created in the AAD of the customer, till here, no problem.

But then, the customer created the DevOps project, and he invited us to collaborate in the project, we received the mail, but when we tried to access, we were receiving the following error message:

We were pretty sure, that we had access to the project, we were checking with the customer the access, and we were having access, we waited some time to replicate the permissions change, but nothing, so where was the problem?

The error page shows that we do not have access, so after digging a while with the problem, I realized that when I tried to navigate to the organization URL, in Edge was showing the error message that could lead us to something:

So, the problem is that guests are not allowed to access to the organization (TF909091), so how we can solve that problem?

Pretty simple, we need to ask the customer, to go to the organization settings and modify the security policies:

Also, to check if in the policies of the project, the check was allowed:

After doing that, we were able to access to the DevOps project, and start working

Problem and mystery solved!

Duplicated users in AzureAD

Sometimes it happens, users syncronized from OnPrem to AzureAD, are not being soft matched, and it’s necessary to do a hard match, in this post I will explain the basic steps to do it:

  1. Disable the sync for that particular object, my recommendation would be to create a OU in your AD which is not being selected to be synchronized
  2. Execute a Sync Delta in your ADConnect Start-ADSyncSyncCycle -PolicyType Delta
  3. Check that the bogus user has been deleted, and delete it from Recycle bin withRemove-MsolUser -UserPrincipalName <user> -RemoveFromRecycleBin
  4. Find the users ObjectIDldifde -d "CN=username,CN=Users,DC=domain,DC=local" -f C:\user.txt
  5. Find objectGUID:: in c:\user.txt
  6. If you don’t like the previous step, you can search for the sourceanchor in the metaverse of AADConnect,
  7. Update AzureID, setting the object ID to sync with toSet-MsolUser -UserPrincipalName <upn> -ImmutableId <objectGUID>
  8. Now, sync withStart-ADSyncSyncCycle -PolicyType Initial

With this, what we are doing id a hard match for the user, once is done, you’re ready to go

Does my organization need Azure AD Conditional Access?

Consider how the authentication process has traditionally worked: Organizations require users to supply a user ID and password. Then, the user can go on to access all the data, applications and other resources they’ve been granted permissions for. But what about if an attacker has stolen a user’s credentials? How can we reduce these risks? It is where Conditional access takes place 🙂

But the question is, do I really need it? It depends your case or scenario 😛 but let’s dig in depending in what you’re using:

  • Security Defaults: To help organizations establish a basic level of security, Microsoft makes security defaults available to everyone at no extra cost. This feature automatically enforces the following policies:
  1. All Users must register for AzureAD MFA
    1. Users must complete MFA challenge when they authenticate using a new device or application
    2. Administrators must complete an MFA step every time they sign in. This policy applies to nine key Azure AD roles, including Global Administrator, SharePoint Administrator, Exchange Administrator, Conditional Access Administrator and Security Administrator.
    3. Any user trying to access the Azure portal, Azure PowerShell or the Azure CLI must complete additional authentication
    4. All authentication requests made using older protocols are blocked
  • Azure AD COnditional Access: But as you can imagine, in some organizations these security defaults are not enough, they want to have more fine-grained controls, so to do this we need Conditional Access, which allows us to:
  • create a policy to require administrators — but not regular business users — to complete an MFA step
    • Use the user location and the type of protocol being used to restrict the access
    • Deny all requests that comes from a particular country, and require MFA for the rest
    • As you can see, you can create multiple policies that work together to put guardrails in place exactly where you need them

Azure AD Conditional Access is an extremely valuable tool for helping you implement a Zero Trust model, protecting the three cores of the strategy:

  • Least privilege — Helps to grant the right access at the right time to only those who need it by enabling trusted locations and IP ranges, implement stronger controls for privileged users, and control access to sensitive applications and content.
  • Verify explicitly — Continually verify identities as users move around the network by requiring MFA when users appear on new devices and from new locations.
  • Assume breach — Weak passwords, password spraying and phishing all but guarantee malicious actors are inside your network. It allows to block legacy authentication and putting stronger access controls in front of your most valuable resources.

As you can see, Azure AD Conditional Access is a powerful tool for strengthening security and ensuring regulatory compliance

Take care!

Authentication methods in AzureAD: Security Questions

Security questions

I’ve been searching some information about Security Questions in AzureAD, and one of the fisrt conclusiones that I came, is that Security Questions are only available for users that use, SSPR.

Taking this into considerations, you have to be aware of the following, when using security questions:

  • Azure stores security questions privately and in a security-enhanced manner on a user object in the directory. Only users can answer the questions and only during registration. An administrator can’t read or change a user’s questions or answers.
  • Azure provides 35 predefined questions, all translated and localized based on the browser locale.
  • You can customize the questions by using the administrative interface; however, Azure displays them in the language entered. The maximum length is 200 characters.

Authentication methods in AzureAD

Have you been struggling in how and what to configure in AzureAD in order to set your authentication methods? With the following table, you will be able to see th different authentication methods that we have available, and which services can use them.

Authentication methodServices
PasswordAzure AD MFA and SSPR
Security questionsSSPR
Email addressSSPR
Microsoft Authenticator appAzure AD MFA and SSPR
OATH hardware tokenAzure AD MFA and SSPR
Text messageAzure AD MFA and SSPR
Voice callAzure AD MFA and SSPR
App passwordsAzure AD MFA in certain cases

Using the forceDelete option in AzureAD

This is something that I have discovered while reading documentation, to it could be useful to help to reset a tenant and recover an initial situation:

You can ForceDelete a domain name in the Azure AD Admin Center or using Microsoft Graph API. These options use an asynchronous operation and update all references from the custom domain name like “user@contoso.com” to the initial default domain name such as “user@contoso.onmicrosoft.com.”

To call ForceDelete in the Azure portal, you must ensure that there are fewer than 1000 references to the domain name, and any references where Exchange is the provisioning service must be updated or removed in the Exchange Admin Center. This includes Exchange Mail-Enabled Security Groups and distributed lists. Also, the ForceDelete operation won’t succeed if either of the following is true:

  • You purchased a domain via Microsoft 365 domain subscription services
  • You are a partner administering on behalf of another customer organization

The following actions are performed as part of the ForceDelete operation:

  • Renames the UPN, EmailAddress, and ProxyAddress of users with references to the custom domain name to the initial default domain name.
  • Renames the EmailAddress of groups with references to the custom domain name to the initial default domain name.
  • Renames the identifierUris of applications with references to the custom domain name to the initial default domain name.

An error is returned when:

  • The number of objects to be renamed is greater than 1000
  • One of the applications to be renamed is a multi-tenant app

What is really PIM?

Currently in all project were I’m involved I’m trying to used Best Practices of Security, including the use of PIM.  Privileged Identity Management it is a service that is available in Azure AD and is part of Azure AD Plan 2, it is used for all admin related tasks, where no employee has standing access within the company, reducing the surface of an attack.

PIM makes it possible to give a user the privilege to elevate his or her access rights for a preset amount of time to a higher role such as User Administrator or SharePoint Administrator.

PIM gives access to huge quantity of roles in Office 365 and Azure resources where the user is by default a reader and can elevate it to be an owner of a resource (group) for a specific amount of time (which is great!)

Enabling a PIM role is done by going to the Azure Portal and select the role you want to elevate. You need to do this for every role separately.

For example, imagine that you have members that need to elevate their account daily to be a SharePoint and User administrator, so they need to do this daily. After enabling they need to sign out and sign in again to make sure the roles are activated.

No more to give the role to a user and forget which role we give to them…

 

Discover who invited guest users with Log Analytics

Reading my posts, you will probably know that I am a bit fan of Log Analytics, so in this post we are trying to examine the AzureAD logs in order to discover who invited a specific a guest account, because sometimes can be quite a challenging question to find this information…

So first of all, we need to forward the audit logs from AAD to workspace in Log Analytics, once we have done this, we can execute the following query:

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'

InviteExternalUsers

As you can see in the image, this query shows some basic information about the users, but if you want to find all accepted invitations, you can execute the following…

AuditLogs 
| where OperationName == 'Invite external user' and Result == 'success'
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
   	AuditLogs
	| where OperationName in('Redeem external user invite')
	| parse kind=regex TargetResources[0].displayName with * "InvitationId: " InvitationId:string ","
)
on $left.InvitationId == $right.InvitationId

Once we have done that, we can include this information in our Governance Plan or even to create some Log Analytics alerts in order to be sure that everything is doing under our umbrella os security