How to Boost your Microsoft Secure Score

The Microsoft Secure Score is an indication of how well your environment is configured for security. In this post I will focus on the Identity aspect of the Secure Score.

There are eleven ‘improvement actions’ Microsoft recommends to improve the identity secure score, with varying levels of impact. Some are easy wins, others need a bit more thought and planning. Some are must-haves, others are ‘ideal world’ configuration and won’t be possible in every environment.

  1. Use least privilege administrative roles
  2. Designate more than one global admin
  3. Enable self-service password reset
  4. Do not allow users to grant consent to unreliable applications
  5. Enable password hash sync if hybrid
  6. Protect all users with a user risk policy
  7. Protect all users with a sign-in risk policy
  8. Enable policy to block legacy authentication
  9. Do not expire passwords
  10. Ensure all users can complete multi-factor authentication
  11. Require multi-factor authentication for administrative roles

Use least privilege administrative roles

Score Impact: +1.64% | User Impact: Low

Users should have the privileges they need to do their job and no more. This limits the damage should an admin account be compromised, and also stops users going ‘rogue’ and taking actions they shouldn’t. Identify who in your organisation requires admin access and ensure they have the correct role. Then remove all the others – but bear in mind the next recommendation.


Designate more than one global admin

Score Impact +1.64% | User Impact: Low

Security is a battle to ensure you keep your organisational data secure and accessible. Global admin accounts are dangerous things; if they fall into the wrong hands then attackers essentially have the keys to the kingdom. But too few global admin accounts are equally dangerous. If you have a single global admin, and they get hit by a bus, then you have no global admins. Simple maths.

Too many global admins are also a problem, as it increases the attack surface. Microsoft recommends you have between 2 and 4 global admin accounts.
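The two recommendations above (least-privilege roles, and two to four global admins) can be checked rather than eyeballed. The script below is an added example, not from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read directory roles.

```powershell
# Added example (not part of the original post): audit Global Administrator membership
# against the recommended range of 2-4 using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the caller can read directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Directory roles only appear once activated; Global Administrator always is.
# Filtering client-side avoids relying on server-side $filter support for displayName.
$gaRole  = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Members can be users, groups or service principals; a group member is NOT expanded here,
# and PIM-eligible (not yet activated) assignments are not returned by this call.
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Type        = ($m.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', '')
        DisplayName = $m.AdditionalProperties.displayName
        Upn         = $m.AdditionalProperties.userPrincipalName
    }
}
$report | Format-Table -AutoSize

$count = @($members).Count
if ($count -lt 2) {
    Write-Warning "Only $count Global Administrator(s): add a second (break-glass) account."
} elseif ($count -gt 4) {
    Write-Warning "$count Global Administrators: move the extras to least-privilege roles."
} else {
    Write-Host "$count Global Administrators - within the recommended 2-4."
}
```

Re-run it after moving people to least-privilege roles to confirm the count has landed in the recommended range.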


Enable self-service password reset

Score Impact +1.64% | User Impact: Moderate

This recommendation requires Azure AD Premium P1 licensing.

Allowing users to reset their own passwords reduces the load on your helpdesk and loss of productivity for your users. It requires users to have a secondary authentication method – which they will have if you’ve enforced multi-factor authentication.

Users will need to register for self-service password reset (SSPR), but this can be combined with registering for multi-factor authentication. You will also need to decide whether to enforce SSPR registration, or just make it available.

But first, you will need to enable Password Writeback, so that passwords set online can be written back to on-prem Active Directory.

Open Azure AD Connect, and click Customize synchronisation options. Log in, and go to Optional features. Select Password writeback.

Now you can enable self-service password reset (SSPR) in Azure.

Open Azure AD, and click Password reset. Carefully consider all the options, including the administrator policy. Require at least two methods for administrators and notify all other admins if an admin resets their password. Enable SSPR for all users (or a group if you want a staged rollout) and click save.


Do not allow users to grant consent to unreliable applications

Score Impact +6.56% | User Impact: Moderate

Occasionally users will want to use apps that require permissions to sign in and read profile information, and occasionally other data. Attackers can use this to steal data because, let’s face it, users will more often than not just accept the permissions request.

There are a number of ways to resolve this. You can disable user consent completely, meaning any requests have to be approved by an admin. This could potentially generate a lot of work for IT staff, and create a roadblock for users getting to what they need.

Alternatively, you can allow users to consent to applications with verified publishers, and ask for consent for applications without. This is the configuration recommended by Microsoft.

Open Azure AD, and click Enterprise Applications, then Consent and Permissions. Under User Consent Settings, select ‘Allow user consent for apps from verified publishers, for select permissions (Recommended)’. Click Save.


Enable password hash sync if hybrid

Score Impact +8.20% | User Impact: Low

For modern authentication, users need to be able to authenticate against Azure Active Directory – not on-prem Active Directory. Microsoft achieves this by synchronising passwords using Azure AD Connect, but securely. By creating an MD4 hash of the password, then a SHA256 hash of the MD4 hash (keep up!), what is sent to the cloud is a hash that cannot be reversed to recover the password and used in an attack. Passwords are synchronised every two minutes.

By enabling this, users will be able to login to their Microsoft 365 account even if the on-prem infrastructure is unavailable.

Open Azure AD Connect, and click Customize synchronisation options. Log in, and go to Optional features. Select Password hash synchronization.


Protect all users with a user risk policy

Score Impact +11.48% | User Impact: Moderate

This recommendation requires Azure AD Premium P2 licensing.

Azure can automatically detect when users are at risk of compromise, using various methods, and a user risk policy can determine what actions should automatically be taken when a user is detected as being at risk.

Risk detections cover things including anonymous IP addresses, unfamiliar sign-in properties, and impossible travel. Depending on how risky Azure thinks the user is, it will score it high, medium or low risk. Microsoft recommend that all high risk users are made to change their passwords.

Open Azure AD, and click Security, Identity Protection, then User Risk Policy. Select All users (make sure you exclude at least one global admin account), set the risk level to high, and the control to Allow Access. Tick Require Password Change. Click done, then toggle the policy enforcement to On.

You may decide that this is not right for you – simply change the settings as you see fit, but before you do anything you should check through the risky users report to determine the impact your policy will have.


Protect all users with a sign-in risk policy

Score Impact +11.48% | User Impact: Moderate

This recommendation requires Azure AD Premium P2 licensing.

This one is similar to the last, but deals with individual sign-ins rather than accounts. If a sign-in is detected as being suspicious, you can configure various actions to take. Microsoft will score the sign-in as high, medium or low risk, and recommend that all medium or high risk sign-ins are challenged for multi-factor authentication.

Open Azure AD, and click Security, Identity Protection, then Sign-in Risk Policy. Select All users (make sure you exclude at least one global admin account), set the risk level to medium and above, and the control to Allow Access. Tick Require multi-factor authentication. Click done, then toggle the policy enforcement to On.

Again, you may decide to change the settings. Visit the sign-in risk report beforehand to assess the impact this will have.


Enable policy to block legacy authentication

Score Impact +13.11% | User Impact: Moderate

This recommendation requires Azure AD Premium P1 licensing.

Legacy authentication methods such as POP, IMAP, and SMTP cannot enforce multi-factor authentication, making them easy targets for attackers. According to Microsoft, more than 99% of password spray attacks and more than 97% of credential stuffing attacks use legacy authentication methods. These methods should be disabled.

Open Azure AD, click Security, and select Conditional Access. Click New Policy from Templates, and select Block Legacy Authentication. Configure the policy to include all users and exclude at least one global admin account. You can run the policy in report-only mode to assess the impact before turning it on.


Do not expire passwords

Score Impact +11.48% | User Impact: Moderate

In the past, it was generally accepted that regularly changing passwords was best practice, as it meant that any compromised password would be cycled out. But that advice didn’t take into account user behaviour: users would only make minor variations to the password, and probably write it down and stick it to their monitor.

This guidance has changed over the past few years, and now Microsoft (and the NCSC) recommend that organisations don’t expire passwords.

With the increasing use of password managers, it’s become easier for users to select a strong password and keep it secure. Instead of expiring passwords, users should be encouraged to set a strong password and keep it safe.

Visit the Microsoft 365 Admin Center, go to Settings, Org Settings, Security and Privacy. Click Password expiration policy, and check Set passwords to never expire (recommended).

If you have a hybrid environment, you will also want to set the group policy here:

Open Group Policy Management Editor, and set Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policies\Maximum password age to 0.


Ensure all users can complete multi-factor authentication

Score Impact +14.75% | User Impact: High

The best way to protect your accounts against password compromise is to mitigate the impact of passwords being compromised by using multi-factor authentication. Enabling a second factor ensures that attackers have an additional hurdle to gaining access to an account, which is often enough to put them off.

Firstly, you will need to configure the MFA registration policy:

Open Azure AD, click Security, Identity Protection and select Multi-factor authentication registration policy. Include all users, and exclude at least one global admin account. Tick Require Azure AD multi-factor authentication registration, and set the policy enforcement to on.

Then, set a conditional access policy to require MFA:

Open Azure AD, click Security, and select Conditional Access. Click New Policy from Templates, and select Require multi-factor authentication for all users. Configure the policy to include all users and exclude at least one global admin account. You can run the policy in report-only mode to assess the impact before turning it on.

You can get clever with your policies to ease the impact on your users, for example setting locations that are exempt from requiring MFA, such as your on premises network.


Require multi-factor authentication for administrative roles

Score Impact +16.39% | User Impact: Low

This recommendation requires Azure AD Premium P1 licensing.

An absolute must, a no brainer. If you do nothing else on this list, do this one. Even admins are vulnerable to password compromise, and the accounts need additional protection. If an admin account is compromised, the damage could be catastrophic.

Open Azure AD, click Security, and select Conditional Access. Click New Policy from Templates, and select Require multi-factor authentication for admins. Configure the policy to include all users and exclude at least one global admin account. You can run the policy in report-only mode to assess the impact before turning it on.
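The two Conditional Access policies described in this post (Block legacy authentication, and Require multi-factor authentication for admins) can also be created from PowerShell, which makes the exclusion of a break-glass account and the report-only state explicit and repeatable. This is an added example, not from the original post; it assumes the Microsoft.Graph SDK is installed, uses a placeholder for the excluded global admin’s object ID, and targets the Global Administrator role template (the portal template covers a wider set of admin roles).

```powershell
# Added example (not part of the original post): create both Conditional Access policies
# in report-only mode via the Microsoft Graph PowerShell SDK, then review before enforcing.
# Assumes Microsoft.Graph is installed and the caller can write Conditional Access policies.
# PLACEHOLDER: replace with the object ID of the global admin you want excluded (break-glass).
$breakGlassId = "00000000-0000-0000-0000-000000000000"
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: block legacy authentication. 'exchangeActiveSync' and 'other' are the client app
# types that cannot complete MFA (POP, IMAP, SMTP AUTH, older Office clients).
$blockLegacy = @{
    displayName   = "Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for administrative roles. includeRoles takes role template IDs;
# 62e90394-69f5-4237-9190-012177145e10 is the well-known Global Administrator template.
$mfaAdmins = @{
    displayName   = "Require MFA for admins (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($p in @($blockLegacy, $mfaAdmins)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)' (id $($created.Id))"
}
# Next: check the Report-only tab in the sign-in logs, then update each policy's state to
# 'enabled' once the affected sign-ins are understood.
```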


And that’s it, as far as recommended actions for identity protection in Azure go. It may not be possible for you to configure them all, but by enabling the majority of the high score impact recommendations you should be able to boost your secure score significantly.
