Entra ID: Limit Admin Access on Privileged Workstations with Entra ID!
Microsoft Entra
Dec 18, 2024 10:46 PM


By HubSite 365, about Dean Ellerby [MVP]

Microsoft MVP (Enterprise Mobility, Security) - MCT


Key insights

  • Privileged Access Workstations (PAWs): PAWs are specialized devices dedicated to administrative tasks, enhancing security by reducing risks of unauthorized access and credential theft. They must meet organizational security standards.

  • Conditional Access Policies: Implement policies in Microsoft Entra ID to restrict admin access only from tagged PAWs. This involves creating a security group for PAW users and setting device filters to allow or block access based on compliance.

  • Multifactor Authentication (MFA): Enforce MFA for privileged accounts to protect against credential theft and brute-force attacks. Use options like FIDO2 keys and hardware tokens for added security.

  • Password Protection: Utilize Entra Password Protection to enforce strong passwords by using global and custom banned password lists, transitioning from Audit Mode to Enforced Mode for better credential hygiene.

  • User Settings Adjustments: Restrict default user permissions related to app registration, tenant creation, and security group management. Limit guest user access to specific objects they own to minimize exposure risks.

  • Risk-Based Policies: Deploy risk-based policies that dynamically adjust access requirements based on sign-in risks such as unusual locations or compromised credentials, ensuring minimal disruption while enhancing security.

Introduction to Securing Microsoft Entra ID

In today's digital landscape, cybersecurity remains a top priority for organizations worldwide. As Microsoft continues to introduce cloud-based security features, it is crucial to ensure the foundational elements of security are in place. Dean Ellerby, a Microsoft MVP, recently released a YouTube video detailing how to restrict administrative access in Microsoft Entra ID (formerly Azure Active Directory) to specific privileged workstations. This article will explore the key points from the video, providing an in-depth look at the strategies and steps involved in enhancing security through Privileged Access Workstations (PAWs) and Conditional Access policies.

Implementing Privileged Access Workstations (PAWs)

One of the primary methods to secure administrative access in Microsoft Entra ID is through the use of Privileged Access Workstations (PAWs). These are dedicated devices configured exclusively for administrative tasks, offering a secure environment that minimizes the risk of credential theft and unauthorized access. To set up PAWs, organizations must ensure these workstations are compliant, managed, and meet their security standards. To differentiate PAWs from regular user devices, each PAW device object in Entra ID should be tagged using an attribute such as ExtensionAttribute1. This can be done through Microsoft Graph Explorer or PowerShell. By tagging devices, administrators can easily identify and manage PAWs, ensuring they are used exclusively for privileged tasks.

Creating Security Groups and Configuring Conditional Access Policies

After implementing PAWs, the next step is to create a security group for the users who need to administer from these workstations. In Entra ID, administrators can create a security group, such as "PAW-Users," and add the necessary administrative accounts. This group is the target of the Conditional Access policies that enforce the restriction. By navigating to the Conditional Access section in the Entra admin center, administrators can create a new policy targeting the "PAW-Users" group. The policy should include a device filter that identifies devices where ExtensionAttribute1 equals "PAW." Access controls can then be set so that sign-ins from devices matching the PAW filter are allowed while sign-ins from any other device are blocked. Initially, the policy can be set to "Report-only" mode to monitor its impact before full enforcement.
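The tagging, group and policy steps above, scripted with the Microsoft Graph PowerShell SDK as an added example (this is not code from Dean Ellerby's video). It assumes the SDK is installed, the caller can consent to the listed scopes, and `$pawDeviceIds` holds the Entra device object IDs of the PAWs (the GUID shown is a constructed placeholder).

```powershell
# Added example: tag PAW device objects, create the PAW-Users group and a
# report-only Conditional Access policy that blocks any sign-in from a device
# NOT tagged extensionAttribute1 = "PAW". Placeholder values are marked.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Tag each PAW (device object IDs; constructed placeholder below)
$pawDeviceIds = @("00000000-0000-0000-0000-000000000001")
foreach ($id in $pawDeviceIds) {
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/devices/$id" `
        -Body @{ extensionAttributes = @{ extensionAttribute1 = "PAW" } }

    # Read the tag back: a typo here would silently leave the device outside the filter
    $dev = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/devices/${id}?`$select=displayName,extensionAttributes"
    "{0}: extensionAttribute1 = {1}" -f $dev.displayName, $dev.extensionAttributes.extensionAttribute1
}

# 2. Security group holding the administrative accounts the policy applies to
$group = New-MgGroup -DisplayName "PAW-Users" -MailNickname "PAW-Users" `
    -MailEnabled:$false -SecurityEnabled

# 3. Conditional Access policy. The device filter uses mode "exclude": devices that
#    match the rule are carved out of the policy, so the "block" grant only hits
#    devices that do NOT carry the PAW tag. Report-only state lets you review the
#    sign-in log impact before switching state to "enabled".
$policy = @{
    displayName   = "PAW-only admin access (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Untagged devices in the group's scope will show as "Failure" under the policy's report-only results in the sign-in logs, which is the check to run before moving the policy out of report-only mode.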

Enhancing Security with Multifactor Authentication and Device Compliance

Multifactor authentication (MFA) is a critical component in protecting privileged accounts. It should be enforced at all times, regardless of location or device compliance, ensuring a second authentication factor is always required. Entra ID supports various MFA options, including FIDO2 keys, push notifications, and hardware tokens, to safeguard against credential theft and brute-force attacks. Moreover, privileged accounts should access admin portals only from compliant devices enrolled in Microsoft Intune and joined to Entra ID. Managed devices adhere to compliance policies like encryption, endpoint protection, and up-to-date patches, reducing risks associated with personal or unmanaged devices. Restricting access to specific PAWs further enhances security by limiting the attack surface and ensuring that privileged users enter their credentials on hardened devices.

Utilizing Entra Password Protection and Risk-Based Policies

Entra Password Protection is another layer of security that prevents users from setting weak or commonly compromised passwords. By enforcing a global banned password list and creating a custom list tailored to the organization, administrators can protect against credential stuffing and brute-force attacks. Audit Mode logs attempts to set weak passwords, providing insights into password hygiene before switching to Enforced Mode for active blocking. Risk-based policies in Entra ID automatically evaluate sign-in risks, such as unusual locations or compromised credentials, and adjust access requirements dynamically. This approach minimizes user friction while enhancing security, as low-risk users experience minimal disruptions, whereas high-risk scenarios trigger additional security steps like MFA or access blocks.

Adjusting User Settings for Enhanced Security

Default user settings in Microsoft Entra ID can pose significant risks if not properly adjusted. Reviewing and tightening these settings ensures a secure environment while maintaining user productivity. Key areas of concern include restricting users from registering applications, creating tenants, and managing security groups. These capabilities should be limited to administrators to prevent unauthorized access and potential data leakage. Guest user access should also be carefully managed. External collaborators should not have the same permissions as internal employees. Limiting guest user permissions to only the objects they own and configuring External Collaboration Settings in Entra ID helps mitigate risks while maintaining collaboration.

Conclusion: The Beginning of a Cybersecurity Journey

Securing Microsoft Entra ID is an ongoing process that requires continuous evaluation and enhancement. While the steps outlined in Dean Ellerby's video provide a solid foundation, they are just the beginning of an organization's cybersecurity journey. By implementing these measures, organizations can achieve an essential base level of security. However, it is vital to continue adopting additional security measures and enhancements to stay ahead of evolving threats and ensure comprehensive protection.
