Securing your O365 Tenant Azure Blade Directory Services

I like to provide some basic settings to be turned off for your O365 Tenant Azure Blade. Before you take my word and start changing these settings, please take some time to investigate yourself. From my experience dealing with multiple tenants, these setting listed below will raise security concern especially for regulated environments. 

As always test these changes before applying to your production environment and make sure to follow your change management process.

# Step 1

Configure Azure Company branding to disable ‘Show option to remain signed in’

Sign in to the Azure portal using a Global administrator account for the directory. Select Azure Active Directory, and then Select Company branding and then Select Configure. The ‘Keep me signed in’ (or, now known as ‘Stay signed in’) feature can be Disabled for your tenant by setting the ‘Show option to remain signed in’ setting in Company Branding. Save Changes.

# Step 2

-Restrict none privilege account access to O365 Administration portal to read directory information

Log onto your administrator server or workstation to manage O365 resources After successful log on , open web browser such as IE Use following URL | https://portal.azure.com/#home | Use your global administrator account to log on On the left pane, click | Azure Active Directory | Select | Users| then | User Settings | under Administration Portal| Restrict Access to Azure AD Administration Portal Select | YES | and click save

# Step 3

Prevent users from consenting to applications on their own behalf

After successful log on, locate internet explorer and Navigate to following URL | http://aad.portal.azure.com | Use your Admin account to authenticate, such as Global Administrator account In the Azure portal, navigate to User settings section under Enterprise applications To prevent users from registering their own applications: Change Users can consent to apps accessing company data on their behalf to <NO> Save the change In the Azure portal, go to the User settings section under Azure Active Directory, Change Users can register applications to   <NO>.

# Step 4

Disable LinkedIn Account Connections and External Collocation Setting Azure Directory services supporting O365 Production

Connect to Azure ADD Portal, directory services that supports O365 Services Click User | User Settings | under LinkedIn Accounts connections Default selected option is "yes" Click on "No" and click save on top Click on External Users (Manage external coloration settings) NEW SETTINGS Guest user permissions are limited ~ YES Admin and user in the guest invite role can invite ~ NO Members can invite ~ NO Guests can invite ~ NO Enable Email One-Time passcode for quest (preview) NO Coloration restrictions Allow invitations to be sent to any domain (most inclusive) Deny invitations to the specific domains ~ SELECTED Allow invitations only to the specific domains (most restrictive)

MS Link Explain some of these these settings

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

• a    Member users can register applications, manage their own profile photo and mobile phone number, change their own password, and invite B2B guests. In addition, users can read all directory information (with a few exceptions).
• b     Guest users have restricted directory permissions. For example, guest users cannot browse information from the tenant beyond their own profile information. However, a guest user can retrieve information about another user by providing the User Principal Name or objected. A guest user can read properties of groups they belong to, including group membership, regardless of the Guest users permissions are limited setting. A guest cannot view information about any other tenant objects.

Casey Dedeal

Azure Solutions Architect

Azure Security Engineer Associate

AWS Certified Cloud Practitioner

https://simplepowershell.blogspot.com

https://cloudsec365.blogspot.com

https://msazure365.blogspot.com

https://twitter.com/Message_Talk