Securing Azure Active Directory

Cloud services has become more common, this has led into a situation where the same account is used across different cloud services.

Example. The account is created to a local directory service where it’s synchronized to a cloud directory such as Azure Active Directory, that is a Microsoft cloud directory. This account could be used for Microsoft cloud services as on verkkokauppa.com which is webstore. So, user can login with the same user identity and password to different services,

This post is about what we shouldn’t use as a login identity in the Azure Active Directory, there is only one bad habit and it’s an email address.

Why email address is BAD login identity?

Let’s suppose, everyone knows your email address

  • Why you want everyone to know your login identity?

  • Everyone doesn’t know your facebook login id or your online bank account login id. 

Top four reasons why email address is used as login identities:

  • Your login identity must be an email address:

No No No. Your login identity must be in format of email address NOT an email address.

Example. User Bob Doe’s email address is bob.doe@company.com and he’s login identity is U467389@company.com both are valid email address formats. Which one is harder to find out for the hacker?

  • It’s much easier to deploy these services if login identity and email address is same:

Well this partial true but it really depends on the service. As far I know every Microsoft services will work if the user login identity is not an email address, Office 365, D365, PSA, Office Pro Plus, Azure etc. 

  • I can’t remember complex login identity

Well could you remember your password? Could you remember your credit card pin-code, number? Do you remember your address?  Do you remember your best friend pet 6:th name?

So, we can remember lot of stuff but newer login identity, is the “Hard drive full of information”? This might be the case, but please try remember your login identity. 

— EDITED @ 15.01.2019 05:30 UTC — 

  • 3rd party apps don’t work

This assumption came from my work mate. This might be the partial true but if application is coded/configured correctly it not assumes that your azure ad userprincipalname is your email address. Email address property can be read through Azure AD/Microsoft graph api. 

If 3rd party app assumes that email address is your login id, one thought came to my mind. 3rd party app provider does not care about your safety in cloud world. So, is it worth to use that kind of application?

After all cloud is absolutely great if we keep our accounts in safe. This is the first part of posts what I’m planning to write about securing Azure Active Directory.