Tom Burt (Microsoft)
Partners should also check Partner Centre Activity Logs. Indeed, partners are advised to regularly check the 'Activity Log' in Partner Centre to monitor any user activities, including high privileged user creations, high privileged user role assignment, etc.
Partners can also use Partner Centre Activity Log APIs to create a custom security dashboard on key user activities in Partner Centre to proactively detect suspicious activities, Microsoft noted.
2. Remove delegated administrative privileges (DAP) connection when not in use
To improve security, Microsoft has recommended that partners remove delegated administrative privileges that are no longer in use.
Starting in November, a new reporting tool will be available that identifies and displays all active delegated administrative privilege connections and will help organisations to discover unused delegated administrative privileges connections, the company said.
This tool will provide reporting that captures how partner agents are accessing customer tenants through those privileges and will allow partners to remove the connection when not in use.
3. Conduct a thorough investigation and comprehensive response
Microsoft recommended that partners carry out additional investigations if they think they might have been affected to determine the full scope of compromised users or assets.
On this front, Microsoft recommends partners review the Azure AD Security Operations Guide to audit or establish their security operations.
“If you are a cloud service provider or an organisation that relies on elevated privileges, you need to assess the security implications in your network and its connectivity for your customers,” the Microsoft Partner Network team said in its guidance. “In particular, review authentications that are associated with Azure AD configuration changes using the Microsoft 365 compliance center (formerly in the Exchange admin centre) or Azure AD admin logs.”
Additionally, adequate log retention procedures for cloud-based resources are critical to effectively identify, respond to and remediate malicious activity.
“Cloud service providers and other technology organisations often configure individual subscriptions to meet specific customer requirements,” the team said. “These configurations might not include security controls that enable full accountability to administrative actions should an incident occur.
“We encourage all organisations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies,” it added.
Microsoft also included some tips for downstream customers as part of its guidance. These were: review, audit and minimise access privileges and delegated permissions; verify MFA is enabled and enforce conditional access policies; and review and audit logs and configurations.
“We encourage all organisations to become familiar with logs made available within your subscription and routinely evaluate them for adequacy and anomalies,” the Microsoft Partner Network team said.
“For organisations relying on a third-party organisation, work with them to understand their logging strategy for all administrative actions and establish a process should logs need to be made available during an incident," it added.
