COPYRIGHT © 2022

BEST PRACTICES
SIGN-IN RISK POLICIES
When a user signs in with risky behavior, you can BLOCK access or REQUIRE Multi-factor Authentication.

This added layer of security helps remediate stolen/hacked accounts before they can cause further damage.

Examples include:
- Leaked credentials
- Impossible travel
- Suspicious email forwarding
- New country
- Account labeled Risky by an Administrator
  - (Global Admin, Security Admin, etc.)
USER RISK POLICIES
- When a user is identified as risky, you can choose to either explicitly BLOCK access or REQUIRE a password change.

- A user is classified as risky based on the probability that their account is compromised. This is determined by Microsoft's threat detection sources and deep web investigations.
MULTI-FACTOR AUTHENTICATION
- Multi-Factor Authentication (MFA) adds an extra layer of security to user authentication.

- Require MFA for administrative users and consider enabling it for all users to enhance security.
AZURE CONDITIONAL ACCESS
- Azure AD Multi-factor Authentication is enforced with Conditional Access policies.

- Conditional Access policies are IF-THEN statements:

  - IF SharePoint Online is accessed
  - IF a user is accessing a Trusted Network
  - IF a user is accessing Office 365 using legacy authentication
  - IF a user is registering a new device

  - THEN Block Access
  - THEN Grant Access
  - THEN require MFA
  - THEN require Device Registration

- The Azure-Samples GitHub repo contains sample policies that you can test and deploy.
AUDITING & MONITORING
- Enable auditing and monitoring of Azure AD activity to detect and respond to security threats.

- Use Azure AD's built-in auditing and monitoring capabilities or third-party solutions to monitor and log user activity.
AZURE ROLES
- The importance of Azure roles lies in their ability to help organizations manage access to their Azure resources and delegate responsibilities in a secure and controlled manner. By using Azure roles, administrators can ensure that only authorized users have access to the resources they need, while still maintaining full control over the resources themselves.

- Using Azure roles also helps to promote best practices for security and compliance, as it allows organizations to implement least privilege, which grants users only the permissions they need to perform their job functions. This can help to reduce the risk of unauthorized access, data breaches, and other security incidents.
ROLE EXAMPLE
- roleName == Display name of the role
- name == Unique role ID
- type == Whether it is a custom role or not
- description == Role description
- actions == What the role can do
- notActions == What it can't do
- dataActions == Data actions the role can perform
- notDataActions == Data actions that it can't perform
- assignableScopes == What the role applies to

your specific needs.
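The following is an added example (not from the slides) that models role definitions with the fields listed above and shows how the effective permission is computed: an operation is allowed when it matches an entry in actions (or dataActions) and no entry in notActions (or notDataActions). The built-in Owner/Contributor shapes are simplified, and the role GUID and subscription ID are placeholders.

```python
"""Model Azure RBAC role definitions and check effective permissions."""
import re


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC treats '*' as a wildcard that may span '/' (e.g. '*/read')."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str, data: bool = False) -> bool:
    """Effective permission: some allow pattern matches and no not* pattern matches."""
    allow = role["dataActions" if data else "actions"]
    deny = role["notDataActions" if data else "notActions"]
    return any(_matches(p, operation) for p in allow) and not any(
        _matches(p, operation) for p in deny)


def findings(role: dict) -> list:
    """Least-privilege review checks a reviewer would apply to a custom role."""
    out = []
    if role.get("type") != "CustomRole":
        out.append("type should be CustomRole for a custom definition")
    if not role.get("assignableScopes"):
        out.append("assignableScopes is empty: the role cannot be assigned")
    if any(p.strip() == "*" for p in role["actions"]):
        out.append("actions contains bare '*' (Owner-equivalent)")
    if is_allowed(role, "Microsoft.Authorization/roleAssignments/write"):
        out.append("role can delegate access (roleAssignments/write)")
    return out


# Constructed definitions, simplified from the built-in Owner and Contributor
# (the real Contributor carries a few more notActions than shown here).
OWNER = {"roleName": "Owner", "type": "BuiltInRole", "actions": ["*"],
         "notActions": [], "dataActions": [], "notDataActions": [],
         "assignableScopes": ["/"]}
CONTRIBUTOR = {**OWNER, "roleName": "Contributor",
               "notActions": ["Microsoft.Authorization/*/Delete",
                              "Microsoft.Authorization/*/Write",
                              "Microsoft.Authorization/elevateAccess/Action"]}
BLOB_AUDITOR = {  # custom role; GUID and subscription ID are placeholders
    "roleName": "Blob Auditor (Custom)", "name": "<ROLE-GUID>",
    "type": "CustomRole",
    "description": "Read storage account metadata and blob contents; no changes.",
    "actions": ["Microsoft.Storage/storageAccounts/*/read"], "notActions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "notDataActions": [],
    "assignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/audit-rg"],
}
```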
AZURE AD / AZURE ROLES
Owner
- Has full access to all resources within a subscription or resource group, including the ability to delegate access to others.

Contributor
- Can create and manage resources but cannot grant access to others.

Reader
- Can view existing resources, but cannot make any changes.

Billing Reader
- Can view billing information for a subscription but cannot make any changes.
AZURE AD / AZURE ROLES
You should regularly review the following roles and assignments:

- Global Administrator
- User Administrator
- Privileged Authentication Administrator
- Conditional Access Administrator
- Security Administrator
- All Microsoft 365 and Dynamics Service Administration roles
AZURE AD / AZURE ROLES
- There is a difference between Azure Roles and Azure AD Roles.

- Simply put, Azure AD Roles apply to tenant-wide administration (Global Admin, etc.) and Azure Roles can apply to a resource, resource group, subscription, or management group (Owner, Contributor, Reader, etc.).

- In addition to the built-in roles, administrators can create custom roles that meet the specific needs of their organization.

- This allows administrators to fine-tune access controls and delegate responsibilities in a more granular fashion.
AZURE ACCESS REVIEWS

WHICH USERS SHOULD HAVE ACCESS TO WHICH RESOURCES?
- SOLUTION: Access Policies, RBAC

WHAT ARE USERS DOING WITH THAT ACCESS?
- SOLUTION: RBAC, Security Groups

ARE THERE EFFECTIVE ORGANIZATIONAL CONTROLS FOR MANAGING ACCESS?
- PIM, Access Reviews

CAN AUDITORS VERIFY THAT THE CONTROLS ARE WORKING?
- Azure Sentinel, Azure Monitor, Log Analytics


WHAT CAN BE REVIEWED?
- User access to Azure AD/SSO applications

- Group membership and user synchronization

- Access Packages that group resources (groups, apps, and sites) into a single package to better manage access.

- Azure AD roles and Azure Resource roles as defined in Privileged Identity Management (PIM).
