Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access.

Enabling Multi-Factor Authentication in Azure requires little effort. Microsoft outlines that process nicely here.

While we regularly utilize Azure MFA, there was a recent scenario in which we worked with a client to enable MFA for users with administrative access to production resources. To name a few, but not limited to: Azure subscriptions, SQL databases, and Azure AD admins such as global (company), service, user account, device and helpdesk administrators. Administrator accounts in the wrong hands will have access to everything. It is important to identify and secure these accounts with MFA.

Using PowerShell and the Azure AD module we were able to quickly identify these administrators. To list the various Azure AD admin roles, run `Get-AzureADDirectoryRole`. With the exception of "Directory Readers", passing each role's ObjectId into the `Get-AzureADDirectoryRoleMember` cmdlet let us identify the users holding the respective admin role:

```powershell
Get-AzureADDirectoryRoleMember -ObjectId **OBJECT ID**
```

Once we've identified the administrators from the various corners of the production Azure subscription, enabling MFA is a straightforward process.

Something to note is the stance of The National Institute of Standards and Technology (NIST) discouraging the use of two-factor authentication systems that use SMS. NIST brings attention to "risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN (Public Switched Telephone Network) to deliver an out-of-band authentication secret." Anyone looking to implement MFA should take into consideration recommendations and guidance from organizations such as NIST and the PCI Standards Council.
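The enumeration described above, as an added PowerShell example that is not code from the original post: it walks every activated directory role, skips "Directory Readers" as the post does, and reports who holds each role so that each account can be enrolled in MFA. It assumes the AzureAD module is installed and that the signed-in account can read directory roles; the output file name is an arbitrary choice.

```powershell
# Added example (not from the original post). Enumerates every activated
# Azure AD directory role and the members assigned to it.
# Assumes: AzureAD module installed; signed-in account can read roles.
Connect-AzureAD | Out-Null          # interactive sign-in

$skipRoles = @('Directory Readers') # read-only role the post excludes

$assignments = foreach ($role in Get-AzureADDirectoryRole) {
    if ($skipRoles -contains $role.DisplayName) { continue }

    # Same call the post shows, one role at a time
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Users are identified by UPN; groups and service principals by ObjectId
        $identity = if ($member.ObjectType -eq 'User') {
            $member.UserPrincipalName
        } else {
            $member.ObjectId
        }
        [pscustomobject]@{
            Role       = $role.DisplayName
            MemberType = $member.ObjectType   # User, Group or ServicePrincipal
            Name       = $member.DisplayName
            Identity   = $identity
        }
    }
}

# Human-readable report, grouped by role
$assignments | Sort-Object Role, Name | Format-Table -AutoSize

# Groups and service principals cannot enrol in MFA themselves: their
# membership has to be expanded and reviewed separately, so flag them.
$assignments | Where-Object MemberType -ne 'User' | ForEach-Object {
    Write-Warning "$($_.Role): non-user member $($_.Name) ($($_.MemberType))"
}

# Unique user accounts that should be enrolled in MFA (file name is arbitrary)
$assignments | Where-Object MemberType -eq 'User' |
    Select-Object Identity -Unique |
    Export-Csv -Path .\admin-accounts.csv -NoTypeInformation
```

Note that Get-AzureADDirectoryRole only returns roles that have been activated in the tenant, and Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK, so the same walk may need to be ported for newer tenants.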