Securing Office 365 identity with Azure Active Directory
Every day, enterprise staff receive phishing emails impersonating Microsoft. This recent proliferation of social engineering and human hacking has seen a drastic increase in emails targeting users' Office 365 identities and credentials.
However, when IT pros speak about end-user device security, we often only think about anti-malware software or WAN edge firewalls. But if the bad guys behind these emails obtain users' Office 365 identities and credentials, not even the most impenetrable anti-malware software or firewalls can stop them playing havoc with your core business data.
So while there is no silver bullet solution to this security challenge (I have personally received four phishing emails this month), I thought I'd share five steps I'm taking with my customers to dramatically improve their security posture.
#1 Implementing Multi-Factor Authentication (MFA)
Today, there are many nefarious methods of acquiring credentials, ranging from phishing to keyloggers and database breaches. However, implementing Multi-Factor Authentication (MFA) puts the brakes on all of that.
The challenge with MFA in the past was that it introduced issues for users and was painful for system administrators to manage. It seemed strong and frequently updated passwords were just as effective for most applications and had none of the drawbacks of MFA. But with the proliferation of phishing and other social engineering based attacks, this is no longer the case.
Although there are a number of MFA solutions available, Microsoft's Azure Active Directory is a surprisingly seamless solution for Office 365. Each user has a range of options that can be configured to act as the second form of authentication. These include:
- Entering a code received via automated phone call to a fixed or mobile phone
- Entering a code received via text message
- Entering a code extracted from a mobile app
- Pressing approve on a mobile app
Some of these options, such as receiving an automated call on a fixed phone, seem a little unnecessary. However, you have options! IT pros can also enable or disable each option at their discretion, leaving users to choose from what remains, meaning you can easily customise it to your needs.
#2 Authenticator applications are a user's best friend
Authenticator applications are an easy way to simplify MFA for staff. The app I'm encouraging my staff and customers to adopt is the Microsoft Authenticator app. With the app installed, any time I log in to an Office 365 service on a new device or where MFA is required, I receive a notification on my phone. I can simply tap on "approve" (as in the screenshot below) and the whole thing is over before it started.
Even when your phone has no signal, you're provided an option to use a different authentication method. The easiest is to type in a 6-digit code (which cycles every 30 seconds) and you're good to go.
#3 Designing user friendly Multi-Factor Authentication
As mentioned earlier, today's threats arise when the bad guys gain access to your data from an unknown device. That being the case, we can reasonably relax security on known devices or known networks. There are two key features that will ensure your MFA solution is user friendly while having little impact on your organisation's security posture.
Note that in the screenshot below there is a checkbox for Don't ask again for 60 days.
This allows you to disable MFA for a period of time on a device that you trust. Note that you are still required to enter a password if you did not tick the checkbox.
Administrators can also use the admin portal to enforce MFA to join devices to Azure Active Directory, then disable the requirement for MFA on those devices moving forward.
The second feature is also configured in the admin portal and allows you to whitelist IP addresses or whole subnets from the requirement for MFA. At Fastrack we use this feature to disable MFA in all Australian offices, as well as our customers' and partners' offices.
By this point, if you work at Fastrack, you may need to click a few buttons on your phone to gain access to business-critical data, but really only if you're using the internet at McDonald's to log into your mate's laptop to download files stored on OneDrive. Of course, if you happen to be an evil internet cowboy (or bot), you're going to have a pretty tough time gaining access and will likely move on to someone else.
#4 Deploying Azure Active Directory Identity Protection
If multi-factor authentication is the deadbolt on the front door, then Azure Active Directory Identity Protection is the security camera system. This little-known gem uses advanced machine learning capabilities to detect irregular sign-on behaviour and take action to either decline access or force MFA.
Azure Active Directory Identity Protection's (AADIP) portal highlights users at risk, either because their account hasn't been appropriately configured with MFA or has a weak password. But where it hits its stride is in the way it detects unusual account behaviour. AADIP will alert you if there is a large number of logins, logins from strange IPs, or logins from remote geographic locations, in a short period of time.
#5 Regularly review the AADIP portal
Regularly reviewing the information in the portal will help you find vulnerable or compromised accounts and take action. However, while this is good for finding weaknesses before they are exploited, by the time the portal reports the compromised account it may already be too late.
For this reason, you can also apply policies that take action if a certain risk level is reached. These actions include blocking access, forcing MFA or forcing a reset of the user’s password. (That last one may be redundant if the password has been compromised.)
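As an added illustration (not Microsoft's algorithm and not code from this post), the following Python models the layered decisions described in #3 and #5: a remembered device or a whitelisted subnet skips MFA, while a burst of sign-ins or a country change within a short window is treated as risk and answered with forced MFA or a block. The subnets, users, devices and sign-in events are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for the portal settings the post describes.
TRUSTED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24"),   # "office" ranges
                   ipaddress.ip_network("198.51.100.0/25")]
REMEMBERED_DEVICES = {"alice": {"alice-laptop"}}  # "Don't ask again" was ticked here
WINDOW = timedelta(minutes=10)   # "short period of time" used for the risk signals
MAX_LOGINS_IN_WINDOW = 5         # more than this in WINDOW counts as a sign-in burst


def is_trusted_ip(ip):
    """True when the source address sits inside a whitelisted subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SUBNETS)


def risk_level(user, event, history):
    """Toy version of AADIP-style signals: burst of logins, or country change."""
    recent = [e for e in history[user] if event["ts"] - e["ts"] <= WINDOW]
    if len(recent) + 1 > MAX_LOGINS_IN_WINDOW:
        return "high"
    if any(e["country"] != event["country"] for e in recent):
        return "medium"
    return "low"


def decide(event, history):
    """Risk policy first (block / force MFA), then the trusted-device and trusted-IP relaxations."""
    user = event["user"]
    level = risk_level(user, event, history)
    history[user].append(event)
    if level == "high":
        return "block"
    if level == "medium":
        return "mfa"
    if event["device"] in REMEMBERED_DEVICES.get(user, set()) or is_trusted_ip(event["ip"]):
        return "password_only"
    return "mfa"


def evaluate_all(events):
    """Replay a list of sign-in events in order and return (user, decision) per event."""
    history = defaultdict(list)
    return [(e["user"], decide(e, history)) for e in events]


T0 = datetime(2018, 3, 1, 9, 0)
SAMPLE_SIGNINS = [  # constructed sign-in log
    {"user": "alice", "ip": "203.0.113.10", "device": "alice-laptop", "country": "AU", "ts": T0},
    {"user": "alice", "ip": "192.0.2.77", "device": "cafe-laptop", "country": "AU", "ts": T0 + timedelta(hours=1)},
    {"user": "bob", "ip": "198.51.100.5", "device": "bob-desktop", "country": "AU", "ts": T0},
    {"user": "bob", "ip": "192.0.2.9", "device": "unknown", "country": "RU", "ts": T0 + timedelta(minutes=3)},
] + [{"user": "carol", "ip": "192.0.2.%d" % i, "device": "unknown", "country": "AU",
      "ts": T0 + timedelta(seconds=30 * i)} for i in range(6)]
```

Running `evaluate_all(SAMPLE_SIGNINS)` shows alice and bob passing on password alone from their office or remembered device, bob being pushed to MFA after the country change, and carol's sixth sign-in in three minutes being blocked.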
In the end, there is no one solution to ensure the security of your data. The best approach is to layer on security in a manner that is as unobtrusive as possible. Keep in mind that if you make it too hard to get in, people will put their data someplace else, and you'll be dealing with 1000 personal Dropbox accounts before you know it.
So figure out the risks that you're trying to mitigate and then get out of your users' way.