Entra ID Identity Security Best Practices

How to protect Entra ID user identities
08 Nov 2023

1. Implement an Unphishable Entra Infrastructure

Entra ID offers various identity protection features, including conditional access and monitoring risky sign-ins; however, true security is achieved when there are no passwords to compromise at all. To guard against identity theft, we’ve adopted a fully passwordless approach for both user and machine identities. This goal might seem challenging, but with the right tools, it not only enhances security but also boosts productivity.

Phishing-Resistant User Identity

To achieve passwordless user authentication, you should employ smartcard and/or FIDO2 authentication. FIDO2 is a longstanding industry standard, yet there are instances (including in Entra ID) where it’s not an accepted authentication method! To address this, we combine FIDO2 with Entra CBA (certificate-based authentication). Using both methods is easy when users self-onboard to their passwordless identity with EZCMS, the best FIDO2 and smartcard CMS for Entra.

Unphishable Machine Identity

Passwords are not limited to user identities; machines also rely on them to access Entra ID, databases, and more. To eliminate these, we primarily use Azure MSIs (managed service identities), which are passwordless and managed by the good folks over at Microsoft, simplifying authentication with other Microsoft services.

In cases where MSIs aren’t applicable, like cross-tenant authentication or when applications are hosted externally (such as on customers’ on-premises servers), we use Azure Service Principals with CBA. This method differs from MSIs or standard certificate authentication, as each new certificate must be registered in Entra. To avoid issues related to certificate expiration, we utilize EZCA’s automatic certificate rotation for Azure AD applications.
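The two risks named above for certificate-based service principals, leftover client secrets and certificates nearing expiry without a registered replacement, can be checked from an export of app registrations. This is an added example, not code from Keytos or EZCA; the `APPS` sample is constructed, and its `passwordCredentials`, `keyCredentials` and `endDateTime` fields follow the Microsoft Graph application resource.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph /applications listing.
APPS = json.loads("""[
 {"displayName": "billing-api", "passwordCredentials": [],
  "keyCredentials": [{"endDateTime": "2023-10-01T00:00:00Z"},
                     {"endDateTime": "2024-06-01T00:00:00Z"}]},
 {"displayName": "legacy-sync",
  "passwordCredentials": [{"endDateTime": "2025-01-01T00:00:00Z"}],
  "keyCredentials": []},
 {"displayName": "onprem-agent", "passwordCredentials": [],
  "keyCredentials": [{"endDateTime": "2023-11-20T00:00:00.0000000Z"}]},
 {"displayName": "reporting", "passwordCredentials": [],
  "keyCredentials": [{"endDateTime": "2024-09-01T00:00:00Z"}]}
]""")

def parse_ts(value):
    # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_app(app, now, warn_days=30):
    findings = []
    if app.get("passwordCredentials"):
        findings.append("client-secret-present")  # a password by another name
    ends = [parse_ts(k["endDateTime"]) for k in app.get("keyCredentials", [])]
    if any(e <= now for e in ends):
        findings.append("expired-cert-still-registered")
    live = [e for e in ends if e > now]
    if ends and not live:
        findings.append("no-valid-cert")
    elif live and max(live) - now <= timedelta(days=warn_days):
        # Only the newest certificate matters: an older one may expire
        # harmlessly once its replacement is registered.
        findings.append("rotation-overdue")
    return findings

def audit(apps, now, warn_days=30):
    report = {a["displayName"]: audit_app(a, now, warn_days) for a in apps}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    as_of = datetime(2023, 11, 8, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for name, findings in audit(APPS, as_of).items():
        print(name, findings)
```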

2. Isolate Your Entra ID Identity

Isolating your Entra ID identity is of the utmost importance to your Entra ID identity security. For example, here at Keytos, we manage essential services for numerous large organizations, necessitating top-tier security measures. While our advanced passwordless approach significantly minimizes our vulnerability, we further enhance our security by adhering to Microsoft’s identity best practices. This includes establishing an independent production tenant, completely separate from and untrusted by our corporate tenant. Consequently, if a corporate account is breached, the intruder cannot access our production resources. This isolation enables us to implement stringent measures like smart conditional access policies. These policies grant permissions based on risk assessments, considering factors like intelligent login scores and device health.

Take it from us: isolating your Entra identity is paramount to enhancing your organization’s cybersecurity posture.

3. Isolate Your Devices

Although isolating identities significantly boosts resource security, it primarily safeguards against identity theft. Nowadays, hackers are becoming more and more sophisticated, launching malware attacks that can pilfer credentials or exploit your computer to access resources. To counter this threat, we recommend adopting a contemporary version of Microsoft’s PAW (Privileged Access Workstation) model. Instead of relying on outdated on-premises technologies like domain controllers, it’s more effective to use Intune for device management and Entra’s conditional access to verify device health before each login session.

4. Employ JIT (Just In Time) Access

We have strong confidence in our secure identity and device management approach, yet we also believe that human access to production should be restricted to essential instances only. This policy not only enhances security but also encourages robust engineering practices. By making production access more challenging, it incentivizes the development of automated deployment processes and self-repairing features which, in turn, boost our system’s reliability and efficiency. To uphold this standard, we’ve adopted a policy of no permanent access to production, and we strongly recommend that your organization does the same. Engineers requiring access to production resources must formally request it, either through Microsoft PIM for general resources or via EZSSH for Linux endpoints.

5. Monitor Your SSL Certificates

Adopting Microsoft’s “assume breach” approach, we recognize that security protocols alone are not enough to safeguard infrastructure; active monitoring and anomaly detection are also crucial. Beyond using Sentinel and Azure Defender for Cloud, we recommend using CloudWatcher. This free, open-source solution was developed by the ex-Microsoft engineers at Keytos, and it closely observes any minor alterations in our Entra environment, alerting our on-call engineer about any detected changes. As a security-focused company, we also suggest heeding Google’s recommendation to monitor CT (Certificate Transparency) logs using EZMonitor. This practice will shield your organization not only from potential SSL-certificate-based MITM attacks but also from other threats, like subdomain takeovers.
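The kind of triage CT log monitoring enables, sketched as an added example (not EZMonitor’s or CloudWatcher’s code): certificates for your domain from an issuer you do not use point at possible mis-issuance, and certificates for hosts missing from your inventory point at forgotten subdomains worth checking for takeover exposure. The records, field names, domain, CA names and host inventory are all constructed assumptions.

```python
import re

WATCHED = "example.com"
APPROVED_ISSUER_ORGS = {"Corp Approved CA"}  # CAs the organization actually uses
KNOWN_HOSTS = {"example.com", "www.example.com", "login.example.com"}

# Constructed records standing in for entries pulled from CT logs.
CT_ENTRIES = [
    {"id": 1, "issuer": "C=US, O=Corp Approved CA, CN=Issuing 1", "names": ["www.example.com"]},
    {"id": 2, "issuer": "C=US, O=Unrecognized CA, CN=Root X", "names": ["login.example.com"]},
    {"id": 3, "issuer": "C=US, O=Corp Approved CA, CN=Issuing 1",
     "names": ["old-promo.example.com", "*.example.com"]},
    {"id": 4, "issuer": "C=US, O=Unrecognized CA, CN=Root X",
     "names": ["example.com.other.test", "notexample.com"]},
]

def issuer_org(dn):
    # Simplified DN parsing: takes the O= attribute, assumes no escaped commas.
    m = re.search(r"(?:^|,\s*)O=([^,]+)", dn)
    return m.group(1).strip() if m else ""

def in_scope(name):
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    # Match on a label boundary so look-alike names are not treated as ours.
    return host == WATCHED or host.endswith("." + WATCHED)

def review(entries):
    findings = []
    for e in entries:
        ours = [n.lower() for n in e["names"] if in_scope(n)]
        if not ours:
            continue  # certificate does not cover the watched domain
        org = issuer_org(e["issuer"])
        if org not in APPROVED_ISSUER_ORGS:
            findings.append((e["id"], "unexpected-issuer", org))
        for n in ours:
            if not n.startswith("*.") and n not in KNOWN_HOSTS:
                findings.append((e["id"], "unknown-host", n))
    return findings

if __name__ == "__main__":
    for finding in review(CT_ENTRIES):
        print(finding)
```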

Keytos Meets and Exceeds These Entra ID Identity Security Best Practices

Here at Keytos, we practice what we preach. We follow every single one of the best practices listed in this blog to a T, and doing so has allowed us to meet and exceed some of the most respected compliance requirements in the cybersecurity space, such as SOC 2 type 2 and PCI level 4. As such, we can confidently say that we are the experts when it comes to helping your organization secure its infrastructure. Don’t believe us? Feel free to schedule a FREE consultation with one of our security experts today to see how you can start your journey to bolstering your cybersecurity posture with Keytos!