An administrator account is any identity, a person or a service, that can change an object. If you are changing a user, group, computer, organizational unit, or any other object in a domain, you need an administrative account.
Dive into Tiers
There are different levels of administrator access. Administrators have different accounts based on the resources they access.
The Tiers
Microsoft calls this administrative separation “Tiers.” Full documentation on Microsoft tiers requires a bit of in-depth reading.
There Are Three Tiers For Administrators: Tier 0, Tier 1, and Tier 2
Tier 0 is the highest level and includes administrative accounts and groups, domain controllers, and domains that have direct or indirect administrative control of the AD forest. Tier 0 administrators can manage and control assets in all tiers but only log in interactively to Tier 0 assets. For example, a domain administrator should never log in interactively to a Tier 2 asset.
Who are the Tier 0 (Zero) Admins?
The smallest circle of administrators on a domain, these accounts are the most vital in an organization. They contain the permissions required to view all the user passwords.
Guard these accounts with a sense of sheer ferocity.
Tier 1 is for domain member servers and applications. Accounts that control these assets have access to sensitive business data. Tier 1 administrators can access Tier 1 or Tier 0 assets (network logon) but can only manage Tier 1 or Tier 2 assets. Tier 1 administrators can only log on interactively to Tier 1 assets.
Tier 2 is for end-user devices. For example, helpdesk staff would be part of this tier. Tier 2 administrators can access all tier assets (network logon) as necessary but can only manage Tier 2 assets. Tier 2 admins can log in interactively to Tier 2 assets.
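The logon rules in the three tier descriptions above can be checked mechanically against Windows Security logon events (event ID 4624). The following is an added example, not code from the article or from Microsoft: it encodes the rules as stated (interactive logons only within an admin's own tier; network logons to any tier for Tier 0 and Tier 2 accounts, and only to Tier 0 or Tier 1 assets for Tier 1 accounts) and runs them over constructed, flattened 4624 records. The account and host tier assignments, the `CORP` domain and the host names are hypothetical lab data; in a real deployment they would come from group membership and OU placement.

```python
"""Audit Windows logon events (ID 4624) against the administrative tier model.

Rules encoded from the tier descriptions:
  * an admin account may log on interactively (logon types 2, 10, 11)
    only to assets in its own tier;
  * network logons (type 3) are allowed to any tier for Tier 0 and Tier 2
    accounts, and only to Tier 0 or Tier 1 assets for Tier 1 accounts.
Account and host tier assignments below are hypothetical lab data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# 4624 logon-type values: 2 Interactive, 10 RemoteInteractive (RDP), 11 CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
NETWORK_LOGON_TYPE = 3

# Tiers an admin of a given tier may reach with a network logon.
NETWORK_ALLOWED = {0: {0, 1, 2}, 1: {0, 1}, 2: {0, 1, 2}}

# Hypothetical tier assignments (in practice derived from groups and OUs).
ACCOUNT_TIER = {"CORP\\da-alice": 0, "CORP\\srv-bob": 1, "CORP\\hd-carol": 2}
HOST_TIER = {"DC01": 0, "SQL01": 1, "WS-1042": 2}


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int


def parse_4624(line: str) -> Optional[Logon]:
    """Parse one constructed, flattened 4624 record written as key=value tokens.

    Only EventID, TargetDomainName, TargetUserName, LogonType and Computer are read;
    any other event ID is ignored."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("EventID") != "4624":
        return None
    account = f"{fields['TargetDomainName']}\\{fields['TargetUserName']}"
    return Logon(account, fields["Computer"], int(fields["LogonType"]))


def check_logon(logon: Logon) -> Optional[str]:
    """Return a description of the tier violation, or None when the logon is permitted."""
    admin_tier = ACCOUNT_TIER.get(logon.account)
    if admin_tier is None:
        return None  # not a tiered admin account: out of scope for this check
    host_tier = HOST_TIER.get(logon.host)
    if host_tier is None:
        return f"{logon.account} (Tier {admin_tier}) logged on to untiered host {logon.host}"
    if logon.logon_type in INTERACTIVE_LOGON_TYPES and host_tier != admin_tier:
        return (f"{logon.account} (Tier {admin_tier}) interactive logon type {logon.logon_type} "
                f"to {logon.host} (Tier {host_tier})")
    if logon.logon_type == NETWORK_LOGON_TYPE and host_tier not in NETWORK_ALLOWED[admin_tier]:
        return (f"{logon.account} (Tier {admin_tier}) network logon "
                f"to {logon.host} (Tier {host_tier})")
    return None


def find_violations(lines: Iterable[str]) -> List[str]:
    """Run every parsable 4624 record through check_logon and collect the findings."""
    findings = []
    for line in lines:
        logon = parse_4624(line)
        if logon is not None:
            finding = check_logon(logon)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events (not real log output).
SAMPLE_EVENTS = [
    "EventID=4624 TargetDomainName=CORP TargetUserName=da-alice LogonType=2 Computer=DC01",
    "EventID=4624 TargetDomainName=CORP TargetUserName=da-alice LogonType=10 Computer=WS-1042",
    "EventID=4624 TargetDomainName=CORP TargetUserName=da-alice LogonType=3 Computer=SQL01",
    "EventID=4624 TargetDomainName=CORP TargetUserName=srv-bob LogonType=3 Computer=DC01",
    "EventID=4624 TargetDomainName=CORP TargetUserName=srv-bob LogonType=3 Computer=WS-1042",
    "EventID=4624 TargetDomainName=CORP TargetUserName=hd-carol LogonType=2 Computer=WS-1042",
    "EventID=4624 TargetDomainName=CORP TargetUserName=hd-carol LogonType=10 Computer=SQL01",
    "EventID=4625 TargetDomainName=CORP TargetUserName=hd-carol LogonType=2 Computer=SQL01",
    "EventID=4624 TargetDomainName=CORP TargetUserName=jdoe LogonType=2 Computer=WS-1042",
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS):
        print("TIER VIOLATION:", finding)
```

Run against the sample, the script reports three violations: the Tier 0 account RDP-ing (type 10) to a workstation, the Tier 1 account's network logon to a Tier 2 asset, and the helpdesk (Tier 2) account's RDP session to a member server. Ordinary user logons and non-4624 events are ignored, which keeps the check focused on the accounts whose tier boundaries matter.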
Azure AD Conditional Access is at the heart of the new identity-driven control plane.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. For example, a payroll manager who wants to access the payroll application is required to complete multi-factor authentication before access is granted.
Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
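To make the if-then structure and the ordering concrete, here is an added example (not code from the article and not Microsoft's implementation or policy schema) of a minimal policy evaluator. It models the two points above: policies are only consulted once first-factor authentication has succeeded, and a signal such as a sign-in risk level can feed the decision. The policy fields, the `mfa`/`block` controls, the risk-level names and the tenant policies are assumptions for illustration; when several policies match, a block wins and otherwise every matched control must be satisfied.

```python
"""Minimal model of Conditional Access evaluation: policies are if-then rules
applied only after first-factor authentication has succeeded.

The policy schema, control names and risk levels are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

RISK_LEVELS = ["none", "low", "medium", "high"]  # assumed ordering of a sign-in risk signal


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    first_factor_ok: bool         # did the primary (password) authentication succeed?
    sign_in_risk: str = "none"    # risk signal supplied by the identity platform


@dataclass(frozen=True)
class Policy:
    name: str
    groups: FrozenSet[str] = frozenset()   # "if" part: empty set means all users
    apps: FrozenSet[str] = frozenset()     # empty set means all applications
    min_risk: str = "none"                 # applies when sign-in risk is at least this level
    control: str = "mfa"                   # "then" part: "mfa" or "block"


def applies(policy: Policy, signin: SignIn) -> bool:
    """The 'if' half: do all of this policy's conditions match the sign-in?"""
    if policy.groups and not (policy.groups & signin.groups):
        return False
    if policy.apps and signin.app not in policy.apps:
        return False
    return RISK_LEVELS.index(signin.sign_in_risk) >= RISK_LEVELS.index(policy.min_risk)


def evaluate(policies: List[Policy], signin: SignIn) -> Dict[str, object]:
    """Decide the outcome of a sign-in.

    Policies are not consulted at all when first-factor authentication failed; when
    several policies match, a block wins, otherwise every required control must be met."""
    if not signin.first_factor_ok:
        return {"decision": "denied_first_factor", "matched": []}
    matched = [p for p in policies if applies(p, signin)]
    names = [p.name for p in matched]
    if any(p.control == "block" for p in matched):
        return {"decision": "block", "matched": names}
    controls = sorted({p.control for p in matched})
    if controls:
        return {"decision": "require_controls", "controls": controls, "matched": names}
    return {"decision": "grant", "matched": names}


# Hypothetical tenant policies.
POLICIES = [
    Policy("Payroll app requires MFA", groups=frozenset({"payroll-managers"}),
           apps=frozenset({"payroll"}), control="mfa"),
    Policy("Admins require MFA everywhere", groups=frozenset({"tier0-admins"}), control="mfa"),
    Policy("Block high-risk sign-ins", min_risk="high", control="block"),
]

PAYROLL_MANAGER = frozenset({"payroll-managers", "all-staff"})  # constructed group membership

if __name__ == "__main__":
    for s in [
        SignIn("pat", PAYROLL_MANAGER, "payroll", True),
        SignIn("pat", PAYROLL_MANAGER, "expenses", True),
        SignIn("pat", PAYROLL_MANAGER, "payroll", False),
        SignIn("pat", PAYROLL_MANAGER, "payroll", True, sign_in_risk="high"),
    ]:
        print(s.app, s.first_factor_ok, s.sign_in_risk, "->", evaluate(POLICIES, s))
```

The four sample sign-ins show the payroll case from the text (MFA required), an application no policy covers (granted), a failed password (denied before any policy runs, which is why Conditional Access cannot be the first line of defence against credential-guessing or denial-of-service traffic), and a high-risk sign-in where the block policy overrides the MFA requirement.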
Many organizations have common access concerns that Conditional Access policies can help with, such as:
Zero Trust defined
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before access is granted. Microsegmentation and least-privilege access principles are applied to minimize lateral movement. Rich intelligence and analytics are used to detect and respond to anomalies in real time.
The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions.