Azure AD is a cloud-based identity and access management service that connects users with the resources they need to do their jobs. You can use it for managing identities for both cloud and on-premises resources.
However, when configuring an Azure security system to connect to on-premises Active Directory, there are a few common mistakes that you should avoid.
Synchronizing All Objects
By default, Azure AD Connect has a synchronization mode called “Hybrid.” Active Directory Domain Services objects are synchronized to Azure AD in this mode. While it provides a good starting point for many organizations, it is essential to understand which domain objects should be included in the synchronization process and which things should be excluded.
Including all objects in the synchronization process can result in unnecessary replication traffic and can slow down the performance of Azure AD and Active Directory Domain Services. Therefore, it is vital to carefully plan the synchronization process to ensure that only the needed objects are included.
Not Configuring Password Hash Sync
One of the top benefits of using Azure security system is managing passwords for cloud and on-premises resources. When configuring it to connect to on-premises Active Directory, it is crucial to enable password hash sync.
Enabling password hash sync ensures that passwords are synchronized between Azure AD and Active Directory Domain Services. It allows end-users to log on to the cloud and on-premises resources using the same password. Password hash sync also ensures that accounts cannot be accessed with plain text passwords in either Azure AD or Active Directory Domain Services by synchronizing only the password hashes.
Not Configuring Password Sync for Cloud Applications
Azure AD has a “cloud applications” feature for managing access to web-based cloud applications. The feature is unique because it allows users to have SSO access to various cloud-based applications from their corporate desktop or mobile device. For this to work, Azure AD must be configured with the credentials for each cloud application so that automatic sign-in can occur.
Configuring password sync for cloud applications is a two-step process. First, you must add the application to Azure AD. Second, you must configure the credentials for the application in this application. Using the Microsoft Online Services Module for Windows PowerShell, you can do it.
Not Configuring DirSync/Azure AD Sync for Password Changes
Most organizations have a password expiration policy. Frequently, users are required to change their passwords when they first log on after the password has expired.
When synchronizing with Active Directory Domain Services, this is often implemented by configuring scheduled tasks to run scripts that perform password changes for domain accounts at specified intervals. The password change scripts must be configured to run on the Azure AD Connect server for this to work.
Using the Microsoft Online Services Module for Windows PowerShell, you can do it. The scheduled tasks can then be configured to run the scripts at specified intervals.
Not Configuring an Alternate UPN Suffix
When configuring Azure AD to connect to on-premises Active Directory, it is essential to ensure that the UPN suffix for user accounts is configured correctly. The UPN suffix is used when creating user accounts in Azure AD.
If the UPN suffix is not configured correctly, user accounts will not log on to cloud resources. It is important to note that the UPN suffix must be a valid DNS suffix. If the UPN suffix is not configured correctly, user accounts will not log on to on-premises resources.
Not Configuring Multi-Factor Authentication
According to reports, the global demand for masking technologies that help organizations secure sensitive information is expected to reach $1 billion by 2026. Multi-factor authentication (MFA) adds extra protection to Azure security to user accounts. MFA requires two forms of authentication.
Without a second factor, user accounts will not sign on. Users required to have MFA configured can sign on using their username and password. Another method can be a phone call or text message.
Configuring MFA is an essential step in configuring cloud-based user accounts. You must configure MFA for all user accounts with access to cloud-based resources. It ensures that a stolen password will not give an attacker full access to the account without having physical possession of the device used for authentication purposes.
Not Configuring Provisioning
When configuring Azure AD Connect synchronization between on-premises Active Directory and Azure AD, it is vital to understand the concept of provisioning. Provisioning can be broken down into three categories:
- Zero-touch (not configured)
- Conditional access based on device compliance state(devices must be compliant)
- Conditional access based on user state (users must be compliant)
If provisioning is configured in Azure AD, it is essential to configure provisioning for cloud-based applications. It ensures that the correct users access cloud resources and that only compliant devices can gain access.
As organizations migrate to the cloud, it is vital to implement best security practices. And, avoid the mistakes in Azure AD Configuration.