Best practice rules for Active Directory
Trend Micro Cloud One™ – Conformity monitors Active Directory with the following rules:
- Allow Only Administrators to Create Security Groups
Ensure that security groups can be created only by Active Directory (AD) administrators.
- Allow Only Administrators to Manage Office 365 Groups
Ensure that Office 365 groups can be managed only by Active Directory (AD) administrators.
- Allow Only Administrators to Manage Security Groups
Ensure that security groups can be managed only by Active Directory (AD) administrators.
- Check for Active Directory Guest Users
Ensure there are no Microsoft Azure Active Directory guest users if they are not needed.
- Disable Remembering Multi-Factor Authentication
Do not allow users to remember Multi-Factor Authentication (MFA) on their devices and browsers.
- Disable Self-Service Group Management
Ensure that Active Directory (AD) self-service group management is disabled for non-administrator users.
- Enable All Users Group
Ensure that the "All Users" group is enabled for centralized access management within your Active Directory account.
- Enable Authentication Reconfirmation
Ensure that user authentication information reconfirmation is enabled within Active Directory password reset policy.
- Enable Dual Identification for Password Reset
Ensure that the number of methods required for user password reset is set to 2 (two).
- Enable Multi-Factor Authentication for Non-Privileged Users
Ensure that the Multi-Factor Authentication (MFA) feature is enabled for all non-privileged users.
- Enable Multi-Factor Authentication for Privileged Users
Ensure that Multi-Factor Authentication (MFA) is enabled for all privileged Azure users.
- Enable Notifications for Administrator Password Resets
Ensure that Microsoft Azure Active Directory (AD) admins are notified on password resets.
- Enable Notifications for User Password Resets
Ensure that Microsoft Azure Active Directory (AD) users are notified on password resets.
- Enforce Administrators to Provide Consent for Apps Before Use
Require Active Directory administrators to provide consent for applications before use.
- Limit Guest User Permissions
Ensure that Active Directory (AD) guest user permissions are limited.
- Require MFA to Join Devices
Ensure that joining devices to Active Directory requires Multi-Factor Authentication.
- Restrict Adding Gallery Apps to Access Panel
Ensure that Active Directory users are not allowed to add applications to the Azure Access Panel.
- Restrict Application Registration for Non-Privileged Users
Ensure that non-privileged users are not allowed to register third-party applications.
- Restrict Guest User Invitations
Ensure that guest users cannot invite other guests to collaborate with your organization.
- Restrict Invitations to Administrators Only
Ensure that only Active Directory administrators can invite guests to your directory.
- Restrict Non-Admin Access to Administration Portal
Ensure that non-administrator users are not allowed to access the Active Directory administration portal.
- Restrict Office 365 Group Creation to Administrators Only
Ensure that Office 365 groups can be created only by Active Directory (AD) administrators.