Azure AD Connect Security Best Practices
Many consider identity the new boundary layer for security, taking over that role from the traditional network-centric perspective. The following post focus on Azure AD Connect Security Best Practices.
This evolution of the primary pivot for security attention and investments is because network perimeters have become increasingly porous. That perimeter defense cannot be as effective as they once were before the explosion of BYOD devices and cloud applications.
Azure AD Connect and the previous version allow syncing On-Premise Active Directory objects to the Azure Active Directory and extended the Active Directory objects to Azure, Office 365, and Intune.
The Azure AD Connect server must be hardened with all best practices and recommendations to prevent unauthorized access and all other security issues.
With an unsecured Azure AD Connect server, the password for all Office365 users can be discovered. Follow this guide Office 365 Security Inside–Discover Password.
So what can you do to make sure that your AAD Connect server is secure, hardened, and reduces the attack area for this server? Many actions!
Note The following guidelines are based on Microsoft documents and experience from the field.
Best Practice and Recommendations
Active Directory Account – local user with specific permissions for Password Sync, Exchange Hybrid, and Reset password
Active Directory Account Permissions – Specific permission for Password hash sync, Replicate Directory Changes, Reset password (if needed). Based on Microsoft Document.
Azure AD Admin – Required only for the first installation or for critical changes
Azure AD Connect Account – the built-in created account password must be changed to the complex password (can run under a Virtual Service Account (VSA), a Group Managed Service Account (gMSA/CSA), or a simple user account.
Monitoring – Perform monitoring for relevant events such as Policy Assignment, Network Security Group, Security Policy, and the Seamless SSO object
Baseline Server Hardening – You must meet several vital requirements to ensure that the server hardening processes described in this section achieve their security goals or NIST guide.
Azure AD Connect Health – Gain insights into your on-premises identity infrastructure and the synchronization services. More information Monitor your on-premises identity infrastructure and synchronization services in the cloud.
Enable latest OS patch updates – Make sure to install security updates every month
Azure AD Connect Update – Make sure to install and upgrade to the latest AAD Connect version (or configure auto-upgrade)
Activity reports based on Azure – Audit and monitors the synchronization for the Azure AD Connect using Enterprise application (based on Azure AD anomalous)
Enforce disk encryption on virtual machines – Ensure that data disks (non-boot volumes) are encrypted, where possible.
Minimize the number of admins – reduce the number of admins that access the AAD Connect
Restricted RDP for Admin – make sure to restrict admin RDP access. More information Restricted RDP for Admin (RestrictedAdmin)
Stay tuned for more information and recommendation.