User Review
( votes)Multi-factor Authentication (MFA) is a great first step in tightening data security to prevent a breach of your invaluable Microsoft Dynamics 365 CRM data. Think of how implementing multiple Microsoft Azure 365 identity and access management security measures can exponentially increase your tenant’s protection!
In Part 1, we covered best practices surrounding your Azure Portal settings, guest user access, enterprise apps, legacy protocols, and security defaults. If you need a refresher or haven’t checked out the step-by-step guide yet, click here!
Now onto the second half (tips 6-10) of IT expert and Cloud Practice Director of JourneyTEAM, Eric Raff’s security best practices to deploy along with MFA.
- Set up Access Reviews
Access Reviews allow you to set up periodic reviews for group membership and application assignments. You can set up Access Reviews for Azure AD Enterprise Apps (Part 1 #3), as well as Azure AD roles in Privileged Identity Management (PIM) (#7 below). The Access Review feature requires an Azure AD P2 license.
- Review Roles in PIM
Privileged Identity Management (“PIM”) is an Azure AD service used to manage your organization’s resources, including listing each user’s role.
- Log into the Azure AD portal (portal.azure.com).
- From the Dashboard, go to “Privileged Identity Management” > “Azure AD Roles.”
- Here you’ll find the report of all of the users in the tenant, along with their roles. This report can be exported to CSV.
Ever need to take on a temporary Administrator role to complete a specific task? You can also set this up in PIM.
- In the Azure portal, go to “Active Directory” to view your current role.
- Go to “Privileged Identity Management” > “My Roles” to request an Admin role that you can use for up to 10 hours.
- “Active Assignments,” give you a view of your temporary role and allows you to deactivate once complete.
- 8. Save your Log Files
There is a native integration between Azure AD and Azure Log Analytics (Azure Monitor) that provides an easy way to save and export your log files of sign-ins, changes to the tenant, and tracking of who did what (and when).
Note: When you review sign-in logs, if you only see 7 days or 24 hours as date options (and not 1 month), this means you do not have Azure AD premium in your tenant. It is advised that you have at least one license of Azure AD premium to get monthly logs (as well as other benefits).
- To export logs longer than one month in the Azure AD Portal, go to “Monitoring” > “Logs” > “Diagnostic Settings.” Here you can edit your settings to configure the export of your logs including its destination.
- Click “+ Add Diagnostic Setting” to create an Azure Log Analytics workspace.
- Click “Edit settings” to select the destinations to stream to or archive, as well as select categories of platform logs and metrics (and indicating the length of retention, 1 – 365 days):
-
- “AuditLogs”
- “SigninLogs”
- “NotInteractiveUserSigninLogs”
- “ServicePrincipalSigninLogs”
- “ManagedIdentifySigninLogs”
- “ProvisioningLogs”
- Then send to the right Azure subscription to the Log Archiving Workspace. You can also send them to a storage account.
- Conditional Access Policy for Admin Roles
Conditional Access (CA) policies can provide extra protection against attacks on Admin Roles. Here is how to create a new CA policy for Admins:
- From Azure Portal go to “Security.”
- Go to “Conditional Access Policies” > “New Policy.”
- Type in a name such as “Require MFA and Compliant Devices for Admin Roles.”
- “Select Users and Group” and select the specific roles that you want in this group.
- Go to “Cloud Apps or Actions” and select “All Cloud Apps.”
- Go to “Conditions” and select whatever is applicable.
- Go to “Access Controls” and select “Require Multi Factor Authentication” as well as “Require Device to be marked as compliant” and “For multiple controls, require all the selected controls.”
- 10. Set up MCAS Policy to Enable Real-time Monitoring
As a follow up to #3 in Part 1, Microsoft Cloud App Security (CAS) and OAuth policies can control access to cloud apps based on the user, location, device and apps. You can create a filter for the policy to alert and revoke access to uncommon or rare apps asking for high levels of permissions.
- First, go to the Cloud App Security Portal at portal.cloudappsecurity.com or through the Microsoft 365 Admin Center. Then “Control” > “Policies” > “Conditional Access.”
- Here you can create a policy for apps in which the permission levels are very high, and the community use is not common.
This concludes the top 10 security tips to deploy in your tenant after enabling MFA! We hope you have found this informative and are able to implement some of these best practices at your organization.
Click here to continue and read up on tips 6 – 10!
Get Started with JourneyTEAM
JourneyTEAM was recently awarded Microsoft US Partner of the Year for Dynamics 365 Customer Engagement (Media & Communications) and the Microsoft Eagle Crystal trophy as a top 5 partner for Dynamics 365 Business Central software implementations. Let JourneyTEAM walk you through any of these security best practices to help you ensure your CRM data stays safe. We can provide demos and full custom introductions. Contact JourneyTEAM today!
NEXT STEPS:
- Join a free consultation and ask all the questions you wish.
- Plan your Deep Dive meeting – Get your organization’s Customized Solutions presentation.
Article by:Jenn Alba – Marketing Manager – 801.938.7816
JourneyTEAM is an award-winning consulting firm with proven technology and measurable results. They take Microsoft products; Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX, and modify them to work for you. The team has expert level, Microsoft Gold certified consultants that dive deep into the dynamics of your organization and solve complex issues. They have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more. www.journeyteam.com
