
Security Baseline for Azure Active Directory

Last updated on 5. December 2022

In the early days of M365 there was no problem with creating a tenant and leaving it at its defaults. But that was years ago. Today many attack paths exist to compromise a tenant and gain access to its data, and if you leave the defaults in place, a lot of those attack vectors remain open.

In this blog post I would like to show you my baseline for Azure AD configuration. It should and can be used in most scenarios. If it does not fit your or your customer's environment, try to understand the underlying need and check whether there is a way to secure it nevertheless with some workaround. I will configure some basic settings of the M365 tenant, but also Conditional Access and Azure AD Identity Protection. At the time of writing, you need Azure AD Premium Plan 1 for Conditional Access, but Azure AD Premium Plan 2 for Identity Protection and risk-based Conditional Access.

User settings

1. We will focus on the new Entra portal and make our first configurations.
– Navigate to https://entra.microsoft.com
– Open Users
– Open User settings
Navigate in Entra portal to User settings

2. Take a look at the settings on the right. We start with the settings that can be set right here and then use the hyperlinks to jump to the other configuration pages.
– Set App registrations to No. This one is crucial: many attacks rely on a user being shown an application consent prompt, and if the user is allowed to accept it, a malicious app ends up registered in the tenant.
– Make sure that LinkedIn account connections is set to No.
– The option Show keep user signed in depends on how your users work. If they work a lot in the browser with M365 apps, the option should be enabled; otherwise disable it!

Options for Azure AD user settings

[UPDATE 18.11.2022] The next setting has to be changed in the AAD portal (https://aad.portal.azure.com). Navigate to User settings and set Tenant creation to No.

Disable Tenant creation for User

Application settings

1. Click on Manage how end users launch and view their applications. We get redirected to Applications –> Enterprise applications –> User settings.

Navigate to enterprise applications user settings

2. I set the following settings on this page:
– Users can add gallery apps to My Apps is set to No, so that administrators have to add applications and users are not permitted to do so themselves.
– Users can request admin consent to apps they are unable to consent to is set to Yes, so that administrators can review the request and accept or deny it.
– Who can review admin consent requests is set to Global Administrators by default but should be extended to an Azure AD group of people who can decide whether the app should be allowed inside the M365 tenant.
– Selected users will receive email notifications for requests is set to Yes, so the selected users do not have to check the portal for new applications but get an email as soon as a new request is created.
– Selected users will receive request expiration reminders is also set to Yes. If the reviewers forget about an open request, they get a reminder.
– Users can only see Office 365 apps in the Office 365 portal is set to No. If you add your own applications like Salesforce, ServiceNow or some other app to Azure AD, users can then see them in the portal. Otherwise your users cannot see and access them through the My Apps site.

Settings for Enterprise applications

Guest settings

1. We jump back to the User settings where we started (see User settings) and click on Manage external collaboration settings. This hyperlink redirects us to External Identities –> External collaboration settings.

External collaboration settings in Entra portal

2. Please check the settings carefully so that they match your needs:
– Guest user access restrictions should be set to Guest users have limited access to properties and memberships of directory objects.
– Guest invite restrictions is set to Only users assigned to specific admin roles can invite guest users. Otherwise anyone in the organization would be able to invite guests, which can easily lead to chaos. If the organization can do without guests, select the most restrictive option.
– Enable guest self-service sign up via user flows is set to No. Otherwise apps can be enabled and used so that guests sign themselves up through a user flow.
– Allow external users to remove themselves from your organization is a relatively new setting for me. At the moment I don’t know where I can leave a tenant I was invited into. I leave this at Yes because this should have no security impact.
– Collaboration restrictions depends completely on your environment. If you only work with dedicated partners, set it to Allow invitations only to the specified domains. If your company works with a lot of partners, use Allow invitations to be sent to any domain.

Configuring external collaboration settings

Group settings

1. Now we focus on Group settings. To find these settings, navigate to Groups –> Group settings.

Navigate to Group settings in Azure AD

2. On this page we configure how users can interact with groups:
– Owners can manage group membership requests in the Access Panel is set to Yes. Owners of groups should be able to manage their groups.
– Restrict user ability to access groups features in the Access Panel is set to No.
– Users can create security groups in Azure portals, API or PowerShell is set to No. Otherwise users are able to create security groups themselves.
– Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No. Otherwise users are able to create Microsoft 365 groups themselves.

Group settings

Company branding

1. The next one is not obvious at first, but you will understand the need if you think about how a user can distinguish between an authentication prompt from your tenant without branding and a prompt from some malicious site. Malicious sites normally do not carry your branding, so users can clearly see whether they are on the correct site. Navigate to User experiences –> Company branding.

2. If your users speak only one language, you can stick with the default. Otherwise it is a good idea to use separate brandings in the respective languages. Edit the branding and upload the correct images for your company.

Company branding settings

Cross-tenant access settings

1. We will update some settings so that we can trust the MFA and device compliance claims coming from other Azure AD tenants. Navigate to External Identities –> Cross-tenant access settings.

Navigate to Cross-tenant access settings

2. From here we will update the default inbound access settings. Navigate to Default settings –> Inbound access settings –> Edit inbound defaults

Edit inbound default settings

Make sure that everything under B2B direct connect is blocked and check everything under Trust settings:

Trust settings from external tenants
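The user, guest, group and cross-tenant settings above are all exposed by Microsoft Graph, so they can be audited instead of only clicked through. The following script is an added example and not part of the original post: it checks constructed samples of the JSON that GET /policies/authorizationPolicy and GET /policies/crossTenantAccessPolicy/default return against this baseline (Microsoft 365 group creation lives in a separate group setting and is not covered here).

```python
import json

# Role template id behind "Guest users have the same access as members".
MEMBER_ROLE = "a0b1b346-4d3e-4e8b-98f8-753987be4970"

# Constructed sample of GET /policies/authorizationPolicy for a tenant left at
# its defaults (not captured from a real tenant).
AUTHZ_POLICY = json.loads("""{
  "allowInvitesFrom": "everyone",
  "guestUserRoleId": "10dae51f-8f59-4ba9-b7e0-d21f7f8a7ad0",
  "defaultUserRolePermissions": {"allowedToCreateApps": true,
    "allowedToCreateSecurityGroups": true, "allowedToCreateTenants": true}
}""")
# Constructed sample of GET /policies/crossTenantAccessPolicy/default.
CROSS_TENANT_DEFAULT = json.loads("""{
  "inboundTrust": {"isMfaAccepted": false, "isCompliantDeviceAccepted": false,
                   "isHybridAzureADJoinedDeviceAccepted": false},
  "b2bDirectConnectInbound": {"usersAndGroups": {"accessType": "allowed"}}
}""")

def audit_authorization_policy(policy):
    """Return findings for the user, guest and group settings of this baseline."""
    findings = []
    perms = policy.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps", True):       # App registrations = No
        findings.append("users can register applications")
    if perms.get("allowedToCreateTenants", True):    # Tenant creation = No
        findings.append("users can create tenants")
    if perms.get("allowedToCreateSecurityGroups", True):
        findings.append("users can create security groups")
    # Only admin roles (and Guest Inviters) may invite guests; "none" is stricter.
    if policy.get("allowInvitesFrom") not in ("none", "adminsAndGuestInviters"):
        findings.append("guest invites are not limited to admin roles")
    if policy.get("guestUserRoleId") == MEMBER_ROLE:
        findings.append("guests have the same access as members")
    return findings

def audit_cross_tenant_default(default):
    """Return findings for the inbound cross-tenant defaults."""
    findings = []
    trust = default.get("inboundTrust", {})
    for key in ("isMfaAccepted", "isCompliantDeviceAccepted", "isHybridAzureADJoinedDeviceAccepted"):
        if not trust.get(key, False):
            findings.append(f"inbound trust {key} is off")
    direct = default.get("b2bDirectConnectInbound", {}).get("usersAndGroups", {})
    if direct.get("accessType") != "blocked":
        findings.append("B2B direct connect inbound is not blocked")
    return findings
```

Feed the two functions the real objects returned by Graph (or by Get-MgPolicyAuthorizationPolicy and Get-MgPolicyCrossTenantAccessPolicyDefault) and an empty list means the section is at baseline.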

Conditional Access

1. To get into the menu for Conditional Access, navigate to Protect & secure –> Conditional Access

Navigate to Conditional Access

2. From there navigate to Named locations. Here it is a good idea to create a few lists: one with the trusted IP ranges of your environment and another with the countries your company is certainly not working from.

If GPS-based location in the authenticator app is enabled and used by everyone, you can configure the location to be determined by GPS; otherwise use the IPv4 address:

Create list with blocked countries

I will be accessing the M365 services only from Germany, so all other countries are selected:

All countries selected for Blocked Countries list

3. Now let's create some Conditional Access policies! Navigate to Policies –> New policy from template.

Navigate to New policy from template conditional access

From there create a new policy for Identities and create a Conditional Access policy for every template available. You can stick with the naming schema or choose your own. If you set this up for the first time, or just want to see what would happen if you implemented this in your production tenant, be sure to choose Report only.

If all policies are created, it should look like this:

Conditional Access policies

Check every policy you created and make changes where necessary. For example, I do not use Require multifactor authentication but rather the new option Require authentication strength with Passwordless MFA selected. Furthermore, I add my break glass account to every policy as an exclusion, so that this account is unaffected by these policies.

Changing Grant control

4. Now that we have the templates enabled, let's add one more policy to block access when the request comes from our Blocked Countries list. Click on New Policy and give it a name.
– Select All users and exclude your break glass account
– Select All cloud apps
– Under Conditions –> Locations, select your Blocked Countries list
– Select Block access under Grant

Configure Conditional Access Policy to block blocked countries
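The named location and the block policy from steps 2 and 4 can also be expressed in the JSON shape that Microsoft Graph expects for POST /identity/conditionalAccess/namedLocations and /identity/conditionalAccess/policies. The script below is an added example, not code from the original post; it builds both objects from a constructed subset of country codes and a placeholder break glass object id, and adds a small lint that lists every policy lacking the break glass exclusion described above.

```python
import json

BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"  # placeholder object id
# Constructed subset of ISO 3166-1 alpha-2 codes; a real run iterates all of them.
COUNTRY_CODES = ["DE", "FR", "US", "RU", "CN", "BR"]

def build_blocked_countries_location(codes, allowed=("DE",), use_gps=False):
    """countryNamedLocation that lists every country not in `allowed`."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Blocked Countries",
        "countriesAndRegions": sorted(c for c in codes if c not in allowed),
        "includeUnknownCountriesAndRegions": False,
        # GPS lookup only makes sense once Authenticator location is rolled out to everyone.
        "countryLookupMethod": "authenticatorAppGps" if use_gps else "clientIpAddress",
    }

def build_block_policy(location_id, break_glass_id, report_only=True):
    """All users (minus break glass), all cloud apps, blocked location -> block."""
    return {
        "displayName": "Block access from blocked countries",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [break_glass_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policies_missing_break_glass(policies, break_glass_id):
    """Display names of policies that could lock out the break glass account."""
    return [p["displayName"] for p in policies
            if break_glass_id not in p["conditions"]["users"].get("excludeUsers", [])]

if __name__ == "__main__":
    location = build_blocked_countries_location(COUNTRY_CODES)
    block = build_block_policy("<named-location-id>", BREAK_GLASS_ID)
    # Constructed example of a template policy where the exclusion was forgotten.
    mfa = {"displayName": "Require MFA for admins",
           "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}}
    print(json.dumps(location, indent=2))
    print(json.dumps(block, indent=2))
    print("Missing break glass exclusion:",
          policies_missing_break_glass([block, mfa], BREAK_GLASS_ID))
```

Run the lint over the list returned by GET /identity/conditionalAccess/policies before switching any policy from report-only to enabled.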

Password reset

1. To get into the menu for Password reset, navigate to Protect & secure –> Password reset

Navigate to Password reset

2. Activate this for all your users:

Activate Self service password reset for all users

3. Navigate to Authentication methods and configure the settings as needed. In my example I activated every method and require at least 2 of them for a reset:

Configuring authentication methods

Done!

If you miss anything here, please let me know in the comments. I would be grateful if you shared this article, if you found it interesting.

Published in AAD, M365, Security
