Security implementation for various services from the Azure Identity domain.
⚠️ If you disable security defaults to test conditional access, don't forget to re-enable it
Initiate the baseline resources:
You must disable security defaults to use conditional access.
# Set up according to your Tenant
cp config/sample.tfvars .auto.tfvars
# Create the resources
terraform init
terraform apply -auto-approveYou can configure this: None, Selected, All
Number of methods required to reset (1 or 2), and the methods available.
Require users to register when signing in, number of days before users are asked to re-confirm their authentication information.
What to review:
- Teams + Groups
- All Microsoft 365 groups with guest users
- Select Teams + Groups
- Applications
It is possible to create multi-stage.
Reviewers:
- Group owners(s)
- Selected user(s) or group(s)
- Users review their own access - if they can't, group owner reviews
- Managers of users (synced attribute from Active Directory)
Recurrence is set.
Settings are then configured such as:
- Apply or not the results to resource
- No response behavior
- No change
- Remove access
- Approve access
- Take recommendations
- Notifications
- Justifications
- etc.
Reviewers can access the access reviews on the My Access portal.
It is important to remind that inclusions are overwritten by exclusions:
When organizations both include and exclude a user or group, the user or group is excluded from the policy. The exclude action overrides the include action in policy. Exclusions are commonly used for emergency access or break-glass accounts.
Risk reports:
Based of the portal, but also on the documentation and blob
- Risky users
- Risky workload identities
- Risky sign-ins
- Risk detections
You can enable User and Sign-in risk protection directly, or use Conditional Access (recommended).
Microsoft provides this article with tips for simulating risk events.
For example, simulating anonymous IP address using Tor browser to access https://myapps.microsoft.com/ (set the Risk level to Low in the dashboard).
A conditional access will be create with Report-only functionality. Change to On when ready.
This policy will require MFA when for risky logins.
Cloud Apps such as Docusign and AWS.
Options such as periodic authentication (hours, days) or every time.
A persistent browser session allows users to remain signed in after closing and reopening their browser window.
Must have All cloud apps enabled.
Continuous Access Evaluation (CAE) allows access tokens to be revoked based on critical events and policy evaluation in real time rather than relying on token expiration based on lifetime.
There is also a dedicated available MFA policy:
To reach the MFA additional settings hot site:
Users can have the following MFA statuses:
- Disabled (default) - User not enrolled in per-user Microsoft Entra MFA. Does not affect Legacy, browser, or modern.
- Enabled - User is enrolled in per-user Microsoft Entra MFA, but can still use password for legacy authentication. Will be prompted to register for modern authentication when session or token expires.
- Enforced - User is enrolled per-user Microsoft Entra MFA and must sign-in with MFA.
Importantly:
Don't enable or enforce per-user Microsoft Entra multifactor authentication if you use Conditional Access policies.
By accessing "All Users" > "Per-user MFA":
Different methods are available to license MFA on Entra:
Microsoft Entra multifactor authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features via Security Defaults. You may already be entitled to use advanced Microsoft Entra multifactor authentication depending on the Microsoft Entra ID, EMS, or Microsoft 365 license you currently have. For example, the first 50,000 monthly active users in Microsoft Entra External ID can use MFA and other Premium P1 or P2 features for free.
It is worth pointing out that on PIM, MFA enablement will override per-user settings.
Custom roles will be created.
Entra ID actions allow only for granted permissions.
Azure RM actions have the capability for Action (allow) and Not Action (deny).
Custom roles can also be shared across different subscriptions that trust the same Microsoft Entra tenant. For example, the assignable scope can ge set to a Management Group.
Current limits are 5,000 custom roles per tenant.
There are also relevant prerequisites.
The following additional scenarios are implemented in this project.
It's possible to add the following objects to a Security Group:
- Users
- Security Groups
- Devices
- Enterprise Applications
- Managed Identities
You cannot add Application Registrations, they must be enterprise.
For this scenario, the following groups are created:
| Name | Type | Assignable to Entra ID roles |
|---|---|---|
| NestingGroup1 | Microsoft 365 group | Yes |
| NestingGroup2 | Security group | No |
| NestingGroup3 | Security group | Yes |
| NestingGroup4 | Security group | Yes |
In this scenario, this is currently prohibited:
- Cannot nest Microsoft 365 into other groups.
- Cannot nest groups into Entra ID assignable groups.
To use all governance features, an additional Microsoft Entra ID Governance license is required. Most features are covered by Entrai ID Premium P2, but the most advanced require this license.
As of the writing of this page
- Entitlement management advanced features
- Verified ID
- Custom extensions (Logic Apps)
- Auto assignment
- Directly assign any user
- Guest conversion API
- Sponsors policy
- Access reviews advanced features
- PIM for Groups
- Inactive Users reviews
- Machine learning assisted access certifications and reviews
- Lifecycle Workflows (LCW)
- LCW + Custom extensions
A security group called LifecycleTestGroup will be created, as well with a Logic App logic-lifecycle-task and a user newuser.
To use a Logic App with LCW, few requirements must be met. It might be easier to create a Logic App using the LCW console.
These resources can be used to create a lifecycle workflow:
- Create (or use the existing) logic app as a custom extension for LCW
- Create a new workflow from a template
- Trigger the workflow (on-demand, or via schedule)
The user department will be Marketing for this exercise.
The schedule time applies for the whole service, and the default settings is 3h (minimum 1h)
Here is an example with custom extension task:
Sample of final results after execution. Additional information is required for it work completely, such as the manager and email attribute.
⚠️ If you disable security defaults to test conditional access, don't forget to re-enable it
terraform destroy -auto-approve