ITPro-Tips

Azure Active Directory Best Practices

Published on 22 Mar 2020

Bastien Perez
Bastien Perez

Clap

For now, this article is just a checklist. I have a bunch of documentations on my side to configure for each topic. But if you want to start from now, here are the ressources:

  1. Use Microsoft Microsoft Secure Score
  2. Use Microsoft Identity Protection (Azure AD Premium P2 needed)
  3. Create beak glass emergency admin account
  4. Use least privileged
  5. Configure password hash synchronization (PHS) or pass-through authentication (PTA) or use Federation
  6. Take advantage of Password Protection to protect cloud and on-premises (Active Directory) password
  7. Configure Seamless SSO
  8. Enable Modern authentication (and block basic authentication)
  9. Use Multi Factor Authentication with Microosft Authenticator or other software token without license. Hardware token need Azure AD Premium license. More info about license here
  10. Go PasswordLess (currently in preview and only works from computer browser. Not support neither Android/iOS or PowerShell. Not publicly available for Windows authentication on hybrid join computers)
  11. Configure company branding and teach users to not trust page without the custom logo/background. BUT be careful about the upcoming changes in the background
  12. Block application registration by end-user (https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/UserSettings)
  13. Block Users can consent to apps accessing company data on their behalf
  14. Enable admin consent to give end users a way to request access to applications
  15. Restrict access to Azure AD administration portal (https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/UserSettings )
  16. Manage guests settings (manage external collaboration settings)
  17. Enable Self Service password
  18. Enable Conditionnal access
  19. Configure SaaS enterprise application with Single Sign-On and SCIM provisioning(if possible). Even if the application is NOT on the gallery, you can set up Single Sign-On with SAMLor password based (add-on in browser needed)
  20. Check Azure AD related applications with this script and this one (and delete application not needed)
  21. Configure on-premise application with Azure AD Proxy (Azure AD Premium needed for each user who access the app) or use see previous point if application has SAML
  22. Audit risky logins weekly (needed Azure AD Premium).

Comments

banner-Bastien Perez
Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France