I read somewhere that less than 10 percent of all Global Admins in Azure AD are enrolled for MFA. Even thou I don’t have the source for this number, I would not be surprised if it was correct. From what I’ve seen in real tenants there are many lazy admins out there. If you manage your organisations IT infrastructure and cloud services, you are managing security even if it’s not your primary role. Security is everyone’s responsibility.
Securing user identities should be every organisations primary security concern. In this cloud connected world the identity of admins and users are the one thing sitting between organisation data and evil hacker organisations. You can’t afford to be lazy around security and there are no excuses when the features required to fix this is right in front of you.
For example, it is not uncommon to see tons of authentication requests coming from countries like China, which is a bit odd when you are a European organisation without a business unit in Asia. Attacks are coming from all over the world.
This is an example from a Scandinavian company I’m working with. Azure Sentinel illustrates data from the Azure AD sign-ins log and it’s easy to notice the 309 authentication attempts from the last 24 hours coming from Chinese IP addresses.
You will never notice when one of these authentication attacks are successful since this is logged as a success. MFA would have removed this threat since it’s very hard to perform remote attacks without the second factor, usually a physical smart phone.
With Azure Sentinel’s powerful query features it’s easy to dig deeper and see exactly which accounts are being targeted. If you see admin accounts and C-suites here, you are in big trouble.
All admin accounts must be extra protected. These accounts gives access to virtually everything and they are the primary target by attackers. Microsoft provides PIM (Priviledged Identity Management) as an Azure AD Premium P2 features and every admin account should be managed by this feature. PIM makes sure no accounts have admin roles enabled. Instead admins must activate roles for a limited time period and only when necessary.
MFA is the most important security feature for any account and now you even get it for free for all admins with the new free Conditional Access baseline policies. Just switch this policy on!
I don’t know if people with administrator privileges are lazy, unaware of the threat or just ignorant but I see this as one of my most important functions as an IT consultant, to educate people about these threats and what to do about it.
Finally, I know that there are capable cloud admins out there who realizes the importance of this topic. That’s great! Please help me to spread the word!
Please follow me here, on LinkedIn and on Twitter!