In the on-premises world, most organizations separate regular ‘user’ accounts from Microsoft 365 administrator accounts. This means that an IT administrator has at least two different accounts: one that’s used for day-to-day office work (including signing into their personal workstation) and another for administrative tasks performed on servers or in Active Directory. When these on-premises organizations eventually migrate to the cloud, I’ve observed many instances where admins will shift to one, combined account.

Often when I’m discussing this subject with customers, I hear pushback around why separate accounts are still required, to the tune of “If Privileged Identity Management is in place, why do we need separate accounts? By default, the accounts don’t have any permissions, they only become active when a user activates the PIM role.” While this is certainly a valid statement, there are remaining security concerns which necessitate the operation of separate accounts, and the fact is many organizations without PIM aren’t separating user and administrator accounts like they should.

In this article, I explain the importance of using separate accounts, detail how to target different Conditional Access policies for admin and user accounts (thereby limiting the attack surface for a potential “Pass-the-PRT attack”), and highlight how this approach can increase your security posture and limit potential attack vectors against Microsoft 365 administrator accounts.

Phishing is the number one way for an attacker to breach a user account. Whether it’s a phishing attack through email or a potential malicious Teams message, phishing attacks are omnipresent. However, you can drastically decrease the chances of a phishing attack just by operating a separate admin account. Since that account doesn’t need a license attached to it and doesn’t have a mailbox or Teams, no phishing emails will be received by the account, therefore phishing emails can’t affect it.

If you still wish to receive emails which are meant for the admin account (such as Product Updates from Microsoft), you can configure an alternative email that will ensure emails are sent to your primary user’s inbox. As a best practice, use plus addressing for this email account to verify the source of the email.

## Security Policies

By having two separate accounts, you can target different Conditional Access policies for your administrator accounts compared to your regular user accounts. While we can use Conditional Access to target administrator roles, this filter doesn’t provide us with enough granularity. I like to implement a set of ‘basic admin Conditional Access policies’ which includes the following:

- Always prompt for Multifactor Authentication, with no exclusions.
- Microsoft will be turning off legacy authentication for Exchange Online starting October 2022, and it’s my recommendation to start implementing these controls beforehand to avoid a big bang.
- Only allow sign-ins from compliant devices (Intune devices which adhere to a compliance policy).
- Only allow sign-ins from Windows and macOS devices.
- Require a password change when the account has a risk associated with it.

While these policies are assignable to regular user accounts, they would cause a hindrance because the policies generate constant MFA prompts and only permit logins from a limited subset of devices.
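The policy set and the plus-addressed alternate email described above, as an added example that is not code from the original article. It uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` and `Microsoft.Graph.Users`) and targets a dedicated group of admin accounts instead of directory roles, which is the granularity point made above. The group name `SG-Admin-Accounts`, the admin account `adm-jane@contoso.com` and the mailbox `jane@contoso.com` are constructed sample values, not from the article.

```powershell
# Added example, not code from the original article. Creates the 'basic admin
# Conditional Access policies' described above with the Microsoft Graph
# PowerShell SDK and sets a plus-addressed alternate email on an admin account.
# Assumptions (not from the article): admin accounts are members of a group
# named 'SG-Admin-Accounts'; 'adm-jane@contoso.com' and 'jane@contoso.com'
# are constructed sample values.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All', 'User.ReadWrite.All'

# Target a dedicated group of admin accounts rather than directory roles:
# role targeting would also catch a combined user/admin account holding the
# role, which is exactly what separate accounts are meant to avoid.
$adminGroupId = (Get-MgGroup -Filter "displayName eq 'SG-Admin-Accounts'").Id

function New-AdminCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    # Scope every policy to the admin group only (no exclusions) and default
    # to all cloud apps and all client app types unless the caller narrows them.
    $Conditions['users'] = @{ includeGroups = @($adminGroupId) }
    if (-not $Conditions.ContainsKey('applications')) {
        $Conditions['applications'] = @{ includeApplications = @('All') }
    }
    if (-not $Conditions.ContainsKey('clientAppTypes')) {
        $Conditions['clientAppTypes'] = @('all')
    }
    $body = @{
        displayName   = $DisplayName
        # Start in report-only so the sign-in logs show the impact before enforcement.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Always require MFA, with no exclusions.
New-AdminCaPolicy -DisplayName 'ADM - Require MFA' `
    -Conditions @{} `
    -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }

# 2. Block legacy authentication protocols, which cannot satisfy an MFA prompt.
New-AdminCaPolicy -DisplayName 'ADM - Block legacy authentication' `
    -Conditions @{ clientAppTypes = @('exchangeActiveSync', 'other') } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# 3. Only allow sign-ins from Intune-compliant devices.
New-AdminCaPolicy -DisplayName 'ADM - Require compliant device' `
    -Conditions @{} `
    -GrantControls @{ operator = 'OR'; builtInControls = @('compliantDevice') }

# 4. Only allow Windows and macOS: block every platform except those two.
New-AdminCaPolicy -DisplayName 'ADM - Block platforms other than Windows and macOS' `
    -Conditions @{ platforms = @{ includePlatforms = @('all'); excludePlatforms = @('windows', 'macOS') } } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# 5. Require a password change (Graph requires MFA alongside it) when
#    Identity Protection flags user risk on the account.
New-AdminCaPolicy -DisplayName 'ADM - Password change on user risk' `
    -Conditions @{ userRiskLevels = @('medium', 'high') } `
    -GrantControls @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }

# Alternate email for the unlicensed, mailbox-less admin account, using plus
# addressing so mail meant for the admin account is recognisable in the primary
# inbox. 'otherMails' is the attribute behind the portal's 'Alternate email'.
Update-MgUser -UserId 'adm-jane@contoso.com' -OtherMails @('jane+admin@contoso.com')
```

Two caveats on the design: the device-platform condition is derived from the client's user agent, so policy 4 is a convenience filter rather than a security boundary, and policy 3 (compliant device) is the control that actually stops unmanaged devices; policy 5 depends on Identity Protection user-risk signals, which require Microsoft Entra ID P2. Each policy is created in report-only mode so you can review the Conditional Access results in the sign-in logs before switching `state` to `enabled`.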