Identity & Access Management (Entra ID)
Microsoft Entra ID is a cloud-based identity and access management service for applications like Office365 and Azure.
Entra ID Security Defaults
Security defaults are a group of settings that help protect your organization from emerging threats and cyberattacks like brute force attacks, password spraying, phishing, etc.
Security defaults include the following requirements:
- Register a multi-factor authentication method (all users).
- Log in using multi-factor authentication to access the Azure portal, Microsoft Entra admin center, Azure PowerShell, and Azure Command-Line Interface (all users and administrators).
- Block legacy authentication protocols.
NOTE! Security defaults are free, while Conditional Access requires Entra ID Premium licensing (P1 or P2). Conditional Access policies are fully customizable; security defaults are not. A tenant uses one or the other: security defaults must be turned off before Conditional Access policies can be enforced.
Conditional Access Policies
Conditional Access policies can block unauthorized access to sensitive data, considerably improving your security posture.
Administrators can control who has access to applications and resources based on certain conditions/criteria: user identity, device, location, and more.
For instance, let’s say you oversee identity and access management at a company that has 70 employees in the following departments:
- Research & Development (some employees are allowed to work remotely)
- Sales (part of the team is based in the US)
- Finance & Accounting
Also, the organization outsources the following services: Marketing, IT and Cloud consulting.
Employees should only have access to services and files relevant to their work (the principle of least privilege) while each department should be able to operate remotely.
This is how organizations usually operate today. Employees work remotely, sometimes across different continents, in different roles and with different levels of access rights and privileges.
If an administrator signs in from overseas, the authentication process must be stricter than it would be from the office.
To give employees flexibility while addressing the diverse security requirements, a Conditional Access strategy is paramount. With it you can apply security measures to specific roles, locations, and applications for a robust and adaptable security posture.
Users, Target Resources & Conditions
The Users
Configure who is affected by the policy. You can include/exclude a group of users (e.g. Marketing department members), specific roles, and more.
Target Resources
User actions – Administrators can define policies based on a user action, for instance when the user registers security information (MFA, password, etc.) or joins a new device to the tenant.
Cloud applications – Administrators can assign security controls to specific applications.
Authentication context – Administrators can configure authentication contexts which will be used to further secure data and actions in applications.
Conditions
Sign-in risk: This security feature enables administrators to control user access based on the likelihood of a fraudulent sign-in attempt.
User risk: For tenants with Entra ID Protection, administrators can apply controls to users whose accounts have been flagged as risky because of suspicious activity.
Location: You can approve or deny sign-ins based on the geographic location of the user.
Device platforms: Approve or deny access based on the operating system of the device used for login.
Client apps: You can approve/deny an authentication request based on the client application used for sign-in. Legacy authentication protocols do not support MFA, which exposes users to identity fraud, brute-force attacks, etc.
Device filters: Approve or deny access based on the user’s device.
Conditional Access: Benefits
You can use Conditional Access controls to improve security and achieve compliance goals.
Location-based access: You can create trusted and untrusted zones and apply access conditions to them. For example, you can require multi-factor authentication for users signing in from home but skip the rule for users who sign in from the headquarters.
Blocking unauthorized access: Allow access only to passwordless authentication methods to minimize the risk of compromised user accounts.
Identity and application granularity: You can create application/entity-specific policies to allow access in case of an emergency, under specific conditions.
Session controls: You may consider creating reauthentication policies for different roles within the organization. For instance, non-privileged users may be required to reauthenticate more often.
Compliance-based access: Allow/block access based on device compliance. This way you ensure that user devices meet minimum configuration requirements. For example, if a device used for authentication is marked as compliant in Entra ID, your controls can be less restrictive.
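The policy building blocks described above (users, target resources, conditions, grant controls) and the location-based MFA scenario from the benefits list, as an added example that is not from the original article: two Conditional Access policies created with Microsoft Graph PowerShell. The module, the permission scopes, and the named-location and break-glass account IDs are assumptions; the IDs are placeholders to replace with values from your own tenant.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and the signed-in account is granted the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# A tenant uses either security defaults or Conditional Access, so check first.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security defaults are enabled; turn them off before enforcing Conditional Access policies."
}

$hqLocationId = "<named-location-id-for-headquarters>"   # placeholder: trusted office IP range
$breakGlassId = "<break-glass-account-object-id>"         # placeholder: emergency-access account

# Policy 1: require MFA for everyone signing in from anywhere except headquarters.
$mfaOutsideHq = @{
    displayName = "Require MFA outside headquarters"
    # Report-only mode records what the policy would have done in the sign-in logs
    # without enforcing it; switch state to "enabled" once the results look right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)   # never lock out the emergency-access account
        }
        applications = @{ includeApplications = @("All") }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($hqLocationId)
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaOutsideHq

# Policy 2: block legacy authentication clients, which cannot satisfy an MFA requirement.
$blockLegacy = @{
    displayName = "Block legacy authentication"
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # legacy protocol clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Review the report-only results in the Entra ID sign-in logs before changing either policy's state to enabled.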
Final Thoughts
With proper Entra ID security controls, emerging cyberattacks can be prevented. On the other hand, Entra ID misconfigurations can affect your whole environment, so make sure to plan carefully and partner with the right team for professional implementation.