Locking down Azure Active Directory

Azure Active Directory has excellent security, with conditional access being one of the most widely used tools to protect Azure Active Directory.

The screenshot below shows the default settings for an Azure AD Premium Plan 2 tenant.

The information tab on the user consent to apps accessing company data on their behalf reads like this:

If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organization’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels.
If this option is set to no, then admins must consent to these applications before users may use them.

Consider the scenario where a phishing email slips through the cracks and an end user grants a non-Microsoft application access to their organization's data. We do not want that to happen!

The correct setting is listed below.
Application administrators should be granted the Application Administrator role in Azure Active Directory. Then the next time an end user wants to add an application, the application administrator will receive an email and can approve it from his/her Outlook client.

The next time an end user or IT staff member wants to add an application to Azure AD, do not simply grant the Global Administrator role.

Use Azure Privileged Identity Management and Application Administrator roles!
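
The user consent setting described above can also be checked, and turned off, from PowerShell. The script below is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, and the function names Get-UserConsentState and Disable-UserConsent are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module). Function names are hypothetical.

function Get-UserConsentState {
    # Read-only: needs Connect-MgGraph -Scopes 'Policy.Read.All'
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
                  Where-Object { $_ })
    # "ManagePermissionGrantsForSelf.*" entries let a user consent on their own behalf
    $self = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
    [pscustomobject]@{
        UserConsentEnabled  = ($self.Count -gt 0)
        SelfConsentPolicies = $self
        AllAssigned         = $assigned
    }
}

function Disable-UserConsent {
    # Write: needs Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
    $state = Get-UserConsentState
    if (-not $state.UserConsentEnabled) { return $state }
    # Keep every other assigned policy (for example
    # ManagePermissionGrantsForOwnedResource.*) and drop only the self-consent ones
    $keep = @($state.AllAssigned |
              Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = $keep
    }
    Get-UserConsentState
}

# Report only; call Disable-UserConsent separately after reconnecting with the write scope
Connect-MgGraph -Scopes 'Policy.Read.All'
$state = Get-UserConsentState
if ($state.UserConsentEnabled) {
    Write-Warning "Users can consent to apps: $($state.SelfConsentPolicies -join ', ')"
} else {
    Write-Output 'User consent is off: an admin must consent before users can use an app.'
}
```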

Azure AD Connect authentication error

I started to notice that Azure AD Connect was failing, had a look in the console, and saw the error message displayed in the image below.

Then when I tried to run the command Start-ADSyncSyncCycle -PolicyType delta, I received a long list of authentication errors.

To resolve the issue, browse to the properties of the Azure Active Directory account and copy the account name to the clipboard.

Next, add this account as an excluded account in the conditional access policies, the same way a break-glass cloud identity admin account would be excluded from conditional access policies.

As soon as the sync account has been added to the exclusions, syncs will resume.