Reading time:
3 min

Is Your Azure AD 100% Safe? Hackers Betting It Ain’t


Azure is the host to Office 365 and a key way end users are identified in the cloud. This also makes Azure and Azure AD the main thoroughfare for cybercriminals making their way into the network.

A piece by Microsoft: ‘Azure Identity Management and Access Control Security Best Practices’, lists a handful of tips, including:

  1. “Treat identity as the primary security perimeter
  2. Centralize identity management
  3. Manage connected tenants
  4. Enable single sign-on
  5. Turn on Conditional Access
  6. Plan for routine security improvements
  7. Enable password management
  8. Enforce multi-factor verification for users
  9. Use role-based access control
  10. Lower exposure of privileged accounts”

Fortunately, this checklist is a roadmap of many CoreView security features. One key item is CoreView’s Azure Activity Reports, which include:

  1. Application usage: summary and detailed reports
  2. Application dashboard
  3. Detailed audit logs
  4. Account provisioning errors
  5. Individual user devices and activity
  6. Groups activity reports
  7. Password reset activity

Too Little Attention Paid to Azure AD Security

With Azure monitoring and reporting, customers audit and report on suspicious login activity, different device access methods and DLP activities, and perform security and compliance auditing, all from a common management interface. These capabilities also allow customers to configure automated alerts to notify administrators when security compliance issues with Azure AD are identified. In total, CoreView now allows auditing and alert notifications based on over 500 actions in Office 365 and Azure AD.

Tracking Suspicious Sign-Ins

One of the biggest items is tracking AD suspicious sign-in activity. The Azure AD security monitoring and auditing reports available in CoreView provide the proactive, bloodhound type trail to sniff-out suspicious activities for user account log-ins. Many security breaches come from botnet driven brute-force attacks on user accounts by trying different password combinations until they gain access over time. This was the method used by the “KnockKnock” attack which targeted Office 365 system accounts. Add to this the ShurL0ckr type attacks in 2018 that are still ongoing and infect OneDrive collaborate storage folders, and you can see how IT admins have their hands full with monitoring security breaches and infestations.

azure ad protection

Monitoring suspicious sign-in activities on user accounts has quickly become a critical security task for IT administrators responsible for managing Office 365. The customizable reports from CoreView enable IT admins to easily monitor these suspicious activities, identify who performed the sign-in, when it happened, and from what geographic location (which IP address). The anomalous AD activity reports combine suspicious sign-in details from the following categories:

  1. Sign-ins from unknown sources
  2. Sign-ins after multiple failures
  3. Sign-ins from multiple geographies in the same days/weeks
  4. Sign-ins from IP addresses with suspicious activity
  5. Sign-ins from possibly infected devices
  6. Irregular sign-in activity

Easily Secure AD with Workflow

The good news is CoreView can easily establish and manage AD identities, and have this work automated in a pre-set, serial workflow process with full auditing implemented by default. Here are the steps that can be automated, and done without error:

  1. Import New User List – into CoreView processing queue using a CSV file
  2. On-Premises Account Creation – in the on-premises Active Directory using the CoreView Hybrid management functionality
  3. Azure AD Account Creation – setup synchronized accounts in the cloud
  4. O365 License Assignments – based on department and job role profile
  5. Addition to Office 365 Groups
  6. Policies Assignment for Various Services
  7. E-Mail Sent to Manager With Temporary Password
  8. Preconfigured Welcome Message Sent to New User – containing links to onboarding materials and training portal
  9. New User Account Included in Virtual – Tenant for Associated Business Unit

Protect Your O365 Tenant With CoreView

Get your O365 security profile FREE with our new CoreDiscovery solution. You can get your free software now at the CoreDiscovery sign up page:

Or sign up for a personalized CoreView demo.


See how CoreView can help you with this

Learn more about securing and optimizing your M365 and other SaaS applications.