By using this web site you accept our use of cookies. More information about cookies
Infopulse - Expert Software Engineering, Infrastructure Management Services
By using this web site you accept our use of cookies. More information about cookies
Infopulse - Expert Software Engineering, Infrastructure Management Services
Infopulse - Expert Software Engineering, Infrastructure Management Services

    Send message Please fill in this quick form and we will send you a free quote shortly.
    * Required fields
    Your privacy is important to us. We will never share your data.

      Subscribe to our updates Be among the first to get exclusive content on IT insights, innovations, and best practices.
      * Required fields
      Your privacy is important to us. We will never share your data.

        Subscribe to our New career opportunities Please fill in this quick form to be among the first to receive our updates.
        * Required fields
        Your privacy is important to us. We will never share your data.
        * Required fields
        Your privacy is important to us. We will never share your data.

          Subscribe to our updates Be among the first to get exclusive content on IT insights, innovations, and best practices.
          * Required fields
          Your privacy is important to us. We will never share your data.

            Default avatar Send an email to Viktor Golub Please fill in this quick form to contact our expert directly.
            * Required fields
            Your privacy is important to us. We will never share your data.

              Download ebook Please fill in this quick form
              * Required fields
              Your privacy is important to us. We will never share your data.

                Read the Full Case Study Don't miss the most interesting part of the story!
                Submit this quick form to see the rest and to freely access all case studies on our website.
                * Required fields
                Your privacy is important to us. We will never share your data.
                Infopulse - Expert Software Engineering, Infrastructure Management Services

                How to Create Secure Identity Infrastructure in Azure Cloud

                Reading time: 7 minutes

                In 2020, cybercrime is costing global economies  , with 80% of the threats being password related. Credential stuffing attacks, in particular, are a stinging area of IT security for enterprises since the average cost of an attack is $6mln/year per company  .

                The same Akamai survey suggests that while 100% of organizations have experienced credit stuffing attacks in the past 12 months, only 30% have sufficient solutions to stop attacks. That’s problematic, especially in the wake of remote work, when more and more sensitive data is traveling in and out of the cloud.

                ebook: Innovative Security Approaches to Enable Digital Business Transformation

                Granted, when it comes to Microsoft Azure security, you already have a diverse range of tools for ensuring that no user account can be easily compromised or hacked. However, Azure cloud data security is a shared responsibility. While Microsoft ensures the topmost security of the underlying platform infrastructure, it’s your job to set up custom security facets for your organization, pertaining to identity management and access control.

                In this post, we provide a step-by-step framework for enabling a security-tight, but user-friendly identity management process with the help of Azure Active Directory (AD).

                1. Implement Centralized Identity Management

                If you rely on hybrid environments (e.g., your on-premises data center is extended to Azure cloud), your first step towards Azure protection should be enabling integrated identity management. After integrating on-prem and cloud directories, you can manage all user accounts from a single place, plus provide users with a common identity for accessing both environments. This, in turn, reduces password management costs. Given that almost   are associated with password resets, the savings of a Single Sign-On (SSO) solution can be significant.

                Best Practices:

                • Designate one Azure AD instance to all corporate accounts (on-prem & cloud-based).
                • Use   to enable synchronization between your cloud and on-premises directories.
                • When it comes to high-privilege accounts that you already have in your Active Directory instance, don’t change the default Azure AD Connect configuration fileting them out. Or else, such accounts might meddle in the on-premises assets.
                • Enable password hash synchronization — a feature that helps protect against credential stuffing attacks. This config is particularly valuable as it helps check if users have used the same email/password combo on other services (non-connected to Azure AD), and prevent them from using the same credentials if these have already been compromised.
                • Embed Azure AD into all your newly developed business applications for extra security.

                2. Enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA)

                Single sign-on (SSO) reduces the reliance on multiple passwords and, thus, increases overall Azure cloud security. Instead of asking your business users to maintain multiple passwords for their Salesforce, Microsoft 365, Google apps, and other accounts, you can set up seamless and secure access to all of them via Azure AD. Considering that an average enterprise has   with only 28% being integrated, users are forced to store a lot of passwords (and oftentimes re-use the weak ones). This can lead to security incidents and costly data breaches.

                The benefit of using Azure AD is that many business applications already have pre-integrated SSO connections with it. On top of that, you can find SSO connectors for some 3,000 applications on  .

                You can choose one of two approaches to enable SSO on Azure:

                • Federated SSO. In this case, Azure AD authenticates users with their Azure AD account. This method is available for all applications, supporting the following protocols – SAML 2.0, WS-Federation, or OpenID Connect.
                • Password-based SSO. When using this type of authentication, users are asked to provide a username/password combo to the application during their first access. For all the subsequent logins, Azure AD will supply the login credentials to the connected app.

                More information on the benefits of each SSO method can be found in this  .

                Multi-factor authentication (MFA) is another strong security facet we always recommend implementing as a part of the cloud security strategy.

                MFA is an intermediary measure that can help stop unsolicited login attempts, especially from compromised accounts, by asking the user to provide a second form of authentication for accessing their accounts. Azure provides an array of user-friendly authentication methods such as:

                • One-time text or voice passwords
                • Software token OTPs
                • Microsoft authenticator
                • Windows Hello
                • FIDO2 security keys (in preview).

                According to  , corporate accounts are 99.9% less likely to get hacked with MFA enabled.

                Conditional Access in Azure Active Directory - Infopulse - 1


                With SSO and MFA enabled, you reduce your company’s reliance on passwords and, subsequently, the risks of brute force breaches due to weak passwords.

                3. Proactively Manage User Access

                Having complete visibility into different user roles and permissions is essential to implementing proper security controls. Azure role-based access control (Azure RBAC) is an authorization service, designated for implementing granular access management of Azure resources.

                Consider implementing this service for all staff members.

                When it comes to line-of-business leaders, Azure AD Identity Governance is a service we recommend implementing. A comprehensive solution for managing roles, data, and resources access, Azure AD Identity Governance enables a single pane of glass view into all your employees’ activity and permissions for easy audit and monitoring without placing a strain on their productivity. Running in the background, the app allows you to perform the following tasks across all users, services, and applications, running on-premises, and in the cloud:

                • Govern the identity lifecycle
                • Govern access lifecycle
                • Secure privileged access for administration

                Through one convenient interface, your security team can monitor which users have access to which resources and how they are using that access.

                Privileged Identity Management (PIM) is another facet of Azure identity protection worth leveraging to safeguard the most sensitive data within your company. The service lets you smartly manage access to certain resources and operations in Azure AD, Azure, Microsoft 365, and other SaaS apps. The role of this service is to act as a controller for providing just-in-time privileged access to restricted resources to LOBs who need it, along with monitoring that access usage and automatically terminating it.

                Some of the main PIM features include:

                • Provisioning of time-bound access to certain Azure AD and Azure resources;
                • Approval management for activating privileged roles;
                • Auto-MFA initiation for activating any role;
                • Convenient access reviews for managing roles access;
                • Quick history download for audits.

                PIM is especially important for larger Azure instances as was the case with our client — Metinvest Group. As part of a large-scale digital transformation project, implemented together with Metinvest Digital and encompassing migration of two on-premises data centers (with 680 servers) and some 80,000+ business users, the Infopulse team performed advanced Azure AD configurations for effective management of user roles and permissions. Read the complete case study.

                Bonus tip: Azure Information Protection (AIP) is a handy cloud-based labeling service for discovering, classifying, and protecting various documents and business communication. It further extends the labeling functionality offered by Microsoft 365 and enables the support of additional file types, as well as protects File Explorer and PowerShell.

                4. Actively Monitor Your Security State

                After you are done with the initial setup, check your Azure AD identity secure score — a measure between 1 and 223, indicating how well your infrastructure complies with Microsoft’s security recommendations.

                How to Create Secure Identity Infrastructure in Azure Cloud - Infopulse - 1


                The dashboard shows how well you have coped with various tasks and lets you plan further implements by filtering them by cost and user impact.

                As the next step of your Microsoft Azure information protection plan, enable identity risk monitoring using Azure AD Identity Protection. This ML-based tool helps you automate the detection and mitigation of common identity-based risks and capture relevant data around them for further investigation. By means of Microsoft Intelligent Security Graph, which analyzes over 6,5 trillion signals per day to identify suspicious behavior patterns, these findings are then translated into alerts and mitigation suggestions for Microsoft Identity Protection users.

                Some of the common risks the tool can detect are as follows:

                Common Risks to Detect with Azure AD Identity Protection - Infopulse - 1


                Finally, make sure that you are continuously auditing accesses provided to various SaaS apps so that no third-party product attempts to overstep the granted permissions.

                5. Automate the Common Monitoring and Management Task

                For larger enterprises, effective identity management and security automation is a solid way to realize further TCO savings from Azure migration.

                As already mentioned, Azure AD Identity Protection is a stellar service for automating risk monitoring and taking advantage of Microsoft’s state-of-the-art machine learning algorithms, powering threat detection within this tool. With the help of this service, you can set up automated threat responses to common attack vectors. For example:

                • Roll-out new user risk policies in real-time to remedy compromised accounts.
                • Implement SSO policies in real-time to stall suspicious sign-in attempts.

                Also, to reduce the volume of menial work your IT service desk has to deal with you can integrate Microsoft Graph with Azure AD identity management and other services. This will help you to automate workflows such as:

                • Employee onboarding/termination
                • Profile maintenance
                • Licenses deployment.

                Lastly, many common identity management workflows can also be automated with the Azure Automation service.

                To Conclude

                User credentials have always been an attractive target for malicious parties. With the rise of remote work and rapid cloudification, hackers have become even more determined to access corporate systems as the rewards of doing so have majorly increased. Businesses should stay vigilant and proactive regarding their identity management and monitoring practices. Otherwise, they risk becoming another item in the growing list of recent password-related breaches.

                Infopulse, a Microsoft Gold Partner, CSP Tier 1 for the EU and CIS, and a Forrester-recommended vendor for Microsoft Azure Services, would be delighted to further consult you on Azure Cloud security.

                About the Author

                Default avatar

                Viktor Golub

                Senior Security Expert

                Viktor Golub is an experienced IT professional with a demonstrated history of work in the IT industry. During more than nine years in the industry, he has developed high competence in security system architecture design, complex project management, IT strategy, and helpdesk management. Viktor has contributed to a number of successful information security projects across Europe. His high level of expertise is supported by a Computer Science degree and certification in cybersecurity “Microsoft 365: Security Administrator Associate”.

                Originally published   November 26, 2020 Updated   January 15, 2021