Microsoft Active Directory best practices

Best practice rules for Active Directory

Trend Micro Cloud One™ – Conformity monitors Active Directory with the following rules:

• Allow Only Administrators to Create Security Groups

  Ensure that security groups can be created only by Active Directory (AD) administrators.

• Allow Only Administrators to Manage Office 365 Groups

  Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.

• Allow Only Administrators to Manage Security Groups

  Ensure that security groups can be managed only by Active Directory (AD) administrators.

• Check for Active Directory Guest Users

  Ensure there are no Microsoft Azure Active Directory guest users if they are not needed.

• Disable Remembering Multi-Factor Authentication

  Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.

• Disable Self-Service Group Management

  Ensure that Active Directory (AD) self-service group management is disabled for non-administrator users.

• Enable All Users Group

  Ensure that "All Users" group is enabled for centralized access management within your Active Directory account.

• Enable Authentication Reconfirmation

  Ensure that user authentication information reconfirmation is enabled within Active Directory password reset policy.

• Enable Dual Identification for Password Reset

  Ensure that the number of methods required for user password reset is set to 2 (two).

• Enable Multi-Factor Authentication for Non-Privileged Users

  Ensure that Multi-Factor Authentication feature is enabled for all non-privileged users.

• Enable Multi-Factor Authentication for Privileged Users

  Ensure that Multi-Factor Authentication (MFA) is enabled for all privileged Azure users

• Enable Notifications for Administrator Password Resets

  Ensure that Microsoft Azure Active Directory (AD) admins are notified on password resets.

• Enable Notifications for User Password Resets

  Ensure that Microsoft Azure Active Directory (AD) users are notified on password resets.

• Enforce Administrators to Provide Consent for Apps Before Use

  Require Active Directory administrators to provide consent for applications before use.

• Limit Guest User Permissions

  Ensure that Active Directory (AD) guest users permissions are limited.

• Require MFA to Join Devices

  Ensure that joining devices to Active Directory requires Multi-Factor Authentication.

• Restrict Adding Gallery Apps to Access Panel

  Ensure that Active Directory users are not allowed to add applications to Azure Access Panel.

• Restrict Application Registration for Non-Privileged Users

  Ensure that non-privileged users are not allowed to register third-party applications.

• Restrict Guest User Invitations

  Ensure that guest users cannot invite other guests to collaborate with your organization.

• Restrict Invitations to Administrators Only

  Ensure that only Active Directory administrators can invite guests to your directory.

• Restrict Non-Admin Access to Administration Portal

  Ensure that non-administrator users are not allowed to access Active Directory administration portal.

• Restrict Office 365 Group Creation to Administrators Only

  Ensure that Office 365 groups can be created only by Active Directory (AD) administrators.