Protect Microsoft 365 Hybrid Environments
Connecting Microsoft 365 to on-premises systems can give an attacker who has compromised the on-premises network a path into the cloud unless IT follows a few simple practices. Districts should use Azure AD Connect to synchronize accounts, with either password hash synchronization or pass-through authentication handling sign-in. Active Directory Federation Services offers few advantages for connecting Windows Server Active Directory to Azure AD and introduces real risk: the token-signing certificate that Azure AD trusts lives on the on-premises AD FS servers, so an attacker who takes over those servers (or exports that key) can forge sign-in tokens for any federated user without ever needing a password.
Objects synchronized to Azure AD should never hold cloud privileges beyond those of a standard user. That way a compromised on-premises account yields only an ordinary Microsoft 365 user in the cloud, not an administrator. Schools should verify that objects synchronized from on-premises AD have not been placed in Azure AD administrator roles, whether directly or through membership in a role-assignable group.
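The two checks above, a federated-domain inventory and a scan for synchronized accounts holding cloud roles, as an added example written for this article with the Microsoft Graph PowerShell SDK (not code from the article or from Microsoft). It assumes the Microsoft.Graph module is installed and a session has been opened with Connect-MgGraph using the scopes named in the comments; the sample role-member records and the example.edu principals are constructed so the check itself can be exercised without a tenant connection.

```powershell
# Added example (not from the article): hybrid-identity checks for an Azure AD tenant.
# Assumed setup:
#   Install-Module Microsoft.Graph
#   Connect-MgGraph -Scopes "Domain.Read.All","Directory.Read.All","RoleManagement.Read.Directory"

function Get-FederatedDomains {
    # Domains whose AuthenticationType is 'Federated' hand sign-in to AD FS (or another IdP).
    # The goal is for every domain to be 'Managed', i.e. password hash sync or pass-through auth.
    Get-MgDomain | Where-Object { $_.AuthenticationType -eq 'Federated' } |
        Select-Object Id, AuthenticationType, IsVerified
}

function Get-PrivilegedRoleMembers {
    # One record per (activated role, user); groups assigned to a role are expanded transitively.
    $records = @()
    foreach ($role in Get-MgDirectoryRole) {
        $userIds = @()
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            switch ($m.AdditionalProperties['@odata.type']) {
                '#microsoft.graph.user'  { $userIds += $m.Id }
                '#microsoft.graph.group' {
                    $userIds += (Get-MgGroupTransitiveMember -GroupId $m.Id -All |
                        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }).Id
                }
                # service principals can hold roles too; they are out of scope for this check
            }
        }
        foreach ($id in ($userIds | Where-Object { $_ } | Select-Object -Unique)) {
            $u = Get-MgUser -UserId $id -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled
            $records += [pscustomobject]@{
                Role                  = $role.DisplayName
                UserPrincipalName     = $u.UserPrincipalName
                OnPremisesSyncEnabled = [bool]$u.OnPremisesSyncEnabled   # $null on cloud-only accounts
                AccountEnabled        = $u.AccountEnabled
            }
        }
    }
    return $records
}

function Find-SyncedPrivilegedMembers {
    # A synchronized object should hold no cloud role at all, so every synced member is a finding.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object { $_.OnPremisesSyncEnabled } | Sort-Object Role, UserPrincipalName
}

# Constructed sample records (hypothetical tenant) to exercise the check without a connection.
$sample = @(
    [pscustomobject]@{ Role = 'Global Administrator';   UserPrincipalName = 'ga-cloud@example.edu'; OnPremisesSyncEnabled = $false; AccountEnabled = $true }
    [pscustomobject]@{ Role = 'Global Administrator';   UserPrincipalName = 'jsmith@example.edu';   OnPremisesSyncEnabled = $true;  AccountEnabled = $true }
    [pscustomobject]@{ Role = 'Exchange Administrator'; UserPrincipalName = 'svc-mail@example.edu'; OnPremisesSyncEnabled = $true;  AccountEnabled = $true }
)
Find-SyncedPrivilegedMembers -Records $sample | Format-Table -AutoSize

# Against a live tenant:
# Get-FederatedDomains
# Find-SyncedPrivilegedMembers -Records (Get-PrivilegedRoleMembers) | Format-Table -AutoSize
```

Get-MgDirectoryRole returns only roles that have been activated in the tenant, which is what matters here: a role nobody has ever been assigned has no members to review. Any synchronized account the scan reports should be removed from the role and replaced by a cloud-only administrator account.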
Azure AD administrator accounts should always be created as cloud-only accounts, never synchronized from on-premises AD, and protected with multifactor authentication. Azure AD Conditional Access policy can lock privileged accounts down further, for example by requiring that administrators sign in only from dedicated, managed workstations (devices joined to Azure AD and marked compliant) rather than from everyday machines.
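A Conditional Access policy of the kind described above, as an added example written for this article with the Microsoft Graph PowerShell SDK (not code from the article or from Microsoft). It requires MFA and a compliant device for every sign-in by a member of the named administrator roles. Assumptions: a Connect-MgGraph session with the scopes in the comments, Intune device compliance in use (otherwise see the note after the code), and a placeholder break-glass account object ID that must be replaced with a real one.

```powershell
# Added example (not from the article): report-only Conditional Access policy for admin roles.
# Assumed setup:
#   Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","RoleManagement.Read.Directory"

function New-PrivilegedRoleAccessPolicy {
    param(
        [string[]]$RoleNames = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator'),
        # Object IDs of cloud-only emergency-access ("break glass") accounts to exclude, so an
        # MFA or device-compliance outage cannot lock every administrator out. Placeholder; replace it.
        [string[]]$ExcludeUserIds = @('00000000-0000-0000-0000-000000000000'),
        [string]$DisplayName = 'Admins: require MFA and compliant device',
        [switch]$Enforce   # omit to create the policy in report-only mode first
    )

    # Conditional Access targets roles by role template ID, which differs from the ID of the
    # activated role object, so resolve the names through the templates.
    $roleIds = @(Get-MgDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -in $RoleNames } |
        Select-Object -ExpandProperty Id)
    if ($roleIds.Count -ne $RoleNames.Count) {
        throw "Could not resolve all of these roles to template IDs: $($RoleNames -join ', ')"
    }

    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $policy = @{
        displayName = $DisplayName
        state       = $state
        conditions  = @{
            clientAppTypes = @('all')                         # browser, modern clients and legacy protocols
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeRoles = $roleIds
                excludeUsers = $ExcludeUserIds
            }
        }
        grantControls = @{
            operator        = 'AND'                           # both controls are required
            builtInControls = @('mfa', 'compliantDevice')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Create it report-only, review what it would have blocked in the sign-in log, then re-run with -Enforce.
New-PrivilegedRoleAccessPolicy
```

Start in report-only mode: the policy evaluates every admin sign-in and records what it would have done without blocking anyone, which is how you confirm the exclusion list and device compliance are right before enforcing. If administrator workstations are hybrid-joined rather than Intune-managed, 'domainJoinedDevice' is the built-in control to use in place of 'compliantDevice'.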
Detect Compromised Microsoft 365 Accounts Using Free Tools
CISA recently released a free PowerShell-based tool to help detect compromised Azure AD and Microsoft 365 accounts and applications by highlighting activity that may be unusual and potentially malicious. The tool, called Sparrow, is aimed at incident responders and was written specifically to surface the authentication-based techniques seen in the SolarWinds compromise, such as tampering with federation settings and adding credentials to applications and service principals.
Sparrow is available free on GitHub and helps IT narrow down the user and application activity that could indicate such attacks. It queries the Microsoft 365 unified audit log for indicators of compromise, lists the tenant's Azure AD domains, and reviews service principals and the Microsoft Graph API permissions granted to them.
CrowdStrike also publishes a free PowerShell reporting tool for Azure AD, the CrowdStrike Reporting Tool for Azure (CRT), that details permissions and configuration settings that are hard to see in the Azure portal. It reports mail forwarding rules to remote domains, users enabled for Exchange Online PowerShell, and service principal objects that carry keyCredentials (certificate credentials an attacker may have added to an application). Like Sparrow, CRT is available on GitHub.
Hawk is another free PowerShell tool for collecting data from Azure AD and Microsoft 365. It gives incident responders information on a specific user principal or on an entire Microsoft 365 tenant, including sign-in history and the IP addresses involved, and it can surface the same account signing in concurrently from different IP addresses.
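The two kinds of check these tools automate, a Sparrow-style sweep of the unified audit log for high-risk Azure AD operations and a Hawk-style search for concurrent logins from different IP addresses, as an added example written for this article (not code from Sparrow, CRT, Hawk or the article). It runs offline over constructed audit records in the AuditData JSON shape that Search-UnifiedAuditLog returns; the example.edu users, timestamps and RFC 5737 test addresses are made up, and the list of operation names is the author's own selection.

```powershell
# Added example (not from the article or from Sparrow/Hawk): audit-log triage over constructed records.
# With Exchange Online connected, real input is:
#   (Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000).AuditData

# Azure AD operations worth immediate triage after a suspected authentication attack:
# federation changes (token forgery), new credentials on apps/service principals, consent grants.
$HighRiskOperations = @(
    'Set federation settings on domain.'
    'Set domain authentication.'
    'Add service principal credentials.'
    'Update application – Certificates and secrets management '   # the real log value ends in a space
    'Consent to application.'
) | ForEach-Object { $_.Trim() }

function Find-HighRiskOperations {
    param([Parameter(Mandatory)][string[]]$AuditDataJson)
    $AuditDataJson | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Workload -eq 'AzureActiveDirectory' -and ([string]$_.Operation).Trim() -in $HighRiskOperations } |
        Select-Object CreationTime, Operation, UserId, ClientIP, ResultStatus
}

function Find-ConcurrentLogins {
    # Same account signed in successfully from more than one IP inside the window: a common
    # sign of a stolen password or token being used alongside the real user.
    param(
        [Parameter(Mandatory)][string[]]$AuditDataJson,
        [int]$WindowMinutes = 60
    )
    $logins = $AuditDataJson | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Operation -eq 'UserLoggedIn' -and $_.ResultStatus -eq 'Success' } |
        ForEach-Object { [pscustomobject]@{ UserId = $_.UserId; ClientIP = $_.ClientIP; Time = [datetime]$_.CreationTime } }

    foreach ($user in ($logins | Group-Object UserId)) {
        $events = @($user.Group | Sort-Object Time)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start  = $events[$i].Time
            $window = @($events | Where-Object { $_.Time -ge $start -and $_.Time -lt $start.AddMinutes($WindowMinutes) })
            $ips    = @($window | ForEach-Object ClientIP | Select-Object -Unique)
            if ($ips.Count -gt 1) {
                [pscustomobject]@{ UserId = $user.Name; WindowStart = $start; SourceIPs = ($ips -join ', ') }
                break   # one finding per user is enough to open an investigation
            }
        }
    }
}

# Constructed sample records (hypothetical tenant; 203.0.113.0/24 and 198.51.100.0/24 are test ranges).
$sample = @(
    '{"CreationTime":"2024-03-01T08:00:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"jsmith@example.edu","ClientIP":"203.0.113.10","ResultStatus":"Success"}'
    '{"CreationTime":"2024-03-01T08:12:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"jsmith@example.edu","ClientIP":"198.51.100.77","ResultStatus":"Success"}'
    '{"CreationTime":"2024-03-01T08:20:00","Operation":"Add service principal credentials.","Workload":"AzureActiveDirectory","UserId":"jsmith@example.edu","ClientIP":"198.51.100.77","ResultStatus":"Success"}'
    '{"CreationTime":"2024-03-01T09:00:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alee@example.edu","ClientIP":"203.0.113.22","ResultStatus":"Success"}'
    '{"CreationTime":"2024-03-01T10:00:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alee@example.edu","ClientIP":"203.0.113.22","ResultStatus":"Success"}'
)

Find-HighRiskOperations -AuditDataJson $sample | Format-Table -AutoSize
Find-ConcurrentLogins   -AuditDataJson $sample -WindowMinutes 30 | Format-Table -AutoSize
```

On the sample, the first check returns the service principal credential addition and the second flags jsmith, who signed in from two different addresses twelve minutes apart and then added that credential from the second one; that pairing is the kind of chain an investigator chases. The unified audit log is only useful if it was enabled before the incident, so confirm auditing is on in every tenant before you need it.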