Entra monitors for suspicious activity: Entra monitors for activities that are more than likely being carried out by attackers. So, for example, the following actions are monitored:
- Users with leaked credentials.
- Sign-ins from anonymous IP addresses.
- Impossible travel to atypical locations.
- Sign-ins from infected devices.
- Sign-ins from IP addresses with suspicious activity.
- Sign-ins from unfamiliar locations.

You can set a threshold for how much or how little you want to monitor someone. Before this policy is rolled out, you need to ensure that all accounts are covered by MFA, which may require you to go back and review how your break-glass accounts are set up.
MFA is key to setting up Entra ID P2: Many years ago, the best practice was to set up some administrative accounts with merely a long, strong password as their authentication into Entra ID. This allowed you to log into the system should some catastrophe occur and your normal multifactor authentication process was not working.

Now the best-practice recommendation is to ensure that your break-glass accounts have different MFA options than your normal one. So, if Microsoft Authenticator is your normal MFA app, ensure that you deploy a different MFA option for another administrator account.

Take the time to determine the impact on your organization by having an Entra ID administrator review it in the Microsoft Entra admin center. While there, take the time to review your sign-in logs and consider what logging and SIEM monitoring you have in place. It's always wise to review settings and policies when deploying new settings to ensure that all of your previous settings and policies will align with your new settings.

Before deploying this policy, you'll want to ensure that you run a registration campaign to urge those who have not set up MFA to do so. This policy will allow you to urge, or rather push, users to set up MFA.

Determine if you want to let users snooze until later or snooze indefinitely. My recommendation is to not let your users snooze on this setting. In fact, it's highly recommended to deploy phishing-resistant MFA in your organization. Review a recent CISA document for guidance on setting up such implementations.
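The pre-rollout checks described above (every account covered by MFA, break-glass accounts on a different MFA option than the normal one, progress toward phishing-resistant MFA) can be run over an export of registration data. This is an added example, not code from the article or from Microsoft: the field names are assumed to follow the Microsoft Graph userRegistrationDetails report, the sample rows and break-glass account names are constructed, and the set of methods treated as phishing-resistant is an assumption to adjust.

```python
from collections import Counter

# Constructed sample rows, shaped like the Microsoft Graph
# userRegistrationDetails report; names and values are made up.
SAMPLE_REPORT = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "bg-01@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey"]},
    {"userPrincipalName": "bg-02@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
]
BREAK_GLASS = {"bg-01@contoso.example", "bg-02@contoso.example"}  # hypothetical
# Assumption: which report values count as phishing-resistant methods.
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness"}


def normal_method(report, break_glass):
    """Most widely registered method among ordinary (non-break-glass) users."""
    counts = Counter(m for row in report
                     if row["userPrincipalName"] not in break_glass
                     for m in row["methodsRegistered"])
    return counts.most_common(1)[0][0] if counts else None


def readiness(report, break_glass):
    """Return the accounts that should block or delay the policy rollout."""
    normal = normal_method(report, break_glass)
    out = {"normal_method": normal, "no_mfa": [], "break_glass_same_mfa": [],
           "no_phishing_resistant": []}
    for row in report:
        upn, methods = row["userPrincipalName"], set(row["methodsRegistered"])
        if not row["isMfaRegistered"]:
            out["no_mfa"].append(upn)  # target for the registration campaign
            continue
        if upn in break_glass and methods <= {normal}:
            # Only has the normal method, so it fails when that method fails.
            out["break_glass_same_mfa"].append(upn)
        if not methods & PHISHING_RESISTANT:
            out["no_phishing_resistant"].append(upn)
    return out


if __name__ == "__main__":
    for key, value in readiness(SAMPLE_REPORT, BREAK_GLASS).items():
        print(f"{key}: {value}")
```

An empty `no_mfa` list and an empty `break_glass_same_mfa` list are the two conditions the text sets before the policy is switched on; `no_phishing_resistant` tracks the longer-term recommendation.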
Entra ID P2 is fundamental for Microsoft 365 users: As CISA points out, you'll want IT leadership to point out the advantages of deploying such stronger technologies and secure the commitment of senior leadership to using such technologies. As we've seen too often in this environment, identities are too easily abused and attacked, with reused passwords being harvested, made available for reuse, and included in attack sequences.

As humans, we get fatigued by our password reset policies and too often choose improper passwords that make it too easy for attackers to enter our systems. Ensuring that we have deployed something stronger is a key defense.

I consider the Entra ID P2 policy to be a foundational need if you use Microsoft 365 and you want to keep your business secure. This fundamental license is available either as a separate standalone license or as part of Microsoft 365 E5 enterprise licensing.

It also includes privileged identity management and self-service access for end users. If you work for a government agency, you may need to review whether you need a supplemental Entra ID Governance service. These are available in the US Government community cloud (GCC), GCC-High, and Department of Defense cloud environments.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3836778/microsoft-pushes-a-lot-of-products-on-users-but-heres-one-cybersecurity-can-embrace.html