MenuClose

11 Simple Ways To Securing Azure Functions

This is a powerful document that you can use to securing azure functions. With the rapid adoption of IaaS providers like Azure, the threat environment has evolved, but with the right preparation, any company can implement cloud security practices for services that significantly reduce the potential impact of an attempted breach.

Enable MFA

You should enable MFA for all of your user accounts because of a breach of those accounts can lead to a breach of any data that user has accessed to. MFA is encouraged to be mandatory across all users, especially in today’s remote workforce. At a minimum, it should be enforced on all global admins.

Microsoft recently enforced Azure security defaults in tenants in efforts to enhance security. Azure Security is on in net new tenants that you spin up after this date and enforces the following.

  • MFA on all accounts
  • Blocks Legacy Authentication (IMAP/POP/SMTP)
  • Enforcing MFA for users who access the Azure Portal, Azure PowerShell, Azure CLI
  • Click here for the full article

Security defaults are NOT a hard requirement for non-partner tenants but are recommended. If you have a tenant licensed with conditional access, it is recommended that you enforce a conditional access policies instead of Azure security defaults. Both CANNOT be turned on at the same time. If you enable a conditional access policy, then you will have to turn off Azure security defaults. MFA can also be enabled in the legacy portal but that will be deprecated in the future. For now, we will show you all three ways to enable MFA for users.

  • Go to the Microsoft 365 Admin Center>Users>Active Users
  • Click Multi-factor Authentication
  • Select users to enable multi-factor authentication and click enable
securing azure functions
  • The next time the user signs in they will be prompted with the following:
  • Depending on your settings, they will enter a phone used for the second form of authentication. You can adjust the settings by going to Service Settings on the top of the multi-factor page.

Security Defaults

  • In the Microsoft 365 Admin Portal, click on the Azure Active Directory link under Admin Centers
  • Click Azure Active Directory
  • Under Manage>Properties>Manage Security Defaults
  • Toggle on Security Defaults

Note: Turning on security defaults enforces MFA for all users. They will have 14 days to register after their first sign-in after you turn this on, and they will only be able to use the Microsoft Authenticator app as their second form of authentication. Be sure to plan and communicate accordingly.

Conditional Access

  • In the Azure Active Directory, under Manage, select Security
  • Click Conditional Access
  • Click New Policy
  • Give your policy a name and select all users under the users and groups blade.

Note: Microsoft gives you multiple warnings not to lock yourself out of the account. It is recommended that you create a break-glass global admin account so that you can get back in if you lose 2-factor on your primary account. You could use the exclude tab here to exclude that user from this list.

  • Select All Cloud Apps
  • Skip the conditions section and in the Grant section, select Require Multi-factor Authentication
  • Enable the policy and click Create

Enable MFA For Admins

If you are not going to want to turn MFA on for all users in the organization, you should at least be turning it on for privileged roles like global admins, exchange admins, etc. Dedicated accounts like a global admin roles should ONLY be used when performing admin task and generally should not be used for day-to-day end-user functions. This will help reduce your attack surface from the standpoint of a privileged account. Note that you can enable MFA on admin users via the legacy MFA portal as shown in the previous section or with a conditional access policy which will be shown here.

  • Go back to the conditional access and create a new policy
  • Give your policy a name and under the users and groups blade select Directory Roles. From the drop down, select Global Administrator at a minimum. If you have assigned other privileged roles like User Administrator or Security Administrator, we recommend adding them here too.
  • Select All Cloud Apps
  • Skip the conditions section and in the Grant section, select Require Multi-factor Authentication
  • Enable the policy and click Create.

Powershell

  • We added some scripts here for multi-tenant commands via your partner center credentials. With these scripts you can identify Global admins across all customer tenants and chose to enable MFA.
  • Retrieve a list of all Microsoft 365/Office 365 customers’ global admins without multi-factor authentication using the Powershell Script
  • Enable multi-factor authentication on admins in customer’s M365/O365 tenant. Here we will take the export data we performedand add the users for a particular tenant into a CSV file. Once complete, these admins will be prompted to establish MFA at their next sign in using the Powershell script
  • Block Admin access till MFA requirements are met using the Powershell script

Block Legacy Authentication

Legacy authentication is more susceptible to password spray attacks or brute force attacks because you cannot layer on MFA. It is advised to block all legacy authentication methods within your customer’s environments. Legacy authentication can be blocked by enabling Security Defaults or creating a conditional access policy.

Note: If you have any printers/copiers/scanners or IMAP accounts used for ticketing, you should update those protocols before blocking legacy auth.

  • Go back to the conditional policies and create a new policy. Name your policy and scope to all users.
  • In the Cloud apps or actions blade, click All cloud apps.

Also Read: Microsoft Cloud App Security: The Definitive Guide.

Note: If you do have applications that use legacy auth, you could exclude them here to give yourself more time to update the protocol.

  • In the conditions section, click Client Apps>Mobile Apps and Desktop Clients>Other Clients
  • In the Grant blade, leave the setting at Block Access
  • Enable the policy and click Create

Enable Self-Service Password Reset

With self-service password reset in Azure AD, users no longer need to engage helpdesk to reset passwords. This feature works well with Azure AD dynamically banned passwords, which prevents easily guessable passwords from being used.

  • Go to the Azure Active Directory Admin Portal and click on the Password Reset under Manage
  • The default tab allows you to enable for all users or select groups of users if you do not want to turn it on for everyone.
  • In the Authentication Methods tab, you can define what settings they can put in place. These may be the same you have selected for MFA. One that you could add that isn’t available with MFA is security questions.

Do Not Expire Passwords

Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position not to expire passwords periodically without a specific reason. Make sure you have MFA enabled before making this setting change.

  • In the 365 Admin Center, expand Settings and select Org settings and click Security & Privacy.
  • From here, you can click edit to make changes to the password policy.
  • Ensure the set user passwords to expire after a number of days

Delete/block accounts not used in last 30 days

Deleting or blocking accounts that haven’t been used in the last 30 days, after checking with owners, helps prevent unauthorized use of inactive accounts. These accounts can be targets for attackers who are looking to find ways to access your data without being noticed. In GitHub, you can download a PowerShell script called “InactiveUsersLast90Days.ps1” to look up the users who have not logged in for the last 90 days.

Do not allow users to grant consent to unmanaged applications

Tighten the Azure security center of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts.

  • Go to the 365 Admin Center>Expand settings>Org settings>Services
  • Click “User consent to apps”
  • Deselect the checkbox and save

Designate More than 1 Global Admin but fewer than 5

Reducing the number of global admins limits the number of accounts with high privileges that need to be closely monitored. If any of those accounts are compromised, critical devices and data are open to attacks. Designating fewer than 5 global admins reduces the attack surface area.

  • Go to the Microsoft 365 Admin Center>Go to Users>Active Users
  • On this page, you can filter by Global Admin roles.
  • You can manage user roles by selecting on a user and clicking on Manage Roles

Here you may change roles of a user.

Now It’s Your Turn:

So that’s how I’m securing azure functions.

Which tips from today’s post are you going to try first? Or maybe you have a question about something that I covered.

Either way, I’d like to hear from you. So go ahead and leave a comment below.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *