Securing Your Identities with Azure AD


Microsoft Azure Active Directory Deployment Guide for Retail Industry Customers

Abstract
As a follow-on to configuring identities at scale and enabling productivity, this guide helps you enable a holistic security posture for information and kiosk workers.

Intended Audience
Identity Architects, Deployment Advisors, and System Integrators

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Azure Active Directory Deployment Guide Page ii

Microsoft Corporation

Table of Contents
Overview ... 4
Key Concepts ... 5
Build Your Identity Organization Teams ... 7
Prerequisites ... 8
Security Deployment Guidelines ... 9
Deploying Multi-Factor Authentication ... 9
Deploying Conditional Access Policies
Assigning Administrative Roles
Using Security Reports
Security with Windows
Additional EMS Security Components
Conclusion
Reference

Overview

Azure Active Directory (AD) Premium is a cloud-based identity and access management (IAM) system. The Managing Identity Lifecycles at Scale guide addresses the onboarding and off-boarding processes for workers in your organization. The Increasing Productivity with Azure AD guide addresses how to manage applications and provide self-service capabilities to those workers. The third deployment guide in this series dedicated to customers in the Retail Industry focuses on security.

When used to secure identities, Azure AD Premium solves common challenges:
- Multi-Factor Authentication provides additional factors of authentication beyond passwords.
- Conditional Access allows you to configure access policies based on different criteria such as location, device state and risk level.
- Administrative Roles allow you to perform administrative tasks with the minimum level of privileges necessary, granted on demand and for a limited amount of time.
- Security Reporting gives you visibility into activity such as sign-ins and auditing.

Key Concepts

Multi-Factor Authentication (MFA)
The use of more than one verification method, which adds a layer of security to user sign-ins and transactions. MFA works by requiring two or more of the following verification methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
Learn More: Azure Multi-Factor Authentication: What is It?

Device Registration / Authentication
Registering a device in Azure AD provides the device an identity which can be used to authenticate it when users sign in. Authenticated devices, as well as the attributes of the device, can be used to enforce conditional access policies for applications.
Learn More: Azure Active Directory Device Registration overview

Privileged Identities
User accounts that have one or more administrative roles to manage, control, and monitor access to resources in Azure AD as well as other Microsoft online services.
Learn More: Azure AD Privileged Identity Management

Just-Enough-Access (JEA)
Granting the minimum level of permissions required to accomplish a set of administrative tasks.
Learn More: Azure AD Privileged Identity Management

Just-In-Time Access (JIT)
Giving administrative accounts privileges only when needed, with additional security controls and reporting.
Learn More: Azure AD Privileged Identity Management

Conditional Access
Creating policies that grant access to resources based on the context of a request, such as network location (inside or outside the corporate network), device used (compliant or known), or risk level.

Learn More: Azure Active Directory conditional access

Machine Learning
A technique of data science that helps computers learn from existing data in order to forecast future behaviors, outcomes, and trends. Azure AD uses machine learning techniques to assess risk events.
Learn More: What is Machine Learning? and Azure Active Directory Identity Protection

Risk Event
Logins flagged as suspicious by Azure AD Identity Protection, indicating that an identity might have been compromised.
Learn More: Azure Active Directory Identity Protection

Build Your Identity Organization Teams

Identity Organization teams and responsibilities

Identity Architecture / Development Team
- Designs the solution in cooperation with stakeholders.
- Owns the development process and creates the user acceptance environments.
- Documents the solution design and operational procedures and hands them off to the operations team.

On-premises Identity Operations Team
- Manages on-premises identity sources such as Active Directory Forests, LDAP directories, HR systems, and Federation Identity Providers.
- Performs any remediation tasks needed before synchronizing objects to the cloud.
- Provides the service accounts required for directory synchronization to take place.
- Provides access to configure federation to Azure AD.

Security Team
- Defines the security strategy.
- Defines access policies to resources.
- Provides security requirements for IT solutions.
- Reviews security aspects of IT solutions.
- Analyzes security reports from various sources and follows through on findings.

Application Business Owners
- Includes business stakeholders who use the applications.
- Understand the application use cases and have the best context of who should be assigned to the application.

Azure AD Administrator
- Manages the Azure AD configuration.
- Provides credentials to configure the synchronization service.
- May assign Azure AD administrative roles to distribute administration responsibilities, including password, application, and user management.
- May use Administrative Units (AU) to divide management boundaries based on geography, department or similar criteria.

Network Team
- Owns the network infrastructure.
- Provides the required access at the network level for the synchronization service to access the data sources and cloud services (firewall rules, ports opened, IPsec rules and so on).

Helpdesk
- Manages support incidents related to the migration process.

Learn More: Assign administrator roles in Azure Active Directory, Office 365, Azure AD Administrative Units

Prerequisites

Review the following process for configuring prerequisites:

Set Up Common Infrastructure
- Create Azure AD Tenant(s) and activate Azure AD Premium license(s). The Azure AD Tenant is the home for your organization's directory in the cloud. Most features discussed in this guide are available as part of Azure AD Premium and/or EMS.
- Create and configure custom domains. Users reach your cloud and on-premises resources through domains.
- Populate identities in Azure AD. The users and groups must exist in the directory before they can be assigned access to resources.
Learn More: Get an Azure AD Tenant, Introducing Enterprise Mobility + Security, Add Domain, Managing Identities at Scale retail guide

Determine Security Policy Aspects
- Identify the set of resources to protect. This list will provide a concrete scope of security requirements that will determine policies, deployment options, and available tools.
- Define control functions and map them to Azure AD Administration Roles. Roles must be assigned based on control functions, enterprise team structure and operational requirements.
- Define the necessary Multi-Factor infrastructure. The target experiences and scenarios will determine which MFA solution to deploy (Azure MFA cloud-based solution, Azure MFA Server on-premises, smart cards, or third party).
- Define the approach to representing internal networks in Azure AD. Security policies based on network location (i.e., inside or outside the corporate network) require one of the following: the IP addresses that constitute the internal network, or a claim from the Identity Provider for federated domains.
- Define on-premises security monitoring requirements and infrastructure. An on-premises infrastructure is required to deploy Advanced Threat Analytics (ATA).
Learn More: Increasing Productivity with Azure AD retail guide, Azure AD Administration Roles, What is Azure Multi-Factor Authentication?, Azure Active Directory Conditional Access technical reference, ATA Prerequisites

Security Deployment Guidelines

It is important to define the organization's security posture by deploying multi-factor authentication, defining access policies for resources, establishing role-based access control guidelines, and analyzing security reports on an ongoing basis. This gives you a consistent set of principles whenever you onboard new resources or actors.

Deploying Multi-Factor Authentication

Azure AD makes the onboarding of SaaS applications very straightforward. Once you have addressed the prerequisites described above, consider the following:

Assess resources to be protected
Which kind of resources you want to protect with Multi-Factor Authentication will determine which MFA component to deploy:
- MFA in the cloud: Suitable for Azure AD-protected resources such as Office 365, SaaS applications, and internal applications published with Azure AD Application Proxy. Azure MFA in the cloud can also be used with Windows Server 2016 for any claims-based applications that trust AD FS on-premises.
- MFA Server: Best for scenarios that span beyond Azure AD, such as VPN, legacy LDAP applications, or stand-alone usage through the SDK.

We recommend using MFA in the cloud unless it does not support the desired scenarios. When examining on-premises resources, consider the decision from the broader toolset perspective to determine whether a cloud-based solution will meet your requirements. A few examples:
- An on-premises IIS server can be published via Azure AD Application Proxy and use MFA in the cloud.
- An AD FS application can be moved to Azure AD for SSO and use MFA in the cloud.

As a cloud service, Azure AD is constantly evolving and incorporating new functionality. As a result, the gap between the cloud-based MFA and the on-premises MFA Server will narrow over time.
Learn more: Azure Multi-Factor Authentication Getting Started

Defining Multi-Factor Authentication Methods
Deciding which MFA authentication methods to offer your users requires understanding the employee work environment, corporate policies and local regulations. Below are some considerations:

Software Tokens / Authenticator app
Software on mobile devices (smartphone or wearable) uses cryptographic algorithms to prove identity.

Advantages
- Mobile applications can leverage computing power in the device to enable additional techniques, including Time-based One-time Password (TOTP), HMAC-based One-time Password (HOTP), etc.
- More flexible authentication experiences.
- Software can be updated on a regular basis, which enables future innovation, patching, and leveraging of security capabilities in the mobile platform (e.g., fingerprint readers).
- Users don't need to carry another device beyond their smartphone.
Tradeoffs
- Dependency on availability of the device (battery, data plan, Wi-Fi, etc.).
- Higher learning curve for users who are not tech savvy.
- More overhead in the onboarding process, since the mobile device needs to be configured for use as a second factor.
- Depending on the authentication method used, end-users may incur data costs when using their device to authenticate.

Hardware Tokens
A dedicated hardware token (Smart Card, USB dongle, or key fob) serves as a second factor.
Advantages
- If your enterprise already uses hardware tokens, Azure AD can be integrated with these existing investments.
- Can work in harsher environments than a smartphone can.
- Less dependency on availability of network, battery, Wi-Fi, etc.
Tradeoffs
- Overhead of procuring and tracking hardware tokens.
- Unlike phones, users only carry hardware tokens to perform authentications, and are therefore more likely to forget or lose the device.
- Hardware tokens are not easy to update, putting limits on the ability to update or upgrade their crypto algorithms.
- As of August 2016, using hardware tokens requires deploying on-premises components.
Learn more: Getting started with the Azure Multi-Factor Authentication Server

Call to Phone / Text Message to Phone
Users receive a phone call or acknowledge a text message to complete authentication.
Advantages
- Low friction onboarding of users. The vast majority of users have a mobile phone for receiving calls and text messages.
- Turnkey authentication experience. Users can quickly acknowledge the phone call or text message.
- Users are less likely to forget a phone and will take better care of it. Since mobile phones often contain personal information, users often take measures very quickly (report to authorities, remote wipe, etc.) when they lose them.
Tradeoffs
- Phone and SMS systems have limitations, such as phone reception and signal strength, the handling of tone dials by the local PBX and phone network, interference on the line, background noise on the call, and more.
- Mobile phones are dependent on battery level, reception level, etc.
- If the company does not provide a phone, then users need to disclose their personal phone number to the employer.
- Depending on the authentication method used, end-users may incur costs when using their device (data, phone call, SMS).
- Relies on the phone network infrastructure, which was not designed for security. Thus, it is vulnerable to man-in-the-middle, fraud, phishing attacks, SIM cloning, etc.
Learn more: NIST Special Publication B

Windows Hello
Windows Hello provides a secure way to authenticate to Windows 10 devices with biometric gestures or a PIN. When Windows 10 devices are deployed with Azure AD Join, Azure AD can accept Windows Hello logins as a second factor.
Advantages
- A login with Windows Hello can be both secure and turnkey for end-user authentication: by signing into the device, users can seamlessly and securely access Azure AD-protected resources.
Tradeoffs
- Only works on Windows 10 devices.
- Challenging to provision a large number of users onto shared devices.
Learn more: What is Windows Hello?, Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join

Third-Party MFA solutions
If your enterprise has already invested in a third-party solution for MFA (e.g., RSA SecurID, Vasco, etc.), it is possible to integrate it with Azure AD on federated domains.
Advantages
- Preserves existing investments.
Tradeoffs
- Requires on-premises infrastructure (an identity provider such as AD FS, and the MFA provider).
Learn more: Configure Additional Authentication Methods for AD FS, Set-MsolDomainFederationSettings

Enroll users to MFA
Users will need to enroll to select their preferred MFA method and supply the appropriate data (e.g., phone number to receive phone calls). Some considerations:
- We recommend a communications campaign to educate users on how to enroll and sign in.
- We recommend that users enroll in multi-factor authentication as soon as possible. If a user's password is compromised and the user did not register for MFA, a bad actor can use their credentials to register his or her own phone number and get access to the account.
- You can use Windows PowerShell to enable Cloud MFA for users. Learn more: Automate turning on multi-factor authentication using PowerShell
- Azure MFA can reuse an office phone number as pre-filled information. However, users must go through the process to complete their enrollment fully.
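As an added example that is not part of the guide, the following script makes the PowerShell enablement step concrete: it turns on cloud MFA for every holder of the Global Administrator role (the first step of the rollout journey the guide recommends) and reports which of those accounts has not yet completed enrollment, which is the exposure window described above. It assumes the MSOnline module and a session with Global Administrator rights; "Company Administrator" is the name MSOnline uses for the Global Administrator role.

```powershell
# Added example (not part of the guide): turn on cloud MFA for every member of
# a privileged role and report who has not registered a verification method yet.
# Assumes the MSOnline module (Connect-MsolService, Get-MsolRole, Get-MsolRoleMember,
# Get-MsolUser, Set-MsolUser) and a session holding the Global Administrator role.
Import-Module MSOnline
Connect-MsolService

function Enable-CloudMfaForRole {
    param(
        # "Company Administrator" is the MSOnline name of the Global Administrator role.
        [string]$RoleName = "Company Administrator"
    )

    # A StrongAuthenticationRequirement with RelyingParty "*" applies to every
    # application. State "Enabled" makes Azure AD ask the user to register at the
    # next sign-in; the state becomes "Enforced" once registration is complete.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = "*"
    $requirement.State = "Enabled"

    $role = Get-MsolRole -RoleName $RoleName
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq "User" }

    foreach ($member in $members) {
        $user = Get-MsolUser -ObjectId $member.ObjectId

        # Only touch accounts that have no MFA requirement at all; never downgrade
        # an account that is already Enforced.
        if ($user.StrongAuthenticationRequirements.Count -eq 0) {
            Set-MsolUser -ObjectId $user.ObjectId -StrongAuthenticationRequirements @($requirement)
            $state = "Enabled"
        } else {
            $state = $user.StrongAuthenticationRequirements[0].State
        }

        # StrongAuthenticationMethods stays empty until the user finishes enrollment.
        # Enabled-but-unregistered is the window the guide warns about: whoever signs
        # in first with the password gets to register a phone number.
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            MethodsRegistered = $user.StrongAuthenticationMethods.Count
            EnrollmentPending = ($user.StrongAuthenticationMethods.Count -eq 0)
        }
    }
}

# Report, sorted so that accounts still waiting for enrollment appear first.
Enable-CloudMfaForRole | Sort-Object EnrollmentPending -Descending | Format-Table -AutoSize
```

Re-run the report after the communications campaign; any account still showing EnrollmentPending should be chased by the helpdesk before the password is considered the only factor protecting it.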
Azure AD Identity Protection provides Cloud MFA registration as a policy, which can be scoped, enabled, and tracked within the Azure management portal. Learn more: multi-factor authentication registration policy

MFA Server enables advanced customizations of the enrollment process on-premises:

- Programmatic enrollment with the Web Services SDK.
- Deployment of an enrollment portal in IIS (you can decide to enable access to this portal from the internal network only).
- Import of enrollment data from a flat file or Active Directory.

Deploying Conditional Access Policies

This section describes the different criteria you can use to design access policies.

User-Based Access Policy
This is a broad policy that you can apply to users in the directory, who will be prompted for MFA when signing into any application, unless you let them bypass MFA when authenticating from the internal network. This policy applies to all applications the user attempts to access.
Advantages
- Simple to deploy.
- Simple to communicate to users.
- Consistent behavior across all applications.
Tradeoffs
- Lack of flexibility, since it applies to all applications.
- High friction for end-users.
Recommendation
- Use this option if the long-term security posture is: all users must do MFA when outside the corporate network. While this is a good place to start, most customers refine this posture over time to strike a balance between security and usability for end users.
- Consider using this policy to enforce MFA for highly privileged accounts such as global administrators. (You can find more information on privileged accounts in the section Assigning Administrative Roles below.)

Location-Based Access Policy
Whether the request to authenticate comes from the internal network or an external network determines how this policy applies to applications. Azure AD can determine what constitutes the internal network in one of the following ways:
- An on-premises identity provider (such as AD FS) provides a claim that indicates the network location. This is the recommended approach for federated customers. Learn more: Trusted IPs for federated users
- Azure AD receives the list of IP addresses that constitute the internal network. This is the only option when using password hash sync or cloud-only identities.
To capture the location effectively, it is important to understand the retail store's network infrastructure. A store network may be part of the corporate network, or it may be connected via a VPN link enabled by third-party internet access (either a public ISP or a "store within a store"). This will determine which of the above options you must use, or whether a combination is required.

Authentication Experience
Location-based access policies for applications can be configured to deliver one of the following authentication experiences:
- Require MFA always. Always require the user to perform MFA when accessing this application, regardless of their access location.
- Require MFA when not at work. If the user is accessing the application from a network location that is outside your internal network (as defined above), require MFA before allowing access.
- Block access when not at work. Do not allow access to the application from a network location that is outside your internal network.
Advantages
- Easy to deploy.
- Easy to communicate to customers.
- Granularity makes it possible to enable this policy for a subset of applications.
Tradeoffs
- For large customers, it is challenging to assess and maintain the list of internal IP addresses, especially when the network and directory are managed separately.
- The authentication experience for users such as field representatives and store associates, who sign in on a regular basis from outside the corporate network, will have friction.
- Configuration is required when onboarding each application.
Recommendation
- Use this policy if you have identified low-impact applications that don't require multi-factor authentication (e.g., bulletin board).
- Use this policy to lock down access to applications that you do not expect to be used outside the corporate network (e.g., clock in/out applications).

Device-Based Access Policy
You can apply this policy to applications based on whether the request to authenticate is coming from a compliant or a non-compliant device. The criteria to determine compliance are configurable through Microsoft Intune.
NOTE: While Microsoft Intune is required to enable device compliance policies for iOS and Android devices, Windows 10 devices can be integrated with third-party MDM solutions such as MobileIron and AirWatch.
Learn more: Device Based Conditional Access

Authentication Experience
Device-based access policies for applications can be configured to deliver one of the following authentication experiences:

- All devices must be compliant. Require that all device types be compliant in order to access the application.
- Only selected platforms must be compliant. Restrict the compliance requirement for the application to specific device types.
Advantages
- Enforcing device health provides much better protection against malware, device loss, minimum mobile OS version accepted, etc.
Tradeoffs
- Enrolling personal devices for some compliance criteria such as complex PINs or potential remote wipe creates friction. To mitigate this, Microsoft Intune provides per-application policies without requiring MDM enrollment. Learn more: Protect app data using MAM policies
- Managing the Intune infrastructure requires additional IT resources.
Recommendation
- If your organization has acquired Windows Intune, then we highly recommend incorporating device health into your security strategy through MAM, MDM, or a combination.
- Using device state allows retail customers to create policies that enable access to a subset of well-known devices in locations with restricted physical access, such as warehouses or behind the counter.
Learn more: Windows Intune device compliance policies

Risk-Based Access Policies
Azure AD Identity Protection processes vast amounts of data across multiple data sources and assigns a level of risk to sign-in activity and users. You can use this information to create access policies that define a risk threshold and a mitigation action.
Examples of risk events include the following:
- Sign-ins from unfamiliar locations.
- Sign-ins from anonymous IPs.
- Leaked user credentials.
Examples of mitigations that can be part of a risk policy include the following:
- Require MFA.
- Require password reset.
- Block login.
Authentication Experience
Users will attempt to sign in. If a risk-based policy is triggered, then the users will be presented with a message indicating abnormal behavior. Depending on the sign-in risk policy configuration, a sign-in attempt can be blocked, or the user may be prompted to perform MFA. Depending on the user risk policy configuration, a user can be blocked from signing in, or required to reset her password.

Advantages
- Users will only be prompted to do MFA if the sign-in is deemed risky, which balances security and the user experience. Ideally, legitimate users will never see these prompts, while bad actors will be prevented from signing in.
Tradeoffs
- Users might not fully understand why they see different behavior, which might result in support incidents.
- Some models might result in false positives (e.g., familiar locations or impossible travel). Identifying and correcting false positives might require multiple iterations.
Recommendations
- Good option for customers who are user-experience focused and require minimal MFA prompts.
Learn more: User Risk Security Policy, Sign-in Risk Security Policy

Deployment considerations
All the access policies described above can be scoped to a subset of users. We recommend rolling out policies to a set of pilot users first so you can verify that user experience and security goals are met. This is especially important when deploying multiple policies that can act simultaneously. Azure AD Identity Protection provides a view to quantify the estimated impact of rolling out risk policies or MFA policies. Use this data to inform your rollout strategy and plan accordingly.

We recommend educating users on what conditional access policies mean for them in terms of user experience. Consider a communications campaign as part of your rollout process.

You can follow the order described above to transition from a simple policy to a richer one over time. Here's an example of a typical journey to deploy access policies:
1. Enable MFA for administrators only.
2. Define MFA for all users when accessing resources from outside the corporate network.
3. Define MFA only for high-impact applications accessed from outside the corporate network.
4. Incorporate mobile device state to streamline sign-in for users with compliant devices.
5. Incorporate policies to require MFA only in response to risky events.

Assigning Administrative Roles

It is crucial to have solid role-based access control that provides Just Enough Access and Just-in-Time Access to privileged operations. Azure AD provides capabilities for implementing an enterprise-wide administrative roles infrastructure.

Enable Just Enough Access
Each organization has different processes and a different staff breakdown, which determine the actors who will perform Azure AD management tasks. For this reason, we recommend looking at the definitions of the different Azure AD Administration Roles and mapping them to your IT structure.

Azure AD Administrative Units allow you to create subsets of users for roles specific to user management, such as User Administrator or Helpdesk Administrator. Large organizations with regional helpdesk teams can use this approach to further limit the privileges of Helpdesk operators.

NOTE: Azure AD will evolve roles over time. We recommend that you check the Enterprise Mobility and Security blog on a regular basis to evaluate new product capabilities and refine your roles accordingly.

If you use Azure AD Administrative Units to scope roles, executing operations available to each role requires using PowerShell.

The table below is an example of mapping roles for a typical enterprise (columns: Target Customer Role, Control Functions, Azure AD Role(s), Role Scope (Azure AD Administrative Units)):

Administrator
- Control functions: Has full access to everything, aka the keys to the kingdom. Rarely used.
- Azure AD role(s): Global Administrator, Privileged Role Administrator

ID Admin
- Control functions: Has access to administer identities in the directory for troubleshooting, but cannot modify privileged accounts. No access to SaaS Gallery.
- Azure AD role(s): User Administrator
- Role scope: Helpdesk teams in North America, Europe, Asia

Helpdesk teams
- Control functions: Provide password reset/change assistance to customers.
- Azure AD role(s): Helpdesk Administrator
- Role scope: Helpdesk teams in North America, Europe, Asia

Collaboration Administrator
- Control functions: People in this role can fully administer their own service, but cannot touch any element of each other's service, nor can they touch Azure AD. The service can be any Microsoft online service such as Exchange Online, Intune, SharePoint, etc.
- Azure AD role(s): SharePoint Service Administrator (...)

Security Auditor
- Control functions: No access to modify identities is possible, with the exception of some level of access to modify service-specific identity attributes. Read-only access to everything, including audit logs.
- Azure AD role(s): Security Reader

Info Sec
- Control functions: Fine-tune Azure AD Information Protection policies. Investigate risk events. Remediate user risk events.
- Azure AD role(s): Security Administrator

Directory Operations
- Control functions: Looks after the hybrid infrastructure.
- Azure AD role(s): AD FS / Azure AD Connect: on-premises based assignment; Azure AD Connect Health: Contributor

Enable Just in Time Access for Privileged Accounts
Just in time (JIT) Access allows administrators to elevate their privileges only when required to complete a management task. A JIT strategy involves the following:

17 Elevate privileges on demand. Provide privileged access only for a period of time. Track privileged access usage for monitoring and reporting. Azure AD Privileged Identity Management provides JIT for Azure AD administration roles described above this section, and Privileged Access Management (PAM) provides JIT to the on-premises Active Directory infrastructure. Recommendations for Privileged Accounts Using federated privileged accounts has the following advantages: Federated accounts can be further secured with on-premises tools such as smart card authentication, fine-grained access policy, etc. Existing on-premises management account models extend nicely to Azure AD roles without additional overhead for administrators (e.g., it is very reasonable that an on-premises domain administrator holds one or more Azure AD administrative roles). We recommend having at least two cloud accounts with privileged roles (Global Admin and Security Admin) to handle emergency cases when federated accounts cannot gain access (for example, federation itself is not working). It is only necessary for one employee to know the password of a privileged cloud account. Corporate guidelines regarding password management (strength, generation, rotation, etc.) can be applied here. We recommend you enable self-service password reset for privileged cloud accounts as a precaution. Consider this fallback account to be as sensitive as an on-premises Enterprise Administrator credential. A defense in depth measure on of top of JEA and JIT access is to separate privileged accounts from the accounts administrators use for their day-to-day work (e.g., , documents, etc.). This way, if the administrator s standard account gets compromised (e.g., by clicking a link on a phishing ), the privileged role is not compromised. Following this recommendation for dedicated on-premises management accounts allows for stronger access patterns when using AD FS. 
To be more specific, adding privileged accounts to on-premises security groups makes it possible for AD FS to do the following:

- Allow management from privileged workstations only, based on the requestor's specific IP address, OS version, device state (requires write-back) or other additional criteria.
- Allow management from the intranet only, so that access is granted only when the request comes from the internal network.

Learn More:
- Azure AD Privileged Identity Management
- Privileged Access Workstations
- Protecting high-value assets with secure admin workstations

- Administrative units management in Azure Active Directory
- Securing Privileged Access

Using Security Reports

You can use Azure Active Directory's reports to gain visibility into the integrity and security of your organization's directory, so you can identify possible security risks and plan mitigations:

- Azure AD Identity Protection helps prevent the use of compromised accounts using industry-leading machine learning (ML) that processes login signals from multiple sources such as Office 365, Xbox Live, Azure services, Outlook.com, etc. This login data is then combined with feeds from Microsoft's Digital Crimes Unit, Security Response Center, phishing attack data from Outlook.com, law enforcement, academia, security researchers and partners to provide real-time detection of risky events and vulnerabilities.
- Azure AD reporting APIs allow programmatic access that can facilitate integration with SIEM tools for archiving/auditing and forensics.
- Azure AD Connect Health provides reports that can be used to investigate potential security incidents and configuration vulnerabilities based on on-premises federated login activity.
- Advanced Threat Analytics provides additional visibility into potential vulnerabilities in on-premises Active Directory.

User login anomalies

Your security team must review the anomalous activity reports in order to identify and address any findings. Some patterns are not only reported, but are also flagged as risk events by Azure AD Identity Protection, which enables automated remediation actions as described in the section Risk-Based Access Policies above. The table below summarizes the scenarios that have pre-defined reports available (columns: Scenario; Azure AD Identity Protection risk event; Security report available?; Anomaly/risk description):

Scenario: Sign-ins from unknown sources
  Identity Protection risk event: Sign-ins from anonymous IP addresses
  Security report available: Yes
  Description: May indicate an attempt to sign in without being traced, for example via TOR networks.

Scenario: Users with leaked credentials
  Identity Protection risk event: Leaked credentials
  Security report available: Yes
  Description: Indicates users whose passwords may have been compromised.

Scenario: Sign-ins from IP addresses with suspicious activity
  Identity Protection risk event: Sign-ins from IP addresses with suspicious activity
  Security report available: Yes
  Description: May indicate a successful sign-in after a sustained intrusion attempt.

Scenario: Sign-ins from possibly infected devices
  Identity Protection risk event: Sign-ins from infected devices
  Security report available: Yes
  Description: May indicate an attempt to sign in from a possibly infected device. The list of risky devices is determined via the cloud machine learning models described above.

Scenario: Irregular sign-in activity
  Identity Protection risk event: Impossible travel to atypical locations
  Security report available: Yes
  Description: Also known as impossible travel, this identifies events anomalous to users' sign-in patterns.

Scenario: Users with anomalous sign-in activity
  Identity Protection risk event: none listed
  Security report available: Yes
  Description: Indicates users whose accounts may have been compromised.

Scenario: Sign-ins from unfamiliar locations
  Identity Protection risk event: Sign-ins from unfamiliar locations
  Security report available: No

Scenario: Users with threatened credentials
  Identity Protection risk event: none listed
  Security report available: Yes

Scenario: Bad password attempts with AD FS
  Identity Protection risk event: none listed
  Security report available: Yes (Azure AD Connect Health for AD FS)
  Description: May indicate attempts at brute force attacks. This report encompasses applications that trust AD FS as well as Azure AD. It is also common to see applications using service accounts with expired passwords, as well as infrequently used devices that lack current password information.

Scenario: NTLM authentications in domain controllers
  Identity Protection risk event: none listed
  Security report available: Yes (Azure AD Connect Health for AD DS)
  Description: NTLM is an older protocol that is not as secure as Kerberos, making it a risk to your organization.

Environment Vulnerabilities

Azure AD Identity Protection provides a report of vulnerabilities in the environment. We recommend addressing all reported vulnerabilities. The vulnerabilities reported are as follows:

- MFA registration is not configured: reported when users who have not configured MFA are detected. MFA login is a valuable tool for mitigating authentication attack vectors.
- Unmanaged cloud apps: reported when Azure AD Cloud App Discovery detects unsanctioned SaaS applications. Learn more: Finding unmanaged cloud applications with Cloud App Discovery.
- Security alerts from PIM: generated when there are issues with privileged identities (e.g., too many global administrators).
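The anonymous-IP and impossible-travel scenarios from the table above, re-created as a small detection pass over sign-in records. This is an added example written for this page, not Microsoft's detection logic: it stands in for what Identity Protection does with machine learning using two plain rules, a lookup against an anonymizer address list and a speed check between a user's consecutive sign-ins. The sample records, the anonymizer list, the 1,000 km/h threshold and the field names (modelled on the Microsoft Graph signIns resource) are all assumptions.

```python
"""Anomaly checks over Azure AD sign-in records (added example).

Example code written for this page, not code from the deployment guide or
from Azure AD Identity Protection. It re-creates two scenarios from the
guide's table, "sign-ins from anonymous IP addresses" and "impossible
travel to atypical locations", over a constructed batch of sign-in records
so the logic can be run and inspected offline. The record layout is
modelled on the Microsoft Graph signIns resource (createdDateTime,
userPrincipalName, ipAddress, location); the records, the anonymizer IP
list and the speed threshold are assumptions.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins. IP addresses come from the RFC 5737
# documentation ranges; coordinates are rough city centres.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2017-03-01T08:00:00Z", "ipAddress": "203.0.113.10",
     "location": {"city": "Seattle", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 47.61, "longitude": -122.33}}},
    {"userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2017-03-01T09:30:00Z", "ipAddress": "198.51.100.7",
     "location": {"city": "Moscow", "countryOrRegion": "RU",
                  "geoCoordinates": {"latitude": 55.75, "longitude": 37.62}}},
    {"userPrincipalName": "bob@contoso.example",
     "createdDateTime": "2017-03-01T10:00:00Z", "ipAddress": "192.0.2.44",
     "location": {"city": "London", "countryOrRegion": "GB",
                  "geoCoordinates": {"latitude": 51.51, "longitude": -0.13}}},
    {"userPrincipalName": "bob@contoso.example",
     "createdDateTime": "2017-03-01T16:00:00Z", "ipAddress": "192.0.2.45",
     "location": {"city": "Paris", "countryOrRegion": "FR",
                  "geoCoordinates": {"latitude": 48.86, "longitude": 2.35}}},
]

# Constructed stand-in for an anonymizer (e.g. TOR exit node) address feed.
ANONYMOUS_IPS = {"198.51.100.7"}

# Assumed threshold: a faster implied speed between two sign-ins is not plausible.
MAX_PLAUSIBLE_KMH = 1000.0

# Event names taken from the guide's table of Identity Protection risk events.
ANON_EVENT = "Sign-ins from anonymous IP addresses"
TRAVEL_EVENT = "Impossible travel to atypical locations"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_time(stamp):
    """Parse the UTC 'Z' timestamps the sign-in records carry."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_risk_events(signins, anonymous_ips=ANONYMOUS_IPS, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (userPrincipalName, risk event name, detail) tuples in time order.

    Records are processed oldest first so each sign-in is compared with the
    same user's immediately preceding one, which is what the travel check needs.
    """
    events = []
    last_by_user = {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        upn = rec["userPrincipalName"]
        if rec["ipAddress"] in anonymous_ips:
            events.append((upn, ANON_EVENT, rec["ipAddress"]))
        prev = last_by_user.get(upn)
        if prev is not None:
            here = rec["location"]["geoCoordinates"]
            there = prev["location"]["geoCoordinates"]
            km = haversine_km(there["latitude"], there["longitude"],
                              here["latitude"], here["longitude"])
            hours = (parse_time(rec["createdDateTime"])
                     - parse_time(prev["createdDateTime"])).total_seconds() / 3600
            # Two places in the same second count as impossible too; this also
            # keeps the division safe.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                detail = "%s -> %s, %.0f km in %.1f h" % (
                    prev["location"]["city"], rec["location"]["city"], km, hours)
                events.append((upn, TRAVEL_EVENT, detail))
        last_by_user[upn] = rec
    return events


def users_to_review(events):
    """Group the flagged event names by user for the periodic review."""
    summary = {}
    for upn, name, _ in events:
        summary.setdefault(upn, set()).add(name)
    return summary


if __name__ == "__main__":
    for upn, name, detail in detect_risk_events(SAMPLE_SIGNINS):
        print(upn, "|", name, "|", detail)
```

Running the block flags two events for the constructed user alice (an anonymizer address, then Seattle to Moscow in ninety minutes); bob's London-to-Paris pair six hours apart passes. The point for a security team is the review loop the guide describes: the output of a pass like this, or of the Identity Protection report itself, feeds the periodic remediation of risk events, and the address list and threshold are the tunables an owner has to keep current.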
Learn more: How to configure security alerts in Azure AD Privileged Identity Management

Monitoring On-Premises Active Directory with Advanced Threat Analytics (ATA)

ATA is an on-premises platform included in Azure AD Premium and EMS that helps you protect your enterprise from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal entities (users, devices, and resources). This includes the following:

- Malicious attacks: ATA detects known malicious attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket almost as instantly as they occur.

- Abnormal behavior: behavioral analytics leverage machine learning to uncover questionable activities and abnormal behavior such as anomalous logins, unknown threats, password sharing and lateral movement.
- Security issues and risks: ATA identifies known security issues using the work of world-class security researchers. Examples include broken trust, weak protocols, and known protocol vulnerabilities.

Reporting API

Azure AD provides a reporting API that allows you to build custom security reports based on business needs. Examples include the following:

- Sign-in activity history for all users or for a single user.
- List of users who have access to applications.
- Audit trail of operations in the directory.

The reporting API facilitates integration with SIEM tools.

Recommendations

- Set up the Azure AD Identity Protection weekly digest to be sent to your security team.
- Designate owner(s) who periodically remediate risk events so you can keep your assessment of user risk and your policies current.
- Maintain your list of IP addresses to improve the effectiveness of location-based risk events, reports, and vulnerabilities.
- Enable the MFA registration policy so users sign up as soon as possible. This way, you can safely configure policies to remediate risk with high confidence that the second factor will be available when it is most needed.
- Deploy Azure AD Connect Health and assign owners to review reports for bad passwords and NTLM usage, as well as future reports.
- Deploy Advanced Threat Analytics and assign owners to review and address the findings on a regular basis.
- Export Azure AD reports to any SIEM tools deployed in your organization.

Learn more:
- View your access and usage reports
- Azure Active Directory Identity Protection
- Vulnerabilities detected by Azure Active Directory Identity Protection
- Advanced Threat Analytics
- Getting started with the Azure AD Reporting API
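An export path from the reporting API to a SIEM, as an added example for this page (not the deployment guide's or Microsoft's own tooling). It shows the two mechanics every such integration needs: walking the paged response (a "value" array plus an "@odata.nextLink" URL until the last page) and rendering each sign-in as a CEF event with the Identity Protection sign-in risk level carried as the severity. The response shape is modelled on the Microsoft Graph auditLogs/signIns endpoint; the pages, records and URLs are constructed, and the HTTP call is a fetch function the caller supplies, so a real deployment would pass one that performs the authenticated GET.

```python
"""Export Azure AD sign-in records to a SIEM as CEF lines (added example).

Example code written for this page, not the deployment guide's or
Microsoft's tooling. The page layout is modelled on the Microsoft Graph
/auditLogs/signIns response; the HTTP call is abstracted behind a fetch
function so the block runs offline against the constructed pages below.
Records, URLs and the tenant name are made up.
"""
from datetime import datetime, timezone

FIRST_PAGE = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=2"
SECOND_PAGE = FIRST_PAGE + "&$skiptoken=constructed-page-2"

# Constructed two-page response set keyed by URL, trimmed to the fields the
# CEF mapping reads. 50126 is the AADSTS code for a bad username/password.
FAKE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"id": "s-0001", "createdDateTime": "2017-03-01T08:00:00Z",
             "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
             "appDisplayName": "Office 365 Exchange Online",
             "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none"},
            {"id": "s-0002", "createdDateTime": "2017-03-01T08:05:00Z",
             "userPrincipalName": "bob@contoso.example", "ipAddress": "192.0.2.44",
             "appDisplayName": "Office 365 SharePoint Online",
             "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none"},
        ],
        "@odata.nextLink": SECOND_PAGE,
    },
    SECOND_PAGE: {
        "value": [
            {"id": "s-0003", "createdDateTime": "2017-03-01T09:30:00Z",
             "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
             "appDisplayName": "Azure Portal",
             "status": {"errorCode": 0}, "riskLevelDuringSignIn": "high"},
        ],
        # No @odata.nextLink here: this is the last page.
    },
}

# CEF severity (0-10) derived from the sign-in risk level; unknown levels get 5.
SEVERITY = {"none": 1, "low": 3, "medium": 6, "high": 9}


def fake_fetch(url):
    """Stand-in for an authenticated HTTPS GET that returns the parsed JSON body."""
    return FAKE_PAGES[url]


def iterate_signins(fetch, url):
    """Yield every record, following @odata.nextLink until it is absent."""
    seen = set()
    while url:
        if url in seen:  # a server that hands back the same link would loop us forever
            raise RuntimeError("pagination loop at " + url)
        seen.add(url)
        page = fetch(url)
        for rec in page.get("value", []):
            yield rec
        url = page.get("@odata.nextLink")


def cef_escape(value, header=False):
    """Escape per the CEF spec: header fields escape | and backslash,
    extension values escape =, backslash and line breaks."""
    text = str(value).replace("\\", "\\\\")
    if header:
        return text.replace("|", "\\|")
    return text.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def to_cef(rec):
    """Map one sign-in record to a CEF line."""
    error_code = rec.get("status", {}).get("errorCode", 0)
    failed = error_code != 0
    risk = rec.get("riskLevelDuringSignIn", "none")
    received = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    received = received.replace(tzinfo=timezone.utc)
    extension = [
        ("rt", int(received.timestamp() * 1000)),  # CEF receipt time, epoch milliseconds
        ("suser", rec.get("userPrincipalName", "")),
        ("src", rec.get("ipAddress", "")),
        ("app", rec.get("appDisplayName", "")),
        ("outcome", "Failure" if failed else "Success"),
        ("reason", error_code),
        ("cs1Label", "riskLevelDuringSignIn"),
        ("cs1", risk),
        ("externalId", rec.get("id", "")),
    ]
    header = "|".join(cef_escape(f, header=True) for f in (
        "CEF:0", "Microsoft", "Azure AD", "1.0",
        "signin-failure" if failed else "signin-success",
        "Azure AD sign-in", str(SEVERITY.get(risk, 5))))
    return header + "|" + " ".join("%s=%s" % (k, cef_escape(v)) for k, v in extension)


def export_signins(fetch, url=FIRST_PAGE):
    """Pull every page and return the CEF lines, ready to forward to a SIEM."""
    return [to_cef(rec) for rec in iterate_signins(fetch, url)]


if __name__ == "__main__":
    for line in export_signins(fake_fetch):
        print(line)
```

The loop guard in iterate_signins matters in production: an export that keeps following the same link silently stalls the archive rather than failing loudly. Keeping the error code and the risk level as separate extension fields lets the SIEM correlate the AD FS bad-password report and the Identity Protection risk events listed above against the same user.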

Security with Windows 10

Azure AD provides additional capabilities built into Windows 10 devices that allow a more seamless and secure experience:

- Azure AD Join. This feature enables single sign-on to Azure AD resources such as SaaS applications, Office 365 and LOB applications, access to the Windows Store with Azure AD credentials, enterprise roaming settings, and other capabilities. Additionally, a device can be joined to both Azure AD and on-premises Windows Server AD, providing a seamless experience across both cloud and on-premises resources.
- Shared Devices Improvements. Azure AD Join reduces the time it takes to sign in to a device for the first time from the minutes it takes with traditional on-premises AD join to seconds. This allows turnkey provisioning of users on shared devices such as kiosks, warehouses, and points of sale.
- Windows Hello for Work. This provides enterprise-wide infrastructure to recognize a device user via different biometric gestures, authenticating using industry standards such as FIDO.
- Add Azure AD account for BYOD. Users can add an Azure AD account to personally owned devices to access work applications. This enables single sign-on and MDM enrollment.

Learn more:
- Connect domain-joined devices to Azure AD for Windows 10 experiences
- Windows Hello for Work guide
- Azure AD on Windows 10 Personal Devices
- Making Windows 10 More Personal and More Secure with Windows Hello

Additional EMS Security Components

Enterprise Mobility + Security provides additional components to secure your enterprise:

- Microsoft Cloud App Security provides visibility and controls for cloud applications, including popular SaaS apps like Box, Salesforce, ServiceNow, and Office 365. Learn more: Cloud App Security; Gain enhanced visibility and control with Office 365 Advanced Security.
- Microsoft Azure Rights Management (Azure RMS) helps you protect your organization's sensitive information from unauthorized access and control how this information is used. Learn more: What is Azure Rights Management?
- Azure Information Protection combines classification and labeling with persistent data protection to enable secure file sharing, internally and externally. Learn more: Azure Information Protection
- Intune Mobile Application Management (MAM) helps you prevent data loss on mobile devices, with the unique ability to manage the Office mobile apps without requiring device enrollment. Learn more: Protect app data using MAM policies

Conclusion

Azure AD Premium and EMS provide a comprehensive set of capabilities that enable your retail organization to have a robust security posture for cloud and on-premises resources. As a cloud service, Azure AD is constantly adding more capabilities and refined models/heuristics that will further strengthen your security posture. Check the Enterprise Mobility and Security blog periodically to learn about new product capabilities.

Reference

For more information about Azure Active Directory, see
To stay informed on new capabilities, visit the Enterprise Mobility and Security blog.


More information

[ Sean TrimarcSecurity.com ]

[ Sean TrimarcSecurity.com ] Securing the Microsoft Cloud (Office 365 & Azure AD) Sean Metcalf Founder, Trimarc Presenter bio Sean Metcalf Founder & CTO, Trimarc One of ~100 people globally who holds the Microsoft Certified Master

More information

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security NIST 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security How CyberArk can help meet the unique security requirements of Industrial Control Systems Table of Contents Executive Summary

More information

How Microsoft s Enterprise Mobility Suite Provides helps with those challenges

How Microsoft s Enterprise Mobility Suite Provides helps with those challenges 2 Agenda Enterprise challenges for mobility How Microsoft s Enterprise Mobility Suite Provides helps with those challenges Hybrid identity With Azure Active Directory and Azure Active Directory Premium

More information

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief RSA Solution Brief The RSA Solution for VMware View: Managing Securing the the Lifecycle Virtual of Desktop Encryption Environment Keys with RSA Key Manager RSA Solution Brief 1 According to the Open Security

More information

Enterprise Security Solutions by Quick Heal. Seqrite.

Enterprise Security Solutions by Quick Heal. Seqrite. Enterprise Security Solutions by Quick Heal Seqrite Infinite Devices. One Unified Solution. A simple yet powerful solution, Seqrite is a unified platform for managing and monitoring multiple mobile devices

More information

Use Microsoft EMS. to Protect your Mobile Data and Mobile Apps. Chris Nackers Nackers Consulting

Use Microsoft EMS. to Protect your Mobile Data and Mobile Apps. Chris Nackers  Nackers Consulting Use Microsoft EMS to Protect your Mobile Data and Mobile Apps Chris Nackers http://chrisnackers.com chris@nackersconsulting.com Nackers Consulting Peter Daalmans http://configmgrblog.com, peter@daalmans.com

More information

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1 VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June

More information

Service Description VMware Workspace ONE

Service Description VMware Workspace ONE VMware Workspace ONE Last Updated: 05 April 2018 The product described in this Service Description is protected by U.S. and international copyright and intellectual property laws. The product described

More information

MaaS360 Secure Productivity Suite

MaaS360 Secure Productivity Suite MaaS360 Secure Productivity Suite Frequently Asked Questions (FAQs) What is MaaS360 Secure Productivity Suite? MaaS360 Secure Productivity Suite integrates a set of comprehensive mobile security and productivity

More information

Symantec Endpoint Protection Mobile - Admin Guide v3.2.1 May 2018

Symantec Endpoint Protection Mobile - Admin Guide v3.2.1 May 2018 Symantec Endpoint Protection Mobile - Admin Guide v3.2.1 May 2018 Symantec Endpoint Protection Mobile - Admin Guide Documentation version: 3.0 This document was last updated on: August 21, 2017 Legal Notice

More information

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...

More information

Six steps to control the uncontrollable

Six steps to control the uncontrollable Six steps to control the uncontrollable Learn how to use Microsoft Enterprise Mobility Suite to protect cloud apps, manage devices, and guard against advanced threats today Introduction Employees today

More information

McAfee MVISION Mobile Microsoft Intune Integration Guide

McAfee MVISION Mobile Microsoft Intune Integration Guide McAfee MVISION Mobile Microsoft Intune Integration Guide Administrator's guide for providing Integration with Microsoft Intune MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS

More information

Liferay Security Features Overview. How Liferay Approaches Security

Liferay Security Features Overview. How Liferay Approaches Security Liferay Security Features Overview How Liferay Approaches Security Table of Contents Executive Summary.......................................... 1 Transport Security............................................

More information

Integrated Access Management Solutions. Access Televentures

Integrated Access Management Solutions. Access Televentures Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1

More information

Single Secure Credential to Access Facilities and IT Resources

Single Secure Credential to Access Facilities and IT Resources Single Secure Credential to Access Facilities and IT Resources HID PIV Solutions Securing access to premises, applications and networks Organizational Challenges Organizations that want to secure access

More information

The security challenge in a mobile world

The security challenge in a mobile world The security challenge in a mobile world Contents Executive summary 2 Executive summary 3 Controlling devices and data from the cloud 4 Managing mobile devices - Overview - How it works with MDM - Scenario

More information

Quick Heal Mobile Device Management. Available on

Quick Heal Mobile Device Management. Available on Available on Infinite Devices. One Unified Solution. Quick Heal A simple yet powerful solution, Quick Heal is a unified platform for managing and monitoring multiple mobile devices within your enterprise

More information

Keep the Door Open for Users and Closed to Hackers

Keep the Door Open for Users and Closed to Hackers Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According

More information

Securing Office 365 with MobileIron

Securing Office 365 with MobileIron Securing Office 365 with MobileIron Introduction Office 365 is Microsoft s cloud-based productivity suite. It includes online versions of Microsoft s most popular solutions, like Exchange and SharePoint,

More information

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com BULLETPROOF365 SECURING YOUR IT Bulletproof365.com INTRODUCING BULLETPROOF365 The world s leading productivity platform wrapped with industry-leading security, unmatched employee education and 24x7 IT

More information

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz Osman Akagunduz Consultant @ InSpark Microsoft Country Partner Of The Year Twitter: @Osman_Akagunduz What s in this session The role of Azure

More information

Microsoft 365 Business FAQs

Microsoft 365 Business FAQs Microsoft 365 Business FAQs Last updated April 27 th, 2018 Table of Contents General... 3 What is Microsoft 365 Business?... 3 Who should consider adopting Microsoft 365 Business?... 3 How can I get Microsoft

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

At Course Completion After completing this course, students will be able to:

At Course Completion After completing this course, students will be able to: Course Details Course Code: Duration: Notes: 20398B 5 days This course syllabus should be used to determine whether the course is appropriate for the students, based on their current skills and technical

More information

Secure Access for Microsoft Office 365 & SaaS Applications

Secure Access for Microsoft Office 365 & SaaS Applications Best Practices Guide Secure Access for Microsoft Office 365 & SaaS Applications Implement Robust Compliance for All Users, All Devices, and All Data This guide illustrates best practices for secure Office

More information

Office 365 and Azure Active Directory Identities In-depth

Office 365 and Azure Active Directory Identities In-depth Office 365 and Azure Active Directory Identities In-depth Jethro Seghers Program Director SkySync #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM Agenda Introduction Identities Different forms of authentication

More information

Access Governance in a Cloudy Environment. Nabeel Nizar VP Worldwide Solutions

Access Governance in a Cloudy Environment. Nabeel Nizar VP Worldwide Solutions Access Governance in a Cloudy Environment Nabeel Nizar VP Worldwide Solutions Engineering @nabeelnizar Nabeel.Nizar@saviynt.com How do I manage multiple cloud instances from a single place? Is my sensitive

More information

Maximize your move to Microsoft in the cloud

Maximize your move to Microsoft in the cloud Citrix and Microsoft 365: Maximize your move to Microsoft in the cloud 3 reasons to manage Office 365 with Citrix Workspace Pg. 2 Pg. 4 Citrix.com e-book Maximize your Citrix Workspace 1 Content Introduction...3

More information

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7 1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7 ORACLE PRODUCT LOGO 20. oktober 2011 Hotel Europa Sarajevo Platform

More information

White Paper Securing and protecting enterprise data on mobile devices

White Paper Securing and protecting enterprise data on mobile devices Securing and protecting enterprise data on mobile devices Use cases in mobile Securing and protecting enterprise data, especially in a mobile world, is a complex problem that can be easily solved. Organizations

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

McAfee Skyhigh Security Cloud for Amazon Web Services

McAfee Skyhigh Security Cloud for Amazon Web Services McAfee Skyhigh Security Cloud for Amazon Web Services McAfee Skyhigh Security Cloud for Amazon Web Services (AWS) is a comprehensive monitoring, auditing, and remediation solution for your AWS environment

More information

Best Practices for Augmenting IDaaS in a Cloud IAM Architecture PAM DINGLE, PING IDENTITY OFFICE OF THE CTO

Best Practices for Augmenting IDaaS in a Cloud IAM Architecture PAM DINGLE, PING IDENTITY OFFICE OF THE CTO Best Practices for Augmenting IDaaS in a Cloud IAM Architecture PAM DINGLE, PING IDENTITY OFFICE OF THE CTO W HI T E P A P ER TABLE OF CONTENTS 03 EXECUTIVE OVERVIEW 04 BEST PRACTICE #1: IMPLEMENT ADMINISTRATIVE

More information

ENABLING AND MANAGING OFFICE 365

ENABLING AND MANAGING OFFICE 365 20347 - ENABLING AND MANAGING OFFICE 365 CONTEÚDO PROGRAMÁTICO Module 1: Planning and provisioning Office 365 This module reviews the features of Office 365 and identifies recent improvements to the service.

More information

Secure Access & SWIFT Customer Security Controls Framework

Secure Access & SWIFT Customer Security Controls Framework Secure Access & SWIFT Customer Security Controls Framework SWIFT Financial Messaging Services SWIFT is the world s leading provider of secure financial messaging services. Their services are used and trusted

More information

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com BULLETPROOF365 SECURING YOUR IT Bulletproof365.com INTRODUCING BULLETPROOF365 The world s leading productivity platform wrapped with industry-leading security, unmatched employee education and 24x7 IT

More information