Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Azure Active Directory: Best Practices and Tutorials

Active Directory, IT Pros

azure active directory best practices illustration of a computer monitor and a lock on the screen

Are you one of the 90% of organizations that Gartner predicts will move to hybrid cloud infrastructure by 2020? Most of that 90% will use Microsoft Azure Active Directory for identity management and access control. Read on to learn about some best practices for Azure AD, such as multi-factor authentication, centralized identity management, and implementing role-based access control (RBAC).

Azure Active Directory Tutorials

azure active directory best practices definition of azure active directory

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

I binge-watched hours of Ignite and TechEd videos, auditioning the best Azure AD explainers.  And here are my faves:

This video also explained Azure AD but also provided foundational information on the challenges that lead to the creation of Azure AD, (i.e., the enormous amount of apps, a multitude of devices), while maintaining all sorts of credentials and connections with all your Saas applications.

I also really liked the Cloud App Discovery feature: you’re able to get a detailed report on who’s using yourSaaS applications. 

Azure Active Directory Premium: If you’re curious about Azure AD premium, this video is a demo of an enterprise that had data on-prem, but started to move to cloud applications such as Office 365, workday HR, Salesforce and Marketing applications.

Azure Active Directory Connect: The connector is a great tool to integrate your on-premise identity system with Azure AD and Office 365.

Azure Active Directory best practices: It’s extremely helpful to learn from others, especially what worked, what didn’t work, and how they made important, fundamental security and infrastructure decisions.

Authentication on Azure Active Directory: Before federation, a user had to share their username and password with any application that they wanted to use services on their behalf. Users had to trust unknown applications with their credentials, users had to update all their applications if their credentials changed, and once you provided your credentials, they could all do whatever they wanted. See what federation protocols, libraries, and directories you’ll be using to authenticate on Azure AD and 101 ways to authenticate with Azure AD.

Azure Active Directory Best Practices

azure active directory best practices summed up using icon illustrations: security privacy, account management, access control, storage accounts, SQL server, virtual machine use, network

Security experts advocate best practices to configure Azure AD to create a secure and stable operating environment. Here is a long list of different best practices for your consideration.

Azure Security Policy Best Practices

  • Enable Azure Policy Services so you can create, assign, and manage security policies.
  • Manage user password policies and enforce strong passphrases that are difficult for a computer to guess. 
  • Use Azure Management Groups to organize users into different Azure subscriptions. Each user account subscribes to Azure, and one user might not need the same subscription type as another. Management groups allow you to control cost by assigning each user only the subscriptions they need. 
  • Use Azure Blueprints during account creation to automate and recreate compliant and secure environments each time. 

Azure Account and Identity Management Best Practices

  • Make Identify the primary security perimeter. No one accesses the network without authorization.
  • If you are using a hybrid cloud – where you have resources both on-premise and in Azure – manage users in Azure AD as the authoritative user store, and sync Azure AD to your other directory services AD with Azure AD Connect
  • Enable Single Sign-on (SSO), so your users need one identity to access all of your company resources.
  • Configure Azure AD Conditional Access to prevent unauthorized devices and legacy authentication protocols from connecting to your environment. 
  • Set up the Azure Self Service Password Reset feature so users can update and manage their passwords, but monitor password requests for any shenanigans. 
  • Azure AD supports multi-factor authentication. Turn that on for all of your users.
  • Establish role based access control (RBAC) to provide new users with least privilege access based on their job function.
  • Carefully manage and monitor the use of privileged accounts

Azure Access Control Security Best Practices

  • Use the Azure Key Vault or something similar to store your application and encryption keys. Manage application and encryption keys from one system so you can revoke and deploy keys as needed.
  • Use secured workstations to access Azure AD management so only a few systems in your environment can make changes to Azure. 

Azure Storage Accounts Best Practices

  • Require secure transit protocols for any data transfers to your storage – on-premise or cloud.
  • Use encryption to keep your data on disk safer. 

Azure SQL Service Best Practices

  • Use firewalls to restrict database access to a whitelist of IP addresses.
  • Enable Azure AD database authentication to manage and monitor who accesses your data.
  • Encrypt your database and your database files on disk.
  • Enable database auditing to log database events. 

Azure Virtual Machine Best Practices

  • Only allow users to connect to your VMs via the VPN. Disable direct access to your VMs via RDP or SSH from the internet.
  • Lockdown and secure VMs.
  • Enable High Availability (HA) services on your VMs 
  • Install endpoint protection and monitor your VMs for malware and ransomware.
  • Manage and enforce OS update policies for your VMs.
  • Monitor VMs for security incidents and performance.
  • Encrypt VM hardware disk files.

Azure Networking Best Practices

  • Logically segment subnets in your Azure AD virtual network. 
  • Create specific routing behavior rules when necessary – for example, for your security appliances.
  • Use virtual networking appliances for the security of your Azure stack available on the Azure Marketplace.
  • Deploy perimeter network security zones, or DMZ, to keep traffic to your internal resources to a minimum.
  • Avoid exposure to the internet with a solution built for hybrid IT, like site-to-site VPN or Azure ExpressRoute.

Other Azure Best Practices

azure active directory best practices and how Varonis interacts

  • Actively monitor Azure AD for any abnormal activity that could indicate a cyberattack in process. 
  • Adopt the Zero Trust approach to network security and apply those principles to Azure AD.
  • Subscribe to receive incident reports from Microsoft about security threats to your Azure AD environment.
  • Perform pentesting to test out your security posture. 
  • Upgrade to Azure Security Center Standard to get the best security options available.

Azure AD provides many built-in capabilities to secure your hybrid cloud environment. Varonis gives you the monitoring of your hybrid cloud with the advanced threat detection and response capabilities you need to prevent data breaches. Varonis creates individualized baselines of user behavior and compares the current activity to those baselines and our data security threat models. Any abnormal behavior that matches a threat model generates an alert that your Incident Response team can use to investigate and deal with the threat. 

Check out our webinar 25 Key Risk Indicators to Help Secure Active Directory for some more tips to secure Active Directory from attackers.

Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.