☁️
Tminus365 Docs
  • 🚀Welcome to Tminus365 Docs
  • 🔐Security
    • Azure AD (Entra)
      • MFA Shall Be Required for All Users
      • MFA is enforced on accounts with Highly Privileged Roles
      • MFA is enforced for Azure Management
      • MFA registration and usage shall be periodically reviewed
      • Legacy Authentication shall be blocked
      • High Risk Users Shall Be Blocked
      • High Risk Sign-Ins Shall Be Blocked
      • Browser Sessions shall not be persistent for privileged users
      • MFA shall be required to enroll devices to Azure AD
      • Managed Devices shall be required for authentication
      • Guest User Access Shall be restricted
      • The number of users with highly privileged roles shall be limited
      • Users assigned highly privileged roles shall not have permanent permissions
      • Activation of privileged roles should be monitored and require approval
      • Highly privileged accounts shall be cloud-only
      • Highly privileged role assignments shall be periodically reviewed
      • Passwords shall not expire
      • Azure AD Logs shall be collected
      • Only Admins shall be allowed to register 3rd party applications
      • Non-admin users shall be prevented from providing consent to 3rd party applications
      • Authorized Applications shall be configured for Single Sign-On
      • Inactive accounts shall be blocked or deleted
    • Teams
      • Private Channels shall be utilized to restrict access to sensitive information
      • External Participants SHOULD NOT Be Enabled to Request Control of Shared Desktops or Windows in Meet
      • Anonymous Users SHALL NOT Be Enabled to Start Meetings
      • Automatic Admittance to Meetings SHOULD Be Restricted
      • External User Access SHALL Be Restricted
      • Unmanaged User Access SHALL Be Restricted
      • Contact with Skype Users SHALL Be Blocked
      • Teams Email Integration SHALL Be Disabled
      • Only Approved Apps SHOULD Be Installed
      • File Sharing and File Storage Options shall be blocked
      • Only the Meeting Organizer SHOULD Be Able to Record Live Events
      • Attachments SHOULD Be Scanned for Malware
      • Link Protection SHOULD Be Enabled
      • Restrict Users who can Create Teams Channels
      • Teams Channels shall have an expiration policy
      • Data Loss Prevention Solutions SHALL Be Enabled
    • Exchange
      • Automatic Forwarding to External Domains SHALL Be Disabled
      • Sender Policy Framework SHALL Be Enabled
      • DomainKeys Identified Mail SHOULD Be Enabled
      • Domain-Based Message Authentication, Reporting, and Conformance SHALL Be Enabled
      • Enable Email Encryption
      • Simple Mail Transfer Protocol Authentication SHALL Be Disabled
      • Calendar and Contact Sharing SHALL Be Restricted
      • External Sender Warnings SHALL Be Implemented
      • Data Loss Prevention Solutions SHALL Be Enabled
      • Emails SHALL Be Filtered by Attachment File Type
      • Zero-Hour Auto Purge for Malware SHOULD Be Enabled
      • Phishing Protections SHOULD Be Enabled
      • Inbound Anti-Spam Protections SHALL Be Enabled
      • Safe Link Policies SHOULD Be Enabled
      • Safe Attachments SHALL Be Enabled
      • IP Allow Lists SHOULD NOT be Implemented
      • Mailbox Auditing SHALL Be Enabled
      • Alerts SHALL Be Enabled
      • Audit Logging SHALL Be Enabled
      • Enhanced Filtering Shall be configured if a 3rd party email filtering tool is being used
    • SharePoint
      • File and Folder Links Default Sharing Settings SHALL Be Set to Specific People
      • External Sharing SHOULD be Set to “New and Existing Guests”
      • Sensitive SharePoint Sites SHOULD Adjust Their Default Sharing Settings
      • Expiration Times for Guest Access to a Site SHOULD Be Determined by specific needs
      • Users SHALL Be Prevented from Running Custom Scripts
    • OneDrive
      • Anyone Links SHOULD Be Turned Off
      • Expiration Date SHOULD Be Set for Anyone Links
      • Link Permissions SHOULD Be Set to Enabled Anyone Links to View
      • Windows and MacOS devices should be prevented from syncing the OneDrive Client on personal devices
      • Legacy Authentication SHALL Be Blocked
    • Intune
      • Personal Devices should be restricted from enrolling into the MDM solution
      • Devices shall be deleted that haven’t checked in for over 30 days
      • Devices compliance policies shall be configured for every supported device platform
      • Noncompliant devices shall be blocked from accessing corporate resources
      • MFA Shall be required for Intune Enrollment
      • Security Baselines should be configured for Windows Devices
      • Windows Update Rings shall be configured for Windows Devices
      • Update Policies shall be configured for Apple Devices
      • App Protection policies should be created for mobile devices
      • Mobile devices shall only be able to access corporate data through approved client apps
      • Lockout screen and password settings shall be configured for each device
      • Encryption shall be required on all devices
      • Windows Hello for Business should be configured where applicable
      • Authorized Applications should be deployed to managed devices
      • Device Use Shall be restricted until required applications are installed
      • Devices and Applications shall be wiped when a user leaves the organization or reports a lost/stolen
  • ⚙️Configurations
    • GDAP
      • My Automations Break with GDAP: The Fix!
      • Vendor Integrations Break with GDAP: The Fix!
      • Adding GDAP Relationships
      • Leveraging PIM with GDAP
      • GDAP Migration with Microsoft 365 Lighthouse
    • GoDaddy
      • Defederating GoDaddy 365
  • 🛡️CIS Controls
    • CIS Mapped to M365
  • 🔌Vendor Integrations
    • Pax8
      • Automating NCE subscription renewal notices
      • Leveraging the Pax8 API in Power Automate
    • IT Glue
      • Automating Intune Device Documentation in IT Glue
      • Automating Microsoft Documentation
    • Huntress
      • Leveraging the Huntress API in Power Automate
    • Syncro
      • Automating Microsoft 365 Documentation in Syncro
      • Custom Connector in Power Automate
      • Creating Tickets for Azure AD Risky Users
Powered by GitBook
On this page
  • Description
  • Policy
  • Licensing Considerations
  • Set Up Instructions
  • End-User Impact
  • PowerShell Scripts
  • Videos
  1. Security
  2. Azure AD (Entra)

Activation of privileged roles should be monitored and require approval

Description

Since many cyberattacks leverage privileged access, it is imperative to closely monitor the assignment and activation of the highest privileged roles for signs of compromise. Create alerts to trigger when a highly privileged role is assigned to a user and when a user activates a highly privileged role

Require approval for a user to activate a highly privileged role, such as Global Administrator. This makes it more challenging for an attacker to leverage the stolen credentials of highly privileged users and ensures that privileged access is monitored closely.

Policy

  • Eligible and Permanent privileged role assignments shall trigger an alert

  • User activation of the Global Administrator role shall trigger an alert

  • Activation of the Global Administrator role should require approval

Licensing Considerations

Azure AD P2 if using Azure AD PIM. This can be purchased standalone or is part of the following bundles:

  • EMS+E5

  • Microsoft 365 E5

A 3rd party PAM tool could be used as a substitute.

Set Up Instructions

  1. In the Azure Portal, navigate to Azure AD Privileged Identity Management (PIM).

  2. Under Manage, select Azure AD roles.

  3. Under Manage, select Roles. This should bring up a list of all the Azure AD roles managed by the PIM service.

  4. Click the Global Administrator role.

  5. Click Settings and then click Edit.

  6. Click the Notification tab.

  7. Under Send notifications when members are assigned as eligible to this role, in the Role assignment alert -> Additional recipients textbox, enter the email address of the mailbox configured to receive the alerts for this role.

  8. Under Send notifications when members are assigned as active to this role, in the Role assignment alert -> Additional recipients textbox, enter the email address of the mailbox configured to receive the alerts for this role.

  9. Under Send notifications when eligible members activate this role, in the Role activation alert -> Additional recipients textbox, enter the email address of the mailbox configured to receive the alerts for this role.

  10. Click Update.

  11. Repeat steps 4 through 10 for each of the other highly privileged roles referenced in the policy section above, with one modification:

    1. When configuring the Send notifications when eligible members activate this role for these other roles, enter an email address of a mailbox that is different from the one used to monitor Global Administrator activations.

  1. In the Azure Portal, navigate to Azure AD and create a new group named “Privileged Escalation Approvers.” This group will contain users that will receive role activation approval requests and approve or deny them. Users in this group must, at least, have the permissions provided to the Privileged Role Administrators role to adjudicate requests.

  2. In the Azure Portal, navigate to Azure AD Privileged Identity Management (PIM).

  3. Under Manage, select Azure AD roles.

  4. Under Manage, select Roles. This should bring up a list of all the Azure AD roles managed by the PIM service.

  5. Repeat this step for the Privileged Role Administrator role, User Administrator role, and other roles that the agency has designated as highly privileged.

    1. Click the Global Administrator role in the list.

    2. Click Settings.

    3. Click Edit.

    4. Select the Require approval to activate option.

    5. Click Select approvers, select the group Privileged Escalation Approvers, and then click Select.

    6. Click Update.

End-User Impact

Level: Low

Impact is limited to users who are eligible to privileged roles which should be a small amount in the organization. These users will have to have someone approve their activation.

Tips

A group of users should be assigned for approval vs a single point of contact.

More granular settings can be applied to these roles such as requiring MFA upon activation and requiring a justification reason.

PowerShell Scripts

Videos

PreviousUsers assigned highly privileged roles shall not have permanent permissionsNextHighly privileged accounts shall be cloud-only

Last updated 1 year ago

PowerShell for PIM:

🔐
PowerShell for Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn