Step 3. Protect identities
Use the following sections to protect your organization from credential compromise, which is typically the first stage of a larger ransomware attack.
Increase sign-in security
Use passwordless authentication for user accounts in Azure Active Directory (Azure AD).
During the transition to passwordless authentication, use these best practices for user accounts that still use password authentication:
- Block known weak and custom passwords with Azure AD Password Protection.
- Extend blocking of known weak and custom passwords to your on-premises Active Directory Domain Services (AD DS) with Azure AD Password Protection.
- Allow your users to change their own passwords with Self-Service Password Reset (SSPR).
Next, implement the Common identity and device access policies. These policies provide higher security for access to Microsoft 365 cloud services.
For user sign-ins, these policies include:
- Requiring multi-factor authentication (MFA) for priority accounts (immediately) and eventually all user accounts.
- Requiring high-risk sign-ins to use MFA.
- Requiring high-risk users with high-risk sign-ins to change their passwords.
Prevent privilege escalation
Use these best practices:
- Implement the principle of least privilege and use password protection as described in Increase sign-in security for those user accounts that still use passwords for their sign-ins.
- Avoid the use of domain-wide, admin-level service accounts.
- Restrict local administrative privileges to limit installation of Remote Access Trojans (RATs) and other unwanted applications.
- Use Azure AD Conditional Access to explicitly validate the trust of users and workstations before allowing access to administrative portals. See this example for the Azure portal.
- Enable Local Admin password management.
- Determine where highly privileged accounts are signing in and exposing credentials. Highly privileged accounts should not be present on workstations.
- Disable the local storage of passwords and credentials.
Impact on users and change management
You must make the users in your organization aware of:
- The new requirements for stronger passwords.
- The changes in sign-in processes, such as the required use of MFA and the MFA secondary authentication method registration.
- The use of password maintenance with SSPR. For example, no more calls to helpdesk for a password reset.
- The prompting to require MFA or a password change for sign-ins that are determined to be risky.
Here's the ransomware protection for your tenant for steps 1-3.
Continue with Step 4 to protect devices (endpoints) in your Microsoft 365 tenant.
Submit and view feedback for