Microsoft Security – Best Practices for Cloud

Our Microsoft partner, SYNNEX, compiled the following guidelines established by Microsoft to ensure the highest level of security. Included below, they’ve provided security guidelines for the prevention of and response to security incidents and links to the related Microsoft articles for each recommended action.

Below are recommended best practices for use at all times. Follow these steps in this priority order.

1. Use Identity Isolation to limit exposure of credentials
   • Azure Guidance for Secure Isolation| Microsoft Docs
   • What is Azure role-based access control (Azure RBAC)? | Microsoft Docs
   • Steps to assign an Azure role – Azure RBAC | Microsoft Docs
2. Enable MFA on all user scenarios
   • Enable Azure AD Multi-Factor Authentication | Microsoft Docs
   • Configure Azure AD Multi-Factor Authentication – Azure Active Directory | Microsoft Docs
   • Set up multi-factor authentication for users – Microsoft 365 admin | Microsoft Docs
3. Store secrets in approved locations (ex: Key Vault)
   • Configure and manage secrets in Azure Key Vault – Learn | Microsoft Docs
4. Enable auditing for access to important resources
   • Azure security logging and auditing | Microsoft Docs
   • Audit logs in Azure Active Directory | Microsoft Docs
   • Enable security audits for Azure AD Domain Services | Microsoft Docs
5. Use minimal required permission level
   • Best practices for least privileged access on Azure AD – Microsoft identity platform | Microsoft Docs
6. Perform periodicity review of Activity Audit logs, checking for:
   • Were new groups and/or accounts provisioned?
   • Is the set of privileged users correct?
   • Has the set of users/applications for the Admin Agent group changed?
     • What are access reviews? – Azure Active Directory | Microsoft Docs
     • Manage user access with access reviews – Azure AD | Microsoft Docs

In the event of any suspected security incident, the following steps should be taken to ensure full security in the tenant. Follow these steps, in this order:

1. Perform an inventory of all credentials (including keys and service principles).
   • Reset all credentials
   • Identify and remove any unnecessary keys
   • Add or delete users – Azure Active Directory | Microsoft Docs
2. As a best practice and to prevent compromise, ensure MFA is enabled for all privileged user accounts. If MFA is already in use, expire all MFA tokens to force re-authentication.
   • Enable Azure AD Multi-Factor Authentication | Microsoft Docs
3. Review all constituents of the Admin Agent group and ensure there aren’t any accounts (users/service-principals) that should not be there.
   • Also check for and perform similar steps for any other similar privileged group akin to Admin Agent group
   • List Azure AD role assignments | Microsoft Docs
   • Azure Active Directory roles documentation | Microsoft Docs
4. Perform an inventory of application registrations.
   • Check/remove unfamiliar/unnecessary applications
   • Ensure proper certificates in place for all OAuth accounts, reset/refresh credentials
   • Reset all service principal accounts, generate/store new secrets
   • Create an Azure AD app and service principal in the portal – Microsoft identity platform | Microsoft Docs
   • How to: Remove a registered app from the Microsoft identity platform – Microsoft identity platform | Microsoft Docs
5. Retire all refresh tokens used for API integration.
   • Revoke user access in an emergency in Azure Active Directory | Microsoft Docs
   • Microsoft identity platform refresh tokens – Microsoft identity platform | Microsoft Docs
   • Revoke-AzureADUserAllRefreshToken (AzureAD) | Microsoft Docs
   • Changes to the Token Lifetime Defaults in Azure AD – Microsoft Tech Community