Itay Nachum

Hybrid computing environments will be the norm for the foreseeable future: According to a 2021 Gartner report, only 3% of mid-sized and large organizations will migrate completely from on-premises Active Directory (AD) to a cloud-based identity service by 2025. But IT leaders managing hybrid environments face an increasingly complex challenge: effectively securing identity systems that encompass both on-prem AD and Azure AD. This hybrid world has a risk landscape very different from the one that confronted AD admins two decades ago.

As cloud use exploded, attackers took note of this shift and turned their focus to compromising cloud credentials, which they can use to gain elevated privileges across the system—including in the on-prem AD environment—and drop malware.

Securing and monitoring Azure AD, even for organizations that are using Azure AD only as a byproduct of implementing Microsoft 365, has become a critical part of maintaining business operations. Just as protecting AD involves detecting unauthorized changes and remediating any misconfigurations and vulnerabilities, the same is true for Azure AD.

To help organizations address these challenges, we have updated our Directory Services Protector (DSP) solution with new threat indicators designed specifically to help assess the security posture of Azure AD. Combined with DSP’s threat indicators for Active Directory, the new capabilities allow organizations to protect identities across their on-premises and cloud environments.

Every client is responsible for setting and customizing Azure AD’s security controls in a manner that makes sense for their organization. Because Azure AD enables secure access to internal resources as well as Microsoft 365—and countless other software-as-a-service (SaaS) applications—failing to identify risky configurations and unapproved or accidental changes in Azure AD can bring the modern enterprise to a grinding halt.

In introducing Azure AD indicators into DSP, we prioritized indicators that help organizations address some of the most common attack vectors that threat actors use to gain access to the AD environment, which can lead to an escalation of privileges and eventually to deployment of malware. Here’s a rundown of Azure AD security indicators in DSP and why they’re important to track to improve your Azure AD security posture.

1. Administrative units are not being used

In Azure AD, administrative units are a resource that can contain users, groups, or devices. They can be used to restrict permissions in a role to any portion of the organization they specify, such as a particular business unit or geography. Attackers that compromise an administrative account could have wide-ranging access across resources, so using administrative units helps you limit the scope of specific admins and ensure that a single compromise of credentials is constrained and doesn’t affect the entire environment.

2. Azure application registration granted read access

See #4.

3. Azure application registration granted write access

See #4.

4. Azure application registrations added or removed

Indicators 2 through 4 check whether, within the past seven days, application registrations were added or removed and whether read or write API permissions were granted to (or revoked from) them. While these actions might not always be a security concern, a malicious or misconfigured application can lead to data exposure or compromise of an Azure tenant.
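As an added illustration of the seven-day window these three indicators use (example code written for this article, not part of DSP), the script below walks Azure AD audit entries shaped like Microsoft Graph /auditLogs/directoryAudits records, keeps successful "Add application", "Delete application" and permission-grant events from the last seven days, and splits granted permissions into read and write by name. The audit entries, the contoso.example tenant and the user names are constructed; the assumption that granted permission names appear in modifiedProperties under "AppRole.Value" is marked in the code.

```python
"""Added example: flag Azure AD application-registration and permission-grant
events inside a trailing seven-day window. Input entries follow the Microsoft
Graph /auditLogs/directoryAudits shape; all sample entries are constructed."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)

# Activity names as they appear in the Azure AD audit log.
APP_LIFECYCLE = {"Add application": "added", "Delete application": "removed"}
PERMISSION_GRANTS = {
    "Add app role assignment to service principal",  # application permission granted
    "Consent to application",                        # delegated / admin consent
}


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def access_level(permission):
    """Classify a Graph permission by name: anything granting Write is write access."""
    return "write" if "Write" in permission else "read"


def granted_permissions(entry):
    """Permission names recorded in modifiedProperties under 'AppRole.Value'
    (assumed property name; newValue is a JSON-encoded string, hence the strip)."""
    names = []
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "AppRole.Value" and prop.get("newValue"):
                names.append(prop["newValue"].strip('"'))
    return names


def initiator(entry):
    """Audit entries are initiated by a user or by an app; report whichever is present."""
    by = entry.get("initiatedBy", {})
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def review_app_changes(entries, now):
    """Return (finding, target, initiator) tuples for successful events in the window."""
    cutoff = now - WINDOW
    findings = []
    for entry in entries:
        if entry.get("result") != "success":
            continue  # failed attempts are worth hunting separately, not reported here
        if parse_graph_time(entry["activityDateTime"]) < cutoff:
            continue
        activity = entry["activityDisplayName"]
        targets = entry.get("targetResources") or [{}]
        target = targets[0].get("displayName", "?")
        who = initiator(entry)
        if activity in APP_LIFECYCLE:
            findings.append((f"app-{APP_LIFECYCLE[activity]}", target, who))
        elif activity in PERMISSION_GRANTS:
            for perm in granted_permissions(entry):
                findings.append((f"permission-{access_level(perm)}", f"{target}:{perm}", who))
    return findings


# Constructed sample audit entries (contoso.example is a placeholder tenant).
SAMPLE_NOW = datetime(2023, 5, 15, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"activityDateTime": "2023-05-13T09:12:00Z", "activityDisplayName": "Add application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Invoice Sync", "type": "Application"}]},
    # Outside the window: ignored.
    {"activityDateTime": "2023-05-01T08:00:00Z", "activityDisplayName": "Delete application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Old Connector", "type": "Application"}]},
    {"activityDateTime": "2023-05-14T10:00:00Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Invoice Sync", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "\"Directory.ReadWrite.All\""}]}]},
    {"activityDateTime": "2023-05-12T16:30:00Z", "activityDisplayName": "Consent to application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Invoice Sync", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "AppRole.Value",
                                                  "newValue": "\"User.Read.All\""}]}]},
    # A failed registration attempt: skipped by the result filter.
    {"activityDateTime": "2023-05-14T11:00:00Z", "activityDisplayName": "Add application",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}},
     "targetResources": [{"displayName": "Helpdesk Tool", "type": "Application"}]},
]

if __name__ == "__main__":
    for finding in review_app_changes(SAMPLE_ENTRIES, SAMPLE_NOW):
        print(finding)
```

Run against a real export, the three findings the sample yields would each map to one of indicators 2 to 4; entries older than the window or with a non-success result are dropped before classification, which is why the deleted "Old Connector" registration and the failed "Helpdesk Tool" attempt do not appear.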

5. Check for guests having permission to invite other guests

Guest users should not be able to invite other guests to access your cloud resources. This power should be limited to admins to maintain tight control, and DSP will check to ensure this setting is properly configured.

6. Check for risky API permissions granted to application service principals

A service principal object is created when an application is given permission to access resources. If an application's service principal has been granted excessive API permissions, that could open the door to malicious activity.
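To make the check concrete, here is an added example (written for this article, not DSP's own logic) that resolves a service principal's appRoleAssignments to permission names using the appRoles published by the resource application, and flags the permissions that hand an application directory-wide write, role-assignment or self-escalation power. The object shapes follow Microsoft Graph's servicePrincipal.appRoles and appRoleAssignment; the permission names in the risky set are real Microsoft Graph application permissions, but the GUIDs, service principal names and assignments are constructed.

```python
"""Added example: resolve an application's appRoleAssignments to permission
names and flag the ones that give a service principal directory-wide power.
Shapes follow Microsoft Graph servicePrincipal.appRoles and appRoleAssignment;
the GUIDs below are constructed, not the real Microsoft Graph appRole ids."""

# Application permissions that let a service principal rewrite the directory,
# assign roles, or grant itself more permissions (real Graph permission names).
RISKY_APP_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
    "Mail.ReadWrite",
}


def index_app_roles(resource_app_roles):
    """Map each enabled appRole id published by the resource (e.g. Microsoft Graph) to its value."""
    return {role["id"]: role["value"] for role in resource_app_roles if role.get("isEnabled", True)}


def find_risky_grants(assignments, resource_app_roles):
    """Return (principal, permission, verdict) tuples.

    An appRoleId the resource no longer publishes is reported as 'unresolved'
    so a stale grant is reviewed rather than silently ignored."""
    roles = index_app_roles(resource_app_roles)
    findings = []
    for assignment in assignments:
        value = roles.get(assignment["appRoleId"])
        if value is None:
            findings.append((assignment["principalDisplayName"], assignment["appRoleId"], "unresolved"))
        elif value in RISKY_APP_PERMISSIONS:
            findings.append((assignment["principalDisplayName"], value, "risky"))
    return findings


# Constructed sample: a subset of the resource's appRoles with made-up ids.
GRAPH_APP_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All", "isEnabled": True},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All", "isEnabled": True},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "RoleManagement.ReadWrite.Directory", "isEnabled": True},
]

# Constructed sample appRoleAssignments across three service principals.
ASSIGNMENTS = [
    {"principalDisplayName": "HR Portal", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"principalDisplayName": "Invoice Sync", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "aaaaaaaa-0000-0000-0000-000000000002"},
    {"principalDisplayName": "Invoice Sync", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003"},
    # A grant whose role id the resource no longer advertises.
    {"principalDisplayName": "Old Connector", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "aaaaaaaa-0000-0000-0000-0000000000ff"},
]

if __name__ == "__main__":
    for principal, permission, verdict in find_risky_grants(ASSIGNMENTS, GRAPH_APP_ROLES):
        print(f"{verdict:10} {principal}: {permission}")
```

Resolving ids against the resource's own appRoles, rather than hard-coding GUIDs, keeps the check valid across resource applications; the "unresolved" verdict is deliberate, since a grant that no longer maps to a published role is exactly the kind of leftover an assessment should surface.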

7. Check if legacy authentication is allowed

Azure AD supports various authentication protocols. Unfortunately, legacy authentication methods might not support multifactor authentication (MFA), a critical component of account protection. Allowing legacy authentication increases the risk that an attacker will log on using previously compromised credentials.

8. MFA is not configured for privileged accounts

MFA is critical for protecting accounts from credential theft. In the case of privileged accounts, MFA is even more important, and DSP will issue a warning if the feature is not enabled.
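Indicators 7 and 8 both come down to what the tenant's conditional access policies actually enforce. The added example below (written for this article, not DSP's code) evaluates policy objects in the Microsoft Graph conditionalAccessPolicy shape: it treats report-only and disabled policies as enforcing nothing, accepts security defaults as a valid legacy-authentication block, and checks whether a given role template is required to use MFA across all cloud apps. The Global Administrator role template id is the fixed value Azure AD uses; the two sample policies are constructed.

```python
"""Added example: decide from a tenant's conditional access policies whether
legacy authentication is still allowed (indicator 7) and whether a privileged
role is required to use MFA (indicator 8). Policy objects follow the Microsoft
Graph conditionalAccessPolicy shape; the sample policies are constructed."""

# Role template id of Global Administrator (a fixed value across tenants).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"

# clientAppTypes values that represent legacy (non-modern) authentication.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def enforced(policy):
    """Report-only ('enabledForReportingButNotEnforced') and disabled policies protect nothing."""
    return policy.get("state") == "enabled"


def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def blocks_legacy_auth(policy):
    """An enforced block for all users and apps covering both legacy client types."""
    cond = policy.get("conditions", {})
    types = set(cond.get("clientAppTypes", []))
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    return (enforced(policy)
            and ("all" in types or LEGACY_CLIENT_TYPES <= types)
            and "All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", [])
            and "block" in controls(policy))


def legacy_auth_allowed(policies, security_defaults_enabled=False):
    """Security defaults block legacy auth on their own; otherwise a CA policy must."""
    if security_defaults_enabled:
        return False
    return not any(blocks_legacy_auth(p) for p in policies)


def mfa_required_for_role(policies, role_template_id):
    """True if an enforced policy targets the role (directly or via 'All' users),
    does not exclude it, and requires MFA on all cloud apps."""
    for policy in policies:
        if not enforced(policy):
            continue
        users = policy.get("conditions", {}).get("users", {})
        apps = policy.get("conditions", {}).get("applications", {})
        targeted = (role_template_id in users.get("includeRoles", [])
                    or "All" in users.get("includeUsers", []))
        excluded = role_template_id in users.get("excludeRoles", [])
        if (targeted and not excluded
                and "All" in apps.get("includeApplications", [])
                and "mfa" in controls(policy)):
            return True
    return False


# Constructed sample: a report-only legacy block (not enforced) and an MFA policy for admins.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMINISTRATOR], "excludeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print("legacy auth allowed:", legacy_auth_allowed(SAMPLE_POLICIES))
    print("MFA required for Global Administrator:",
          mfa_required_for_role(SAMPLE_POLICIES, GLOBAL_ADMINISTRATOR))
```

The report-only state is the edge case worth remembering: a tenant can have a legacy-authentication block that looks complete in the portal yet enforces nothing, which is exactly what the sample's first policy models.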

9. Privileged group contains guest account

The number of privileged accounts should be limited per the principle of least privilege. The presence of a guest account in a privileged group could be a sign of excessive permissions or compromise by an attacker.

10. Security defaults not enabled

Security defaults, such as blocking legacy authentication protocols and requiring MFA for administrators, offer an important layer of protection for Azure AD. Security defaults should be used for tenants that have no conditional access policies configured. This indicator notifies organizations if these defaults are not in effect.

11. Unrestricted user consent allowed

This indicator checks whether users are allowed to add applications from unverified publishers. This setting can create additional risk, as those applications might take intrusive or risky actions.

12. Azure AD privileged users that are also privileged in AD

This indicator checks for Azure AD privileged users that are also privileged in on-premises AD. The compromise of an account that is privileged in both AD and Azure AD can result in both environments being compromised.
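Indicators 9 and 12 are both questions about who sits in privileged Azure AD roles. The added example below (written for this article, not DSP's code) walks directoryRoles objects with their members expanded, as Microsoft Graph returns them, and reports guest members of privileged roles as well as synced members whose onPremisesSecurityIdentifier matches a SID exported from on-premises privileged groups such as Domain Admins. The role names are real built-in Azure AD roles; the member objects, SIDs and the contoso.example tenant are constructed.

```python
"""Added example: review privileged Azure AD role membership for guest accounts
(indicator 9) and for synced users who are also privileged in on-premises AD
(indicator 12). Role objects follow Microsoft Graph directoryRoles with members
expanded; the on-prem SID set stands in for Domain Admins membership exported
from AD. All sample data is constructed."""

# Built-in role names treated as privileged for this check (real Azure AD role names).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "User Administrator",
}


def review_privileged_members(directory_roles, onprem_privileged_sids, privileged_roles=PRIVILEGED_ROLES):
    """Return (finding, role, userPrincipalName) tuples.

    Only user members are inspected; groups and service principals assigned to a
    role need their own expansion and are skipped here."""
    findings = []
    for role in directory_roles:
        if role.get("displayName") not in privileged_roles:
            continue
        for member in role.get("members", []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue
            upn = member.get("userPrincipalName")
            if member.get("userType") == "Guest":
                findings.append(("guest-in-privileged-role", role["displayName"], upn))
            # Synced accounts carry the on-prem SID; match it against AD's privileged groups.
            sid = member.get("onPremisesSecurityIdentifier")
            if member.get("onPremisesSyncEnabled") and sid in onprem_privileged_sids:
                findings.append(("privileged-in-ad-and-azure-ad", role["displayName"], upn))
    return findings


# Constructed sample: SIDs of Domain Admins members, as exported from on-prem AD.
ONPREM_PRIVILEGED_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105",  # alice
    "S-1-5-21-1111111111-2222222222-3333333333-1200",  # svc-backup (not in any cloud role)
}

# Constructed sample directoryRoles with members expanded.
SAMPLE_ROLES = [
    {"displayName": "Global Administrator", "members": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example",
         "userType": "Member", "onPremisesSyncEnabled": True,
         "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
        {"@odata.type": "#microsoft.graph.user",
         "userPrincipalName": "partner_fabrikam.example#EXT#@contoso.example",
         "userType": "Guest", "onPremisesSyncEnabled": None},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "Automation"},
    ]},
    {"displayName": "User Administrator", "members": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "carol@contoso.example",
         "userType": "Member", "onPremisesSyncEnabled": True,
         "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1300"},
    ]},
    # Directory Readers is not in the privileged set, so its guest member is not reported.
    {"displayName": "Directory Readers", "members": [
        {"@odata.type": "#microsoft.graph.user",
         "userPrincipalName": "guest2_x.example#EXT#@contoso.example", "userType": "Guest"},
    ]},
]

if __name__ == "__main__":
    for finding in review_privileged_members(SAMPLE_ROLES, ONPREM_PRIVILEGED_SIDS):
        print(finding)
```

Correlating on the SID rather than on the display name or UPN is the design choice that matters: the SID is what Azure AD Connect carries across from AD, so it ties a cloud role member to the exact on-prem account without the false matches a name comparison would produce.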

13. Non-admin users can register custom applications

This indicator checks for the existence of an authorization policy that enables non-admin users to register custom applications. If non-admin users are allowed to register custom-developed enterprise applications, attackers might use that loophole to register nefarious applications, which they can then leverage to gain additional permissions.
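Indicators 1, 5, 10, 11 and 13 are all tenant-wide settings rather than per-object checks. The added example below (written for this article, not DSP's code) evaluates them together from the Microsoft Graph authorizationPolicy, identitySecurityDefaultsEnforcementPolicy, conditional access policy list and administrativeUnits resources: guest invitations via allowInvitesFrom, unrestricted consent via the legacy permission grant policy assigned to the default user role, application registration via defaultUserRolePermissions.allowedToCreateApps, and security defaults, which only count as a finding when no enforced conditional access policy exists. The property names and policy identifiers are the real Graph ones; the two sample tenants are constructed.

```python
"""Added example: tenant-wide settings behind indicators 1, 5, 10, 11 and 13,
read from the Microsoft Graph authorizationPolicy,
identitySecurityDefaultsEnforcementPolicy, conditional access policies and
administrativeUnits resources. The sample tenant objects are constructed."""

# Permission grant policy that lets any user consent to any app (unrestricted user consent).
UNRESTRICTED_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"


def assess_tenant_settings(authorization_policy, security_defaults, ca_policies, admin_units):
    """Return the list of indicator names that fire for this tenant."""
    findings = []

    # 1. Administrative units scope admin roles; none defined means every admin is tenant-wide.
    if not admin_units:
        findings.append("Administrative units are not being used")

    # 5. allowInvitesFrom=everyone lets guests invite further guests.
    if authorization_policy.get("allowInvitesFrom") == "everyone":
        findings.append("Guests can invite other guests")

    # 10. Security defaults matter when no enforced conditional access policy exists.
    enforced_ca = [p for p in ca_policies if p.get("state") == "enabled"]
    if not security_defaults.get("isEnabled") and not enforced_ca:
        findings.append("Security defaults not enabled")

    # 11. The legacy grant policy on the default user role is unrestricted consent.
    consent_policies = authorization_policy.get("permissionGrantPolicyIdsAssignedToDefaultUserRole", [])
    if UNRESTRICTED_USER_CONSENT in consent_policies:
        findings.append("Unrestricted user consent allowed")

    # 13. allowedToCreateApps on the default user role lets non-admins register applications.
    default_perms = authorization_policy.get("defaultUserRolePermissions", {})
    if default_perms.get("allowedToCreateApps"):
        findings.append("Non-admin users can register custom applications")

    return findings


# Constructed sample: a tenant left on permissive settings.
WEAK_TENANT = {
    "authorization_policy": {
        "allowInvitesFrom": "everyone",
        "permissionGrantPolicyIdsAssignedToDefaultUserRole": [UNRESTRICTED_USER_CONSENT],
        "defaultUserRolePermissions": {"allowedToCreateApps": True, "allowedToCreateSecurityGroups": True},
    },
    "security_defaults": {"isEnabled": False},
    "ca_policies": [],
    "admin_units": [],
}

# The same tenant after hardening: consent limited to verified publishers / low-risk permissions,
# invitations limited to admins and guest inviters, registration reserved for admins, and an
# enforced conditional access policy in place of security defaults.
HARDENED_TENANT = {
    "authorization_policy": {
        "allowInvitesFrom": "adminsAndGuestInviters",
        "permissionGrantPolicyIdsAssignedToDefaultUserRole": ["ManagePermissionGrantsForSelf.microsoft-user-default-low"],
        "defaultUserRolePermissions": {"allowedToCreateApps": False, "allowedToCreateSecurityGroups": False},
    },
    "security_defaults": {"isEnabled": False},
    "ca_policies": [{"displayName": "Require MFA for all users", "state": "enabled"}],
    "admin_units": [{"displayName": "EMEA helpdesk scope"}],
}

if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, assess_tenant_settings(**tenant))
```

The hardened tenant still has security defaults switched off, and the check deliberately stays quiet about it because an enforced conditional access policy is present; that mirrors the guidance above that security defaults are the fallback for tenants with no conditional access configured.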

Securing a hybrid identity environment

As threats change, security strategies should change with them. Risky changes to Azure AD—whether they are attributable to a cyberattack or an accident—can result in significant downtime and business disruption. Organizations need an approach to hybrid identity management that spans their entire environment, and that requires not only detecting policy violations and misconfigurations but also tracking changes and correlating them with activity happening on-premises and in the cloud. Armed with threat indicators based on an understanding of risk, organizations can proactively combat problems before they arise.