Microsoft 365 Security Series – Using Azure Active Directory to secure your Microsoft 365 Installation
What’s the difference between Azure AD and Microsoft 365?
Microsoft 365 (formerly Office 365) is a Software-as-a-Service (SaaS) that offers a cloud-based version of its popular software productivity suite, including MS Word, Excel, PowerPoint, Outlook, and OneNote. In contrast, Azure Active Directory (Azure AD) is an Infrastructure-as-a-Service (IaaS) that offers a cloud-based version of Active Directory to control identity management and access to virtual resources across an organization. Organizations should consider whether security controls are in place for their cloud environment and whether Azure AD can help tighten Microsoft 365 implementation.
How do I get Azure AD?
Microsoft 365 uses Azure AD to manage user identities behind the scenes for Microsoft 365 instances. Azure AD is operating in the backend of all Microsoft 365 instances, even for organizations that don’t run on-premise AD or self-manage their own Azure AD.
Different tiers of Azure exist. For starters, there’s the backend Azure AD deployment that’s included for all Microsoft 365 instances. Second, there’s Azure AD Free which enables organizations to manage the provisioning of user accounts and permissions for Microsoft 365 applications. Third there’s Azure AD Basis which provides on-premise Active Directory Domain Services (AD DS) integration for synchronizing user accounts and password or setting up single sign-on. This enables organizations to run a hybrid on-premise and cloud-based Azure AD environment. In fact, Microsoft says that 75 percent of its customers with at least 500 users have a hybrid environment. Azure AD Premium levels exist too, which are discussed later in this article.
How can Azure AD Basic help me protect my users’ identities in Microsoft 365?
- Single Sign-on (SSO) capabilities across Azure, Microsoft 365, and many popular SaaS apps
- Azure AD security groups – custom or built-in groups limiting what users can do when accessing certain services or resources.
- Microsoft 365 groups (formerly called Microsoft 365 groups) – similar to Azure AD security groups, but it’s also coupled to resources and workloads for the group, like a shared Exchange mailbox. Microsoft 365 groups can include users from both inside and outside the organization. With Dynamic Group Membership, group membership and access control can be automatically managed with administrator-created rules.
- Built-in Azure AD roles – Microsoft-designed roles for IT power users
- Multi-Factor Authentication (MFA) – while Azure AD supports MFA, some applications may require additional software to make use of this functionality
- Self-service password reset for cloud users (SSPR)
- Limited security reports, found in Azure portal> Azure Active Directory > Security
Want more security capabilities from Azure AD?
For enterprise-class organizations that require more access control capabilities, Microsoft offers Azure AD Premium P1 and P2 at a higher cost. These include everything in the Basic version, with additional security features geared toward identity protection and governance. These include:
- Conditional access – fine-grained control over access to applications and resources based on device, user, location or who is attempting access by user group. More granular risk-based conditional access is included with P2.
- Azure AD Identity Protection, included with P2 – includes features like the ability to review risky sign-ins
- Privileged Identity Management (PIM) – manages higher-level access accounts with features like just-in-time access and workflows
- Entitlement management – identity governance that uses automation to manage identity lifecycles, access lifecycles and privileged access
- Microsoft Defender for Cloud Apps
- AAD Application Proxy
- Cloud app discovery
- Global password protection (prevents AD users from setting weak or commonly guessed passwords)
- Additional security monitoring and reporting
How can Sedara help?
Sedara’s MDR services watch over your infrastructure by ingesting logs and delivering alerts about potentially malicious activity within your environment. If you are not already a customer, trust our team of Cybersecurity experts to assist your organization in selecting the best approach to cyber defense for your organization, and use your existing infrastructure to your best advantage. Click here to get started!
Basic Security Set Up Tips for Microsoft 365:
Overview of Azure AD Security Features vs. license levels:
Azure AD Built-In Roles:
Plan a conditional access deployment:
Find out How Microsoft 365 – E5 Can help Protect Your Organization Against Phishing Attacks