Slide 1

BEST PRACTICES

(Game studio presentation template, Everwork, copyright © 2022)

Slide 2

SIGN-IN RISK POLICIES

When a user signs in with risky behavior, you can BLOCK access or REQUIRE multi-factor authentication. This added layer of security helps remediate stolen or hacked accounts before they can cause further damage. Examples include:
- Leaked credentials
- Impossible travel
- Suspicious email forwarding
- New country
- Account labeled risky by an administrator (Global Admin, Security Admin, etc.)

Slide 3

USER RISK POLICIES

- When a user is identified as risky, you can choose to either explicitly BLOCK access or REQUIRE a password change.
- A user is classified as risky based on the probability that their account is compromised. This is determined by Microsoft's threat detection sources and deep web investigations.

Slide 4

MULTI-FACTOR AUTHENTICATION

- Multi-factor authentication (MFA) adds an extra layer of security to user authentication.
- Require MFA for administrative users and consider enabling it for all users to enhance security.

Slide 5

AZURE CONDITIONAL ACCESS

- Azure AD multi-factor authentication is enforced with Conditional Access policies.
- Conditional Access policies are IF-THEN statements:
  - IF SharePoint Online is accessed
  - IF a user is accessing from a trusted network
  - IF a user is accessing Office 365 using legacy authentication
  - IF a user is registering a new device
  - THEN block access
  - THEN grant access
  - THEN require MFA
  - THEN require device registration
- The Azure-Samples GitHub repo contains sample policies that you can test and deploy.
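The IF-THEN shape of the sign-in risk policy (slide 2) and the Conditional Access policies above, as an added example that is not part of the slides or of any Microsoft sample: a small Python evaluator over policies written in the Microsoft Graph conditionalAccessPolicy layout. The policies and sign-in events are constructed, and the SharePoint policy uses the app's display name where Graph would carry an application ID.

```python
# Added example (not from the slides): a small evaluator for Conditional Access style
# IF-THEN policies, modelled on the Microsoft Graph conditionalAccessPolicy shape.
# The policies and the sign-in events are constructed samples.

POLICIES = [
    {   # slide 2 style sign-in risk policy: medium/high risk -> require MFA
        "displayName": "Require MFA for medium or high sign-in risk", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]},
                       "signInRiskLevels": ["medium", "high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # slide 5 style policy: legacy authentication clients -> block
        "displayName": "Block legacy authentication", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # slide 5 style policy: SharePoint Online from a browser -> require MFA
        "displayName": "Require MFA for SharePoint Online", "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["Office 365 SharePoint Online"]},
                       "clientAppTypes": ["browser"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

def policy_matches(policy, signin):
    """IF part: every condition the policy states must hold for this sign-in."""
    c = policy["conditions"]
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    if "clientAppTypes" in c and signin["clientAppType"] not in c["clientAppTypes"]:
        return False
    if "signInRiskLevels" in c and signin["riskLevel"] not in c["signInRiskLevels"]:
        return False
    return True

def evaluate(signin, policies=POLICIES):
    """THEN part: union the controls of all matching enabled policies; block wins."""
    controls, hits = set(), []
    for p in policies:
        if p["state"] == "enabled" and policy_matches(p, signin):
            controls.update(p["grantControls"]["builtInControls"])
            hits.append(p["displayName"])
    if "block" in controls:
        return "block", hits
    if "mfa" in controls:
        return "mfa", hits
    return "grant", hits  # no policy applied: granted without extra controls
```

When several policies match, the real service requires every matched control to be satisfied and a block from any one of them overrides the rest; the evaluator keeps that ordering.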

Slide 6

AUDITING & MONITORING

- Enable auditing and monitoring of Azure AD activity to detect and respond to security threats.
- Use Azure AD's built-in auditing and monitoring capabilities or third-party solutions to monitor and log user activity.

Slide 7

AZURE ROLES

- The importance of Azure roles lies in their ability to help organizations manage access to their Azure resources and delegate responsibilities in a secure and controlled manner. By using Azure roles, administrators can ensure that only authorized users have access to the resources they need, while still maintaining full control over the resources themselves.
- Using Azure roles also helps to promote best practices for security and compliance, as it allows organizations to implement least privilege, which grants users only the permissions they need to perform their job functions. This can help to reduce the risk of unauthorized access, data breaches, and other security incidents.

Slide 8

ROLE EXAMPLE

- roleName == display name of the role
- name == unique role ID
- type == whether the role is a custom role (CustomRole) or built-in
- description == role description
- actions == what the role can do
- notActions == what it can't do
- dataActions == data actions the role can perform
- notDataActions == data actions it can't perform
- assignableScopes == what the role applies to; scope it to your specific needs
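A constructed custom role using the properties listed above, together with a check of the permission Azure RBAC derives from them (effective permission is actions minus notActions, bounded by scope), as an added example that is not part of the slides. The subscription ID is a placeholder and the role name, its permissions and the helper functions are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Added example (not from the slides): a constructed custom role definition using
# the properties listed above, plus a check of the permission Azure RBAC derives
# from it: effective = (actions - notActions), scope-limited by assignableScopes.
ROLE = {
    "properties": {
        "roleName": "VM Operator (example)",
        "description": "Read Compute resources and start/restart VMs; no delete.",
        "type": "CustomRole",
        "assignableScopes": ["/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-prod"],
        "permissions": [{
            "actions": ["Microsoft.Compute/*/read",
                        "Microsoft.Compute/virtualMachines/start/action",
                        "Microsoft.Compute/virtualMachines/restart/action"],
            "notActions": ["Microsoft.Compute/virtualMachines/extensions/read"],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}

def _any_match(patterns, op):
    # Azure operation strings are case-insensitive and use '*' as a wildcard.
    return any(fnmatchcase(op.lower(), p.lower()) for p in patterns)

def role_allows(role, operation, scope, data=False):
    """True if the role grants `operation` at `scope`.
    Assumes the role is assigned at one of its assignableScopes (in Azure it is the
    assignment scope, not the definition, that bounds where the permission applies)."""
    props = role["properties"]
    if not any(scope.lower().startswith(s.lower()) for s in props["assignableScopes"]):
        return False
    perms = props["permissions"][0]
    allow, deny = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    return _any_match(perms[allow], operation) and not _any_match(perms[deny], operation)

def overly_broad(role):
    """Least-privilege lint: flag '*' and provider-wide 'Provider/*' grants for review."""
    perms = role["properties"]["permissions"][0]
    return [a for a in perms["actions"] + perms["dataActions"]
            if a == "*" or (a.endswith("/*") and a.count("/") <= 1)]
```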

Slide 9

AZURE AD / AZURE ROLES

- Owner: has full access to all resources within a subscription or resource group, including the ability to delegate access to others.
- Contributor: can create and manage resources but cannot grant access to others.

Slide 10

AZURE AD / AZURE ROLES

- Reader: can view existing resources, but cannot make any changes.
- Billing Reader: can view billing information for a subscription but cannot make any changes.

Slide 11

AZURE AD / AZURE ROLES

You should regularly review the following roles and assignments:
- Global Administrator
- User Administrator
- Privileged Authentication Administrator
- Conditional Access Administrator
- Security Administrator
- All Microsoft 365 and Dynamics service administration roles

Slide 12

AZURE AD / AZURE ROLES

- There is a difference between Azure roles and Azure AD roles.
- Simply put, Azure AD roles apply to tenant-wide administration (Global Admin, etc.), and Azure roles can apply to a resource, resource group, subscription, or management group (Owner, Contributor, Reader, etc.).
- In addition to the built-in roles, administrators can create custom roles that meet the specific needs of their organization.
- This allows administrators to fine-tune access controls and delegate responsibilities in a more granular fashion.

Slide 13

AZURE ACCESS REVIEWS

WHAT ARE USERS DOING WITH THAT ACCESS?
- SOLUTION: access policies, RBAC

WHICH USERS SHOULD HAVE ACCESS TO WHICH RESOURCES?
- SOLUTION: RBAC, security groups

Slide 14

CAN AUDITORS VERIFY THAT THE CONTROLS ARE WORKING?
- Azure Sentinel, Azure Monitor, Log Analytics

ARE THERE EFFECTIVE ORGANIZATIONAL CONTROLS FOR MANAGING ACCESS?
- PIM, access reviews

Slide 15

WHAT CAN BE REVIEWED?

- User access to Azure AD/SSO applications
- Group membership and user synchronization
- Access Packages that group resources (groups, apps, and sites) into a single package to better manage access
- Azure AD roles and Azure resource roles as defined in Privileged Identity Management (PIM)
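The periodic review of the privileged roles listed on slide 11, and of PIM role assignments as described above, as an added example that is not part of the slides: a Python pass over constructed directory-role assignments that flags permanent (non-PIM) assignments, stale accounts and admins without MFA registered. All users, dates, assignment records and the field names are constructed for illustration; the Global Administrator limit follows Microsoft's published guidance of fewer than five.

```python
from datetime import date, timedelta

# Added example (not from the slides): a review pass over constructed directory-role
# assignments, flagging the conditions a periodic access review of the privileged
# roles listed on slide 11 should catch. Users, dates and records are all made up.
PRIVILEGED_ROLES = {
    "Global Administrator", "User Administrator",
    "Privileged Authentication Administrator",
    "Conditional Access Administrator", "Security Administrator",
}
MAX_GLOBAL_ADMINS = 5  # Microsoft guidance: fewer than five Global Administrators
TODAY = date(2023, 3, 10)  # constructed review date

ASSIGNMENTS = [  # constructed sample; lastSignIn None means the account never signed in
    {"user": "alice@contoso.example", "role": "Global Administrator",
     "assignmentType": "Eligible", "lastSignIn": date(2023, 3, 1), "mfaRegistered": True},
    {"user": "svc-legacy@contoso.example", "role": "Global Administrator",
     "assignmentType": "Permanent", "lastSignIn": None, "mfaRegistered": False},
    {"user": "bob@contoso.example", "role": "User Administrator",
     "assignmentType": "Permanent", "lastSignIn": date(2022, 10, 5), "mfaRegistered": True},
    {"user": "carol@contoso.example", "role": "Reports Reader",
     "assignmentType": "Permanent", "lastSignIn": date(2023, 3, 2), "mfaRegistered": True},
]

def review(assignments, today=TODAY, stale_days=90):
    """Return {(user, role): [reasons]} for privileged assignments that need attention."""
    findings = {}
    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue  # not one of the roles this review covers
        reasons = []
        if a["assignmentType"] == "Permanent":
            reasons.append("permanent assignment; convert to a PIM-eligible assignment")
        if a["lastSignIn"] is None or today - a["lastSignIn"] > timedelta(days=stale_days):
            reasons.append(f"no sign-in in {stale_days} days; remove or justify")
        if not a["mfaRegistered"]:
            reasons.append("MFA not registered for an administrative account")
        if reasons:
            findings[(a["user"], a["role"])] = reasons
    return findings

def too_many_global_admins(assignments):
    """True when the tenant is at or above the recommended Global Administrator count."""
    return sum(a["role"] == "Global Administrator" for a in assignments) >= MAX_GLOBAL_ADMINS
```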