Identity and access management is a major pillar of modern cybersecurity—and for good reason. The use of stolen credentials is present in about 40% of cyberattacks, and some sort of human element, whether it’s falling for phishing attempts, accidentally downloading malware or some other kind of social engineering incident, is implicated in more than 80% of breaches.
For managed service providers (MSPs) who deliver Microsoft Azure for clients, this is absolutely something to pay close attention to. Azure environments are unfortunately not exempt from fraud attempts. On the bright side, however, there are plenty of actions MSPs can take to secure their tenants and practice vigilance against fraud attempts.
Recommendations for preventing fraud in Microsoft Azure
Both MSPs and their customers can protect against fraud in Microsoft Azure by adhering to some key best practices, such as enforcing multifactor authentication (MFA), regularly reviewing activity logs and setting up relevant budget alerts, among others.
Check your identity secure score in Azure Active Directory
Maintaining a bird’s eye view of your Azure tenants’ security is a great place to start for ensuring your MSP business is in alignment with parameters recommended by Microsoft. One way to effectively do this is by checking up on your identity secure score.
Essentially, a tenant’s secure score gives you an idea of how strong their security posture is based on their Azure Active Directory configuration. The score is determined across five categories: identity, data, devices, infrastructure and apps. It also provides further recommendations for how the score can be improved based on that configuration. To access the secure score, you’ll need to be assigned one of the following roles:
- Global administrator
- Security administrator
- Exchange administrator
- SharePoint administrator
Require MFA for all Azure tenants
Highly regarded as an effective way to prevent cyberattacks—including fraud in Microsoft Azure—MFA is a relatively easy way to ensure customers’ credentials go uncompromised.
There are a few different ways to configure MFA for your MSP’s clients. Depending on what license your tenant is using, you might choose between using Conditional Access or security defaults. Regardless of what method you implement, it’s important to ensure that your MFA method of choice is phishing resistant, and that it’s required for all user accounts across the tenant.
Regularly review admin accounts and sign-in activity
Keeping a close eye on who has access to customer environments is another best practice for preventing fraud in Microsoft Azure. Similarly, it’s a good idea to encourage your clients to review accounts and accesses from their end as well to ensure that the accounts of upstream partners are also legitimate.
Implementing a least-privilege approach to access is highly recommended for keeping accounts secure, especially for roles with global, security or other administrative credentials. Furthermore, Global Admin accounts should not be used for email and collaboration tasks and their account credentials should not be shared with multiple users.
MSPs can review sign-in information and accesses by checking the appropriate audit logs. Beyond checking for suspicious sign-in times and locations, providers should also pay attention to unfamiliar recovery email addresses and phone numbers.
Set up alerts for budgeting and cost anomalies
Microsoft partners and MSPs enrolled in the Cloud Solution Provider (CSP) program should be aware that they’re on the hook for any unauthorized purchases made using clients’ Azure accounts. Setting up email notifications for alerts regarding individual tenants’ budgets and respective costs can help with monitoring for such fraudulent activity.
Using Cost Management for Azure, MSPs can set budgets for tenant organizations to ensure their Azure consumption stays in line with their expectations. The Cost Management tool can also be configured to monitor and send out email alerts for charges that conflict with those budgets and forecasted costs.
Work with an expert partner to help secure your Azure tenants
Following the best practices listed above are a great step towards preventing fraud in Microsoft Azure, but it’s understandably a lot for an individual MSP to take on alone.
Sherweb can help! Our Azure experts can offer guidance and resources to help keep your clients safe according to their needs. Reach out to us to start a conversation about how we can support your Azure practice, or check out our partner guide for more information about how we can position your MSP business for growth.
