Microsoft recently announced some Azure Active Directory improvements, including conditional access policy management enhancements and synchronization service additions.
In addition, Microsoft offered a general overview of security best practices for organizations using Active Directory on-premises identity and access management solution, as well as its cloud-based cousin, the Azure Active Directory service. A five-point best-practices plan was suggested by Joy Chik, corporate vice president for Microsoft Identity.
Active Directory Best Practices
Microsoft wants organizations to move toward a so-called “zero trust” treatment for network traffic with Active Directory. The team is also advocating non-password approaches to verifying user identities, such as using “Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.”
Microsoft also advocates using multifactor authentication, a secondary means of verifying identity security besides a password. Last week, Microsoft explained that it will use public phone numbers as part of this authentication scheme, starting on Feb. 1, likely due to the widespread work-from-home phenomenon.
Included in Microsoft’s best-practices advice were cautions about how applications are set up to work with the Azure AD service. In particular, Microsoft’s advice didn’t seem enthusiastic about using Active Directory Federation Services (ADFS), a Windows Server role, which is used for identity federation, including with “legacy” or older applications. Microsoft is instead recommending that organizations use its Azure AD Application Proxy service, which has support for those older apps.
Here’s how Microsoft described that point:
If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.
That last sentence seems to be reference to the Solorigate attack methods, which apparently used apps with too many permissions and ADFS to gain access to cloud-based e-mail services in a purported espionage action, as described by the U.S. Cybersecurity and Infrastructure Security Agency.
In January, Microsoft announced that it had integrated ADFS detections via a new sensor in its Microsoft Defender for Identity service, which is used for post-breach security analyses. This new sensor provides “visibility into advanced persistent threats.” It also detects ADFS server compromises “through techniques such as remote code execution or attempts to install malicious services.” Microsoft Defender for Identity is an extra cost that requires E5-type plan licensing.
Azure AD Connect Improvements
Microsoft on Friday announced some improvements to its Azure AD Connect solution, which is a tool that organizations can use to connect with the Azure AD service.
Azure AD Connect can use two synchronization services, namely “Azure AD Connect sync which lives on-premises, and Azure AD Connect cloud sync which is powered by the cloud,” Microsoft explained. Azure AD Connect Sync is Microsoft’s so-called “classic” solution for organizations that use a mixture of on-premises and cloud-based authentications. Azure AD Connect Cloud Sync, in contrast, is deemed to be “the future of our hybrid identity sync capabilities,” Microsoft indicated.
Despite that characterization, Microsoft appears to be continuing to support both sync options. It also indicated that it’s possible to beneficially use Azure AD Connect Cloud Sync alongside Azure AD Connect Sync, per a Microsoft document description.
On Friday, Microsoft announced that the Azure AD Connect Cloud Sync service (formerly known as “Azure AD Connect Cloud Provisioning”) had reached the “general availability” commercial-release stage. It has a few improvements, too, such as the ability to “sync large directories with up to 150,000 directory objects per configuration and large groups with up to 50,000 members.” Microsoft removed a requirement to have domain admin credentials to run it. It also added troubleshooting tools and service “health” monitoring capabilities.
In addition, Microsoft announced that Azure AD Connect Sync version 2 improvements are now available at the preview stage. The preview permits organizations to “sync groups of up to 250,000 members,” which also brings performance improvements.
In response to questions, a Microsoft spokesperson indicated at the end of its announcement that Microsoft is working on delivering “functional parity with AAD Connect” for the two sync services. Other items on its roadmap include adding a password write-back capability, plus pass-through authentication support for “multidisconnected forests.”
Conditional Access Policy Sorting
It’s now easier for IT pros to find and sort Azure AD Conditional Access policies based on improvements that are rolling out “in the next few weeks,” Microsoft announced this week.
Microsoft added a search bar to that end in its Azure Portal. In addition, Azure AD Conditional Access policies now can be sorted by “policy name, state, creation date and modified date.” There’s also a “filter” function that lets users “filter the policy lists by state, creation time and modified time.”
A count of the Conditional Access policies that were created now gets shown in the portal, too.
Frontline Worker Support
Last month, Microsoft described Azure AD capabilities for so-called “frontline workers” that had reached general availability commercial-release status. The definition of frontline workers seems to have shifted to include anyone whose job requires public contact.
A new My Staff portal was released for mobile devices that makes it easier for management in organizations to reset passwords, without having to go through the IT department. The My Staff portal also lets workers “register their team members’ phone numbers for SMS sign-in,” instead of requiring a user name and password for authentication. It’s possible to use Azure AD Conditional Access service for these devices as an added precaution. Microsoft also added a “shared device sign out” capability to ease matters in organizations when their devices are shared by employees across work shifts.
Reference: https://redmondmag.com/articles/2021/02/02/azure-ad-best-practices.aspx
