### Install AzureADAssessment Module Source: https://github.com/azuread/azureadassessment/wiki/Home Installs or updates the AzureADAssessment PowerShell module to the latest version. Requires administrative privileges and internet access. Use -Force to overwrite existing versions and -AcceptLicense to automatically accept any license agreements. ```PowerShell Install-Module AzureADAssessment -Force -AcceptLicense ``` -------------------------------- ### Contribution Guidelines Source: https://github.com/azuread/azureadassessment/blob/master/README.md Outlines the process for contributing to the project, including the Contributor License Agreement (CLA) and the adoption of the Microsoft Open Source Code of Conduct. It guides users on how to submit pull requests and find more detailed information. ```Markdown This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. For more detailed guidance and recommendations for contributing, see the page for [contributing](CONTRIBUTING.md). ``` -------------------------------- ### Install MSAL.PS with SkipPublisherCheck Source: https://github.com/azuread/azureadassessment/blob/master/README.md Installs the MSAL.PS module, bypassing the publisher check to resolve Authenticode issuer errors related to certificate changes. ```PowerShell Install-Module MSAL.PS -SkipPublisherCheck -Force ``` -------------------------------- ### Azure AD Assessment Reference Source: https://github.com/azuread/azureadassessment/wiki/Home Provides a reference for Azure AD configuration assessment, used to compare customer configurations against recommendations and document findings in the final report. ```APIDOC AzureADAssessment-Reference: Purpose: Guide for reviewing and documenting Azure AD configuration recommendations. Usage: Compare customer's Azure AD configuration against each recommendation/check. Documentation: Link recommendations in the ReportOut PowerPoint to specific sections in this reference. Sections: - General Configuration Checks - Conditional Access Policies - Identity Synchronization - Hybrid Identity Setup - Security Best Practices ``` -------------------------------- ### Azure AD Connect Sync Performance Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Provides recommendations for optimizing Azure AD Connect synchronization performance based on sync cycle durations and object change trends. It suggests deep dives into setup and hardware guidelines for performance issues and reviews the causes of high add/delete/update volumes. ```APIDOC AzureADConnectSyncPerformance: Recommendations: - If delta sync takes over 30 minutes for 95 percentile: Deep dive and review setup against hardware guidelines. - If significant discrepancies exist between staging and production delta sync performance: Deep dive and review setup against hardware guidelines. - If full sync cycles are not needed: Deep dive to understand why. - If consistent volume trend of add/deletes is over 1% and/or updates is over 10%: Review what's causing it (e.g., a script on-prem touching all objects). Data Sources: - Power BI: Tab "AADCH – Alerts", "Sync Performance", and "Sync – Object Count" Priority: - P2 for sync performance issues. - P3 for high volume trends. Learn More: - https://aka.ms/aadconnectperf - https://support.office.com/en-us/article/prepare-directory-attributes-for-synchronization-with-office-365-by-using-the-idfix-tool-497593cf-24c6-491c-940b-7c86dcde9de0 - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-troubleshoot-sync-errors ``` -------------------------------- ### Generate Azure AD Connect Config Documenter Report Source: https://github.com/azuread/azureadassessment/wiki/Home Generates an HTML report detailing the Azure AD Connect configuration. This report is used to provide recommendations to the customer. Requires the AzureADAssessment module. ```powershell Import-Module AzureADAssessment Expand-AADAssessAADConnectConfig -CustomerName 'Woodgrove' \ -AADConnectProdConfigZipFilePath C:\AzureADAssessment\Woodgrove\AzureADAssessmentData-AADC-PROD.zip \ -AADConnectProdStagingZipFilePath C:\AzureADAssessment\Woodgrove\AzureADAssessmentData-AADC-STAGING.zip \ -OutputRootPath C:\AzureADAssessment\Woodgrove\Report\AADC ``` -------------------------------- ### Install and Update AzureADAssessment Module Source: https://github.com/azuread/azureadassessment/blob/master/README.md Installs the AzureADAssessment module from the PowerShell Gallery or updates it to the latest version. Requires PowerShell. ```PowerShell Install-Module AzureADAssessment -Force -Scope CurrentUser ## If you have already installed the module, run the following instead to ensure you have the latest version. Update-Module AzureADAssessment -Force -Scope CurrentUser ``` -------------------------------- ### Export Portable Module for Offline Installation Source: https://github.com/azuread/azureadassessment/blob/master/README.md Exports a portable version of the AzureADAssessment module to a specified directory, allowing installation on servers without internet access. Requires the AzureADAssessment module. ```PowerShell ## Export Portable Module to "C:\AzureADAssessment". Export-AADAssessmentPortableModule "C:\AzureADAssessment" ``` -------------------------------- ### Complete Azure AD Assessment Reports Source: https://github.com/azuread/azureadassessment/wiki/Home Generates assessment reports using collected Azure AD data. Requires the path to the data file and an output directory for the reports. The command processes the .aad file and creates detailed assessment reports, including Power BI templates. ```PowerShell Complete-AADAssessmentReports ` -Path C:\AzureADAssessment\Woodgrove\AzureADAssessmentData-woodgrove.onmicrosoft.com.aad ` -OutputDirectory C:\AzureADAssessment\Woodgrove\Report ``` -------------------------------- ### AD FS to Azure AD App Migration Report Source: https://github.com/azuread/azureadassessment/wiki/Home Instructions for generating a report on migrating applications from AD FS to Azure AD. This is applicable if the customer has provided AD FS data. ```APIDOC ADFS-to-AzureAD-App-Migration: Instructions: Follow the official documentation for running the analysis from another server. Link: https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration#instructions-if-you-want-to-run-the-analysis-from-another-server Data Requirement: Customer must provide AD FS data. Output: Report detailing application migration readiness and steps. ``` -------------------------------- ### Update PowerShellGet to Latest Version Source: https://github.com/azuread/azureadassessment/blob/master/README.md Updates the PowerShellGet module to the latest version to resolve 'AcceptLicense' parameter errors during module installation. Option 1 uses a script, Option 2 involves manual commands. ```PowerShell iex $(irm 'https://aka.ms/Update-PowerShellGet') Install-PackageProvider NuGet -Scope CurrentUser -Force Install-Module PowerShellGet -Scope CurrentUser -Force -AllowClobber Remove-Module PowerShellGet,PackageManagement -Force -ErrorAction Ignore Import-Module PowerShellGet -MinimumVersion 2.0 -Force Import-PackageProvider PowerShellGet -MinimumVersion 2.0 -Force ``` -------------------------------- ### Azure AD Application Provisioning Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for implementing and improving automated application provisioning in Azure AD to ensure consistent identity lifecycle management across systems. ```APIDOC Application Provisioning Recommendations: - Ad-hoc provisioning to Apps: Implement application provisioning with Azure AD for supported applications; define patterns for unsupported apps (P1) - Provisioning using CSV, JIT, etc., not covering full lifecycle: Implement application provisioning with Azure AD (P2) - Automated and consistent provisioning with on-premises tools (e.g., MIM): Simplify application provisioning with Azure AD for supported applications (P3) ``` -------------------------------- ### Azure AD Connect Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference This section outlines recommendations for optimizing Azure AD Connect configuration. It covers scenarios like importing too many objects, disaster recovery for sync, configuration mismatches, versioning, source anchor selection, custom rule management, and group filtering. ```APIDOC Recommendation: Filter by OU or attributes if too many objects are imported and not exported. Priority: P3 Recommendation: Deploy Azure AD Connect in Staging Mode for disaster recovery/failover. Priority: P2 Recommendation: Re-baseline Azure AD Connect staging mode to match production configuration (versions and configurations) if there's a mismatch. Priority: P2 Recommendation: Operationalize Azure AD Config Documenter to document sync servers and compare configurations if no process exists to compare staging and production changes. Priority: P3 Recommendation: Plan to upgrade Azure AD Connect to the most recent version if the current version is more than 6 months behind. Priority: P2 Recommendation: Use ms-ds-ConsistencyGuid as the source anchor instead of ObjectGuid. Priority: P3 Recommendation: Fix custom rules with precedence values over 100 to avoid conflicts with default sets. Priority: P2 Recommendation: Investigate and simplify overly complex rules. Priority: P3 Recommendation: Transition away from Group Filtering in Production. Priority: P2 Recommendation: Remediate synchronization to come from the proper forests if the synchronized forest is not the same one users log into on their devices. Priority: P2 ``` -------------------------------- ### AD FS Migration to Azure AD Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for migrating applications from Active Directory Federation Services (AD FS) to Azure AD, focusing on Single Sign-On (SSO) configurations and handling uncommon configurations. ```APIDOC AD FS Migration to Azure AD: **Recommendations:** 1. **Applications supporting SSO against Azure AD:** - Re-configure these applications to use SSO with Azure AD. - Priority: P2 2. **Applications using uncommon configurations not supported by Azure AD:** - **Step 1:** Reach out to application owners to confirm if the special configuration is a requirement. - **Step 2a (If not required):** Re-configure the applications to use SSO with Azure AD. - **Step 2b (If required):** Provide configuration details and scenarios to your Microsoft Representative. - Priority: P2 **Learn More:** - Migrate AD FS on-premises apps to Azure AD: [https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure) ``` -------------------------------- ### Windows Hello for Business (WH4B) Deployment Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference This section focuses on the importance and deployment of Windows Hello for Business (WH4B) as a passwordless authentication method for Windows 10 devices. It provides recommendations for organizations that have not yet deployed or are partially deploying WH4B. ```APIDOC Windows Hello for Business (WH4B): - Importance: Replaces passwords with strong two-factor authentication, streamlining MFA and reducing password reliance. - Recommendations: - Customer has Windows 10 devices but WH4B is not deployed or partially deployed: Deploy WH4B to all Windows 10 Devices (Priority P2). - Customer has not started Windows 10 Rollout: Adjust plan to include WH4B as part of the Windows 10 Rollout project (Priority P2). ``` -------------------------------- ### Azure AD Identity Management Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Provides recommendations for managing Azure AD identity lifecycle and operational tasks. It details task ownership and alignment with Microsoft's best practices, including license assignment and identity provisioning. ```APIDOC AzureAD_IdentityManagement_Recommendations: Owners_of_Key_Tasks: Description: "Assign owners to key operational tasks and adjust ownership if misaligned with recommendations." Priority: "P1 for assigning owners, P2 for adjusting ownership." Data_Source: "Interview questions" Recommendations: - "Assign an owner to tasks that miss owners." - "Adjust ownership for tasks where owners are not aligned with reference." Operationalize_Process: Description: "Operationalize processes for Azure AD tasks according to Microsoft's recommendations." Tasks: - Task: "Define process how to create Azure subscriptions" Microsoft_Recommendation: "(Varies by customer)" - Task: "Decide who gets EMS licenses" Microsoft_Recommendation: "IAM Team" - Task: "Decide who gets Office 365 Licenses" Microsoft_Recommendation: "Productivity Team" - Task: "Decide who gets Other Licenses (Dynamics, VSO, etc.)" Microsoft_Recommendation: "Application Owner" - Task: "Assign Licenses" Microsoft_Recommendation: "IAM Operations Team" - Task: "Troubleshoot and Remediate license assignment errors" Microsoft_Recommendation: "IAM Operations Team" - Task: "Provision Identities to Applications in Azure AD" Microsoft_Recommendation: "IAM Operations Team" Learn_More: - "Assigning administrator roles in Azure Active Directory | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal" - "Governance in Azure | Microsoft Docs: https://docs.microsoft.com/en-us/azure/security/governance-in-azure" ``` -------------------------------- ### Azure AD Hybrid Component Upgrade Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for ensuring that on-premises components like Azure AD Connect, Application Proxy Connectors, and Pass-through authentication agents are kept up-to-date with the latest versions. ```APIDOC Hybrid Component Versions: - Components Reviewed: - Azure AD Connect - Azure AD Application Proxy Connectors - Azure AD Pass-through authentication agents - Azure AD Connect Health Agents - Upgrade Recommendations: - No process in place to upgrade hybrid components: - Recommendation: Define a process to upgrade these components, ideally relying on Auto-Upgrade whenever possible. - Priority: P2 - Components more than 6 months behind: - Recommendation: Upgrade components. - Priority: P2 ``` -------------------------------- ### Azure AD On-premises Identity Provisioning Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Addresses synchronization issues between on-premises environments and Azure AD. It focuses on identifying and cleaning up synchronization errors that may cause support incidents. ```APIDOC AzureAD_OnPremises_Sync_Recommendations: Patterns_of_Sync_Issues: Applicability: "Assessments performed by Microsoft Identity team" Description: "Cleanup objects in errors that have lingered for more than 100 days, as they might not be relevant." Priority: "P3" Data_Source: "Power BI: Tab \"AADCH – Alerts\", \"Sync Performance\", and \"Sync – Object Count\"" Recommendations: - "Cleanup of objects in errors lingering for more than 100 days." ``` -------------------------------- ### Project File Structure Source: https://github.com/azuread/azureadassessment/blob/master/README.md Lists the main files and folders within the Azure AD Assessment project, providing a brief description of each. This includes build scripts, source code, test scripts, configuration files, and documentation. ```Markdown | File/folder | Description | |-------------------|---------------------------------------------------------| | `build` | Scripts to package, test, sign, and publish the module. | | `src` | Module source code. | | `tests` | Test scripts for module. | | `.gitignore` | Define what to ignore at commit time. | | `README.md` | This README file. | | `LICENSE` | The license for the module. | ``` -------------------------------- ### Azure AD Seamless SSO Implementation Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for deploying Seamless Single Sign-On (SSO) to improve user authentication experience on-premises. ```APIDOC Deploy Seamless SSO: - Scenario: Customer uses cloud-managed authentication (PHS or PTA) but users are prompted for passwords on-premises. - Priority: P1 - Related: Password Hash Sync (PHS), Password Hash Sync (PTA), User Experience. ``` ```APIDOC Plan Seamless SSO Migration: - Scenario: Customer is federated and plans to migrate to cloud-managed authentication. - Recommendation: Plan to deploy Seamless SSO as part of the migration project. - Priority: P2 - Related: Federated Authentication, Cloud Managed Authentication, Migration Planning. ``` -------------------------------- ### Azure AD 'All Users' Group Assignment Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Guidance on the use of the 'All users' dynamic group for application assignments, highlighting potential issues with guest users and recommending best practices. ```APIDOC All Users Group Assignment Recommendations: - 'All users' enabled, apps assigned, guests not desired: Fix entitlements by creating appropriate groups (e.g., 'all members') (P1) - 'All users' enabled, not used for resource access: Double-check operational guidance to intentionally include members and guests (P2) ``` -------------------------------- ### Azure AD Licensing Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for managing Azure AD licenses, including addressing errors, automating assignments with Group Based Licensing (GBL), and improving lifecycle management. ```APIDOC Licensing Recommendations: - Outstanding licensing errors: Triage and remediate (P1) - Ad-hoc manual license assignment: Deploy Group Based Licensing (GBL) (P1) - Standardized manual license assignment: Deploy Group Based Licensing (GBL) (P2) - On-premises tools for license assignment: Offload assignment, deploy GBL, define group lifecycle management (P3) - Inconsistent Joiners/Movers/Leavers process: Define lifecycle management improvements, define group membership lifecycle if GBL is deployed (P2) - GBL with on-premises groups lacking lifecycle management: Consider cloud groups for delegated ownership, dynamic membership (P3) - No monitoring of licensing errors: Define process improvements to discover and address errors (P2) - License count less than users, no Assigned vs. Available monitoring: Define improvements to monitor licensing assignment (P2) ``` -------------------------------- ### Azure AD Application Assignment Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for managing application assignments in Azure AD. Focuses on using groups for flexibility and scale, and implementing attestation and governance for direct assignments and group management. ```APIDOC App Assignment Best Practices: 1. **Assign users to applications using groups:** - Leverage dynamic group membership based on attributes. - Delegate group management and governance to application owners. - Allow self-service access to applications. - Define dynamic groups based on user attributes for access determination. 2. **Implement attestation/governance for assignments:** - For applications with direct user assignments and no attestation, implement attestation. - For applications with group assignments and no group attestation, implement group attestation. 3. **Manage IT-managed groups for application access:** - Improve management at scale by delegating group management and governance to application owners. - Enable self-service access to applications. - Define dynamic groups if user attributes can consistently determine access. ``` -------------------------------- ### On-Premises Agents Management Best Practices Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Assesses the management of on-premises agents, focusing on high availability and troubleshooting capabilities. Recommends deploying multiple agents/connectors and utilizing debug groups with necessary tools. ```APIDOC Check: On-Premises Agents management Description: Assesses the adoption of best practices for optimal operation of on-premises agents. Recommendations: - Deploy at least two connectors in production connector groups for Azure AD Application Proxy to allow failover (Priority P2). - Deploy at least two pass-through authentication agents to allow high availability (Priority P2). - Create an App Proxy connector group for debugging purposes, useful for onboarding new on-premises applications (Priority P3). - Deploy debugging tools (e.g., Message Analyzer, Fiddler) in the App Proxy connector within the debug connector group (Priority P3). Data Source: Interview Questions ``` -------------------------------- ### Import and Run Hybrid Data Collection Source: https://github.com/azuread/azureadassessment/blob/master/README.md Imports the AzureADAssessment module and initiates hybrid data collection. ```PowerShell Import-Module "C:\AzureADAssessment\AzureADAssessmentPortable.psm1" Invoke-AADAssessmentHybridDataCollection ``` -------------------------------- ### Azure AD Notification Configuration Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Details recommendations for configuring Azure AD notifications to ensure administrators receive timely updates on service changes, configuration needs, and errors. It covers data sources and specific actions for different scenarios. ```APIDOC Check: Notifications Why is this important? Microsoft sends email communications to administrators to notify various changes in the service, configuration updates that are needed, and errors that require admin intervention. It is very important that customers set the notification email addresses, to be sent to the proper team members who can acknowledge and act upon all notifications. Also, customer email infrastructure should be configured to relay email properly. Recommendations: Where to find the data for this check? - Power BI: Tab "Roles & Notifications" - Screenshots: "Office Portal" – "Message Center Settings" - Admin Portal Interview Questions If you find … | We recommend … | With this suggested priority … … Technical Notification is not set to a distribution list (DL) or shared mailbox | Move technical notification to a DL | P1 … Office 365 Message Center does not contain a DL or Shared Mailbox | Add multiple recipients to Office 365 message center | P1 … Only one global admin has an email address (mail attribute, or alternate email) | Allow at least two e-mail capable accounts | P1 … Azure AD Connect Health is not configured DL or Shared Mailbox for alert notification | Enable Shared Mailbox or a DL for Azure AD Connect Health notifications | P1 Additional Reference: "From" Addresses used by Azure AD From Address | What does it send | o365mc@email2.microsoft.com | Office 365 Message Center azure-noreply@microsoft.com | Azure AD Access ReviewsAzure AD Connect HealthAzure AD Identity ProtectionAzure AD Privileged Identity ManagementEnterprise App Expiring Certificate NotificationsEnterprise App Provisioning Service Notifications Notifications sent by Azure AD Notification source | What is sent? | Where to check? Technical contact | Sync Errors | Azure Portal – Properties Blade Office 365 Message Center | Incident and degradation notices of Identity Services and O365 backend services | Office Portal Identity Protection Weekly Digest | Identity Protection Digest | Azure AD Identity Protection Blade Azure AD Connect Health | Alert notifications | Azure Portal - Azure AD Connect Health Blade Enterprise Applications Notifications | Notifications when certificates are about to expire and provisioning errrors | Azure Portal – Enterprise Application Blade(Each application has its own email address setting) Learn More: - Change your organization's address, technical contact, and more - Office 365: https://support.office.com/en-us/article/change-your-organization-s-address-technical-contact-and-more-a36e5a52-4df2-479e-bb97-9e67b8483e10 - Message center in Office 365 - Office 365: https://support.office.com/en-us/article/message-center-in-office-365-38fb3333-bfcc-4340-a37b-deda509c2093 - Azure Active Directory Identity Protection notifications | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-notifications - Azure Active Directory Connect Health operations | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-operations#enable-email-notifications - Azure Active Directory Reporting Notifications | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-notifications ``` -------------------------------- ### Azure AD Access Management: Key Operational Processes Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Focuses on the importance of assigning owners to key operational tasks in Azure AD for optimized environment operation. It outlines recommendations for assigning and adjusting ownership based on task alignment. ```APIDOC AzureADAccessManagementKeyTasks: Category: Access Management Key Operational Processes: Check: Owners of Key Tasks Importance: Managing Azure AD requires continuous execution of key operational tasks and processes for optimized environment operation. Recommendations: - If tasks miss owners: Assign an owner (Priority P1). - If tasks have owners not aligned with reference: Adjust ownership (Priority P2). Data Sources: - Interview questions Additional Reference: Operationalize process per suggestions: Task: Manage lifecycle of SSO Configuration in Azure AD | Microsoft Recommendation: IAM Operations Team Task: Design Conditional Access Policies for Azure AD Applications | Microsoft Recommendation: InfoSec Architecture Team Task: Archive Sign-In Activity in a SIEM system | Microsoft Recommendation: InfoSec Operations Team Task: Archive Risk Events in a SIEM system | Microsoft Recommendation: InfoSec Operations Team Task: Triage Security Reports | Microsoft Recommendation: InfoSec Operations Team Task: Triage Risk Events | Microsoft Recommendation: InfoSec Operations Team Task: Triage Users Flagged for risk, and Vulnerability reports from Azure AD Identity Protection (P2) | Microsoft Recommendation: InfoSec Operations Team Task: Investigate Security Reports | Microsoft Recommendation: InfoSec Operations Team Task: Investigate Risk Events | Microsoft Recommendation: InfoSec Operations Team Task: Investigate Users Flagged for risk, and Vulnerability reports from Identity Protection (P2) | Microsoft Recommendation: InfoSec Operations Team Learn More: - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles-azure-portal - https://docs.microsoft.com/en-us/azure/security/governance-in-azure ``` -------------------------------- ### Azure AD Authentication Options Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for aligning authentication choices with Microsoft's best practices for hybrid identity solutions. ```APIDOC Align Authentication with Microsoft Recommendation: - Purpose: Ensure authentication methods meet Microsoft's recommended standards. - Context: Applies when current authentication choices differ from aka.ms/auth-options. - Benefits: Enhances security and user experience in hybrid environments. - Related: Password Hash Sync, Seamless SSO, Federated Authentication. ``` -------------------------------- ### Conditional Access Policy Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference This section details recommended actions for various Conditional Access policy configurations. It covers best practices for excluding users and groups, managing break-glass accounts, blocking legacy authentication, avoiding common misconfigurations, ensuring adequate coverage for guests and specific applications like Office 365 and Azure Management, cleaning up stale data, and implementing network location-based policies. ```APIDOC Conditional Access Policy Best Practices: 1. Exclusion Strategy: - Policies with No Users or Groups Excluded: Recommend excluding at least one group. - Policies with Individual Non-BGA Users Excluded: Recommend grouping users and excluding the group. - Policies with Only Groups Excluded: Recommend excluding at least two Break Glass Accounts (BGAs). 2. Inclusion Strategy: - Policies that Only Include Users: Recommend grouping users and including the group. - Policies that Include Both Users and Groups: Recommend consolidating included users into existing groups or a new group. 3. Break Glass Hygiene: - Less than two Break Glass Accounts: Recommend reviewing policies to ensure at least two common Global Admins are excluded from every CA policy. 4. Legacy Authentication: - No Policies that Block Legacy Authentication: Recommend creating a CA policy that blocks legacy authentication. 5. Bad Practice Avoidance: - Policies blocking access for all users/apps: Review to prevent organizational lockout. - Policies requiring compliant device access for all users/apps: Review to avoid locking out users without enrolled devices. - Policies requiring Azure AD Hybrid Joined devices for all users/apps: Review to avoid locking out users without domain-joined devices. - Policies requiring App Protection Policy for all users/apps: Review to prevent organizational lockout if Intune policies are missing. - Policies blocking all users, apps, and device platforms: Review to prevent organizational lockout. 6. App Lockout Risk: - Policies blocking with all apps filter: Review to prevent user lockout. 7. Guest Coverage: - No Policies Explicitly Including Guests: Recommend creating a policy targeting guests. - No Policies Requiring Guest MFA for All Apps: Recommend creating a policy for guests requiring MFA for all applications. - Policies Requiring Azure AD Hybrid Joined or Compliant Devices for Guests: Review to avoid locking out guest users. - Policies Using "All Users" Filter Impacting Guests: Review to ensure intended impact on guests. 8. Office 365 Coverage: - No Explicit Policies targeting Office 365 App Group: Recommend creating a policy targeting the Office 365 App Group. - Policies Using Individual Office 365 Apps: Recommend using the Office 365 App Group instead. - Policies without Client MAM for Office 365 Apps: Recommend adding "Require App Protection Policy" grant control. 9. Azure Management Coverage: - No Policy Explicitly Including Microsoft Azure Management App: Recommend creating a policy including the Microsoft Azure Management App. 10. Stale Inclusion/Exclusion: - Stale Users, Apps or Groups in CA Policies: Recommend re-saving policies to trigger automatic removal of stale data. 11. Network Locations: - No Named Locations Marked as Trusted: Recommend marking at least one named location as "Trusted". - No Policies Blocking Based on Countries AND No Policies Blocking All Besides Certain Countries AND Customer has Parts of the World they don't do Business with: Recommend creating a policy to block specific countries or allow only trusted countries. ``` -------------------------------- ### Privileged Accounts Management Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Provides recommendations for managing privileged accounts in Azure AD. Focuses on reducing standing access, implementing security gates, removing unnecessary access, and reviewing access regularly. It highlights the importance of PIM and MFA for securing administrative roles. ```APIDOC Privileged Accounts Management: Recommendations: - Admins have standing access using their day-to-day accounts: Deploy PIM (if licenses available) or use separate accounts (Priority P0). - No security gates/process for privileged accounts: Define strong authentication for privileged roles (separate admin account with MFA, or PIM with P2 licenses) (Priority P1). - No strategy to remove unnecessary access: Review privileged accounts (e.g., global admins) and assign less privileged roles (Priority P1). - No strategy to review access: Define Access Reviews for privileged accounts (automated via PIM or manual process) (Priority P2). - Strategy to review access exists but not automated/regular: Define Access Reviews for privileged accounts (automated via PIM or manual process) (Priority P2). - Non-human, no emergency access accounts: Clean up non-human, non-emergency access privileged accounts (Priority P2). Dependencies: Azure AD Premium licensing for PIM. Related: Azure AD Access Reviews, Emergency Access Accounts. ``` -------------------------------- ### Azure AD Access Reviews Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Establishes a regular access review process for all external identities. Recommends using Azure AD Access Reviews if proper licensing is available. This addresses scenarios where no process or ad-hoc reviews are found, or when the process doesn't cover all external identity types. ```APIDOC Azure AD Access Reviews: Purpose: Establish a regular access review process for all external identities. Recommendation: Consider using Azure AD Access Reviews if proper licensing is available. Priority: P2 (if no process or ad-hoc reviews, or process doesn't cover all external identities), P3 (if process exists but is not automated/periodic, or is on-premises). Dependencies: Azure AD Premium licensing for full automation. Related: Privileged Accounts Management, Emergency Access Accounts. ``` -------------------------------- ### Azure EA Portal Authorization Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for managing Microsoft Accounts and EA portal authorization settings to enhance security and streamline access control within the Enterprise Agreement portal. ```APIDOC EA Portal Authorization: - Mixed Mode Authorization: - Recommendation: Configure EA portal to use Azure AD accounts only. - Priority: P2 - Microsoft Accounts with Privileged Access: - Recommendation: Remove Microsoft Accounts from all privileged access in the EA portal. - Priority: P1 - Delegated Roles: - Recommendation: Identify and Implement delegated roles for departments and accounts. - Priority: P3 ``` -------------------------------- ### Azure AD Device Registration and Conditional Access Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference This section details recommendations for ensuring Windows devices are registered in Azure AD and utilized within Conditional Access policies. It covers scenarios for domain-joined devices and devices managed via MDM, emphasizing the use of Hybrid Azure AD Join and Compliant Device controls. ```APIDOC Conditional Access Policies: - Require Managed Devices: - Description: Enforces that only managed devices can access cloud applications. - Controls: - Hybrid Azure AD Join: For domain-joined devices registered in the cloud. - Compliant Device: For devices managed by MDM (e.g., Intune). - Priority: P2 - Use Cases: - Domain Joined Windows Devices not registered in cloud: Register devices and use Hybrid Azure AD Join. - Domain Joined Windows Devices registered but not used in policies: Use Hybrid Azure AD Join as a control. - Windows 10 devices managed by MDM, controls not used: Use Compliant Device as a control. - Mobile devices managed by Intune, controls not used: Use Compliant Device as a control. ``` -------------------------------- ### Azure AD Testing Strategies Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Provides recommendations for testing various types of changes in Azure AD, such as authentication type modifications, policy rollouts, application onboarding, and sync rule updates. It suggests approaches like using test domains, assigning policies to test users, and creating parallel environments. ```APIDOC Change Type: Authentication Type (Federated to Password Hash Sync / Pass Through Authentication and vice versa) Recommended Testing Approach: Test Domain in the same tenant. Create accounts in the test domain. Change Type: Roll out a new CA policy or Identity Protection Policy Recommended Testing Approach: Create a new CA Policy, assign to test users. Change Type: Onboard a test environment of an Application Recommended Testing Approach: Add it to a production environment, hide it from My Apps panel, and assign to test users during QA phase. Change Type: Change of Sync Rules Recommended Testing Approach: Do the changes in a test Azure AD Connect with the same configuration that is currently in production and analyze CSExport Results. If satisfied, swap to prod if / when ready. Change Type: Change of Branding Recommended Testing Approach: Test in a separate test tenant. Change Type: Roll Out a new Feature Recommended Testing Approach: If the feature supports roll out to a target set of users, identify pilot users and build out. Change Type: Cut Over Application from on premises Identity provider (IdP) to Azure AD Recommended Testing Approach: If the app supports multiple IdP configurations (e.g. Salesforce), configure both and test Azure AD during a change window (in case the application introduces HRD page). If the App does not support multiple IdP, schedule the testing during change control window and program downtime. Change Type: Update Dynamic Group Rules Recommended Testing Approach: Create a parallel dynamic group with the new rule. Compare against the calculated outcome (e.g. Run PowerShell with the same condition). If test pass, swap the places where the old group was used (if feasible). Change Type: Migrate product licenses Recommended Testing Approach: Follow steps [https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-product-migration] from [How to safely migrate users between product licenses by using group-based licensing in Azure Active Directory | Microsoft Docs]. Change Type: Change AD FS Rules (Authorization, Issuance, MFA) Recommended Testing Approach: Use group claim to target subset of users. Change Type: Change AD FS Authentication Experience or similar farm-wide changes Recommended Testing Approach: Create a parallel farm with same host name, implement config changes, test from clients using HOSTS file, NLB routing rules or similar routing.If the target platform does not support HOSTS files (e.g. mobile devices), control change. ``` -------------------------------- ### Conditional Access Implementation Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for implementing Conditional Access policies to enhance organizational security, including ensuring all SaaS applications have policies, migrating legacy policies, and establishing core policy sets. ```APIDOC Ensure that all SaaS applications will have at least one policy applied Priority: P1 Migrate all "legacy" policies to the Azure Portal Priority: P1 Customer still has per-user MFA Priority: P2 Catch-all criteria for users, devices, and applications Priority: P1 Have a small set of core policies that can apply to multiple applications Priority: P2 ``` -------------------------------- ### Client Application Access Policies Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Recommendations for deploying Mobile Application Management (MAM) policies to manage application configuration on personal devices and restrict access to corporate resources from MAM-capable clients. ```APIDOC Deploy application MAM policies to manage the application configuration in personal owned devices without MDM enrollment. Update Conditional Access policies to only allow access from MAM capable clients. Priority: P1 Deploy application MAM policies to manage the application configuration and be future proof for personal devices. Update Conditional Access policies to only allow access from MAM capable clients. Priority: P3 ``` -------------------------------- ### Azure AD Access Reviews for Applications Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Addresses the importance of regular access reviews for applications to manage user entitlements and prevent accumulation of unnecessary access. It recommends establishing automated processes, potentially using Azure AD Access Reviews, for organizations lacking a formal review strategy. ```APIDOC Check: Access Reviews to Applications If you find … No process or ad-hoc access reviews of applications access We recommend … Establish a regular access review process for applications. If there is proper licensing in the tenant, consider using Azure AD Access Reviews With this suggested priority … P2 If you find … There is a process, but it is not automated We recommend … If there is proper licensing in the tenant, consider using Azure AD Access Reviews With this suggested priority … P3 If you find … There is a process but it is on-premises We recommend … If there is proper licensing in the tenant, consider using Azure AD Access Reviews With this suggested priority … P3 Learn More: [Azure AD access reviews | Microsoft Docs](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-access-reviews-overview) ``` -------------------------------- ### Azure AD Device Trust Access Policies Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Explanation of how device trust and conditional access policies enhance security and usability in Azure AD. ```APIDOC Device Trust Access Policies in Azure AD: - Purpose: Improve security and usability by authenticating devices and their trust type. - Benefits: 1. Avoid friction (e.g., MFA) for trusted devices. 2. Block access from untrusted joined devices. - Management Tools: - Microsoft Intune: Manages devices, enforces compliance, attests health, sets conditional access policies. - Hybrid Azure AD Join: Enables conditional access based on domain join status. - Enforcement: - Device Management and Compliance: Enforced externally via Group Policy Objects, System Center Configuration Manager, etc. - Related: Conditional Access, Microsoft Intune, Hybrid Azure AD Join, Device Management. ``` -------------------------------- ### Identity Secure Score Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Provides recommendations for improving the Identity Secure Score in Azure AD. It details where to find the data and suggests priorities for remediation actions. ```APIDOC Check: Identity Secure Score Why is this important? The Identity Secure Score provides a quantifiable measure of the security posture of your organization. It is key to constantly review and address findings reported and strive to have the highest score possible. Recommendations: Where to find the data for this check? - Screenshots: "Security" – "Identity Security Score" - Admin Portal Interview Questions If you find … | We recommend … | With this suggested priority … … No plan/initiative to monitor changes in the Identity Secure Score | … implement a plan and assign owners to monitor and drive the Improvement Actions | P2 … Outstanding high score (>30) Improvement Actions | .. remediate and plan implementations of Improvement actions | P1 Learn More: - What is Identity secure score in Azure AD? - preview | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score ``` -------------------------------- ### Azure AD Connect Delta Sync Cycle Baseline Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Information regarding the importance of understanding Azure AD Connect delta synchronization volumes and ensuring predictable synchronization times. Applicable to assessments by the Microsoft Identity team. ```APIDOC Azure AD Connect Delta Sync Cycle Baseline: - Importance: Understand change volume and synchronization time predictability. - Default delta sync frequency: 30 minutes. ``` -------------------------------- ### Azure AD Password Policy Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference This section details recommendations for Azure AD password policies to enhance security. It covers aspects like preventing weak passwords, detecting leaked passwords, and moving away from complexity-based rules towards more robust methods. ```APIDOC Password Policy Recommendations: 1. **No mechanism to protect against weak passwords** - Recommendation: Deploy Azure AD SSPR and password protection. - Priority: P1 2. **No mechanism to detect leaked passwords** - Recommendation: Deploy password hash sync (PHS) to gain insights. - Priority: P1 3. **Password policy uses complexity-based rules (Length, Multiple Character Sets, Expiration)** - Recommendation: Reconsider in favor of Microsoft Recommended Practices and switch to passwords that are not easy to guess, to either not expire or a long expiration period. - Priority: P2 4. **No MFA registration of users at scale** - Recommendation: Register all users for MFA, so it can be used as a mechanism to authenticate in addition to just passwords. - Priority: P2 5. **No revocation of passwords based on user risk and customer has P2 licenses** - Recommendation: Deploy Identity Protection User Risk Policies. - Priority: P2 6. **No smart lockout mechanism to protect malicious authentication from bad actors coming from identified IP addresses** - Recommendation: Deploy cloud managed authentication with either password hash sync (PHS) or pass-through authentication (PTA). - Priority: P2 7. **Customer has AD FS and it is not feasible to move to managed authentication and Extranet Soft Lockout is not deployed, or Smart Lockout is not deployed** - Recommendation: Deploy AD FS extranet soft lockout and / or Smart Lockout. - Priority: P1 ``` -------------------------------- ### Azure AD Reporting API with Certificates Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Guidance on using certificates with the Azure AD Reporting API for secure data retrieval. ```APIDOC Get data using the Azure AD Reporting API with certificates: - Purpose: Securely retrieve data from Azure AD using certificate-based authentication. - Benefits: Enhances security compared to traditional credential methods. - Related: Azure AD Reporting API, Certificates, Authentication. ``` -------------------------------- ### Azure AD Reporting API Reference Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference Provides information on accessing Azure Active Directory audit and sign-in activity logs via REST APIs. It covers using certificates for authentication and integrating with Azure Monitor. ```APIDOC Azure Active Directory audit API reference | Microsoft Docs https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-audit-reference Azure Active Directory sign-in activity report API reference | Microsoft Docs https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-sign-in-activity-reference Get data using the Azure AD Reporting API with certificates | Microsoft Docs https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-with-certificates Microsoft Graph for Azure Active Directory Identity Protection | Microsoft Docs https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection-graph-getting-started Office 365 Management Activity API reference | MSDN https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference Azure Active Directory activity logs in Azure Monitor (preview) | Microsoft Docs https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-activity-logs-in-azure-monitor ``` -------------------------------- ### Azure AD Strong Credential Management Recommendations Source: https://github.com/azuread/azureadassessment/wiki/Assessment-Reference This section provides recommendations for strengthening credential management in Azure AD, emphasizing the importance of MFA and self-service password reset (SSPR) for enhanced security. ```APIDOC Strong Credential Management Recommendations: 1. **Not all privileged accounts are registered and using MFA** - Recommendation: Enable MFA for all privileged accounts. - Priority: P0 2. **Not all users are registered with MFA** - Recommendation: Plan to register MFA to all users. - Priority: P1 3. **MFA is not part of authentication policies (e.g. Conditional Access, Per User MFA, IdP on prem MFA) at all** - Recommendation: Protect user authentication with MFA using Conditional Access. - Priority: P1 4. **MFA is part of authentication policies using per-user MFA (old policies) or on-prem IDP rules** - Recommendation: Upgrade authentication policies to use Conditional Access. - Priority: P2 5. **Users are configured with only one kind of MFA credentials** - Recommendation: Register additional factors for users per guidance on https://aka.ms/resilientaad. ```