Having robust health monitoring and threat detection capabilities is one of the six pillars of the Secure Future Initiative. These guidelines are designed to help you set up a comprehensive logging system for archival and analysis. We include recommendations related to the triage of risky sign-ins, risky users, and authentication methods.
The first step to aligning with this pillar is to configure diagnostic settings for all Microsoft Entra logs so all changes made in your tenant are stored and accessible for analysis. Other recommendations in this pillar focus on the timely triage of risk alerts and Microsoft Entra recommendations. The key takeaway is to know what logs, reports, and health monitoring tools are available and to monitor them regularly.
Security guidance
Diagnostic settings are configured for all Microsoft Entra logs
The activity logs and reports in Microsoft Entra can help detect unauthorized access attempts or identify when tenant configuration changes. When logs are archived or integrated with Security Information and Event Management (SIEM) tools, security teams can implement powerful monitoring and detection security controls, proactive threat hunting, and incident response processes. The logs and monitoring features can be used to assess tenant health and provide evidence for compliance and audits.
If logs aren't regularly archived or sent to a SIEM tool for querying, it's challenging to investigate sign-in issues. The absence of historical logs means that security teams might miss patterns of failed sign-in attempts, unusual activity, and other indicators of compromise. This lack of visibility can prevent the timely detection of breaches, allowing attackers to maintain undetected access for extended periods.
Remediation action
- Configure Microsoft Entra diagnostic settings
- Integrate Microsoft Entra logs with Azure Monitor logs
- Stream Microsoft Entra logs to an event hub
Privileged role activations have monitoring and alerting configured
Organizations without proper activation alerts for highly privileged roles lack visibility into when users access these critical permissions. Threat actors can exploit this monitoring gap to perform privilege escalation by activating highly privileged roles without detection, then establish persistence through admin account creation or security policy modifications. The absence of real-time alerts enables attackers to conduct lateral movement, modify audit configurations, and disable security controls without triggering immediate response procedures.
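One way to build the missing alert, as an added example that is not part of this guidance or any Microsoft tool: the function below scans Microsoft Entra audit log records for completed PIM activations of highly privileged roles. The role list, the sample records and the field names (assumed to follow the Microsoft Graph directoryAudit schema) are assumptions for this example.

```python
"""Flag PIM activations of highly privileged roles in Microsoft Entra audit log records."""
import json

# Roles whose activation should page someone. Constructed for this example;
# extend it to match the roles your organization treats as highly privileged.
HIGHLY_PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "Conditional Access Administrator",
}

# Activity name written when a PIM role activation completes (assumed to match the
# Graph directoryAudit schema; verify against your own tenant's audit log).
PIM_ACTIVATION = "Add member to role completed (PIM activation)"


def privileged_activations(records):
    """Return (actor, role, timestamp) for every completed PIM activation of a privileged role."""
    alerts = []
    for rec in records:
        if rec.get("category") != "RoleManagement":
            continue
        if rec.get("activityDisplayName") != PIM_ACTIVATION:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        # The activated role is listed among targetResources with type "Role".
        for target in rec.get("targetResources", []):
            if target.get("type") == "Role" and target.get("displayName") in HIGHLY_PRIVILEGED_ROLES:
                alerts.append((actor, target["displayName"], rec.get("activityDateTime")))
    return alerts


# Constructed sample records (not real tenant data), shaped like Graph directoryAudit objects.
SAMPLE_AUDIT_LOG = json.loads("""[
  {"category": "RoleManagement", "activityDateTime": "2024-05-01T08:02:11Z",
   "activityDisplayName": "Add member to role completed (PIM activation)",
   "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Global Administrator"},
                       {"type": "User", "displayName": "alice@contoso.example"}]},
  {"category": "RoleManagement", "activityDateTime": "2024-05-01T08:05:40Z",
   "activityDisplayName": "Add member to role completed (PIM activation)",
   "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Helpdesk Administrator"}]},
  {"category": "RoleManagement", "activityDateTime": "2024-05-01T08:07:03Z",
   "activityDisplayName": "Add member to role requested (PIM activation)",
   "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
   "targetResources": [{"type": "Role", "displayName": "Security Administrator"}]}
]""")
```

Only the completed activation of a role in the privileged set produces an alert; a request that has not completed, or activation of a lower-privilege role, is ignored.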
Remediation action
All user sign-in activity uses strong authentication methods
Attackers might gain access if multifactor authentication (MFA) isn't universally enforced or if there are exceptions in place. Attackers might also gain access by exploiting weaknesses in less secure MFA methods such as SMS and phone calls, using social engineering techniques like SIM swapping or phishing to intercept authentication codes.
Attackers might use these accounts as entry points into the tenant. By using intercepted user sessions, attackers can disguise their activities as legitimate user actions, evade detection, and continue their attack without raising suspicion. From there, they might attempt to manipulate MFA settings to establish persistence, plan, and execute further attacks based on the privileges of compromised accounts.
Remediation action
- Deploy multifactor authentication
- Deploy a Conditional Access policy to require phishing-resistant MFA for all users
- Review authentication methods activity
High priority Microsoft Entra recommendations are addressed
Leaving high-priority Microsoft Entra recommendations unaddressed can create a gap in an organization’s security posture, offering threat actors opportunities to exploit known weaknesses. Not acting on these items might result in an increased attack surface area, suboptimal operations, or poor user experience.
Remediation action
No legacy authentication sign-in activity
Legacy authentication protocols such as basic authentication for SMTP and IMAP don't support modern security features like multifactor authentication (MFA), which is crucial for protecting against unauthorized access. This lack of protection makes accounts using these protocols vulnerable to password-based attacks, and provides attackers with a means to gain initial access using stolen or guessed credentials.
When an attacker successfully gains unauthorized access to credentials, they can use them to access linked services, using the weak authentication method as an entry point. Attackers who gain access through legacy authentication might make changes to Microsoft Exchange, such as configuring mail forwarding rules or changing other settings, allowing them to maintain continued access to sensitive communications.
Legacy authentication also provides attackers with a consistent method to reenter a system using compromised credentials without triggering security alerts or requiring reauthentication.
From there, attackers can use legacy protocols to access other systems that are accessible via the compromised account, facilitating lateral movement. Attackers using legacy protocols can blend in with legitimate user activities, making it difficult for security teams to distinguish between normal usage and malicious behavior.
Remediation action
- Exchange protocols can be deactivated in Exchange
- Legacy authentication protocols can be blocked with Conditional Access
- Sign-ins using legacy authentication workbook to help determine whether it's safe to turn off legacy authentication
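The two preceding recommendations (strong authentication for all sign-ins, and no legacy authentication sign-in activity) can be checked with the same triage pass over sign-in records. The following is an added example, not part of this guidance or of the legacy authentication workbook: it treats any clientAppUsed value outside the modern set as legacy authentication and flags single-factor sign-ins and phone-based MFA methods. The field names and value strings are assumed to follow the Microsoft Graph signIn schema, and the sample records are constructed.

```python
"""Triage Microsoft Entra sign-in records for legacy authentication and weak MFA."""

# clientAppUsed values that mean modern authentication; anything else is treated as legacy.
# Assumed from the Microsoft Graph signIn schema; verify against your own tenant's logs.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Phone-based MFA methods that SIM swapping or phishing can intercept; strings assumed from the Graph schema.
WEAK_MFA_METHODS = {"Text message", "Phone call", "Voice call"}


def triage_sign_in(rec):
    """Return findings for one successful sign-in (empty list means nothing to flag)."""
    findings = []
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return findings  # failed sign-ins are a separate triage; skip them here
    if rec.get("clientAppUsed") not in MODERN_CLIENT_APPS:
        findings.append(f"legacy auth via {rec.get('clientAppUsed')}")
    used = {d.get("authenticationMethod") for d in rec.get("authenticationDetails", [])}
    if rec.get("authenticationRequirement") == "singleFactorAuthentication":
        findings.append("no MFA")
    elif used & WEAK_MFA_METHODS:
        findings.append("weak MFA: " + ", ".join(sorted(used & WEAK_MFA_METHODS)))
    return findings


def triage_all(records):
    """Map each user with findings to the sorted list of distinct findings."""
    report = {}
    for rec in records:
        for finding in triage_sign_in(rec):
            report.setdefault(rec.get("userPrincipalName"), set()).add(finding)
    return {user: sorted(found) for user, found in report.items()}


# Constructed sample records (not real tenant data), shaped like Graph signIn objects.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password"},
                               {"authenticationMethod": "FIDO2 security key"}]},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password"}]},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0},
     "authenticationDetails": [{"authenticationMethod": "Password"},
                               {"authenticationMethod": "Text message"}]},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126},
     "authenticationDetails": [{"authenticationMethod": "Password"}]},
]
```

Users with a clean report (phishing-resistant MFA over a modern client) do not appear in the output, so a non-empty report is the list of accounts to follow up on.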
All Microsoft Entra recommendations are addressed
Microsoft Entra recommendations give organizations opportunities to implement best practices and optimize their security posture. Not acting on these items might result in an increased attack surface area, suboptimal operations, or poor user experience.
Remediation action