In my previous two posts in this series, we explored the question “What is Azure Active Directory?” and looked into Azure AD management . Now let’s turn our attention to Azure AD and hybrid Active Directory security and compliance.
Controlling user and admin permissions
One of the best ways to improve IT security and compliance is to regularly review your environment for potential weaknesses. In a cloud environment, of course, you don’t have to worry about checking system configuration settings the way you would in an on-premises deployment; Microsoft handles all of that behind the scenes. But you still have plenty of assessment work to do.
In particular, it’s essential for both security and compliance to be able to see who has access to what resources across your environment, and to ensure that those rights are granted in strict accordance with the least-privilege principle. That’s tough enough in an on-prem environment, but it gets even more complicated in a cloud or hybrid scenario. As we have seen in earlier blog posts, users can gain access to resources in a variety of ways, including by direct assignment in Active Directory or Azure AD, through membership in AD and Azure AD security groups — and through membership in Office 365 groups.
The latter is particularly concerning, since by fault, users can create any Office 365 groups they please, name them pretty much anything they like, and add and delete members at will. Plus, you’ll also have all the Office 365 groups created behind the scenes by applications like Microsoft Teams and SharePoint Online. Each Office 365 group has a shared mailbox and calendar, an associated SharePoint site collection, a OneNote notebook, and shared resources in applications like Microsoft Teams, Yammer, Planner and PowerBI, which opens up plenty of new avenues for security breaches. Even more concerning from a security perspective, Office 365 groups can include guests — users from outside your organization who gain access to many of the group’s shared resources.
With native tools, gaining control over these groups and the access they grant is an uphill battle. For instance, there is no way to granularly remove Office 365 group management functions (for instance, you can’t prevent a group owner from changing the group’s name), and there are no native capabilities to delegate specific management functions. There is no native mechanism that provides end-to-end attestation to ensure that Office 365 group membership is correct — you’ll have to create PowerShell scripts that enumerate the membership of each group and develop a custom solution to process the PowerShell output and email it to the group owners for attestation. And there are no native alerts to let you know when users or groups are created, modified or deleted in your cloud or hybrid environment. You can turn off the ability for users to create Office 365, but that’s a draconian measure guaranteed to stifle the collaboration and communication that drove your organization to the cloud in the first place.
Keeping a close eye on user and admin activity
Of course, ensuring that user permissions are assigned correctly and stay that way is not the end of your job, not by a long shot. It’s also critical to keep a close eye on what people — admins, regular users and guests alike — are doing across the IT environment. Anyone can make mistakes, fall victim to scams like phishing attacks, or deliberately take malicious or unauthorized actions that could result in a data breach or a compliance failure. Plus, Azure AD user and admin accounts are just as vulnerable to takeover by attackers as on-prem AD accounts, if not more so.
Native tools provide very limited visibility into user activity in your cloud environment, let alone across a hybrid one. For example, Azure AD Privileged Identity Management (PIM) helps you control privileged access to Azure AD and Azure resources by enabling you to limit how long privileged access is available and requiring multifactor authentication to use it. However, as the name implies, it works only for the cloud-based part of a hybrid environment — and it requires an Azure AD Premium P2 license.
Investigating and recovering from security incidents
Security incidents are inevitable, so you have to be prepared to quickly investigate and respond to suspicious activity. You need to be able to quickly determine where the breach originated, how it unfolded and exactly what was accessed. You also have to be able to recover from a security incident. Having an integrated enterprise strategy that covers both Active Directory backup and recovery and Azure AD backup and recovery, as I explained in my previous post in this series, is essential for ensuring business continuity.
Achieving, maintaining and proving compliance
Your organization is probably subject to at least one internal security policy or external regulation, such as GDPR, HIPAA, SOX or PCI-DSS; many organizations have to worry about multiple regulations. Following the basic security best practices outlined above will certainly speed you on your way towards compliance. However, many regulations impose specific requirements above and beyond what I’ve discussed here, such as the increasingly stringent breach notification requirements we’re now seeing.
To check your progress towards compliance and demonstrate your compliance to auditors, you need proper reporting across your Azure AD or hybrid AD environment. Reporting is critical for tasks other than compliance, though, so I’ll explore it separately in the last blog post in this series (coming soon).
Maintaining security across any IT environment, especially a hybrid one, is much easier when you have the right tools. Quest is the go-to vendor for Active Directory solutions, both on premises and in the cloud. Here are main ones to know about when it comes to hybrid Active Directory security and governance:
- Active Administrator for Azure Active Directory enables you to manage your hybrid environment from a single console, instead of having to constantly switch between different tools and try to make sense of multiple sets of data. It even alerts you in real time when critical users, groups or other objects are modified so you can respond quickly to any inappropriate changes that might put your organization at risk.
- On Demand Group Managementis a simple and secure SaaS solution that enables you to manage Azure AD and Office 365 groups effectively. From a single console, you get full visibility into all the groups being created, modified and deleted, so you know exactly what’s out there and how access rights are changing. Moreover, it offers robust group creation policies that control the naming and expiration of groups, as well as automated attestation for regular validation of group membership. There’s even a self-service portal where users can review the group’s membership and request access to resources with friendly naming conventions.
- Change Auditor for Active Directory provides a single, correlated view of user activity across both AD and Azure AD, giving you visibility into all changes, both on premises and in the cloud. It sends alerts on critical changes to email and mobile devices to enable you to respond immediately, no matter where you are. It even provides comprehensive reports that help you achieve and prove compliance with GDPR, SOX, PCI-DSS, HIPAA, FISMA, GLBA and other regulations.
- IT Security Search is a Google-like IT search engine that enables you to quickly respond to security incidents and analyze event forensics. Its web-based interface correlates disparate IT data from many sources across your on-premises, cloud or hybrid environment into a single console to speed troubleshooting, investigation and remediation.
- Enterprise Reporter Suite offers comprehensive access assessments that provide deep visibility into Azure resources, users, groups, permissions and much more. Even better, it includes Security Explorer, so you can quickly take action from within the Enterprise Reporter user interface to remove any inappropriate permissions. Security Explorer provides an array of additional security features, such as the ability to quickly grant, revoke, clone, modify and overwrite permissions from a central location. This combination of reporting and remediation facilitates security and compliance, enabling you to stay ahead of security vulnerabilities to prevent breaches.
Feeling like an Azure AD expert yet? We have indeed covered a lot of ground and you should feel proud, but be sure to round out your knowledge by reading the final two posts in this “What is Azure AD?” series:
- Part 4: Azure AD migration
- Part 5: Azure AD reporting