Most people think of Azure and on-premises systems as two separate islands that are only loosely joined, but this need not be the case; sometimes only the combination of the two keeps you secure and compliant. Microsoft has built strong authentication controls into Windows 10, Azure and Office 365, and you can use those same controls to raise the security of your on-premises systems too.
Extending your domain into the cloud with Azure AD Connect is one of the simplest routes to multi-factor authentication (MFA): it can be enabled for individual users or in bulk, with SMS, a voice call, or the Authenticator app as the second factor.
Combining MFA with Azure Conditional Access creates a system that is both safer and easier to use, because it is flexible and location-aware. A set of rules lets you either demand additional authentication, such as MFA or a fresh sign-in, when the user connects from a risky location like a coffee shop with free Wi-Fi, or relax the requirements when the user is on a domain-joined laptop inside the office, so they can work uninterrupted by password prompts.
Azure AD Seamless Single Sign-On (SSSO) is another big advantage of Azure AD Connect: users no longer need to enter their passwords when visiting Office 365 and other sites such as Salesforce.com. This gives users a smoother experience, since they are no longer asked to re-enter their passwords repeatedly, and it reduces the chance of a password being obtained by shoulder-surfing.
Azure AD Connect also lets you enable Windows Hello for Business (WHfB), which turns the device itself into the second factor and allows biometrics to be used on Windows 10. Combined with SSSO, users will hardly ever need to enter their passwords, which is good for everyone.
The most difficult of the latest NIST password recommendations to meet is checking passwords against a list of commonly used passwords. To address this, Azure AD Password Protection has just been released into preview. It compares every new password against a list of 500 known passwords, plus an additional list you can customize. By installing an agent on your Domain Controllers, the same check is extended to your on-premises systems, giving your Active Directory a much-needed upgrade.
The last item on the list is different: Azure ATP uses sensors installed on your Domain Controllers to learn your users' behavior and detect suspicious activity on your network, such as Pass-the-Hash, Golden Ticket, encryption downgrade and other attacks. Azure ATP then alerts you with a simple who, what, when and how, laid out in the order the events happened, so you can take whatever action is needed. This raises the security of your Domain Controllers and your network and is a must for anyone with compliance requirements.
Using Azure to secure your on-premises systems makes sense even if you use no other part of Azure or Office 365. And once you have seen the strides Microsoft has taken with security, it will be hard to justify not taking advantage of them.