Security Defaults in Azure Portal. IMPORTANT: SECURITY DEFAULTS ARE NOT ALWAYS ENABLED BY DEFAULT. YOU MUST CHECK YOUR SETTINGS.
What does Security Defaults give you? When enabled, Security Defaults provide the following preconfigured security settings:
Requiring all users to register for Azure AD Multi-Factor Authentication.
Requiring administrators to perform multi-factor authentication.
Blocking legacy authentication protocols.
Requiring users to perform multi-factor authentication when necessary.
Protecting privileged activities like access to the Azure portal.
Azure Active Directory security defaults | Microsoft Docs
How do you enable? Azure Active Directory > Properties > Manage Security Defaults > Yes > Save
Discovering and blocking legacy auth:
Discovering and blocking legacy authentication in your Azure and Microsoft 365 subscriptions – Jussi Roine
Understanding Modern vs Legacy auth:
Understanding Modern vs. Legacy Authentication in Microsoft 365 – Ru365 (campbell.scot)
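Before Security Defaults block legacy authentication for you, it is worth knowing which accounts still depend on it, otherwise the switch breaks mail clients and scanners that nobody remembered. The script below is an added example (not from the original post or the linked articles): it reads Azure AD sign-in log entries and groups the ones whose clientAppUsed value belongs to a legacy protocol. The log lines are constructed to look like sign-in log exports, and the set of client app names treated as legacy is an assumption based on the values that field normally carries.

```python
"""Find sign-ins that still use legacy authentication before enabling Security Defaults.

Added example, not from the original post. The records below are constructed to
resemble Azure AD sign-in log entries (userPrincipalName, clientAppUsed,
appDisplayName, createdDateTime); the list of client apps treated as legacy is an
assumption based on what Azure AD reports in that field.
"""
import json
from collections import defaultdict

# clientAppUsed values that indicate legacy (basic) authentication (assumed list).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Other clients",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange Web Services",
    "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell",
    "AutoDiscover",
    "Offline Address Book",
}

# Constructed sample sign-in entries, one JSON object per line.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2021-03-01T08:01:00Z", "userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "appDisplayName": "Office 365 SharePoint Online"}
{"createdDateTime": "2021-03-01T08:05:00Z", "userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync", "appDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2021-03-01T08:07:00Z", "userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Microsoft Teams"}
{"createdDateTime": "2021-03-01T09:10:00Z", "userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2021-03-02T07:30:00Z", "userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online"}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_legacy_auth(records):
    """Group legacy-auth sign-ins by user: {upn: {clientAppUsed: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if client in LEGACY_CLIENT_APPS:
            hits[rec["userPrincipalName"]][client] += 1
    return {upn: dict(apps) for upn, apps in hits.items()}


def legacy_auth_report(text):
    """Return (legacy_users, total_legacy_signins) for a raw newline-delimited log."""
    hits = find_legacy_auth(parse_signin_log(text))
    total = sum(sum(apps.values()) for apps in hits.values())
    return hits, total


if __name__ == "__main__":
    users, total = legacy_auth_report(SAMPLE_SIGNIN_LOG)
    print(f"{total} legacy-auth sign-ins by {len(users)} account(s)")
    for upn, apps in sorted(users.items()):
        print(f"  {upn}: {apps}")
```

Run it against a real export of the sign-in log (filtered to the last 30 days or so) and you get the list of accounts and protocols to fix before flipping the Security Defaults switch; in the constructed sample, bob and the scanner account would both lose access.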
Maintain groups in Azure AD with dynamic groups and set expiration settings.
Example scenario: Controlling remote access for subcontractors working on a short-term project. The project owner should remove all subcontractor access after the project completes.
How-to guide:
If we combine Dynamic Groups and Expiration settings, we can automatically populate groups and then trigger a regular check that the groups are still required. Group owners will be reminded regularly to verify that their groups are still needed. Owners will have a better understanding of who has access, which helps support your security policies.
Dynamic Group Example
Steps: Azure Active Directory > New Group > Type: Office 365 > Name, Description, Dynamic User > Owner > Dynamic User Members
Group Name: Sub Contractors. Set the rule so that department equals "Sub Contractor".
Dynamic User Members: Add Expression
(user.department -eq "Sub Contractor")
Configure Group lifetime / Expiration Settings
Steps: Azure Active Directory > Groups > Expiration > Days > No Owner email > Selected > Group > Save
“Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and PowerBI.” Info from the portal Expiration settings.
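To see how the two settings work together, here is an added example (not from the original post) that evaluates a membership rule like the one above against a set of users and then works out the renewal and deletion dates that the expiration setting would apply to the resulting group. It implements a subset of the dynamic membership rule syntax (user.<attribute> compared with -eq, -ne, -startsWith or -contains, joined by -and / -or, with parentheses). The user records are constructed; treating string comparison as case-insensitive, -and binding tighter than -or, and a missing attribute comparing as an empty string are assumptions of this example rather than documented Azure AD behaviour.

```python
"""Evaluate an Azure AD dynamic membership rule and a group expiration schedule.

Added example, not from the original post. Implements a subset of the membership
rule syntax (user.<attribute> with -eq/-ne/-startsWith/-contains, joined by
-and/-or, with parentheses). User records are constructed; case-insensitive
comparison, -and binding tighter than -or, and a missing attribute comparing as
an empty string are assumptions made here.
"""
import re
from datetime import date, timedelta

# One alternative per token kind: "(", ")", quoted string, -operator, user.attribute
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(-\w+)|user\.(\w+))')


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad token at {rule[pos:]!r}")
        pos = m.end()
        lp, rp, s, op, attr = m.groups()
        tokens.append(("(", None) if lp else (")", None) if rp
                      else ("STR", s) if s is not None else ("OP", op.lower()) if op
                      else ("ATTR", attr))
    return tokens


class RuleParser:
    """Recursive-descent parser: or_expr := and_expr (-or and_expr)*; and_expr := atom (-and atom)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if kind and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens in rule")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("OP", "-or"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == ("OP", "-and"):
            self.take()
            left = ("and", left, self.parse_atom())
        return left

    def parse_atom(self):
        if self.peek()[0] == "(":
            self.take("(")
            node = self.parse_or()
            self.take(")")
            return node
        attr, op, value = self.take("ATTR")[1], self.take("OP")[1], self.take("STR")[1]
        return ("cmp", op, attr, value)


def evaluate(node, user):
    if node[0] == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if node[0] == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    _, op, attr, value = node
    actual, wanted = str(user.get(attr) or "").lower(), value.lower()  # assumption: case-insensitive
    if op == "-eq":
        return actual == wanted
    if op == "-ne":
        return actual != wanted
    if op == "-startswith":
        return actual.startswith(wanted)
    if op == "-contains":
        return wanted in actual
    raise ValueError(f"unsupported operator {op}")


def members(rule, users):
    """Return the sorted UPNs of users the rule selects."""
    tree = RuleParser(tokenize(rule)).parse()
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))


RENEWAL_NOTICE_DAYS = (30, 15, 1)  # reminder schedule quoted from the portal text above


def expiration_schedule(last_renewed, lifetime_days, today):
    """Expiry date, owner reminder dates and the group's state on 'today'."""
    expires = last_renewed + timedelta(days=lifetime_days)
    notices = [expires - timedelta(days=d) for d in RENEWAL_NOTICE_DAYS]
    if today >= expires:
        state = "expired-deleted"      # not renewed: deleted along with its content
    elif today >= notices[0]:
        state = "renewal-pending"      # first reminder has gone out
    else:
        state = "active"
    return {"expires": expires, "notices": notices, "state": state}


# Constructed user records (department spelling differs on purpose).
SAMPLE_USERS = [
    {"userPrincipalName": "ann@contoso.example", "department": "Sub Contractor", "jobTitle": "Developer"},
    {"userPrincipalName": "ben@contoso.example", "department": "sub contractor", "jobTitle": "Tester"},
    {"userPrincipalName": "cat@contoso.example", "department": "Finance", "jobTitle": "Analyst"},
    {"userPrincipalName": "dan@contoso.example", "jobTitle": "Contract Developer"},
]
RULE = '(user.department -eq "Sub Contractor")'

if __name__ == "__main__":
    print("members:", members(RULE, SAMPLE_USERS))
    print(expiration_schedule(date(2021, 1, 1), 180, date(2021, 6, 10)))
```

The point of running a rule through something like this before saving it is to see which accounts it really pulls in (an inconsistently spelled department value is a classic way to miss people), and the schedule shows the owner exactly when the reminders land and when deletion happens if nobody renews.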
AZ-500: Microsoft Azure Security Technologies
Challenge: Separate subscriptions for multiple disciplines under the same Azure Active Directory Tenancy.
Required: Each subscription has the same role assignments.
Solution: Azure Blueprints, which define a repeatable set of Azure resources.
Azure Blueprints provides
- Role & Policy Assignments
- ARM templates
- And Resource Groups
Getting Started Azure Blueprints (PREVIEW)
Creating Blueprint Guide – Focused on Roles
Create a blueprint; if you're new to Blueprints, start with a predefined sample blueprint.
For this example I have selected Resource Groups with RBAC (Role-based Access Control)
Create blueprint > Enter Name, Description and Definition Location
Next: Artifacts
Click Save Draft
How to Publish Blueprint
Click Blueprints > Blueprint Definitions > Select the version to publish
Click Publish blueprint.
Enter version and change notes > Click Publish
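A blueprint gets the role assignments onto each subscription; what it does not do on its own is tell you when a subscription has since drifted away from that definition (an extra Owner granted by hand, a Reader assignment removed). The script below is an added example, not from the original post or from Azure Blueprints itself: it compares the role assignments a blueprint defines against a snapshot of each subscription's actual assignments and reports what is missing or unexpected. The blueprint definition and the per-subscription snapshots are constructed; a real check would pull the assignment list of each subscription from Azure, which this example does not do.

```python
"""Check that every subscription carries the role assignments a blueprint defines.

Added example, not from the original post or from Azure Blueprints. The blueprint
definition and the per-subscription snapshots are constructed; each assignment is
modelled as a (role, principal) pair at subscription scope.
"""

# Role assignments the blueprint is meant to apply to every subscription (constructed).
BLUEPRINT_ROLE_ASSIGNMENTS = {
    ("Owner", "group:PlatformOwners"),
    ("Contributor", "group:ProjectDevelopers"),
    ("Reader", "group:SecurityAuditors"),
}

# Constructed snapshots of what each subscription actually has today.
SUBSCRIPTION_SNAPSHOTS = {
    "sub-finance": {
        ("Owner", "group:PlatformOwners"),
        ("Contributor", "group:ProjectDevelopers"),
        ("Reader", "group:SecurityAuditors"),
    },
    "sub-engineering": {
        ("Owner", "group:PlatformOwners"),
        ("Contributor", "group:ProjectDevelopers"),
        ("Owner", "user:contractor@contoso.example"),  # granted by hand, not in the blueprint
    },
    "sub-marketing": {
        ("Reader", "group:SecurityAuditors"),          # blueprint never fully applied
    },
}


def role_drift(blueprint, snapshots):
    """Return {subscription: {"missing": [...], "unexpected": [...]}} for drifted subscriptions only."""
    drift = {}
    for sub, assigned in snapshots.items():
        missing = sorted(blueprint - assigned)
        unexpected = sorted(assigned - blueprint)
        if missing or unexpected:
            drift[sub] = {"missing": missing, "unexpected": unexpected}
    return drift


def privileged_unexpected(drift, privileged_roles=("Owner", "User Access Administrator")):
    """Unexpected assignments that grant a privileged role; these deserve first attention."""
    return sorted(
        (sub, role, principal)
        for sub, d in drift.items()
        for role, principal in d["unexpected"]
        if role in privileged_roles
    )


if __name__ == "__main__":
    drift = role_drift(BLUEPRINT_ROLE_ASSIGNMENTS, SUBSCRIPTION_SNAPSHOTS)
    for sub, d in sorted(drift.items()):
        print(sub, "missing:", d["missing"], "unexpected:", d["unexpected"])
    print("privileged and unexpected:", privileged_unexpected(drift))
```

Feeding this a fresh snapshot on a schedule turns the blueprint from a one-off deployment into a baseline you can check against, with unexpected Owner assignments surfaced first.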
Sample screen shots of Azure Advisor
Recommendations: Cost, Security, High Availability, Performance, Operational Excellence
Example recommendations report export, output as a PDF or CSV
This feature (Identity Protection) looks to identify activity and assign it a risk level: "Risk detection and remediation".
All features appear to be available in Azure AD Premium P2, with a restricted set of features in Azure AD Premium P1 and Basic/Free.
The key difference is that the notification options are only in Azure AD Premium P2.
There are three default policies
- User Risk
- Sign-In Risk
Example of the Identity Protection Policies
Reference How-To Guides:
- How To: Configure the Azure Multi-Factor Authentication registration policy
- How To: Configure and enable risk policies
- How To: Identity Protection configure notifications
How to prepare to collect security log data from your Azure Windows virtual machines. You require two things:
- A Log Analytics workspace to be created
- The agent to be installed on the virtual machine
This guide shows how to set up the workspace and install the agent on the virtual machine.
Create a Log Analytics Workspace
Pricing is Pay as you go
Next you connect to the data source
Click Virtual Machines > Select Virtual Machine and click Connect.
The agent is then automatically installed and ready to be configured for the Log Analytics workspace.
Next, configure the workspace under Advanced settings. See the MS Docs quick start guide.
Collect Windows event logs from the Windows VM
- Click Data > Windows Event Logs.
- Add an event log. Example type System and then select “+”.
- In the table, check the options Error and Warning.
- Select Save at the top of the page to save the configuration.
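The event log setting above is a filter: only the logs you add, at the levels you tick, ever reach the workspace. The script below is an added example (not from the original post) that applies that same configuration (System log, Error and Warning) to a handful of constructed Windows event records and reports which ones would be collected and which would be silently dropped. The event records and the level names are constructed to resemble Windows event log entries; nothing here talks to the agent or the workspace.

```python
"""Apply a Log Analytics Windows event log collection setting to sample events.

Added example, not from the original post. The event records are constructed to
resemble Windows event log entries (Log, Level, EventID, Source, Message) and the
collection configuration mirrors the steps above (System log, Error and Warning).
"""

# Collection setting as entered under Advanced settings > Data > Windows Event Logs:
# {log name: set of levels ticked}.
COLLECTION_CONFIG = {
    "System": {"Error", "Warning"},
}

# Constructed sample events from one Windows VM.
SAMPLE_EVENTS = [
    {"Log": "System", "Level": "Error", "EventID": 7000,
     "Source": "Service Control Manager", "Message": "The service failed to start"},
    {"Log": "System", "Level": "Warning", "EventID": 1014,
     "Source": "DNS Client Events", "Message": "Name resolution timed out"},
    {"Log": "System", "Level": "Information", "EventID": 7036,
     "Source": "Service Control Manager", "Message": "The service entered the running state"},
    {"Log": "Security", "Level": "Audit Failure", "EventID": 4625,
     "Source": "Microsoft-Windows-Security-Auditing", "Message": "An account failed to log on"},
    {"Log": "Application", "Level": "Error", "EventID": 1000,
     "Source": "Application Error", "Message": "Faulting application"},
]


def collected_events(events, config):
    """Events the agent would forward under this configuration, in original order."""
    return [e for e in events if e["Level"] in config.get(e["Log"], set())]


def collection_gaps(events, config):
    """{log: sorted levels} seen in the sample that this configuration would NOT collect."""
    gaps = {}
    for e in events:
        if e["Level"] not in config.get(e["Log"], set()):
            gaps.setdefault(e["Log"], set()).add(e["Level"])
    return {log: sorted(levels) for log, levels in gaps.items()}


if __name__ == "__main__":
    for e in collected_events(SAMPLE_EVENTS, COLLECTION_CONFIG):
        print("collected:", e["Log"], e["Level"], e["EventID"], e["Message"])
    print("not collected:", collection_gaps(SAMPLE_EVENTS, COLLECTION_CONFIG))
```

The gap report is the useful part: with only the System log configured, the failed logon (Security log) and the application crash never arrive, which is easy to forget once the agent status shows green.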
Locking prevents the accidental deletion or modification of critical resources, for example an Azure subscription, resource group, network, files or VMs.
How do you configure management locks to prevent the accidental deletion of core networks?
In this example we will put a "Delete" lock on a virtual network.
Virtual Network > Select the network > Locks > Add > Name + Set lock type to delete > Ok
To remove a lock / delete the lock
We have a storage account, "StorageV2 (general purpose v2)", and initially it can be accessed from all networks. We now want to restrict storage access to an approved network location.
Click on the storage account > Firewalls and virtual networks, and click "Selected networks".
You can allow access from virtual networks or allow access through the firewall. The example below adds a virtual network name and an external IP range. Then click Save.
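To reason about what the saved setting actually permits, here is an added example (not from the original post) that models the rule set the "Firewalls and virtual networks" blade stores (default action, allowed public IP ranges, allowed virtual network subnets) and evaluates a request's source against it. The rule values, the subnet resource ID placeholder and the sample requests are constructed, and the evaluation order (subnet rule, then IP rule, then default action) is an assumption of this example. It also flags IP rules in RFC 1918 space, which the blade will not accept.

```python
"""Evaluate a storage account's network rules against a request's source.

Added example, not from the original post. Models the settings of the "Firewalls
and virtual networks" blade; rule values, the subnet ID placeholder and the sample
requests are constructed, and the evaluation order is an assumption made here.
"""
import ipaddress

# RFC 1918 ranges: these cannot be used in storage IP rules, so flag them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

STORAGE_NETWORK_RULES = {
    "defaultAction": "Deny",                          # what "Selected networks" sets
    "ipRules": ["203.0.113.0/24", "198.51.100.7"],    # constructed external ranges
    "virtualNetworkRules": [                          # placeholder resource ID
        "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network"
        "/virtualNetworks/vnet-prod/subnets/app",
    ],
}


def invalid_ip_rules(rules):
    """IP rules that fall inside RFC 1918 space and would be rejected by the portal."""
    bad = []
    for rule in rules["ipRules"]:
        net = ipaddress.ip_network(rule, strict=False)
        if any(net.subnet_of(p) for p in RFC1918):
            bad.append(rule)
    return bad


def is_allowed(rules, source_ip=None, subnet_id=None):
    """Return (allowed, reason). A request arrives either from an allowed vnet subnet
    (service endpoint) or from a public IP address."""
    if subnet_id is not None and subnet_id in rules["virtualNetworkRules"]:
        return True, "virtual network rule"
    if source_ip is not None:
        addr = ipaddress.ip_address(source_ip)
        for rule in rules["ipRules"]:
            if addr in ipaddress.ip_network(rule, strict=False):
                return True, f"ip rule {rule}"
    if rules["defaultAction"].lower() == "allow":
        return True, "default action Allow (all networks)"
    return False, "default action Deny"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7", "198.51.100.8"):
        print(ip, is_allowed(STORAGE_NETWORK_RULES, source_ip=ip))
    print("subnet", is_allowed(STORAGE_NETWORK_RULES,
                               subnet_id=STORAGE_NETWORK_RULES["virtualNetworkRules"][0]))
    print("bad rules", invalid_ip_rules({"ipRules": ["10.1.0.0/16", "203.0.113.0/24"]}))
```

Note how the second office address (198.51.100.8) is refused: a single-host IP rule covers exactly one address, so if the office sits behind a range it is the range that must be entered, and the default action of Deny is what makes the allow list meaningful.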