Step 3. Protect identities

Use the following sections to protect your organization from credential compromise, which is typically the first stage of a larger ransomware attack.

Increase sign-in security

Use passwordless authentication for user accounts in Azure Active Directory (Azure AD).

During the transition to passwordless authentication, use these best practices for user accounts that still use password authentication:

Next, implement the Common identity and device access policies. These policies provide higher security for access to Microsoft 365 cloud services.

For user sign-ins, these policies include:

  • Requiring multi-factor authentication (MFA) for priority accounts (immediately) and eventually all user accounts.
  • Requiring high-risk sign-ins to use MFA.
  • Requiring high-risk users with high-risk sign-ins to change their passwords.
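As an added example that is not part of this article, a small Python audit over Conditional Access policies exported from Microsoft Graph: it reports, for each of the three sign-in controls above, whether a tenant-wide policy exists and whether it is enforced, in report-only mode, or missing. The policy objects follow the Graph conditionalAccessPolicy resource; the sample export and the break-glass exclusion ID are constructed.

```python
"""Audit exported Conditional Access policies (Microsoft Graph
conditionalAccessPolicy shape) for the three sign-in controls above."""
import json
# Constructed sample export (not from a real tenant): MFA-for-all enforced with a
# placeholder break-glass exclusion; high-risk sign-in policy in report-only mode.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["<break-glass-account-id>"]},
                 "applications": {"includeApplications": ["All"]},
                 "signInRiskLevels": [], "userRiskLevels": []},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for high-risk sign-ins",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "signInRiskLevels": ["high"], "userRiskLevels": []},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

STATE_LABEL = {"enabled": "enforced", "disabled": "disabled",
               "enabledForReportingButNotEnforced": "report-only"}
RANK = {"missing": 0, "disabled": 1, "report-only": 2, "enforced": 3}

def audit_sign_in_controls(policies):
    """Return, per control, 'missing' or the strongest state of a
    tenant-wide (includeUsers contains 'All') policy implementing it."""
    found = dict.fromkeys(["mfa_all_users", "mfa_high_risk_sign_in",
                           "password_change_high_risk_user"], "missing")
    for p in policies:
        cond = p.get("conditions", {})
        if "All" not in cond.get("users", {}).get("includeUsers", []):
            continue  # a scoped policy does not satisfy a tenant-wide control
        state = STATE_LABEL.get(p.get("state"), "disabled")
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls") or [])
        sign_in_risk = set(cond.get("signInRiskLevels") or [])
        user_risk = set(cond.get("userRiskLevels") or [])
        hits = []
        if "mfa" in controls and not sign_in_risk and not user_risk:
            hits.append("mfa_all_users")
        if "mfa" in controls and "high" in sign_in_risk and not user_risk:
            hits.append("mfa_high_risk_sign_in")
        # Graph accepts passwordChange only when combined with mfa via AND.
        if ({"mfa", "passwordChange"} <= controls and "high" in user_risk
                and grant.get("operator") == "AND"):
            hits.append("password_change_high_risk_user")
        for key in hits:
            found[key] = max(found[key], state, key=RANK.get)
    return found
```

Feed it the `value` array from `GET /identity/conditionalAccess/policies`; a report-only result means the control exists but is not yet protecting sign-ins.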

Prevent privilege escalation

Use these best practices:

  • Implement the principle of least privilege and, for user accounts that still sign in with passwords, use password protection as described in Increase sign-in security.
  • Avoid the use of domain-wide, admin-level service accounts.
  • Restrict local administrative privileges to limit installation of Remote Access Trojans (RATs) and other unwanted applications.
  • Use Azure AD Conditional Access to explicitly validate the trust of users and workstations before allowing access to administrative portals. See this example for the Azure portal.
  • Enable Local Admin password management.
  • Determine where highly privileged accounts are signing in and exposing credentials. Highly privileged accounts should not be present on workstations.
  • Disable the local storage of passwords and credentials.

Impact on users and change management

You must make the users in your organization aware of:

  • The new requirements for stronger passwords.
  • The changes in sign-in processes, such as the required use of MFA and the registration of a secondary MFA authentication method.
  • The use of self-service password reset (SSPR) for password maintenance, so a password reset no longer requires a call to the helpdesk.
  • The prompts for MFA or a password change on sign-ins that are determined to be risky.

Resulting configuration

Here's the ransomware protection for your tenant for steps 1-3.

Ransomware protection for your Microsoft 365 tenant after Step 3

Next step

Step 4 for ransomware protection with Microsoft 365

Continue with Step 4 to protect devices (endpoints) in your Microsoft 365 tenant.