If you´re using Azure Active Directory (which of course is a pre-requisite to run Microsoft 365 at all), this blog post is for you! Here I´ll list my “Top 8” when it comes to security related issues you need to keep under close guard!

Azure AD administrators often overlook crucial steps when it comes to securing their AAD. Worst case scenario is of course that a Threat Actor establishes a foothold in your AAD and is allowed to gain access to sensitive data, or even encrypt data. This could lead to Global Administrator accounts being compromised, due to lack of MFA. The Azure AD Connect server could then be used to decrypt user passwords in order to further cement the foothold of the Threat Actor.

So, let´s get started on that “Top 8” shall we?

1. Boy, if I had a penny for every time a customer tenant has exceeded the recommended amount of Global Administrators in Azure AD, I´d be a “rich” man. Global Administrator permission should be tightly kept under close guard, and not be the “go to” permission for administrators. The permissions of Global Administrator are seldom needed, and in about 95% of cases you could make do with a more fine-grained Role Based Access Control. The administrative roles in Azure AD number a total of 71 different roles at the time of writing this post. More about these roles and their scope of use based on administrative tasks can be found here:

2. Not enforcing MFA on administrative users
Again, just as number 1, this is more common than uncommon in many tenants today. Each and every administrative account must have enforced MFA at all times.
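A check for the two issues above (how many Global Administrators a tenant has, and whether MFA is actually enforced on them), as an added example that is not from the original post, written against the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed; the limit of four Global Administrators and the permission scopes requested are my assumptions, not figures from the post.

```powershell
# Added example (not from the original post): audit Global Administrator count and
# admin MFA posture with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All","Policy.Read.All" | Out-Null

# Assumed threshold: Microsoft's own guidance is to keep fewer than five Global Administrators.
$MaxGlobalAdmins = 4
# Well-known role template id of the built-in Global Administrator role.
$GaTemplateId = "62e90394-69f5-4237-9190-012177145e10"

# Issue 1: count direct user members of the activated Global Administrator role.
# (Eligible PIM assignments and group-based assignments are not covered by this call.)
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GaTemplateId'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$gaUsers = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
Write-Host ("Global Administrators: {0} (assumed limit {1})" -f $gaUsers.Count, $MaxGlobalAdmins)
if ($gaUsers.Count -gt $MaxGlobalAdmins) {
    Write-Warning "Too many Global Administrators; move routine tasks to least-privileged built-in roles."
}

# Issue 2a: an admin with no MFA method registered cannot satisfy an MFA challenge at all.
$regDetails = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$adminsNoMfa = $regDetails | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }
foreach ($u in $adminsNoMfa) {
    Write-Warning ("Admin without any MFA method registered: {0}" -f $u.UserPrincipalName)
}

# Issue 2b: registration is not enforcement. Look for an enabled Conditional Access policy
# that targets the Global Administrator role (policies list role template ids) and requires MFA.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$adminMfaPolicies = @($policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeRoles -contains $GaTemplateId -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
})
if ($adminMfaPolicies.Count -eq 0) {
    Write-Warning "No enabled Conditional Access policy requires MFA for Global Administrators."
} else {
    $adminMfaPolicies | ForEach-Object {
        Write-Host ("MFA enforced for Global Administrators by policy: {0}" -f $_.DisplayName)
    }
}
```

Security defaults, when enabled, also require MFA for administrators, so a tenant with no matching Conditional Access policy is not necessarily unprotected; the Conditional Access check above is the one to rely on once security defaults are turned off.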