Post · 17 July, 2019 · 6 min read

How to prevent unauthorized access to your company data: Protect the identity of your users using Azure Active Directory Premium

What can your company do to stay protected?

Do you know who accesses your company data right now? Can you automatically detect a risk of intrusion and deny access to your data?

Lately, password theft has proliferated alarmingly through fraudulent email campaigns that aim to induce recipients to reveal their personal information (a technique called phishing which, according to studies, is used in 81% of attacks on companies).

To get a password, attackers send their victims an email on behalf of a real person, with a text and a link asking the user to perform an action that actually directs them to a fake web page (imitating the Office 365 login, a bank, LinkedIn, etc.). Logically, once the user enters their credentials on one of those fraudulent pages, the credentials are compromised, immediately causing a severe security breach in the company.

How AAD helps prevent intrusions by protecting the identity of your users

But if we also consider the growth in the use of cloud applications, together with the fact that many users reuse the same password to access them (for the convenience of remembering it) and the known leaks of user data from large social networks and consumer services over the last 12 months (such as Google Plus, Facebook, Movistar, IESE, Adidas, Job Talent, Ticketmaster and MyHeritage, among many others), the security threat to companies is enormous: a cybercriminal only needs to obtain one password that an employee uses for personal matters on some application or portal.

The solution to this headache for IT departments is in the cloud and is called Azure Active Directory. Through a single, protected identity (single sign-on), it provides secure access by validating that the users who try to connect to corporate applications, whether those are in-house (on-premises) or in the cloud, are who they say they are, while also greatly simplifying IT management.

Azure Active Directory benefits

For the users:

  • Protection against attempted identity theft, thanks to features that guarantee the user is who they say they are by adding a second verification at the moment of sign-in (two-step authentication) and intelligent analysis systems that detect fraudulent use based on highly suspicious behavior.
  • Where before the user managed multiple passwords (or ran the risk of setting the same one everywhere), with AAD the user no longer has one password per application but a single identity to access, in a unified way, all the applications approved by the company. Therefore, once signed in (on their computer or in an Office 365 app), the user no longer has to enter credentials in the applications configured this way.
  • Autonomy to change and reset passwords, without depending on IT.
  • Passwordless validation (using a mobile device).

IT department:

  • Greater control over access to data and applications from the outside.
  • Peace of mind that the identity of the users is well protected against impersonation attempts and their consequences.
  • Simplification of the management of passwords, users, groups and access to Cloud applications.

What is Microsoft Azure Active Directory

General chart on the main functionalities of Azure Active Directory Premium

Protection against vulnerable passwords

Most people choose weak passwords, either because they are easy to remember or because they do not know how easy it can be for an attacker to recover weak passwords using password-guessing techniques such as the so-called brute force.

Azure Active Directory editions

Azure Active Directory (AAD) is offered in several editions: Free, and two editions that incorporate security features to help us protect the identity of users and their access to our applications and data: Premium P1 and Premium P2.

Free edition: included in Office 365. With it you can mainly:

  • Synchronize local Active Directories with the cloud directory (Azure Active Directory), including passwords.
  • Use the same identity (username and password) to access other cloud applications. Previously limited to 10 applications; since December 2020 this restriction has been eliminated.
  • Use MFA through the “Security Defaults” policy (in this edition no customization is allowed: the policy is the same for all users, with the same behavior).
  • Manage users, groups and self-service password change, but only for users created in the cloud (not synchronized ones).
  • Have guest users who sign in with their own identity (coming from other companies that also use AAD). This feature, called B2B collaboration, allows up to 5 guests per license, with each guest receiving the characteristics of the license.

Premium P1 edition: features of the Free edition plus:

  • Self-service password reset and change from outside the company, also for synchronized users.
  • Two-step authentication to ensure the identity of the user (via SMS, call or mobile app), including the possibility of configuring trusted locations (branch offices, headquarters, …) to reduce the impact on users.
  • Use of the same identity (username and password) to access, without limit, other applications that we host on-premises.
  • Discovery of cloud applications not managed by IT but used by company users (“Cloud App Discovery”), so that administrators can configure (force) access to them through a single identity (single sign-on), thus controlling shadow IT.
  • Monitoring agent for the synchronization between local AD and Azure Active Directory: users, passwords and domain controllers.
  • Conditional access to limit access to applications from outside the company (based on group membership, geographic location and device status).
  • Changes to groups made from Office 365 that are synchronized back to your local Active Directory.
  • Dynamic groups (built from rules on user or device properties).
  • Advanced security reporting:
    • Report with all sign-ins.
    • Report of “logins at risk” grouped by “risk events” such as “Users with lost credentials” or “Logins from anonymous IP addresses”, with 30-day retention.
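To make the conditional access decision described above concrete, here is an added example (not Microsoft's code) of a simplified policy evaluator: a sign-in is matched against policies scoped by group and application, a second factor is required only outside trusted networks, and non-compliant devices are blocked. The policy and sign-in fields, the group and application names and the CIDR ranges are all hypothetical, constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class SignIn:                    # one sign-in attempt as seen by the directory
    user: str
    groups: frozenset            # groups the user belongs to
    app: str                     # cloud application being accessed
    ip: str                      # source address (used for the location check)
    device_compliant: bool       # managed by the organization and compliant
    mfa_done: bool               # second factor already satisfied in this session

@dataclass
class Policy:                    # hypothetical model of one conditional access policy
    name: str
    target_groups: frozenset     # applies when the user is in any of these groups
    target_apps: frozenset       # "*" means every cloud application
    trusted_networks: tuple      # CIDRs treated as trusted locations (HQ, branches)
    mfa_outside_trusted: bool    # require a second factor when not on a trusted network
    require_compliant_device: bool  # block access from unmanaged/non-compliant devices

def is_trusted_location(ip: str, trusted_networks) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in trusted_networks)

def evaluate(signin: SignIn, policies) -> str:
    """Combine every in-scope policy: 'block' beats 'require_mfa', which beats 'allow'."""
    decision = "allow"
    for p in policies:
        if not (signin.groups & p.target_groups):
            continue                                    # user out of scope
        if "*" not in p.target_apps and signin.app not in p.target_apps:
            continue                                    # application out of scope
        if p.require_compliant_device and not signin.device_compliant:
            return "block"
        if (p.mfa_outside_trusted and not signin.mfa_done
                and not is_trusted_location(signin.ip, p.trusted_networks)):
            decision = "require_mfa"
    return decision

# Constructed sample policies; 10.0.0.0/8 stands in for the corporate network.
POLICIES = [
    Policy("MFA outside the office", frozenset({"All Employees"}), frozenset({"*"}),
           ("10.0.0.0/8",), mfa_outside_trusted=True, require_compliant_device=False),
    Policy("ERP only from managed devices", frozenset({"Finance"}), frozenset({"ERP"}),
           ("10.0.0.0/8",), mfa_outside_trusted=True, require_compliant_device=True),
]

def demo():
    """Four constructed sign-ins: in the office, remote without and with MFA, unmanaged device."""
    office = SignIn("ana", frozenset({"All Employees"}), "Exchange", "10.1.2.3", True, False)
    remote = SignIn("ana", frozenset({"All Employees"}), "Exchange", "203.0.113.9", True, False)
    remote_mfa = SignIn("ana", frozenset({"All Employees"}), "Exchange", "203.0.113.9", True, True)
    byod = SignIn("luis", frozenset({"All Employees", "Finance"}), "ERP", "203.0.113.9", False, True)
    return [evaluate(s, POLICIES) for s in (office, remote, remote_mfa, byod)]
```

Running `demo()` yields `['allow', 'require_mfa', 'allow', 'block']`: the office sign-in passes silently, the remote one is challenged for a second factor, and the finance app is refused from the unmanaged device even though MFA was completed.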

Premium P2 edition: features of the Premium P1 edition plus:

  • “Identity Protection”: configurable risk-based conditional access. For this, anomalous behavior is analyzed (for example, sign-ins from very distant locations within an impossible time, or an access attempt from a computer not managed by the organization).
  • Privileged Identity Management: administration and protection of administrator accounts, allowing the administrator role to be assigned to a user temporarily, alerting on the change and supervising their access to resources, among other features.
  • Very advanced security reporting:
    • The “risk events” are categorized by severity and type of detection, and additional “risk events” are introduced.
    • The retention of the “logins at risk” report is increased to 90 days.
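The “sign-ins from very distant locations within an impossible time” risk event mentioned above (and the suspicious-behavior analysis mentioned in the user benefits) can be illustrated with an added example, not from Microsoft, of the underlying detection logic: consecutive sign-ins of the same user are compared by great-circle distance and elapsed time, and any pair that would require travelling faster than an aircraft is flagged. The event fields, the 1000 km/h threshold and the sample log with its coordinates and IP addresses are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

@dataclass
class SignInEvent:               # hypothetical sign-in log record
    user: str
    time: datetime
    lat: float                   # geolocation resolved from the source IP
    lon: float
    ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km using a mean Earth radius of 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

MAX_KMH = 1000   # roughly airliner speed; anything faster is treated as impossible travel

def impossible_travel(events, max_kmh=MAX_KMH, min_km=50):
    """Return (user, earlier_ip, later_ip, km, hours) for consecutive sign-ins of the
    same user whose implied speed exceeds max_kmh. Pairs closer than min_km are
    ignored so ordinary geolocation jitter inside one city does not raise alerts."""
    flagged, last_seen = [], {}
    for e in sorted(events, key=lambda ev: ev.time):
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.time - prev.time).total_seconds() / 3600
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                flagged.append((e.user, prev.ip, e.ip, round(km), round(hours, 2)))
        last_seen[e.user] = e
    return flagged

def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample log: ana travels Madrid -> Barcelona overnight (plausible),
# luis "travels" Madrid -> Sydney in one hour (impossible: a likely stolen credential).
SAMPLE = [
    SignInEvent("ana", utc("2019-07-17T08:00"), 40.4168, -3.7038, "203.0.113.10"),
    SignInEvent("ana", utc("2019-07-18T09:30"), 41.3874, 2.1686, "203.0.113.11"),
    SignInEvent("luis", utc("2019-07-17T08:00"), 40.4168, -3.7038, "203.0.113.20"),
    SignInEvent("luis", utc("2019-07-17T09:00"), -33.8688, 151.2093, "198.51.100.7"),
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print("risk event: impossible travel", hit)
```

In a real deployment such a flag would feed the risk-based conditional access policy (step-up to MFA or block) rather than a print statement.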

In addition to these editions, Microsoft offered a basic AAD plan with lower-than-premium capabilities that was withdrawn on July 1, 2019.

If you want to go into detail about the features and functionalities, we recommend this link, and if you wonder how Microsoft protects your Active Directory in the cloud, you can see it here.

Ultimately, Azure Active Directory is the key to protecting the identity of users, closing the main gateway used by cybercriminals while also providing secure access to all applications (whether in-house or in the cloud) and reducing the management burden on IT departments.

Do you want to know more about how to improve security by protecting access to your data and applications?