The enterprise environment of today is far more complex than it was even a couple of years ago. Microsoft Windows Active Directory (AD) has long been the go-to for centralized authentication and authorization. Now that more and more services are moving to the cloud, however, you can end up with assets in several places, which makes them harder to manage consistently.
To help with this, Microsoft offers the Hybrid Azure AD Join configuration. A hybrid-joined device stays joined to your on-premises AD domain and is still managed with the traditional on-prem tools, but it is also registered with Azure AD. That gives you device management both on premises and in the cloud, with the scalability and flexibility of the cloud and access to Azure AD's additional features, without making your security (or your admins) suffer.
Devices and identities registered in Azure AD get several security features that the standard on-prem AD environment lacks. In particular, you can now dictate access with conditional access policies defined in Azure AD.
Some of the more commonly applied policies include:
- Requiring multi-factor authentication for users with administrative roles
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
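Two of the policies listed above (MFA for administrative roles and blocking legacy authentication), written out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Blumira; it assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope, and that `$breakGlassId` is replaced with the object ID of your own emergency-access account. The role template ID used is the Global Administrator role; add the other admin roles you want covered.

```powershell
# Added example: define two common conditional access policies via Microsoft Graph.
# Both start in report-only mode so you can check the sign-in logs for what *would*
# have been blocked before enforcing; change State to 'enabled' once you are satisfied.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder (assumption): object ID of your break-glass account. Always exclude it,
# or a broken MFA method or a misconfigured policy can lock every admin out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Policy 1: require MFA for directory administrators.
$mfaForAdmins = @{
    displayName = 'Require MFA for directory admins'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users = @{
            # 62e90394-... is the Global Administrator role template ID.
            includeRoles = @('62e90394-69f5-4237-9190-012177145e10')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAdmins

# Policy 2: block legacy authentication. Legacy protocols (POP, IMAP, SMTP AUTH,
# older Office clients) cannot perform MFA, so they are the usual password-spray target.
# In conditional access they are selected by client app type, not by protocol name.
$blockLegacy = @{
    displayName = 'Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Confirm what is now defined and in which state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave both policies in report-only mode for a few days and review the "Report-only" tab in the Azure AD sign-in logs; service accounts and printers that still speak legacy protocols will show up there before they break in production.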
Another (long overdue) capability you can now take advantage of is blocking insecure passwords with Azure AD Password Protection. No longer will you have to worry about all of your users setting their passwords to winter2020!! I think my favorite part is shown in the screenshot below: "These are case insensitive, and common character substitutions (o for 0, etc) are automatically considered."
Of course, you can't read an article from us without gaining some insight into what the alerting could look like! Microsoft has a well-documented article on what to expect from the on-prem logs in one of these hybrid setups.
Some top events to pay attention to include:
- Password validation failures and non-compliant Azure password policy resets (Event IDs 10016, 10017, 30002, 30003, 30026 and 30027)
- Password accepted because the Azure policy was unavailable (Event ID 30001)
- New Azure DC agent version available (Event ID 30034)
- New Azure proxy agent version available (Event ID 20002)
With these new event types, additional channels are added to the Windows Event Viewer on each system where the DC agent and/or proxy agent is installed. To see these events in your log aggregator of choice (ahem... Blumira), you'll need to include all of the new channels in whatever software is pushing or pulling those logged events; collecting only the classic Security and System logs will miss them.
For easier deployment across all Windows platforms, we've created Flowmira, our custom NXLog configuration file. In addition to sections for other Windows sources such as the firewall, IIS, etc., it now includes an Azure Password Protection section.
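To check what the events above look like on a host before you wire up a collector, the following pulls them straight from the agent channels and summarises them. This is an added example, not code from the original post, from Blumira or from Microsoft; it assumes it is run from an elevated PowerShell session on a domain controller (DC agent) or proxy host (proxy agent). The two channel names are the ones Microsoft's agents register, but they are listed here from memory, so the script first enumerates the channels with `Get-WinEvent -ListLog` so you can confirm them before copying them into a collector configuration.

```powershell
# Added example: find the Azure AD Password Protection event channels on this host and
# summarise the event IDs called out in the post over the last 24 hours.

# 1. Confirm the channels exist. No channels usually means the agent is not installed
#    here, not that nothing happened.
$channels = Get-WinEvent -ListLog 'Microsoft-AzureADPasswordProtection-*' -ErrorAction SilentlyContinue
if (-not $channels) {
    Write-Warning 'No Azure AD Password Protection channels found; is the DC agent or proxy agent installed?'
}
$channels | Select-Object LogName, IsEnabled, RecordCount | Format-Table -AutoSize

# Channel names (assumption; verify against the list printed above).
$dcAgentLog = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$proxyLog   = 'Microsoft-AzureADPasswordProtection-ProxyService/Admin'

# 2. Event IDs from the post, grouped the same way.
$rejections  = 10016, 10017, 30002, 30003, 30026, 30027   # password rejected by policy
$noPolicy    = 30001                                      # accepted because policy unavailable
$agentUpdate = 30034                                      # newer DC agent available
$proxyUpdate = 20002                                      # newer proxy agent available

$since = (Get-Date).AddDays(-1)

# Get-WinEvent raises an error (not an empty result) when nothing matches, hence SilentlyContinue.
$dcEvents = Get-WinEvent -FilterHashtable @{
    LogName   = $dcAgentLog
    Id        = $rejections + $noPolicy + $agentUpdate
    StartTime = $since
} -ErrorAction SilentlyContinue

$proxyEvents = Get-WinEvent -FilterHashtable @{
    LogName   = $proxyLog
    Id        = $proxyUpdate
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Map an ID back to the category it belongs to.
function Get-Category([int]$id) {
    switch ($id) {
        { $rejections -contains $_ } { 'Password rejected by Azure policy'; break }
        $noPolicy    { 'Password accepted: Azure policy unavailable'; break }
        $agentUpdate { 'New DC agent version available'; break }
        $proxyUpdate { 'New proxy agent version available'; break }
        default      { "Other ($id)" }
    }
}

$all = @($dcEvents) + @($proxyEvents)
$all = $all | Where-Object { $_ }   # drop nulls from empty queries

# 4. Summary by category.
$all |
    Group-Object { Get-Category $_.Id } |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 5. Detail on the rejections. 30001 deserves its own look: a password was accepted
#    without the Azure policy being checked, which is a gap in coverage, not a success.
$all | Where-Object { $rejections -contains $_.Id -or $_.Id -eq $noPolicy } |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-List
```

The same two channel names are what your collector has to select; an NXLog `im_msvistalog` input (the Flowmira section, for example) that only queries Security, System and Application will never see these events. A burst of rejection events for a single account is worth a look on its own: it is either a user fighting the new policy or something automated trying passwords.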
Amanda Berlin
Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...