Skip to content

epomatti/azure-identity-security

Repository files navigation

Azure Identity security

Security implementation for various services from the Azure Identity domain.

⚠️ If you disable security defaults to test conditional access, don't forget to re-enable it

Setup

Initiate the baseline resources:

You must disable security defaults to use conditional access.

# Set up according to your Tenant
cp config/sample.tfvars .auto.tfvars

# Create the resources
terraform init
terraform apply -auto-approve

Password reset

Self-service password reset

You can configure this: None, Selected, All

Authentication methods

Number of methods required to reset (1 or 2), and the methods available.

Registration

Require users to register when signing in, number of days before users are asked to re-confirm their authentication information.

On-premises integration

Access Reviews

What to review:

  • Teams + Groups
    • All Microsoft 365 groups with guest users
    • Select Teams + Groups
  • Applications

It is possible to create multi-stage.

Reviewers:

  • Group owners(s)
  • Selected user(s) or group(s)
  • Users review their own access - if they can't, group owner reviews
  • Managers of users (synced attribute from Active Directory)

Recurrence is set.

Settings are then configured such as:

  • Apply or not the results to resource
  • No response behavior
    • No change
    • Remove access
    • Approve access
    • Take recommendations
  • Notifications
  • Justifications
  • etc.

Reviewers can access the access reviews on the My Access portal.

Policy exclusions

It is important to remind that inclusions are overwritten by exclusions:

When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy. Exclusions are commonly used for emergency access or break-glass accounts.

Identity Protection

Risk reports:

Based of the portal, but also on the documentation and blob

  • Risky users
  • Risky workload identities
  • Risky sign-ins
  • Risk detections

You can enable User and Sign-in risk protection directly, or use Conditional Access (recommended).

Microsoft provides this article with tips for simulating risk events.

For example, simulating anonymous IP address using Tor browser to access https://myapps.microsoft.com/ (set the Risk level to Low in the dashboard).

Conditional Access

A conditional access will be create with Report-only functionality. Change to On when ready.

This policy will require MFA when for risky logins.

Cloud Apps

Cloud Apps such as Docusign and AWS.

Sign-in frequency

Options such as periodic authentication (hours, days) or every time.

Persistent Browser Session

A persistent browser session allows users to remain signed in after closing and reopening their browser window.

Must have All cloud apps enabled.

Continuous Access Evaluation (CAE)

Continuous Access Evaluation (CAE) allows access tokens to be revoked based on critical events and policy evaluation in real time rather than relying on token expiration based on lifetime.

MFA Policy

There is also a dedicated available MFA policy:

MFA Additional Settings

To reach the MFA additional settings hot site:

MFA Statues

Users can have the following MFA statuses:

  • Disabled (default) - User not enrolled in per-user Microsoft Entra MFA. Does not affect Legacy, browser, or modern.
  • Enabled - User is enrolled in per-user Microsoft Entra MFA, but can still use password for legacy authentication. Will be prompted to register for modern authentication when session or token expires.
  • Enforced - User is enrolled per-user Microsoft Entra MFA and must sign-in with MFA.

Importantly:

Don't enable or enforce per-user Microsoft Entra multifactor authentication if you use Conditional Access policies.

By accessing "All Users" > "Per-user MFA":

MFA Licenses

Different methods are available to license MFA on Entra:

Microsoft Entra multifactor authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features via Security Defaults. You may already be entitled to use advanced Microsoft Entra multifactor authentication depending on the Microsoft Entra ID, EMS, or Microsoft 365 license you currently have. For example, the first 50,000 monthly active users in Microsoft Entra External ID can use MFA and other Premium P1 or P2 features for free.

It is worth pointing out that on PIM, MFA enablement will override per-user settings.

Custom Roles

Custom roles will be created.

Entra ID actions allow only for granted permissions.

Azure RM actions have the capability for Action (allow) and Not Action (deny).

Custom roles can also be shared across different subscriptions that trust the same Microsoft Entra tenant. For example, the assignable scope can ge set to a Management Group.

Current limits are 5,000 custom roles per tenant.

There are also relevant prerequisites.

Scenarios

The following additional scenarios are implemented in this project.

Adding objects to a Security Group

It's possible to add the following objects to a Security Group:

  • Users
  • Security Groups
  • Devices
  • Enterprise Applications
  • Managed Identities

You cannot add Application Registrations, they must be enterprise.

Group nesting

For this scenario, the following groups are created:

Name Type Assignable to Entra ID roles
NestingGroup1 Microsoft 365 group Yes
NestingGroup2 Security group No
NestingGroup3 Security group Yes
NestingGroup4 Security group Yes

In this scenario, this is currently prohibited:

  1. Cannot nest Microsoft 365 into other groups.
  2. Cannot nest groups into Entra ID assignable groups.

Governance

To use all governance features, an additional Microsoft Entra ID Governance license is required. Most features are covered by Entrai ID Premium P2, but the most advanced require this license.

As of the writing of this page

  • Entitlement management advanced features
    • Verified ID
    • Custom extensions (Logic Apps)
    • Auto assignment
    • Directly assign any user
    • Guest conversion API
    • Sponsors policy
  • Access reviews advanced features
    • PIM for Groups
    • Inactive Users reviews
    • Machine learning assisted access certifications and reviews
  • Lifecycle Workflows (LCW)
  • LCW + Custom extensions

Lifecycle Workflows (LCW)

A security group called LifecycleTestGroup will be created, as well with a Logic App logic-lifecycle-task and a user newuser.

To use a Logic App with LCW, few requirements must be met. It might be easier to create a Logic App using the LCW console.

These resources can be used to create a lifecycle workflow:

  1. Create (or use the existing) logic app as a custom extension for LCW
  2. Create a new workflow from a template
  3. Trigger the workflow (on-demand, or via schedule)

The user department will be Marketing for this exercise.

The schedule time applies for the whole service, and the default settings is 3h (minimum 1h)

Here is an example with custom extension task:

Sample of final results after execution. Additional information is required for it work completely, such as the manager and email attribute.


Clean-up

⚠️ If you disable security defaults to test conditional access, don't forget to re-enable it

terraform destroy -auto-approve