You're reading from Active Directory Administration Cookbook - Second Edition

Product type: Book
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Edition: 2nd Edition
Author: Sander Berkouwer

Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure AD, including decommissioning. He has been MCSA, MCSE, and MCITP-certified for ages, an MCT for the past 5 years and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. Sander is also decorated with Veeam Vanguard and VMware vExpert awards for his international cross-platform knowledge, experience and passion. As the CTO at SCCT, Sander leads a team of architects performing many projects, most of them identity-related, throughout Europe.

Chapter 16: Hardening Azure AD

Azure AD is a Microsoft cloud-based Identity and Access Management (IAM) solution. Over the years, many features have been added to the platform to address the needs of its millions of customers worldwide. Many of these features were security features that weren't turned on by default. For newer Azure AD tenants, some of the security features are turned on by default.

This chapter shows how to configure an Azure AD tenant to increase its confidentiality, integrity, and availability. Some of these features and functionalities might hinder productivity, so you might not want to make changes without communicating these first.

The recipes in this chapter start with recipes any administrator can apply to harden any Azure AD tenant. Then, recipes are covered that require Azure AD Premium P1 licenses. At the end of the chapter, two recipes require Azure AD Premium P2 licenses, and one recipe requires at least one Enterprise Mobility + Security (EMS...

Setting contact information

This recipe shows how to set contact information for the tenant.

Getting ready

When you work in a team, create a distribution list to receive important updates for the Azure AD tenant.

Find out who the contact is for privacy within the organization and where the organization has publicly published its privacy policy.

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

How to do it...

Perform the following steps to set contact information:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform multi-factor authentication (MFA) when prompted.
  4. In the left navigation pane, click Azure Active Directory.
  5. In the Azure Active Directory navigation pane, click Properties...

Preventing non-privileged users from accessing the Azure portal

This recipe shows how to restrict access to the Azure portal so that it is available only to privileged users.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

How to do it...

Perform these steps to restrict access of non-privileged users to the Azure AD portal:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform MFA when prompted.
  4. In the left navigation pane, click Azure Active Directory.
  5. In the Azure Active Directory navigation pane, click User settings to go to the User settings pane for the tenant:

Figure 16.2 – User settings pane

  6. In the User...

Viewing all privileged users in Azure AD

This recipe shows two ways to view all privileged users in Azure AD through the Microsoft Graph application programming interface (API).

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

When using the PowerShell method, install the Microsoft.Graph PowerShell module first. Use the following line of PowerShell on a Windows or Windows Server system that runs Windows PowerShell 5.0 or higher in an elevated Windows PowerShell window:

Install-Module Microsoft.Graph

Press Yes twice.

How to do it...

You can view all privileged users in Azure AD by executing the following lines of PowerShell on the device where you installed the Microsoft.Graph PowerShell module:

Import-Module Microsoft.Graph
Connect-MgGraph -scopes RoleManagement.Read.Directory...
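The following is an added example, not code from the book: it enumerates privileged accounts in two ways using cmdlets from the Microsoft.Graph module (directory roles and their members, then role assignments from the role management API) and flags findings a reviewer would want to see. The output file path is a constructed placeholder.

```powershell
# Added example (not from the book): review privileged accounts in the tenant.
# Assumes the Microsoft.Graph module is installed and the signed-in account may read
# directory roles. Only read scopes are requested; nothing is changed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Way 1: activated directory roles and their members.
# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$byRole = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            ObjectType  = $member.AdditionalProperties['@odata.type']
            DisplayName = $member.AdditionalProperties['displayName']
            Upn         = $member.AdditionalProperties['userPrincipalName']
            ObjectId    = $member.Id
        }
    }
}

# Way 2: role assignments from the role management API, resolved to role names.
$defs = @{}
foreach ($d in Get-MgRoleManagementDirectoryRoleDefinition -All) { $defs[$d.Id] = $d.DisplayName }
$byAssignment = Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    [pscustomobject]@{
        Role        = $defs[$_.RoleDefinitionId]
        PrincipalId = $_.PrincipalId
        Scope       = $_.DirectoryScopeId   # '/' means the assignment is tenant-wide
    }
}

# Review points: groups or service principals holding roles, and the number of
# Global Administrators (keep this set small and known).
$nonUsers     = $byRole | Where-Object ObjectType -ne '#microsoft.graph.user'
$globalAdmins = $byRole | Where-Object Role -eq 'Global Administrator'

$byRole | Sort-Object Role, Upn | Format-Table -AutoSize
$byAssignment | Sort-Object Role | Format-Table -AutoSize
"Global Administrators: $($globalAdmins.Count)"
"Non-user principals in roles: $($nonUsers.Count)"
$byRole | Export-Csv -Path .\PrivilegedUsers.csv -NoTypeInformation   # constructed path
Disconnect-MgGraph
```

Compare both lists: a principal that appears in the role assignment output but not in the directory role output usually indicates a scoped (administrative unit) assignment rather than a tenant-wide one.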

Preventing users from registering or consenting to apps

This recipe shows how to prevent users from consenting to apps.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

How to do it...

Perform the following steps to prevent users from consenting to apps:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform MFA when prompted.
  4. In the left navigation pane, click Azure Active Directory.
  5. In the Azure Active Directory navigation pane, click User settings.
  6. In the User settings pane, change the Users can register applications setting to No.
  7. Click Save at the top of the pane.
  8. In the left navigation pane, click Azure Active Directory again.
  9. In the Azure Active...

Preventing users from inviting guests

This recipe shows how to prevent people in the Azure AD tenant from inviting guests through Azure AD B2B.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

How to do it...

Perform these steps to prevent users from inviting guests:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform MFA when prompted.
  4. In the left navigation pane, click Azure Active Directory.
  5. In the Azure Active Directory navigation pane, click User settings.
  6. Follow the Manage external collaboration settings link to navigate to the External collaboration settings pane:

Figure 16.4 – External collaboration settings pane

...

Allowing and blocking invitations for Azure AD B2B

This recipe shows how to allow or block Domain Name System (DNS) domain names for Azure AD B2B invitations.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

How to do it...

Perform the following steps to allow or block Azure AD B2B invitations:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform MFA when prompted.
  4. In the left navigation pane, click Azure Active Directory.
  5. In the Azure Active Directory navigation pane, click User settings.
  6. Follow the Manage external collaboration settings link.
  7. In the External collaboration settings pane, under Collaboration restrictions, select either the Deny invitations...

Configuring Azure AD join and Azure AD registration

This recipe shows how to limit the Azure AD join and Azure AD registration features for your organization, and allow the Enterprise State Roaming functionality.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

Configuring additional accounts with local administrator privileges on Azure AD-joined devices and enabling Enterprise State Roaming requires Azure AD Premium P1 licenses or Microsoft licenses that include the P1 license, such as Azure AD Premium P2, EMS E3, EMS A3, Microsoft 365 E3, or Microsoft 365 Business licenses.

How to do it...

Configuring the Azure AD join and Azure AD registration features consists of these three distinct configuration changes:

  • Limiting who can join Azure AD devices
  • Limiting who can...

Configuring Intune auto-enrollment upon Azure AD join

This recipe shows how to configure auto-enrollment in Microsoft Intune for mobile device management (MDM) and mobile application management (MAM) upon Azure AD join.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

An MDM solution, such as Microsoft Intune, needs to be configured for the Azure AD tenant. This recipe shows how to configure auto-enrollment for Intune, but when the URLs for your organization's alternative MDM solution are known, the default URLs can be replaced to meet your organization's needs.

How to do it...

Perform these steps to configure Intune auto-enrollment upon Azure AD join:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned...

Choosing between Security defaults and Conditional Access

Azure AD offers the Security defaults feature to offer default security settings for any Azure AD tenant. For administrators of tenants with Azure AD Premium licenses, using Conditional Access offers more flexibility in some respects. This recipe shows how to decide between using Security defaults and Conditional Access.

Getting ready

To make a choice on which to use, you'll need to know the following characteristics of your organization:

  • Has your organization assigned Azure AD Premium P1 licenses to all people in scope for security measures?
  • Has your organization assigned Azure AD Premium P2 licenses to all people in scope for security measures?
  • Does your organization use any applications, services, and/or systems that rely on user accounts in Azure AD instead of security principals?

How to do it...

Use the following flowchart to make the right choice between Security defaults and Conditional...

Configuring Conditional Access

This recipe shows how to switch from Security defaults to Conditional Access and configure Conditional Access policies. As three example policies, we will perform the following configurations:

  • All users can access an Azure AD-integrated application only when they perform MFA.
  • All users can access any Azure AD-integrated application only when they use a hybrid Azure AD-joined device while visiting sensitive countries on business trips.
  • No users can use legacy authentication.

Getting ready

To complete this recipe, sign in to the Azure AD tenant with an account that has the Global administrator or Conditional Access administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator or Conditional Access administrator role in advance.

The Conditional Access functionality requires Azure AD Premium P1 licenses or Microsoft licenses that include the P1 license, such as...
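As an added example that is not part of the book, the first and third example policies above (MFA for one application, and blocking legacy authentication) expressed as Microsoft Graph conditional access policy objects created through the Microsoft.Graph PowerShell module, in report-only mode. The application ID and the emergency access (break-glass) account ID are constructed placeholders.

```powershell
# Added example (not from the book): create two Conditional Access policies in report-only
# mode so their impact can be reviewed in sign-in logs before they are enforced.
# Assumes the Microsoft.Graph module is installed and a Conditional Access administrator account.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency access account, always excluded
$appId        = '11111111-1111-1111-1111-111111111111'   # placeholder: the Azure AD-integrated application

# Policy 1: all users may access the application only after performing MFA.
$mfaPolicy = @{
    displayName   = 'CA01 - Require MFA for example app'
    state         = 'enabledForReportingButNotEnforced'   # report-only; change to 'enabled' after review
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @($appId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: no user may use legacy authentication (client app types that cannot perform MFA).
$legacyPolicy = @{
    displayName   = 'CA02 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($mfaPolicy, $legacyPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# List every policy and its state before enforcing anything.
Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State | Format-Table -AutoSize
Disconnect-MgGraph
```

The second example policy (hybrid Azure AD-joined device required from sensitive countries) additionally needs a named location, which is why it is not included here.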

Accessing Azure AD Connect Health

This recipe shows the benefits of using Azure AD Connect Health to monitor and troubleshoot a hybrid identity implementation.

Getting ready

To complete this recipe, sign in to Azure AD with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance. Access to the Azure AD Connect Health dashboard can be delegated through its role-based access control (RBAC) IAM settings.

The Azure AD Connect Health functionality requires Azure AD Premium P1 licenses or Microsoft licenses that include the P1 license, such as Azure AD Premium P2, EMS E3, EMS A3, Microsoft 365 E3, or Microsoft 365 Business licenses.

How to do it...

Perform these steps:

  1. Navigate your browser to https://aad.portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform MFA when prompted.
  4. In the left...

Configuring Azure AD Connect Health for AD FS

Azure AD Connect Health can be expanded to include monitoring of AD FS servers and Web Application Proxy (WAP) servers of your organization's AD FS implementation. This recipe shows how to do this.

Getting ready

To complete this recipe, sign in to Azure AD with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance. Access to the Azure AD Connect Health dashboard can be delegated through its RBAC IAM settings.

The Azure AD Connect Health functionality requires Azure AD Premium P1 licenses or Microsoft licenses that include the P1 license, such as Azure AD Premium P2, EMS E3, EMS A3, Microsoft 365 E3, or Microsoft 365 Business licenses.

Ensure all AD FS servers and WAP servers run Windows PowerShell 4.0 or above and have Internet Explorer Enhanced Security Configuration (IE ESC) turned off.

How to do it...

...

Configuring Azure AD Connect Health for AD DS

Azure AD Connect Health can be expanded to include monitoring of the domain controllers of your organization's Active Directory implementation. This recipe shows how to do this.

Getting ready

To complete this recipe, sign in to Azure AD with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance. Access to the Azure AD Connect Health dashboard can be delegated through its role-based access control (RBAC) IAM settings.

The Azure AD Connect Health functionality requires Azure AD Premium P1 licenses or Microsoft licenses that include the P1 license, such as Azure AD Premium P2, EMS E3, EMS A3, Microsoft 365 E3, or Microsoft 365 Business licenses.

Ensure all domain controllers run Windows PowerShell 4.0 or above and have IE ESC turned off.

How to do it...

Configuring Azure AD Connect Health for AD DS consists...

Configuring Azure AD PIM

This recipe shows how to get the most out of Azure AD Privileged Identity Management (PIM).

Getting ready

To complete this recipe, sign in to Azure AD with an account that has the Global administrator role assigned to it.

The PIM functionality requires Azure AD Premium P2 licenses or Microsoft licenses that include the P2 license, such as EMS E5, EMS A5, or Microsoft 365 E5.

People whose Azure AD accounts are assigned privileged roles in PIM and are required to perform MFA to request the role should already have registered at least one MFA method.

Tip

Microsoft recommends configuring at least two MFA methods that are not tied to the same mobile number or mobile device.

How to do it...

Perform these steps to set up a person with the Conditional Access administrator privileged role in PIM that requires MFA and a justification to request it:

  1. Navigate your browser to https://portal.azure.com.
  2. Sign in with an account in Azure AD...

Configuring Azure AD Identity Protection

Azure AD Identity Protection offers additional protection to organizations that worry about password breaches. This recipe shows how to configure an MFA registration policy.

Getting ready

To complete this recipe, sign in to Azure AD with an account that has the Global administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

The Azure AD Identity Protection functionality requires Azure AD Premium P2 licenses or Microsoft licenses that include the P2 license, such as EMS E5, EMS A5, Microsoft 365 E5, Microsoft 365 Information Protection and Compliance, or Microsoft 365 Business Premium licenses.

How to do it...

Perform the following steps:

  1. Navigate your browser to https://portal.azure.com.
  2. Sign in with an account in Azure AD that has the Global administrator role assigned.
  3. Perform MFA when prompted.
  4. In the top bar in the search field...

Implementing Defender for Identity

Microsoft Defender for Identity offers additional alerts, reports, and hunting capabilities for Active Directory forests. This recipe shows how to deploy the Defender for Identity sensor on your domain controllers.

Getting ready

To complete this recipe, sign in to the Microsoft 365 Defender portal with an account that has the Global administrator or Security administrator role assigned to it. If the organization uses the Azure AD PIM feature, activate the Global administrator or Security administrator role in advance.

Microsoft Defender for Identity requires at least one EMS E5 or Microsoft 365 license.

To install the Defender for Identity sensor on your domain controllers, sign in with an account that has local administrator privileges on the domain controllers. By default, members of the Administrators, Domain Admins, and Enterprise Admins security groups in Active Directory have these privileges.

How to do it...

Implementing...
