Azure Security Hardening

    In recent months, COVID-19 has accelerated trends in business and technology that were already in motion. The great shift of employees to work-from-home has hastened the shift to SaaS. Microsoft 365, Power BI, Dynamics, and Azure are some of the most popular clouds for businesses. Azure provides the underlying platform to this software. But for the majority of businesses, properly hardening Azure does not happen. Organizations can take a few steps to implement security hardening that will greatly reduce risk. The following Azure configurations to prevent attacks and monitor for attacks.

    • Harden Azure Active Directory
    • Conditional Access Rules
    • Security Center
    • Azure Sentinel
    • Preview Configurations

    Harden Azure Active Directory

    Azure Active Directory provides the Identity Provider for all Microsoft Services. It uses much of the same concepts as Active Directory servers. There are many functions available in Azure Active Directory and as a result many relevant security configurations. Administrators can configure the following settings within Azure Active Directory to harden authorization and authentication.

    Disable App Registrations

    Location: Azure AD > User Settings > Users can register applications

    This disables users from registering Azure AD applications. Only administrators should perform this action.

    Change from Yes (default) to No.

    Restrict Access to Azure Portal

    Location: Azure AD > User Settings > Restrict access to Azure AD administration portal

    This is another important setting, which limits access to the Azure AD admin portal to administrators. This prevents users from viewing sensitive details about your organization and aligns with the principal of least privileged access.

    Change from No (default) to Yes

    Restrict LinkedIn Accounts

    Location: Azure AD > User Settings > LinkedIn Account Connections

    Thihs setting allows linking Azure AD accounts to LinkedIn. This is rarely needed in most organizations, and poses a data loss risk.

    Change from Yes (default) to No.

    Guest User Access

    Location: Azure AD > User Settings > Manage external collaboration settings> Guest user access

    This setting limits the permissions that a Guest account has within Azure AD. The recommendation is to limit their access to only view their own objects. This prevents reconnaissance activity.

    Change to Guest user is access is restricted.

    Guest Invite Settings

    Location: Azure AD > User Settings > Manage external collaboration settings> Guest invite settings

    These settings control who can invite Guests into Azure AD. Disabling Guests from inviting other Guests should be a priority. But preferrably only Admins or users delegate the role can send invitations. This helps prevent the creation of back door accounts into your tenant.

    Change Members can invite from Yes (default) to No.

    Chane Guests can invite from Yes (default) to No.

    Restrict Invitations

    Location: Azure AD > User Settings > Manage external collaboration settings> Collaboration restrictions

    This setting restricts who can be invited into your Azure AD as a Guest. Only specific domain names are specified that members can invite.

    Change to Allow invitations only to the specified domains.

    Conditional Access Rules

    Conditional Access Rules are used to enforce Multi-Factor Authentication and granular authorization rules. Different components of the user’s session, such as location, device posture, and group membership are used to apply restrictions. Conditional Access Rules do require that users are licensed with an Azure AD Premium P1 license.

    Use the following Conditional Access Rules to lock down access. Navigate to Azure AD > Security > Conditional Access

    MFA for All

    Enable MFA for all users. This is an effective policy to prevent account take over for most users.

    • Users and Groups: All Users
    • Cloud Apps: All cloud apps
    • Conditions: Client Apps – Browser, Mobile Apps and Desktop Clients.
    • Access Controls: Grant Access – Require multi-factor authentication.

    Block Legacy Authentication

    Prevent users from using vulnerable protocols to authenticate.

    • Users and Groups: All Users
    • Cloud Apps: All cloud apps
    • Conditions: Client Apps – Other
    • Access Controls: Block Access

    Block by Location

    Use this policy to block logins from countries that your users never travel to. If the organization only has users in a certain region, it’s pretty safe to block most other countries.

    • Users and Groups: All Users
    • Cloud Apps: All cloud apps
    • Conditions: Locations – Blocked Countries list, Client Apps – Browser, Mobile Apps and Desktop Clients.
    • Access Controls: Block Access

    If you want more detail on this control, see my detailed article on implementing it.

    Enforce MFA for Admins

    Ensure all users with an Admin role must use multi-factor authentication.

    • Users and Groups: Specific Groups – Select all Admin Groups
    • Cloud Apps: All cloud apps
    • Conditions: Any device, Any location, All Client Apps – Browser, Mobile Apps and Desktop Clients.
    • Access Controls: Grant Access – Require multi-factor authentication.

    Security Center

    Security Center contains configuration vulnerability reporting and threat detection alerts. It’s a good idea to enable the Standard Tier and disable the unused components unless you have a 3rd party Cloud Security Posture Management (CSPM) service in use.

    Auto Provision Monitoring Agents

    Location: Security Center > Pricing & Setting > Data Collection

    This setting will cause the Microsoft Monitoring Agent to be installed automatically on all virtual machines in your environment. The event data will be pushed to a Log Analytics Workspace. This is a really simple way to centralize event collection for security purposes.

    Change the Auto provisioning from Off (default) to On. Use workspace created for Security Center.

    Enable Email Alerts

    Location: Security Center > Pricing & Setting > Email Notifications

    Security Center allows you to enable Email Notifications of configuration vulnerabilities. If you have thousands of deployed assets, this may not be a good solution for Posture Management, but for small Azure environments, this is a good way to stay on top of vulnerabilities. Use this to configure alerts about configuration vulnerabilities. An alternative is to configure a Logic App to push alerts into an Incident Management system.

    Enable Automation Integration

    Location: Security Center > Pricing & Setting > Workflow automation

    Add workflow automations to integrate alerts with other incident management tools. You can configure Logic Apps to push alerts to email or more complex workflows like Service Now or PagerDuty.

    Azure Sentinel

    Azure Sentinel provides a native Cloud Detection and Response function for Microsoft 365 and Azure customers. Sentinel will correlate and match events against out of the box or custom events. This provides a way to detect malicious activity in Office, SharePoint, Teams, and Azure services. Enable the following Data Sources to collect standard events.

    • Azure Active Directory
    • Azure Active Directory Identity Protection
    • Azure Activity
    • Azure Information Protection (Preview)
    • Azure Security Center
    • Azure Web Application Firewall (WAF)
    • DNS (Preview)
    • Microsoft Cloud App Security
    • Office 365
    • Office 365 Advanced Threat Protection (Preview)
    • Security Events
    • Windows Firewall

    Azure Sentinel has much more configurations that can be applied that are beyond the scope of this article, so I would recommend doing more research and testing with Sentinel.

    Preview Configurations

    The following are not currently in General Availability but can be accessed via the Preview Portal.

    Enable Continue Access Evaluation

    Location: Azure AD > Security > Continuous access evaluation

    Change from Disable Preview (default) to Enable preview


    This article provides a good overview of configurations that most administrators can apply to Microsoft 365 and Azure to reduce information security risk and further tighten security controls. We expect that attacks against these platforms will only continue to rise in the coming months, so these steps are important for your security program.

    Recent Articles

    Security Trends – Q2 2024

    Small businesses are under increasing cyberattack threat. The global cost of cybercrime is predicted to skyrocket, reaching a staggering $23.84 trillion by...

    Basic Microsoft 365 Security Improvements

    Overview Securing Microsoft 365 tenants involves implementing various measures to protect data, prevent unauthorized access, and mitigate potential...

    Cyber Security Trends for 2024

    Summary The state of cybersecurity in 2024 reflects a dynamic and complex landscape shaped by technological advancements,...

    Content Filtering with Microsoft Defender for Endpoint

    Why is Content Filtering Important? Web content filtering is a critical element of a comprehensive information security strategy.

    Migrating to Azure AD Authentication Methods

    Azure AD Authentication Changes On September 30th, 2024, the legacy multifactor authentication and...

    Related Stories

    0 0 vote
    Article Rating
    Notify of
    Inline Feedbacks
    View all comments

    Stay on op - Ge the daily news in your inbox

    Would love your thoughts, please comment.x