Microsoft-User-Security-Evaluation-Reporter (MS USER)

Evaluating and Reporting on Azure Active Directory/Active Directory Users Security Posture

Problem

A Security Administrator within an Organisation enables security related configuration options on an Azure Tenant to implement security controls that align an organisation with Microsoft recommendations and best practice. The Azure Security Score provides an evaluation on the alignment of an organisation with best practice, however to some extent it still requires end users to have the right configuration for security related elements of their profile. But as a Service Desk Operator or Cyber Security Officer there isn’t a single view of a user’s security posture that can give you an individual user security score summary.

Introduction

Microsoft User Security Evaluation Reporter (USER) is an Azure AD and Active Directory tool for use by the Service Desk and Cyber Security Officers to get instant visibility of an organisations Azure Security Score that allows them to then evaluate current risks within an organisation right down to individual users. When the Azure WebApp loads the current Azure Security Score is retrieved, evaluated and displayed for alignment with Microsoft Recommendations. Also, on load the last 5 Active Security Risk Events are displayed. The Service Desk Operator or Cyber Security Officer can select one of the recent Security Events and drill down further into the associated identity. They will be quickly able to understand the users’ individual security posture aligned with best practice. What are the recent Security Risk Events for that user? Does that user;

  • Have MFA enabled? Is MFA enabled with an Authenticator App as the primary method?
  • Is the users Active Directory password in the Pwned Passwords v4 list from Have I Been Pwned?
  • Has the user recently being attempting Azure Password Reset functions?
  • What are the last 10 logins for that user?
  • What is the base user information for that user and what devices are registered to that user? Is the device Azure AD Joined?

Visual feedback/guidance is given for the retrieved user based on the configuration of the security options or risks associated with their profile.

Service Desk Operator

Likewise, any user in the environment can be searched for and returned. When a Service Desk Operator receives a call for a user they can use Microsoft USER to search for and retrieve that user. Does the user have multiple accounts (Hybrid (AD and Azure AD), Cloud Only and/or B2B)? What is the users recent activity? As part of the call with the end user the Service Desk Operator could configure the users AD/AAD account to require a password change on next logon if their password has been Pwned. They can advise and talk the user through changing their primary MFA method to use an Authenticator App over SMS. They can see if the user has been having problems using Azure Password Reset and why that maybe failing (e.g fuzzy password violation). They can also review the recent logons for the user and if the user’s Windows Desktop isn’t Azure AD Joined they can talk the user through doing that.

Summary

Through everyday use of this tool as part of end-user interactions by the Service Desk Operators and Cyber Security Officers, the Security Posture of end users calling the Service Desk or those who are being flagged with Risk Events can be improved. Continuous improvement of end user security posture will also improve the Azure Security Score for the organisation enforcing and aligning with the configuration implemented by the Security Administrators.

Inspiration

Recently I've had customers that are looking to improve their security posture. However they don't have visibility of individual users existing posture. Likewise when investigating an event there isn't a single view that gives a 360 degree view of a users security posture. This Microsoft User Security Evaluation Reporter solves these problems.

What it does

On load MS USER retrieves from the Security Graph an Organisations existing Security Score along with the 5 most recent active Security Risk Events. The Service Desk Operator or Cyber Security Officer can investigate a user associated with an active Security Risk Event or search and return all information for any user in the organisation. MS User then displays the following information for the user;

  • A Summarised view of the users risk profile
  • Any associated risk events
  • The users primary and other MFA enrolment methods
  • The status of the users Active Directory Password
  • The base users profile
  • Registered Devices associated with the user
  • Recent Sign-In Activity
  • Any recent Azure Self Service Password Reset activity

How I built it

Built using NodeJS and Javascript leveraging Azure Functions to interface with Azure AD, Microsoft Graph, Azure Table Service and Lithnet Password Protection for Active Directory. All secrets are stored in Azure Key Vault. The WebApp is Application Insights enabled. The WebApp is deployed using a Docker Container into Azure App Service.

Challenges I ran into

I'm not a developer and this is the first WebApp I've written. There were numerous challenges learning JavaScript to write the Front End and try and make it look good. Azure Functions provided the ability to use my PowerShell skills to do the heavy lifting of interfacing with Microsoft Graph for my first ever WebApp.

Accomplishments that I'm proud of

  • Developing a solution that is relevant and valuable
  • Writing my first WebApp
  • Creating my first Docker Image for a WebApp and pushing it to my first Azure Container Registry and deploying it to Azure App Service.
  • Entering my second hackathon

What I learned

  • Azure Security Graph
  • Microsoft Graph JSON Batching
  • Azure oAuth Token automation with Azure Functions
  • Javascript
  • Azure Container Registry
  • Docker Images
  • Azure Application Insights
  • Azure Web Application creation and deployment
  • Lithnet Password Protection for Active Directory
  • Have I Been Pwned NTLM Hashes for Pwned Password

What's next for Microsoft User Security Evaluation Reporter

It would be great to have assistance from a front-end developer to streamline the application and reduce some of the dependencies on Azure Functions. Extensions to the application could include;

  • the ability to force a user to change their password on next logon (if their password is contained in the compromised list)
  • the ability to force a user to register additional MFA methods (e.g get the user to use the Microsoft Authenticator App over SMS)
  • send the user a notification informing them of their security posture and how they could improve it
  • a report/export/pdf button for a Service Desk Operator to send a users profile to a Cyber Security Officer for review
  • subscribe to security graph events for users

Built With

+ 5 more
Share this project:
×

Updates