{"id":87346,"date":"2018-12-17T09:00:23","date_gmt":"2018-12-17T17:00:23","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=87346"},"modified":"2023-05-15T23:10:04","modified_gmt":"2023-05-16T06:10:04","slug":"step-2-manage-authentication-and-safeguard-access-top-10-actions-to-secure-your-environment","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/12\/17\/step-2-manage-authentication-and-safeguard-access-top-10-actions-to-secure-your-environment\/","title":{"rendered":"Step 2. Manage authentication and safeguard access: top 10 actions to secure your environment"},"content":{"rendered":"

<p><em>The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. We will provide advice on activities such as setting up identity management through Active Directory, malware protection, and more. In this post, we explain how to enable single sign-on (SSO) in Azure Active Directory (Azure AD) to manage authentication across devices, cloud apps, and on-premises apps, and then how to set up Multi-Factor Authentication (MFA) to authenticate user sign-ins through a mobile app, phone call, or SMS.<\/em><\/p>\n

<p>Balancing employee productivity needs with enterprise security begins with protecting identities. Gone are the days when users accessed corporate resources behind a firewall using corporate-issued devices. Your employees and partners use multiple devices and apps for work. They share documents with other users via cloud productivity apps and email, and they switch between personal and work-related apps and devices throughout the day. This has created a world of opportunity for sophisticated cybercriminals.<\/p>\n

<p>Hackers know that users often use the same weak password for all their accounts. Sophisticated cybercriminals employ several tactics to take advantage of these vulnerabilities. Password spray is a method of trying common passwords against known account lists. In a breach relay, a malicious actor steals a password from one organization and then uses the password to try to access other networks. Phishing campaigns trick users into handing over the password directly to the hacker. Azure AD provides several features to reduce the likelihood of all three of these attack methods.<\/p>\n

<blockquote><p>Access credentials in the form of email addresses and passwords are the two most compromised data types, at 44.3 percent and 40 percent, respectively.\n<strong>Source<\/strong>: Dark Reading <strong>Date<\/strong>: November 2017<\/p><\/blockquote>\n

<h3>Simplify user access with Azure AD single sign-on<\/h3>\n

<p>Most enterprise security breaches begin with a compromised user account, which makes protecting those accounts a critical priority. If you manage a hybrid environment, the first step is to create a single common identity for all your users. We recommend password hash sync as your primary authentication method if possible. If you use federation services to authenticate users, be sure to enable extranet lockout. You can read about these and other hybrid identity security recommendations in the first blog in this series: Step 1. Identify users: top 10 actions to secure your environment.<\/p>\n

<p>One huge advantage of a hybrid deployment is that you can set up SSO. Users already sign in to on-premises resources using a username and password they know. Azure AD SSO lets them use the same set of credentials to access on-premises resources plus Office 365 apps. You can then increase productivity further by extending SSO to include more cloud SaaS and on-premises apps through AppProxy. Cloud-only customers gain the same productivity benefits by setting up SSO across Azure AD, Office 365, and Azure AD-connected cloud applications.<\/p>\n

<p>You can use the SSO deployment plan as a step-by-step guide to walk you through the implementation process of adding more apps to your SSO solution.<\/p>\n

<h3>Strengthen your credentials<\/h3>\n

<p>Given the frequency with which credentials are stolen, guessed, or phished, both cloud and hybrid customers should enable Azure MFA to add another layer of security to their accounts (Figure 1). MFA protects everything under the SSO identity system, including cloud SaaS and on-premises apps published with AppProxy, significantly decreasing the odds that a compromised identity will result in a security breach.<\/p>\n

<p>MFA works by requiring two or more of the following authentication methods:<\/p>\n