
Deliveron

Securing Azure Active Directory Administrators with Multi-Factor Authentication

Mar 08, 2018

According to Centrify, in 2016 more than one billion credential records were stolen. Enabling Multi-Factor Authentication (MFA) is one of the best ways to prevent unauthorized users from accessing data.

MFA in Azure is free for your global administrators and is included with the following licensing options:

  • Azure Multi-Factor Authentication (MFA)
  • Azure Active Directory (AD) Premium
  • Enterprise Mobility & Security

Review licensing options here.

Anyone looking to implement MFA should take into consideration recommendations and guidance from organizations such as the National Institute of Standards and Technology (NIST) and the PCI Standards Council.

One thing to note is NIST’s stance discouraging the use of two-factor authentication systems that rely on SMS. NIST brings attention to “risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN (Public Switched Telephone Network) to deliver an out-of-band authentication secret.”

While we regularly use Azure MFA ourselves, we recently worked with a client to enable MFA for users with administrative access to production resources. These resources included, but were not limited to, Azure subscriptions, SQL databases and Azure AD admin roles such as global (company), service, user account, device and helpdesk administrators.

Using PowerShell and the Azure AD module, we were able to quickly identify these administrators.

To identify the various Azure AD admin roles, run Get-AzureADDirectoryRole. The following is what is returned.
[Screenshot: PowerShell output of Get-AzureADDirectoryRole]

By passing each role's ObjectId (with the exception of "Directory Readers") into the Get-AzureADDirectoryRoleMember cmdlet, we were able to identify the users holding the respective admin role.
Get-AzureADDirectoryRoleMember -ObjectId **OBJECT ID**
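
The two steps above combined into one inventory script, as an added example that is not part of the original post. It assumes the AzureAD module is installed and Connect-AzureAD has already been run against the tenant; the variable names and the CSV file name are illustrative.

```powershell
# Added example: assumes the AzureAD module is installed and
# Connect-AzureAD has already been run in this session.
Import-Module AzureAD

# Role skipped in the article; extend this list for your own tenant if needed.
$excludedRoles = @('Directory Readers')

# Get-AzureADDirectoryRole lists the directory roles activated in the tenant.
$roles = Get-AzureADDirectoryRole |
    Where-Object { $excludedRoles -notcontains $_.DisplayName }

# Build one row per (role, member) pair.
$assignments = foreach ($role in $roles) {
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        ForEach-Object {
            [pscustomobject]@{
                Role              = $role.DisplayName
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                ObjectType        = $_.ObjectType   # e.g. User or ServicePrincipal
                ObjectId          = $_.ObjectId
            }
        }
}

# Collapse to one row per account, listing every admin role it holds,
# so each account that needs MFA appears exactly once.
$admins = $assignments |
    Group-Object -Property ObjectId |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            DisplayName       = $first.DisplayName
            UserPrincipalName = $first.UserPrincipalName
            ObjectType        = $first.ObjectType
            Roles             = ($_.Group.Role | Sort-Object -Unique) -join '; '
        }
    } |
    Sort-Object ObjectType, DisplayName

$admins | Format-Table -AutoSize -Wrap

# Keep a dated copy so later runs can be compared for new admin assignments.
$admins | Export-Csv -Path ".\aad-admins-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Rows whose ObjectType is not User are role members that are not user accounts and should be reviewed separately from the per-user MFA rollout.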

Once we’ve identified the administrators from the various corners of the production Azure subscription, enabling MFA is a straightforward process. Microsoft outlines that process nicely here.

Administrator accounts in the wrong hands will have access to everything. Enabling Multi-Factor Authentication in Azure requires little effort. It is important to identify and secure these accounts with MFA. 


Resources / additional reading:
MFA licensing options:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-cloud

MFA SMS security:
https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf
https://pages.nist.gov/800-63-3/sp800-63b.html#pstnOOB

PowerShell Azure AD module:
https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

Enabling MFA:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states

 



Category: Azure

Matt Sierra

