Every 22 seconds, another person’s identity is stolen, and security experts anticipate that rate rising further beyond 2022.
As work and workloads keep moving to the cloud, hackers follow along, stepping up phishing attacks to steal tokens or compromise credentials. The risk grows with Gartner’s prediction that, by 2025, cloud-native platforms, like Netflix and Uber, will run 95% of digital workloads.
To protect against identity theft and prevent untrusted access to resources, organizations use identity and access management (IAM) solutions. IAM combines processes, policies, and technologies to protect access to devices, systems, software, and people.
While many companies worldwide run their workloads, services, and applications on Microsoft Azure with Azure Active Directory (AD) as their IAM solution, it’s not foolproof—or hacker-proof.
Learn how Azure AD uses IAM to secure user sign-ins and understand the role of IAM in meeting compliance. Then, follow our 8 tips to help secure IAM on Azure AD and protect your organization from identity theft.
How IAM works on Azure Active Directory
Azure AD enables organizations to authenticate users and applications before granting access to resources. With identity as a service (IDaaS) at its core, Azure AD is the IAM backbone to help protect identities with secure sign-in for Microsoft 365 applications, the Azure portal, and other SaaS applications.
IAM is a role-based access control (RBAC) service that runs on Azure AD. It manages resource permissions at whatever level they are assigned, such as the group, subscription, and resource levels.
Securing and granting access to resources is based on:
- An employee’s role in an organization’s hierarchy
- Permitted or unpermitted actions
- Data they might or might not have access to
RBAC’s built-in roles include owner, contributor, and reader. It also authorizes management by a user access administrator and co-administrators. These roles grant user and application access, as well as cross-tenant, guest-user, and multi-tenant application access.
IAM requirements for key compliance standards
IAM plays a critical role in maintaining government and industry compliance standards, each of which has its own requirements for IAM solutions. Regardless of the compliance standards you must follow, make sure your IAM solution addresses the three stages of an account: provisioning, maintenance, and de-provisioning.
Let’s take a brief look at the requirements for the following key standards:
General Data Protection Regulation (GDPR) for European Union citizens
- Access management and governance
- Authorization
- Authentication, such as single-factor, two-factor, and multi-factor (MFA)
- Identity management and governance
Health Insurance Portability and Accountability Act (HIPAA) to protect patient information
- Authentication, such as single sign-on (SSO), for credential protection
- Ways to onboard and offboard healthcare partners
- Central governance over access management across the organization
- Automatic access logging for tracking and audit reporting
Sarbanes-Oxley Act (SOX) for financial services
- Centralized access management and identity governance
- Policies about separation of duties
- Regular auditing of user rights and permissions
- Automatic access logging for tracking and audit reporting
Gramm-Leach-Bliley Act (GLBA), referred to as the Financial Modernization Act
- Role-based management
- Separation of duty controls
- Automated provisioning and de-provisioning
- Just-enough access (entitlement management) for users to complete their jobs
- Multi-factor authentication
California Consumer Privacy Act (CCPA) for US companies doing business in California
- Identity management between individual consumers and their data and privacy requests
- Access governance about where data is stored and who has access to it
- Strong authentication to guard against unauthorized users
- Centralized access management and identity governance
By ensuring your IAM solution meets regulatory requirements, you not only protect your data, but your organization, employees, and the individuals you serve.
8 tips to secure IAM on Azure AD
Azure AD has a built-in set of security and compliance capabilities and supports a comprehensive list of compliance certifications. But these capabilities alone can’t protect your individual users. Follow these tips to protect identities from theft.
1. Centralize identity management for cloud and on-premises resources
Integrate your cloud and on-premises resources so you can manage all accounts in one place. Users then sign in once through SSO, with a single set of credentials, to reach all applications, websites, and other systems.
Having one place to manage accounts reduces the security risks caused by human error in complex IAM configurations that use multiple sets of credentials. Users don’t have to sign in to multiple accounts to reach the resources they need, which reduces password fatigue.
2. Set up multi-factor authentication for users
Beyond centralizing IAM and SSO, set up MFA to require users to identify themselves with one or two additional verification methods. This added layer of protection prevents the brute-force attacks to which short passwords are especially prone.
MFA factors include:
- Information a user knows, such as a password, PIN, or secret question
- Something a user has, such as an authenticator app, security badge, or code via SMS text message
- A unique user biometric, such as a fingerprint, voice, or retina pattern
MFA can also be location-based by looking at a user’s IP address and geographical location.
3. Create strong passwords for IAM roles
As hackers have stepped up their attacks, password guidelines have evolved to keep pace. Recently, the National Institute of Standards and Technology (NIST) updated its password guidance to include:
- Check passwords against breached password lists by using third-party breached password protection.
- Block passwords used in password dictionaries that contain specific words related to the organization.
- Prevent users from creating repetitive or incremental passwords, such as P@ssw0rd1 or p@ssW0rd2.
- Require non-context-specific passwords that mix only three, not four, of the character categories: lowercase, uppercase, numerals, and symbols.
- Increase password length for greater complexity by requiring passwords of at least 8 characters. The longer a password is, the harder it is for hackers to crack.
Also, consider using a third-party password generator or password manager tool to create complex passwords, check their strength, and manage them.
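The checks in the list above can be enforced at password-change time. The Python below is an added example, not part of the original post or of Azure AD Password Protection; it implements each rule against constructed data: a hash-based breached-list lookup, an organization word list, detection of incremental variants such as P@ssw0rd1 followed by p@ssW0rd2 (by undoing common character substitutions and stripping the trailing digits people bump on rotation), the minimum length, and a character-category count. The word lists and the sample passwords are constructed for the demo; the one reading of the category rule taken here is "at least three of the four categories".

```python
import hashlib
import re
from typing import Iterable, List

# Constructed breached-password feed: SHA-1 hashes, as real feeds such as HIBP
# distribute them, so plaintext never has to be stored by the checker.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "Summer2019!", "Welcome1")
}
# Constructed dictionary of common base words and organization-specific terms.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome"}
ORG_WORDS = {"contoso", "fabrikam"}
MIN_LENGTH = 8
MIN_CATEGORIES = 3

# Substitutions people use to satisfy complexity rules without changing the word.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: drop the trailing digits/symbols that get
    incremented on rotation, undo leet substitutions, and lowercase."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.translate(LEET).lower()


def categories(password: str) -> int:
    """Count how many of lowercase / uppercase / digit / symbol the password uses."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes)


def check_password(password: str, previous: Iterable[str] = (), username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("found in the breached-password list")
    base = normalize(password)
    if base in COMMON_WORDS:
        problems.append("variant of a common password")
    if any(word in base for word in ORG_WORDS):
        problems.append("contains an organization-specific word")
    user_base = normalize(username)
    if user_base and user_base in base:
        problems.append("contains the user name")
    if any(normalize(old) == base for old in previous):
        problems.append("incremental or repetitive variant of a previous password")
    if categories(password) < MIN_CATEGORIES:
        problems.append(f"uses fewer than {MIN_CATEGORIES} character categories")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2", "Contoso2023!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, previous=["P@ssw0rd1"]) or "ok")
```

The normalization step is what turns a list of banned words into protection against their obvious variants; without it, "P@ssw0rd1" sails past a dictionary that only contains "password".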
4. Create individual user accounts
In Azure AD, administrator accounts have the highest level of access, with user accounts having custom access and guest users having restricted access. By creating individual user accounts, administrators customize the access of internal organization and Azure AD users based on the type of user, job role, and ownership of information.
You can assign users to enterprise applications and user groups to make access easier to manage. However, keep in mind that individual users can’t manage other users, for example by adding or deleting them.
5. Manage connected tenants
To gain visibility into potential risks and into whether your organization is following internal and regulatory requirements, manage connected tenants, which are dedicated instances of Azure AD. By managing connected tenants, you establish a hierarchy of elevated access. This way, your global administrator can upgrade access to a user administrator and see all subscriptions and managed groups that are connected to an environment.
Again, the purpose of elevating access is to assess risk across your connected tenants. Once you’ve done the risk assessment, remove the elevated access.
6. Use role-based access control
Because IAM is based on RBAC, you can manage who has access to resources in the cloud, which areas they can access, and how they can use the resources. RBAC is based on need-to-know and least-privilege security principles, which are critical for securing data access and protection.
To enforce these principles, assign responsibility for specific functions to designated groups or individual roles. This approach minimizes the risk and confusion that result from human and automation errors. Grant your cloud security roles access to your cloud resources and to Microsoft Defender for Cloud to help them assess risks and conduct remediation.
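Both the earlier description of RBAC (built-in roles such as owner, contributor, and reader applied at group, subscription, and resource levels) and the least-privilege advice above come down to one evaluation rule: a principal may perform an action when some role assignment, made to it directly or through a group it belongs to, at the target scope or an ancestor scope, includes the action in the role's Actions and does not exclude it in NotActions. The Python below is an added example, not Azure's implementation, that models that rule so you can test a proposed set of assignments before applying it. The tenant layout, principal names and the simplified role definitions are constructed for the demo; real built-in roles carry longer NotActions lists.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]          # wildcard patterns, e.g. "*/read"
    not_actions: Tuple[str, ...] = ()  # narrow the role; this is not a deny

    def permits(self, action: str) -> bool:
        # Azure action names are case-insensitive; '*' in fnmatch also spans '/'.
        act = action.lower()
        allowed = any(fnmatchcase(act, p.lower()) for p in self.actions)
        excluded = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return allowed and not excluded


# Simplified versions of three built-in roles named on the page (constructed).
OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor", ("*",),
    not_actions=("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"))
READER = RoleDefinition("Reader", ("*/read",))


@dataclass(frozen=True)
class Assignment:
    principal: str        # user, group, or service principal id
    role: RoleDefinition
    scope: str            # management group, subscription, resource group or resource


# Constructed tenant layout: management groups are not string prefixes of the
# subscriptions beneath them, so the hierarchy is recorded explicitly.
MG_PROD = "/providers/Microsoft.Management/managementGroups/mg-prod"
MG_DEV = "/providers/Microsoft.Management/managementGroups/mg-dev"
MG_OF_SUBSCRIPTION = {"/subscriptions/sub1": MG_PROD, "/subscriptions/sub2": MG_DEV}


def subscription_of(scope: str) -> Optional[str]:
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "subscriptions":
        return "/subscriptions/" + parts[1]
    return None


def applies(assignment_scope: str, target: str) -> bool:
    """True when an assignment at `assignment_scope` is inherited by `target`."""
    if assignment_scope == "/" or target == assignment_scope:
        return True
    if target.startswith(assignment_scope.rstrip("/") + "/"):
        return True
    return MG_OF_SUBSCRIPTION.get(subscription_of(target) or "") == assignment_scope


def effective_roles(assignments: Iterable[Assignment], principal: str,
                    groups: Set[str], target: str) -> List[Tuple[str, str]]:
    """(role name, scope) pairs that reach `principal` at `target`; useful for audits."""
    ids = {principal, *groups}
    return [(a.role.name, a.scope) for a in assignments
            if a.principal in ids and applies(a.scope, target)]


def is_authorized(assignments: Iterable[Assignment], principal: str,
                  groups: Set[str], action: str, target: str) -> bool:
    """Additive evaluation: any reaching assignment whose role permits the action wins."""
    ids = {principal, *groups}
    return any(a.principal in ids and applies(a.scope, target) and a.role.permits(action)
               for a in assignments)


RG_APP = "/subscriptions/sub1/resourceGroups/rg-app"
SA1 = RG_APP + "/providers/Microsoft.Storage/storageAccounts/sa1"
# Constructed assignments: read-only for a platform group at the management group,
# Contributor for one engineer on one resource group, Owner for an admin on the subscription.
SAMPLE_ASSIGNMENTS = [
    Assignment("grp-platform-readers", READER, MG_PROD),
    Assignment("alice", CONTRIBUTOR, RG_APP),
    Assignment("bob", OWNER, "/subscriptions/sub1"),
]

if __name__ == "__main__":
    alice_groups = {"grp-platform-readers"}
    print(effective_roles(SAMPLE_ASSIGNMENTS, "alice", alice_groups, SA1))
    print(is_authorized(SAMPLE_ASSIGNMENTS, "alice", alice_groups,
                        "Microsoft.Authorization/roleAssignments/write", SA1))
```

Because evaluation is additive, a broad assignment high in the hierarchy (here, Owner on the whole subscription) cannot be narrowed by a smaller one below it; keeping scopes tight is what least privilege means in practice.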
7. Actively monitor for suspicious behavior
Monitor for suspicious behavior by using Azure AD Premium and Azure AD Identity Protection. These tools provide anomaly reports and flag current risks on a dashboard.
You must also create cybersecurity awareness for employees by providing continuous training at regular, timely intervals. Look for a training program that delivers short content bites and real-world simulations in your employees’ workflows and is customized for each person’s role and localization. The right program helps employees understand the threats your organization faces, identify them, and prevent them.
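The anomaly reports mentioned above are produced by rules run over sign-in logs. As an added example, not part of the original post and not Azure AD Identity Protection's own logic, the Python below runs two of the classic rules over constructed sign-in records: successful sign-ins by one user from two countries too close together to be plausible travel, and a burst of failed sign-ins from one address followed by a success (the signature of a guessed password). The log format, thresholds and user names are this example's assumptions; real exports carry many more fields.

```python
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sign-in records (not real logs), one JSON object per line.
SAMPLE_LOG = """
{"ts": "2022-05-01T08:00:00Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "country": "GB", "result": "success"}
{"ts": "2022-05-01T08:40:00Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "country": "JP", "result": "success"}
{"ts": "2022-05-01T09:00:00Z", "user": "bob@contoso.example", "ip": "192.0.2.44", "country": "US", "result": "failure"}
{"ts": "2022-05-01T09:01:00Z", "user": "bob@contoso.example", "ip": "192.0.2.44", "country": "US", "result": "failure"}
{"ts": "2022-05-01T09:02:00Z", "user": "bob@contoso.example", "ip": "192.0.2.44", "country": "US", "result": "failure"}
{"ts": "2022-05-01T09:03:00Z", "user": "bob@contoso.example", "ip": "192.0.2.44", "country": "US", "result": "failure"}
{"ts": "2022-05-01T09:04:00Z", "user": "bob@contoso.example", "ip": "192.0.2.44", "country": "US", "result": "failure"}
{"ts": "2022-05-01T09:05:00Z", "user": "bob@contoso.example", "ip": "192.0.2.44", "country": "US", "result": "success"}
{"ts": "2022-05-01T09:20:00Z", "user": "dave@contoso.example", "ip": "198.51.100.9", "country": "DE", "result": "failure"}
{"ts": "2022-05-01T09:21:00Z", "user": "dave@contoso.example", "ip": "198.51.100.9", "country": "DE", "result": "failure"}
{"ts": "2022-05-01T09:22:00Z", "user": "dave@contoso.example", "ip": "198.51.100.9", "country": "DE", "result": "success"}
{"ts": "2022-05-01T10:30:00Z", "user": "carol@contoso.example", "ip": "203.0.113.10", "country": "GB", "result": "success"}
{"ts": "2022-05-01T13:30:00Z", "user": "carol@contoso.example", "ip": "192.0.2.80", "country": "US", "result": "success"}
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


def parse_log(text: str) -> List[SignIn]:
    """Parse JSON-lines sign-in records and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        r = json.loads(line)
        ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(ts, r["user"], r["ip"], r["country"], r["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def detect_impossible_travel(events: List[SignIn], max_gap=timedelta(hours=2)) -> List[str]:
    """Two successful sign-ins by one user from different countries within `max_gap`."""
    alerts = []
    last_success = {}  # user -> most recent successful sign-in
    for e in events:
        if not e.success:
            continue
        prev = last_success.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= max_gap:
            alerts.append(f"impossible travel: {e.user} {prev.country}->{e.country} "
                          f"within {e.ts - prev.ts}")
        last_success[e.user] = e
    return alerts


def detect_brute_force(events: List[SignIn], threshold: int = 5,
                       window=timedelta(minutes=10)) -> List[str]:
    """At least `threshold` failures for one user from one IP inside `window`,
    then a success from that same IP."""
    alerts = []
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    for e in events:
        q = failures[(e.user, e.ip)]
        while q and e.ts - q[0] > window:
            q.popleft()  # forget failures that fell out of the window
        if e.success:
            if len(q) >= threshold:
                alerts.append(f"brute force then success: {e.user} from {e.ip} "
                              f"after {len(q)} failures")
            q.clear()
        else:
            q.append(e.ts)
    return alerts


def analyze(text: str) -> List[str]:
    events = parse_log(text)
    return detect_impossible_travel(events) + detect_brute_force(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both detectors keep only per-user state and stream through the events once, which is the shape you want if the same logic later runs against a live log feed rather than an export.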
8. Deprovision IAM accounts
As employees leave your organization or their roles change, as guest users no longer require access, or as systems and applications change, deprovision your IAM accounts. These accounts are the identities and roles you created or provisioned for your applications and other resources.
Establish a process that you follow to delete administrator or user accounts when an identity or role no longer needs them. In Azure AD, you can also deprovision entire groups in bulk.
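A deprovisioning process is easier to follow when the candidates are produced mechanically. The Python below is an added example, not part of the original post or of Azure AD's own tooling, that reconciles a directory export against the HR system's list of current staff and a staleness threshold for guests, producing three lists: member accounts to disable, guest accounts to remove, and accounts that need a human review before anything happens. The roster, the directory records and the 90-day threshold are constructed for the demo.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed inputs (not real data).
HR_ACTIVE = {"alice@contoso.example", "bob@contoso.example"}
DIRECTORY = [
    {"upn": "alice@contoso.example", "type": "Member", "last_sign_in": "2022-04-28", "enabled": True},
    {"upn": "bob@contoso.example", "type": "Member", "last_sign_in": "2022-04-30", "enabled": True},
    {"upn": "eve@contoso.example", "type": "Member", "last_sign_in": "2022-01-15", "enabled": True},
    {"upn": "partner_fabrikam.example#EXT#@contoso.example", "type": "Guest", "last_sign_in": "2021-11-02", "enabled": True},
    {"upn": "auditor_ext.example#EXT#@contoso.example", "type": "Guest", "last_sign_in": "2022-04-20", "enabled": True},
    {"upn": "svc-legacy@contoso.example", "type": "Member", "last_sign_in": None, "enabled": True},
    {"upn": "mallory@contoso.example", "type": "Member", "last_sign_in": "2021-06-01", "enabled": False},
]
GUEST_STALE_DAYS = 90


def parse_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def plan_deprovisioning(directory: Iterable[dict], hr_active: set,
                        today: date) -> Dict[str, List[str]]:
    """Classify every enabled account into an action bucket.

    - Members absent from the HR roster are disabled (not deleted) so access stops
      immediately while data and audit history are retained.
    - Guests that never signed in, or not within GUEST_STALE_DAYS, are removed.
    - Non-roster members with no sign-in history are flagged for review: these are
      usually service or shared accounts that nobody in HR owns.
    """
    plan = {"disable_member": [], "remove_guest": [], "review": []}
    cutoff = today - timedelta(days=GUEST_STALE_DAYS)
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled; nothing further to do here
        last = parse_date(acct["last_sign_in"])
        if acct["type"] == "Guest":
            if last is None or last < cutoff:
                plan["remove_guest"].append(acct["upn"])
        elif acct["upn"] not in hr_active:
            bucket = "review" if last is None else "disable_member"
            plan[bucket].append(acct["upn"])
    return plan


if __name__ == "__main__":
    for action, accounts in plan_deprovisioning(DIRECTORY, HR_ACTIVE, date(2022, 5, 1)).items():
        print(action, accounts)
```

Run the plan on a schedule, have the owning team approve the review bucket, and record each action taken; that record is the audit evidence the compliance standards earlier on this page ask for.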
Protect your business from security risks with cyber awareness training
Hackers aren’t going anywhere. They’ll keep coming back for personal identities and more until they get what they want. While IAM in Azure AD is one way to thwart them, it’s not enough. Organizations must demand greater vigilance in their IAM approach; enforce stronger, more secure passwords; and create a culture of security awareness across all levels, departments, teams, and geographic locations.
Don’t let hackers steal your employees’ identities. Protect your organization from security risks by securing IAM on Azure AD and by building a human firewall with CybeReady. To get started, request a demo.