May 11, 2023

Microsoft 365 Review Observations - WST

Here are a few items of note that keep popping up in Microsoft 365 Security Assessments with our clients.

Global Admin access
Microsoft's stated best practice is to assign the Global Administrator role to at least two, but fewer than five, users. The upper bound of four is somewhat arbitrary. The lower bound is common sense: a single Global Admin means you are one lockout, departure or compromised credential away from losing control of the tenant. But it's not really about the number as much as it is about controlling and limiting who has access to EVERYTHING in the Microsoft 365 tenant.

Most institutions don't use Privileged Identity Management (PIM) and manage access only through the predefined directory roles as standing assignments. That's fine, unless your policy dictates a zero-trust architecture, in which case permanent privileged access runs counter to it. So, if you want to keep admin access management simple, and you've got more than two IT staff members, then arguably only two or three of them need the Global Admin role. All the other admins should be assigned the least-privileged role that matches their job duties (Exchange Administrator, SharePoint Administrator, Helpdesk Administrator, and so on).

Service principals (application identities) should never hold the Global Admin role, and any application whose vendor documentation claims it needs that role should get a very thorough review (it's akin to your core provider saying all users should have local admin rights). Applications that legitimately need elevated access are granted specific API permissions through their app registration in the Azure AD admin portal, with tenant-wide admin consent, not through a directory role.

Managed Service Providers who manage your tenant should not be using a shared account in the Global Admin role, or in any role for that matter; they should be using individually assigned accounts limited to the access they need to support your tenant (Microsoft's Granular Delegated Admin Privileges exists for exactly this purpose). If the MSP is using a shared account, then as part of your vendor management program make them show you how use of that account is auditable and secured. Also, if you have an MSP relationship for Microsoft 365 administration, what does your contract say about continued access to the Microsoft 365 tenant should your relationship with the MSP end (hint: you should hold at least one Global Admin account of your own)?

The best practice here is to assign the Global Admin role to a very limited number of trained senior IT employees, plus one cloud-only emergency ("break glass") account. That account is, mind you, deliberately excluded from the MFA enforcement and Conditional Access policies everyone else gets, so it cannot be locked out by the very controls it exists to bypass; compensate by keeping its credentials under auditable dual control and alerting on every sign-in it makes (Microsoft's current guidance is to give it a strong credential that does not depend on your phone-based or on-premises MFA infrastructure, such as a FIDO2 security key). The number of Global Admins and the complexity of admin access management should be commensurate with your institution's size and complexity.
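As an added example (not from the original article), the following Microsoft Graph PowerShell script enumerates active Global Administrator assignments and flags the conditions discussed above: service principals in the role, fewer than two or more than four human admins, and groups whose membership expands the role invisibly. It assumes the Microsoft.Graph module is installed and that the caller can consent to the read-only scopes; PIM-eligible assignments that have not been activated are not listed.

```powershell
# Added example: audit Global Administrator membership with Microsoft Graph PowerShell.
# Read-only; assumes the Microsoft.Graph SDK module is installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Well-known role template ID of Global Administrator (same in every tenant).
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { throw 'Global Administrator role object not found (role never activated in this tenant).' }

# Members come back as generic directory objects; the concrete type is in @odata.type.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Type        = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        DisplayName = $m.AdditionalProperties['displayName']
        Upn         = $m.AdditionalProperties['userPrincipalName']   # null for service principals and groups
        Id          = $m.Id
    }
}
$report | Sort-Object Type, DisplayName | Format-Table -AutoSize

# Findings, using the thresholds from the text above.
$sps    = @($report | Where-Object Type -eq 'servicePrincipal')
$users  = @($report | Where-Object Type -eq 'user')
$groups = @($report | Where-Object Type -eq 'group')

if ($sps.Count -gt 0) {
    Write-Warning "$($sps.Count) service principal(s) hold Global Admin: $($sps.DisplayName -join ', ')"
}
if ($users.Count -lt 2) {
    Write-Warning 'Fewer than two human Global Admins: one lockout or departure loses control of the tenant.'
}
if ($users.Count -gt 4) {
    Write-Warning "$($users.Count) human Global Admins exceeds the recommended maximum of four."
}
foreach ($g in $groups) {
    # A role-assignable group grants Global Admin to everyone who can be added to it.
    Write-Warning "Group '$($g.DisplayName)' is assigned Global Admin; review its membership and its owners."
}
```

Run it from a workstation with the Microsoft.Graph module; the warnings are the review findings, and the table is the evidence to attach to the assessment. If the tenant uses PIM, repeat the check against eligible assignments, which this script does not cover.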

Conditional Access Policies
There is a basic set of Conditional Access policies that should be configured in every Microsoft 365 tenant. You might argue that you don't have the licensing to support Conditional Access policies. Given the sensitive nature of email access, never mind using SharePoint and OneDrive to store customer data, every Microsoft 365 tenant should have a base level of licensing assigned to users that includes Azure AD Premium P1. This gives your administrators access to features like Conditional Access policies. (If you truly cannot license P1 yet, at least turn on Security Defaults in the meantime; it enforces MFA and blocks legacy authentication tenant-wide, but it is no substitute for policies you control.)

The basic recommended policies include blocking access from outside the United States (using named locations, and treating unresolvable or unknown countries as outside), blocking guest access you haven't explicitly allowed, blocking legacy authentication protocols that cannot satisfy MFA, requiring MFA from all untrusted locations, requiring compliant PC devices, and requiring approved mobile applications. Every policy should exclude your emergency access account so a misconfiguration cannot lock you out.

Also consider requiring compliant mobile devices, blocking downloads to unmanaged devices, blocking security information (MFA) registration from untrusted locations, ALWAYS requiring MFA regardless of location, requiring MFA for guest access, and blocking unsupported device operating systems (e.g., anything not iOS, macOS, Android, or Windows). Create new policies in report-only mode first and review the sign-in logs before enforcing them.
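As an added example (not from the original article), here is how two of the baseline policies above, blocking legacy authentication and always requiring MFA, can be created with Microsoft Graph PowerShell. Both are created in report-only mode and both exclude the emergency access account. It assumes the Microsoft.Graph module and Azure AD Premium P1; the account name `breakglass@contoso.onmicrosoft.com` and the policy names are placeholders.

```powershell
# Added example: create two baseline Conditional Access policies in report-only mode.
# Assumes the Microsoft.Graph SDK module and an Azure AD Premium P1 license.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Placeholder: replace with your real emergency access account. Get-MgUser throws if it
# does not exist, which is what we want; never create these policies without the exclusion.
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'
$breakGlass = Get-MgUser -UserId $breakGlassUpn

# Policy 1: block legacy authentication. Legacy clients (basic auth, ActiveSync without
# modern auth) cannot complete MFA, so a password spray against them is decided by the
# password alone. Blocking them is what makes the MFA policy below meaningful.
$blockLegacy = @{
    displayName = 'CA001 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' = legacy/basic auth clients
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for all users on all cloud apps, from any location.
$requireMfa = @{
    displayName = 'CA002 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    # Idempotent: do not create a duplicate if a policy with this name already exists.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Policy '$($policy.displayName)' already exists; skipping."
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Leave the policies in report-only mode for a week or two, use the Conditional Access insights in the sign-in logs to see which users and devices would have been blocked, fix those (usually a stale mail client still using basic auth), and then set `state` to `enabled`.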

Failure to keep Azure AD Connect updated
Microsoft retired all 1.x versions of Azure AD Connect on August 31, 2022, and as of March 15, 2023 it retires each 2.x release twelve months after a newer version supersedes it; there have been many releases with many bug and security fixes before and after those dates. AAD Connect has an automatic upgrade feature, but it applies only to certain installation types and can be suspended silently when the configuration is customized, so check its state rather than assuming it is working. Remember that the AAD Connect server holds credentials for both your on-premises Active Directory and your Azure AD tenant, which makes it a Tier 0 asset that should be patched and protected like a domain controller. Although we haven't seen a widely exploited AAD Connect vulnerability…yet…keep it current, manually or through auto-upgrade, lest your institution become the case study on why updating AAD Connect is a good thing.

Way back in April 2017, Microsoft ended support for the grandfathers of the modern AAD Connect application, Azure AD Sync and DirSync. So if you're still using those, it's way past time to migrate to AAD Connect.
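As an added example (not from the original article), the following script, run on the AAD Connect server itself, records the installed version and the auto-upgrade and scheduler state so the review has evidence rather than a verbal assurance. It assumes the ADSync module that ships with Azure AD Connect and changes nothing; the `Set-ADSyncAutoUpgrade` command in the warning is only suggested, not executed.

```powershell
# Added example: evidence-gathering check for Azure AD Connect currency.
# Run on the AAD Connect server; assumes the ADSync module installed by AAD Connect. Read-only.
Import-Module ADSync

# The installed version is recorded in the global settings of the sync engine.
$settings = Get-ADSyncGlobalSettings
$version  = ($settings.Parameters |
    Where-Object Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion').Value

# Enabled, Disabled, or Suspended. Suspended means auto-upgrade was blocked, typically
# because the installation or sync rules were customized; it will not self-correct.
$autoUpgrade = Get-ADSyncAutoUpgrade
$scheduler   = Get-ADSyncScheduler

[pscustomobject]@{
    Server           = $env:COMPUTERNAME
    InstalledVersion = $version
    AutoUpgrade      = "$autoUpgrade"
    SyncCycleEnabled = $scheduler.SyncCycleEnabled
    StagingMode      = $scheduler.StagingModeEnabled
    ReviewedOn       = (Get-Date -Format 'yyyy-MM-dd')
}

if ([version]$version -lt [version]'2.0') {
    Write-Warning 'Azure AD Connect 1.x detected: all 1.x versions were retired on August 31, 2022. Upgrade now.'
}
if ("$autoUpgrade" -ne 'Enabled') {
    Write-Warning "Auto-upgrade is '$autoUpgrade'. Either enable it (Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled) or put this server on a documented manual patch schedule."
}
```

Compare `InstalledVersion` against the current release in Microsoft's Azure AD Connect version history; a version more than twelve months behind the latest is, under the retirement policy above, already out of support.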

Authored by: Mike Smith, CBISO
