This is the second article in the Zero Trust Security in Microsoft 365 series. Here you will gain an understanding of the strategies to deploy Zero Trust Identity Security.
Managing identity will always be at the forefront of this security model. Environments with sound identity policies are better placed to withstand attempts to steal or misuse account credentials. The Zero Trust principles of verifying explicitly, granting least privilege to accounts, and assuming breach are applied to every type of access request, whether it originates from a user account, an application, a device, or a service.
Several environments still rely on on-premises solutions to decide whether an access request is approved or rejected. You should consider moving the policy decision point to Azure AD so that you can enforce the Zero Trust principles of explicit verification, controlled privileged access, and assumed breach. In practice this means placing Azure AD in the path of every access request.
To achieve this, use the Azure AD Connect tool to synchronize on-premises users to Azure AD. The tool can filter users, so you can also exclude objects that should not be synchronized to the cloud.
Choosing the right authentication methods is a vital step. Microsoft provides you with the following methods:
The graph shows the factors that influence this decision. For more information, refer to the linked article.
All applications must authenticate via Azure AD. Single Sign-On (SSO) must be used so that users can sign in to all applications seamlessly. Applications that use the OAuth 2.0 and SAML frameworks can authenticate to Azure AD with SSO. Azure AD Application Proxy must be used to bring form-based and Kerberos applications under Azure AD. You can also migrate existing identity management solutions to Azure using the Microsoft tools mentioned here.
Beyond passwords, Azure AD Multifactor Authentication adds another layer of protection. You can require users to authenticate by SMS, phone call, or the authenticator app, or even go passwordless. The available methods are displayed here, with the level of safety of each.
Passwordless authentication is by far the safest. Azure AD MFA is deployed by creating Conditional Access (CA) policies; when a policy's conditions are met, users are required to authenticate with MFA. A CA policy can use several criteria, such as group membership, location, IP address, device type, and the application being accessed.
Legacy authentication protocols like POP3, IMAP4, EAS, Outlook Anywhere, EWA, and others pose a security risk, so they must be disabled in your tenant. Again, a CA policy can achieve this.
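The two policies described in the preceding paragraphs, as an added example that is not part of the original article: the bodies below follow the shape of the Microsoft Graph conditionalAccessPolicy resource (the identity/conditionalAccess/policies endpoint), and the impact check runs a draft legacy-authentication block over sign-in log records so you can see which accounts would break before moving the policy from report-only to enforced. The sign-in records, user ids and tenant name are constructed, and the mapping from the sign-in log's clientAppUsed values to CA clientAppTypes is an assumption made for this example.

```python
"""Conditional Access (CA) policy bodies in the shape accepted by the
Microsoft Graph identity/conditionalAccess/policies endpoint, plus an
impact check that runs a draft policy over sign-in log records before it
is switched from report-only to enforced."""
import json
from collections import defaultdict

# How the `clientAppUsed` field of an Azure AD sign-in log record maps to the
# CA `clientAppTypes` condition values. The mapping is an assumption made for
# this example; check it against the sign-in log export of your own tenant.
CLIENT_APP_TYPE = {
    "Browser": "browser",
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Exchange ActiveSync": "exchangeActiveSync",
    # Everything below is legacy authentication and lands in "other".
    "IMAP4": "other",
    "POP3": "other",
    "Authenticated SMTP": "other",
    "Exchange Web Services": "other",
    "MAPI Over HTTP": "other",
    "Outlook Anywhere (RPC over HTTP)": "other",
    "Other clients": "other",
}


def _state(report_only):
    # Start every new policy in report-only mode and read the impact first.
    return "enabledForReportingButNotEnforced" if report_only else "enabled"


def block_legacy_auth_policy(break_glass_ids, report_only=True):
    """CA policy that blocks Exchange ActiveSync and all other legacy clients
    for every user except the emergency-access (break-glass) accounts."""
    return {
        "displayName": "Block legacy authentication",
        "state": _state(report_only),
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_policy(break_glass_ids, report_only=True):
    """CA policy that requires MFA for every modern-auth sign-in to any app."""
    return {
        "displayName": "Require MFA for all users",
        "state": _state(report_only),
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def legacy_auth_impact(signins, policy):
    """Return {userPrincipalName: [clientAppUsed, ...]} for the successful
    sign-ins that `policy` would have blocked. Failed sign-ins are skipped:
    they are not workloads that enforcement would break."""
    targeted = set(policy["conditions"]["clientAppTypes"])
    excluded = set(policy["conditions"]["users"]["excludeUsers"])
    hits = defaultdict(set)
    for rec in signins:
        if rec["status"]["errorCode"] != 0 or rec["userId"] in excluded:
            continue
        if CLIENT_APP_TYPE.get(rec["clientAppUsed"]) in targeted:
            hits[rec["userPrincipalName"]].add(rec["clientAppUsed"])
    return {upn: sorted(apps) for upn, apps in sorted(hits.items())}


# Constructed sign-in log records (the fields mirror the Graph signIn resource;
# the users, ids and tenant name are made up for this example).
SAMPLE_SIGNINS = [
    {"userId": "u1", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userId": "u2", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userId": "u2", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "POP3", "status": {"errorCode": 50126}},  # failed sign-in
    {"userId": "u3", "userPrincipalName": "svc-scanner@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userId": "u4", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userId": "bg1", "userPrincipalName": "breakglass@contoso.example",
     "clientAppUsed": "Other clients", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    policy = block_legacy_auth_policy(break_glass_ids=["bg1"])
    print(json.dumps(policy, indent=2))
    for upn, apps in legacy_auth_impact(SAMPLE_SIGNINS, policy).items():
        print(f"would be blocked: {upn} via {', '.join(apps)}")
```

The service account that still relays mail over authenticated SMTP is the kind of finding this check exists for: it shows up in the impact list, gets migrated or exempted deliberately, and only then does the policy state change to enabled.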
As seen in the previous section, CA policies play a crucial role in deploying the Zero Trust Identity Security model. You can control access to resources based on several criteria.
Apart from enabling MFA using CA policies, you can also block sign-ins from risky users.
Several environments use on-premises AD to manage user devices. If you wish to move to cloud-based device access policies, then you must enable Azure AD Hybrid Join. In this setup, devices can join on-premises AD and be registered in Azure AD. Such devices can use SSO to access both cloud and on-premises resources.
Mobile devices must be managed so that only valid devices are allowed to access your organization’s resources. This is where Intune comes in handy. Microsoft Endpoint Manager (EMS) must be used on mobiles, laptops, and tablets. It provides an inventory of the devices and their current status, and you can check the status of an individual device under ‘All Devices’.
You can configure compliance policies via this portal. Microsoft provides a few baseline policies, which can be customized further.
Admin roles in the cloud, like Global Admin, Security Admin, Exchange Admin, and others, are all high-privilege roles, so it is important to control how they are used. One of the tenets of the Zero Trust Security model is to provide just-in-time access to such admin roles. Azure AD PIM is the tool that helps you achieve this goal.
Following are the key points in Azure AD PIM:
This feature requires Azure AD Premium P2 or EMS E5 licenses.
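To make the just-in-time point concrete, here is an added example (not from the original article or from Microsoft) that audits active directory-role assignments for standing privileged access, which is exactly what PIM eligibility replaces. The records are constructed and shaped like the Graph roleManagement/directory/roleAssignmentScheduleInstances resource with roleDefinition expanded; the set of privileged roles is the one the article names, and the emergency-account exclusion is an assumption made here.

```python
"""Audit of active directory-role assignments for standing (permanent)
privileged access, the thing Azure AD PIM exists to replace with
just-in-time eligibility. Runs over constructed data shaped like the Graph
roleManagement/directory/roleAssignmentScheduleInstances resource with
roleDefinition expanded; adapt the field access to your own export."""
from collections import Counter

# Roles the article names as high privilege. Extend to taste.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Security Administrator",
    "Exchange Administrator",
}


def classify(instance):
    """Bucket one active assignment instance.
    'Activated' comes from a PIM activation of an eligible role (JIT);
    'Assigned' with an end date is time-bound; without one it is permanent."""
    if instance["assignmentType"] == "Activated":
        return "jit"
    return "time-bound" if instance.get("endDateTime") else "permanent"


def find_standing_privileged_access(instances, emergency_account_ids=()):
    """Return the permanent active assignments to privileged roles that are
    not emergency-access accounts; each is a candidate for conversion to an
    eligible assignment in PIM."""
    findings = []
    for inst in instances:
        role = inst["roleDefinition"]["displayName"]
        if role not in PRIVILEGED_ROLES:
            continue
        if inst["principalId"] in emergency_account_ids:
            continue
        if classify(inst) == "permanent":
            findings.append({"principal": inst["principal"], "role": role,
                             "recommendation": "convert to eligible"})
    return sorted(findings, key=lambda f: (f["role"], f["principal"]))


def summarize(instances):
    """Count active assignments per (role, kind) so the permanent share of
    each privileged role can be tracked over time."""
    return Counter((inst["roleDefinition"]["displayName"], classify(inst))
                   for inst in instances)


# Constructed records; principals, ids and the tenant name are made up.
SAMPLE_INSTANCES = [
    {"principalId": "p-1", "principal": "admin1@contoso.example",
     "roleDefinition": {"displayName": "Global Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "p-bg", "principal": "breakglass@contoso.example",
     "roleDefinition": {"displayName": "Global Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},  # emergency account
    {"principalId": "p-2", "principal": "admin2@contoso.example",
     "roleDefinition": {"displayName": "Security Administrator"},
     "assignmentType": "Activated", "endDateTime": "2024-05-01T16:00:00Z"},
    {"principalId": "p-3", "principal": "admin3@contoso.example",
     "roleDefinition": {"displayName": "Exchange Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "p-4", "principal": "admin4@contoso.example",
     "roleDefinition": {"displayName": "Global Administrator"},
     "assignmentType": "Assigned", "endDateTime": "2024-06-30T00:00:00Z"},
    {"principalId": "p-5", "principal": "helpdesk@contoso.example",
     "roleDefinition": {"displayName": "Helpdesk Administrator"},
     "assignmentType": "Assigned", "endDateTime": None},
]

if __name__ == "__main__":
    for finding in find_standing_privileged_access(SAMPLE_INSTANCES, {"p-bg"}):
        print(f"{finding['principal']} holds {finding['role']} permanently: "
              f"{finding['recommendation']}")
    for (role, kind), count in sorted(summarize(SAMPLE_INSTANCES).items()):
        print(f"{role}: {count} {kind}")
```

The emergency-access accounts are excluded on purpose: they are the one place where a permanent Global Administrator assignment is accepted, and they should be few, monitored, and excluded from the CA policies that could lock them out.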
Deploying passwordless authentication is a vital step in the journey towards safeguarding your users from attacks. Passwordless authentication methods:
Windows Hello for Business – This is best suited for users with dedicated Windows machines. Here a biometric or a PIN is tied to the machine. Biometric sign-ins include facial and fingerprint recognition. More details are available here.
Microsoft Authenticator App – This app uses the user’s iOS or Android phone for passwordless authentication. It sends a notification to the phone while the user signs in on any platform or browser, and the user approves it with a biometric method or a PIN.
FIDO2 security keys – Fast Identity Online (FIDO) is termed by Microsoft an unphishable way of authenticating. Users sign in with a physical key over USB or Bluetooth. Users need to register and then select FIDO2 Security Key as the method of authentication. This method can be used on Azure AD joined or Hybrid Azure AD joined Windows machines.
The Azure AD portal has the Identity Protection page, where you get a bird’s-eye view of several security aspects of your tenant. This page shows risky users, risky sign-ins, high- and medium-risk users, and unprotected risky sign-ins. These reports help you extract a list of users who are at risk, after which you can take actions like:
The main principles of Identity Protection are:
You can apply classification labels to files automatically by integrating MCAS with AIP. With MCAS you can view all files in one location, investigate events according to classification level, and create policies to manage files. You can perform this integration from the MCAS portal under Settings.
You can label files automatically, control how files are shared, and also apply labels directly to files using policies in MCAS.
Access to SharePoint Online and Exchange Online from unmanaged devices must be blocked. The setting to block access from unmanaged devices is found in the SharePoint admin center.
You can also ‘allow limited web-only access’ for such unmanaged devices. At the same time, you must also block access from devices not using modern authentication; this setting is found on the same page. Access to Outlook on the web from unmanaged devices can be blocked using CA policies.
Under Session, you must select ‘Use app enforced restrictions’. This makes Azure AD pass device information to SharePoint Online and Exchange Online, which lets them block access from unmanaged devices.
Microsoft Defender ATP checks the health of Windows devices and reports any anomalies or signs of compromise. It covers discovery and remediation of risks, AIR, and a secure score for devices. It provides centralized configuration and can be integrated with other solutions like MCAS, Azure Sentinel, Intune, Microsoft Defender for Identity, and Office 365. Refer to the linked documentation for more information.
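The three settings above work together, so as an added example (not from the original article or from Microsoft) here is the CA policy body that carries the ‘Use app enforced restrictions’ session control for the Office 365 app group, together with a small model of the outcome that the SharePoint admin-center settings produce for each combination of device state and client. The model is an approximation written for this example, not SharePoint Online's own logic, and the device records are constructed.

```python
"""Session-control CA policy that hands device state to SharePoint Online and
Exchange Online, plus a small model of the access outcome the combination of
that policy and the SharePoint admin-center settings produces."""


def app_enforced_restrictions_policy(report_only=True):
    """CA policy targeting the Office 365 app group with the
    'Use app enforced restrictions' session control enabled. On its own the
    policy grants or blocks nothing; the block-or-limit decision is made by
    SharePoint Online and Exchange Online from the device state it passes."""
    return {
        "displayName": "Use app enforced restrictions for Office 365",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}},
    }


def expected_access(device, client_kind, unmanaged_setting):
    """Model of the decision described in the article (an approximation made
    for this example, not SharePoint's code).
    device: {"isCompliant": bool, "isHybridJoined": bool}
    client_kind: "browser", "richClient" (desktop/mobile app) or "legacy"
    unmanaged_setting: "block" or "limited" (allow limited, web-only access)"""
    if client_kind == "legacy":
        return "blocked"          # 'block access from devices not using modern authentication'
    managed = device.get("isCompliant", False) or device.get("isHybridJoined", False)
    if managed:
        return "full"
    if client_kind == "browser" and unmanaged_setting == "limited":
        return "limited web-only"  # browser viewing only, as the setting name says
    return "blocked"              # unmanaged rich clients get nothing


# Constructed device states; a managed device is one that is Intune-compliant
# or Hybrid Azure AD joined.
SAMPLE_DEVICES = {
    "intune-compliant-laptop": {"isCompliant": True, "isHybridJoined": False},
    "hybrid-joined-desktop": {"isCompliant": False, "isHybridJoined": True},
    "personal-phone": {"isCompliant": False, "isHybridJoined": False},
}


def access_matrix(unmanaged_setting):
    """Outcome for every sample device and client kind under one setting."""
    return {(name, client): expected_access(dev, client, unmanaged_setting)
            for name, dev in SAMPLE_DEVICES.items()
            for client in ("browser", "richClient", "legacy")}


if __name__ == "__main__":
    for setting in ("block", "limited"):
        print(f"unmanaged devices setting = {setting}")
        for (name, client), outcome in sorted(access_matrix(setting).items()):
            print(f"  {name:24} {client:10} -> {outcome}")
```

Note that the policy body has no grantControls at all: a session control is the only thing it carries, which is why forgetting to create it leaves the SharePoint setting unable to tell a managed device from an unmanaged one.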
Zero Trust Identity Security is an amalgamation of all the security features already in use in the identity area. With this security model, however, Microsoft has defined all the components that together raise the overall identity security of the environment. The ‘Zero Trust’ approach is to verify everything and trust nothing, and you can take advantage of it by deploying Zero Trust in the identity sphere of your infrastructure. Next week we shall see how Zero Trust Endpoint Security can be deployed in your environment.