Updates coming soon to the Azure AD Best practices checklist

Back to Blog
24Jul2019

Updates coming soon to the Azure AD Best practices checklist

Update: The best practices checklists and guides are now available.

I will be updating the best practices checklist and guide for Azure AD again soon, but I wanted to post a couple of notes about the coming changes–since it may be a while before I get around to editing and publishing the PDF’s (I will also be uploading the original XLSX workbooks as well, by popular demand).

Change #1: Assign Azure AD Premium P2 (or Enterprise Mobility + Security E5) to highly sensitive accounts such as administrator accounts, or others who have access to the most sensitive data sets in your organization.

Recently on Twitter, Alex Simons clarified something important that has long been misunderstood. The conversation was about how all the best identity features are tied up in E5 plans, or Azure AD Premium P2. Identity Protection, Privileged Identity Management (PIM), Risk-based Conditional access and so forth.

And this response makes sense. The reason being, you should only need to license users for software if they are explicitly benefiting from the features included with said software. Therefore, it would be possible to have risk-based policies, PIM, etc. in place for your admin accounts, without also licensing every single user in the company.

Asked for further clarification, Alex confirmed that even the individuals who are participating in the PIM approval process do not need to be included–just the admin accounts themselves, which are being protected by PIM.

Knowing this, even small businesses could benefit from some of these protections, and it doesn’t have to break the bank.

Now the reason I say go for EM+S E5, rather than just Azure AD Premium P2, is that the bundle holds a lot of extra value without adding a lot more $ (since you only need to purchase it in small quantities for specific users, typically–see my licensing guide for more details). For example:

  • Azure Information Protection P2 = ability to automatically classify sensitive data sets, so that users who handle extra sensitive data do not have to “think about it” and manually classify the information;
  • Azure ATP = Good tool for Identity forensics, gaining insights into users’ activity, especially suspicious activities;
  • Microsoft Cloud App Security = Get pre-canned alerts and the ability to create some really great custom alerts from a filter-friendly activity log; alert when admins sign-in from unknown locations, alert on admin activities–which also gives you a change log, etc.; also discover cloud apps, review OAuth app usage, and more!

Change #2: Introduce a third risk category to the Conditional access policy design.

Update September 2019: I ultimately decided against the third more restrictive category, and kept just two: typical and sensitive or restrictive environments. You do not have to implement every policy, but you should consider each of them in any new implementation.

Currently I describe one “baseline” policy set for the typical small business, and an additional set of policies for businesses with a little more sensitivity, where they want to “go the extra mile.” I am now going to outline three tiers:

  • typical
  • sensitive
  • most restrictive

The new design will leverage some of the advanced capabilities in EM+S E5, for those extra sensitive accounts, like Risk-based, Identity Protection and PIM.

The “typical” and “sensitive” policy sets will basically remain the same otherwise. Currently the sensitive policy set will block downloads on unmanaged devices from SharePoint and Exchange Online. A stronger version of this would just block access outright, and require any devices to become enrolled and compliant, even if they are using a web browser. This will be the behavior in the most restrictive tier, along with the MFA requirement (always enforced).

Also, as discussed previously, we will want to block unsupported devices such as Chromebooks and the like, in the most restrictive tier. And last of all, we’ll look at Windows Information Protection (basically MAM for Windows)–which is to be used only in very restrictive environments.

And that’s about it for now. I’ll have to carve out some time to update the publications on GitHub, and I’ll post back once that happens.

Technical , , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

26Nov

Summary post: How to migrate from SBS to Office 365 & Server 2016

I had a series of posts on the topic of migrating from SBS to Office 365 and Windows Server a while back, and I've been getting a number of requests for a "summary" post with links to all the articles. I get a few people... read more
30Mar

Why you need UAC (and how to enable it)

I don't know why it has come to this, but here it is. Here we are. We need to review why it is that you need User Account Control (UAC), and how to go about turning it on. I know! Like, why is this even... read more
11Nov

Exciting: Teams sites now visible in SharePoint admin center!

I just ran across this and had to share. I'm sure it was previously announced somewhere and I've just been behind the times on reading up, BUT--there are new Admin center updates coming soon to a tenant near you, and... THE NEW SHAREPOINT ADMIN CENTER EXPOSES SITES... read more
15Jun

Implementing the ACSC Essential 8 with Microsoft 365

I have had this request on my backburner for a while, and I finally got around to knocking it out: from a reader in the Land Down Under--Australia! Update: Microsoft has a much-improved set of Learn articles on the Essential Eight, with detailed guidance on implementing... read more
25Apr

Two philosophies for deploying Microsoft Teams in an organization

IT admins throughout the world subscribe to one of two worldviews today: Control mindset: IT's job is to control and restrict, and of course, to protect the clueless users from all of those scary threats out there in the world today (including themselves)Empower mindset: IT's... read more
22Nov

How to improve Remote Desktop performance for remote users through an RDS Gateway Server

Do you have a Remote Desktop Server (properly) configured with the Gateway Role in your environment? In this configuration, all traffic is secured via SSL (port 443), and clients connecting over the internet to your internal RDS host(s) will be encrypted (and not necessarily identifiable... read more
28Sep

How to perform an Unplanned Failover from Azure Site Recovery

In a previous series, I wrote about Azure Site Recovery, and the new integration tools available in Windows Server 2016, through the Essentials role (enabling some pretty cool new offerings, potentially, for service providers and consultants). ASR for Windows Server Essentials makes setting up Disaster... read more
21Jul

New Options for High Availability using Hyper-V with Storage Spaces Direct (S2D)

Windows Server 2016 introduces a new feature called Storage Spaces Direct. Expanding on their existing software-defined storage technology, Microsoft now allows us to pool internal disks across multiple servers--meaning that you do not need to use a separate enclosure and extra cabling to enable a shared storage... read more
Alternatives to SharePoint and OneDrive
01Sep

Alternatives to OneDrive and SharePoint (and when to consider them)

One of the things I often get asked about is how to deal with various limitations in OneDrive and SharePoint Online. For those who don’t know, SharePoint Online is the file storage & sharing solution underpinning the Microsoft 365 universe of applications, including the popular... read more
09Feb

CRUD: When to use Create, Replace, Update or Delete in Group Policy Preferences?

I have to admit: I don't use Group Policy Preferences as much as I probably should. Historically, when I migrate clients from a legacy system such as Windows Server 2003 or 2008 to something newer, I tended to leave well enough alone, so to speak, and just update... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me