Highly privileged accounts in any tenant need a special type of monitoring and security. Start with the principle of least privilege, which means you grant your administrators exactly the permissions they need to do their job. I have seen many organizations where the number of Global Admins suddenly rose as their IT team grew. As a modern administrator, you need comprehensive records to understand who has Global Admin access, and to what, at any given time. Having this information not only ensures that no one has access to what they shouldn't, but it can also be used to trace the root cause of a cyber-attack if one occurs.
One of the most important aspects of the least privilege principle is that access should be granted only for a specific time, and Azure AD Privileged Identity Management (PIM) lets you achieve that for all highly privileged accounts. I highly recommend using PIM with any administrative role. With PIM, the user is an eligible member of the highly privileged role and must activate the role for a limited time when it is needed. You can configure the PIM settings to require approval, or to send notification emails with the justification, when someone activates their role assignment. Use PIM for Azure AD roles and Azure resources as well.
Note: You can start your day by activating all the roles you need except Global Administrator; activate that one only when you really need it.
Use a dedicated workstation for administrative tasks. Because this workstation isn't used daily for Internet browsing or email, it's better protected from Internet attacks and threats.
You can create an Azure Virtual Desktop (AVD) with a static IP address and have your admins sign in there with their admin accounts for their day-to-day administrative tasks. Then use Conditional Access to block access for those users from anywhere except the AVD virtual machine (exclude the Break Glass Account from this policy).
Note: Do your diligent testing before enabling this policy; you don't want to lock yourself out. Make sure you always exclude the Break Glass Account from all Conditional Access policies.
Keep administrative accounts separate from regular user accounts, and leave them without an O365 license; you definitely don't need to use any kind of privileged account to check email or upload a file.
Avoid using on-premises synced accounts for Azure AD role assignments. If the on-premises account is compromised, your Azure AD resources can be compromised as well.
Even if you don't use passwordless authentication elsewhere in your environment, enable it for the highly privileged accounts.
Create at least one emergency access account. These accounts should hold Global Administrator privileges and should be cloud-only accounts that use the *.onmicrosoft.com domain, are not federated or synchronized from an on-premises environment, and do not use the same multifactor authentication mechanism as the normal administrative accounts. They should be excluded from every policy and monitored whenever they are accessed.
As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people.
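The checks from the points above (no synced accounts, no licenses on admin accounts, cloud-only break-glass accounts on *.onmicrosoft.com, fewer than five Global Administrators) can be scripted against the members of the Global Administrator role. The following is an added example, not code from the original post: the member records mirror the Microsoft Graph user fields `userPrincipalName`, `onPremisesSyncEnabled` and `assignedLicenses`, and the sample data is constructed.

```python
# Audit Global Administrator members against the practices above.
# Member records mirror Microsoft Graph user fields; the sample is constructed.

MAX_GLOBAL_ADMINS = 5  # the article's guidance: fewer than five holders


def audit_global_admins(members, break_glass_upns):
    """Return a list of (upn, issue) findings; an empty list means clean.

    members: list of dicts with Graph user fields.
    break_glass_upns: set of lower-case UPNs of the emergency access accounts.
    """
    findings = []
    if len(members) >= MAX_GLOBAL_ADMINS:
        findings.append(("tenant", f"{len(members)} Global Administrators; "
                                   f"keep it under {MAX_GLOBAL_ADMINS}"))
    seen_break_glass = set()
    for m in members:
        upn = m["userPrincipalName"]
        is_break_glass = upn.lower() in break_glass_upns
        if is_break_glass:
            seen_break_glass.add(upn.lower())
        # Graph reports onPremisesSyncEnabled as null for cloud-only users
        if m.get("onPremisesSyncEnabled"):
            findings.append((upn, "synced from on-premises AD"))
        if m.get("assignedLicenses"):
            findings.append((upn, "has Microsoft 365 licenses assigned"))
        if is_break_glass and not upn.lower().endswith(".onmicrosoft.com"):
            findings.append((upn, "break-glass account is not on *.onmicrosoft.com"))
    # every emergency access account must actually hold the role
    for upn in sorted(break_glass_upns - seen_break_glass):
        findings.append((upn, "break-glass account is not a Global Administrator"))
    return findings


# Constructed sample, shaped like GET /directoryRoles/{id}/members output
SAMPLE_MEMBERS = [
    {"userPrincipalName": "adm-alice@contoso.onmicrosoft.com",
     "onPremisesSyncEnabled": None, "assignedLicenses": []},
    {"userPrincipalName": "bob@contoso.com", "onPremisesSyncEnabled": True,
     "assignedLicenses": [{"skuId": "00000000-0000-0000-0000-000000000000"}]},
    {"userPrincipalName": "breakglass1@contoso.onmicrosoft.com",
     "onPremisesSyncEnabled": None, "assignedLicenses": []},
]
BREAK_GLASS = {"breakglass1@contoso.onmicrosoft.com",
               "breakglass2@contoso.onmicrosoft.com"}

if __name__ == "__main__":
    for upn, issue in audit_global_admins(SAMPLE_MEMBERS, BREAK_GLASS):
        print(f"{upn}: {issue}")
```

Run the same function against a PIM eligible-assignment listing as well, since eligible members become Global Administrators on activation.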
Use PIM to configure periodic access reviews of administrators' access and make sure only the right people retain it.
In this article, I went through the best practices for securing highly privileged accounts. These accounts hold the keys to the throne, and it is in your best interest to keep the attack surface low. Follow these best practices and do your best to secure those accounts.
Visit my LinkedIn to learn more about my professional experience.
Moe Kinani
Copyright © 2020 MoeKinani - All Rights Reserved.