The Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD) presentation from last week’s Black Hat conference by Sean Metcalf , CTO of Trimarc ,and Mark Morowczynski, principal program manager, Microsoft, got me thinking about Office 365 settings that admins should review. One setting that Office 365 administrators should evaluate is Privileged Identity Management (PIM).
The idea behind PIM is that rights for administrative roles should be enabled only when you need them. If you are the first person in your organization to sign up for Azure accounts, you will be given the roles of security administrator and privileged role administrator. Any other user/administrator in the organization should have admin rights only when they need them.
To be able to use PIM, you need to have a license for Azure Active Directory (AD) Premium P2, Enterprise Mobility + Security (EMS) E5 or Microsoft 365 M5. For Azure AD, you only need to license the feature you want per person. For Office, however, licenses are generally needed for all users. To use PIM, you can purchase Azure P2 licenses for administrators or users who have PIM roles, but have P1 or basic Azure AD licenses for all other users.
A P2 license is required for:
- Administrators with Azure AD roles managed using PIM
- Administrators with Azure resource roles managed using PIM
- Administrators assigned to the privileged role administrator
- Users assigned as eligible to Azure AD roles managed using PIM
- Users able to approve/reject requests in PIM
- Users assigned to an Azure resource role with just-in-time or direct (time-based) assignments
- Users assigned to an access review
- Users who perform access reviews.
To get started, go to the Azure portal and search for privilege identity management. Open the link offered. Before setting it up, the system will verify that you have two-factor authentication (2FA) enabled. You’ll then need to consent to the service to set it up.
Once it’s activated, you can review the roles and permissions. PIM might be difficult to administer at a small firm. If it has only one administrator and that person is a global admin, you can’t easily limit rights. However, in larger firms you can easily narrow the scope of administrator rights and their activities.
Launch the Azure PIM module and review the Azure AD roles by clicking on the overview tab, and then on admin view to discover the privileged roles used in the organization. You’ll want to reduce the number of users in your organization who have permanent privileged role assignments. Reducing these role assignments will minimize your vulnerability to security breaches.
You’ll also want to review the default activations rules for each role. I would recommend enabling notifications being sent when admin roles are enabled as well as making multi-factor authentication (MFA) mandatory.
When PIM is enabled, you must elevate eligible users to the privileges granted by the role. The elevation process may also include obtaining approval, performing MFA, or providing a reason why they are activating.
Office 365 administrative roles to watch
Microsoft recommends that the following administrative roles are available, limited and used and activated only when needed.
- Global administrator has access to all administrative features in Azure AD.
- Security administrator has all the read-only permissions of the security reader role, plus the ability to manage configuration for security-related services.
- User administrator can create and manage all aspects of users and groups.
- Exchange administrator has global permissions within Microsoft Exchange Online.
- SharePoint service administrator has global permissions within Microsoft SharePoint Online.
- Intune service administrator has global permissions within Microsoft Intune Online.
- Security reader has global read-only access, including all information in Azure AD, Identity Protection and PIM
- Service administrator can open support requests with Microsoft for Azure and Office 365 services.
- Billing administrator makes purchases, manages subscriptions, manages support tickets and monitors service health.
- Skype for business administrator has global permissions within Microsoft Skype for Business.
All these admin roles should be active and assigned to the admin user only when they need it. Enabling PIM will go a long way to keeping you safe and secure in the cloud.
Other security takeaways
Of course, PIM isn’t the only setting or security consideration Office 365 admins need to be aware of. At the end of their presentation, Metcalf and Morowczynski recommended the following steps to be taken:
- Require MFA for all cloud admin accounts.
- Configure Privileged Identity Management for all cloud admin accounts
- Enable Password Hash Sync (Azure AD Connect).
- Ensure all apps use Modern Authentication (Microsoft Azure Active Directory Authentication Library–ADAL) to connect to Office 365 services.
- Enable user and admin activity logging in Office 365 (UnifiedAuditLogIngestionEnabled).
- Enable mailbox activity auditing on all Office 365 mailboxes.
- Conditional Access: Make sure you Block Legacy Authentication.
- Integrate Azure AD Logs with your SIEM or use Azure Log Analytics or Azure Sentinel.
- Deploy Azure AD Banned Password for your on-premise AD.
- Enable Azure AD Connect Health for Active Directory Federation Services (ADFS)and ADFS Smart Lockout.
- Ensure all users are registered for MFA.
- Enable Self-Service Password Reset (SSPR).
- Enable MFA for all users via Conditional Access or Risk Based settings.
- Disable Legacy Authentication entirely via Conditional Access.
- Use FIDO (Fast ID Online) for admin accounts,
- Follow admin account best practices for cloud admins.
- Audit consented permissions for apps and user access to apps.
- Review app permissions
- Monitor app registrations.
- Review the recommendations in Microsoft Secure Score and implement as many as possible.
Don’t forget to sign up for the IDG Tech Talk YouTube channel where you can see more videos of my Windows security tips. I’ll be at The Experts Conference in Charleston South Carolina August 27 and 28 talking about Office 365 and the Windows update crisis. Hope to see you there!
Copyright © 2019 IDG Communications, Inc.