Secure Bits
Do you use Microsoft Entra Connect / Azure AD Connect?
There are some best practices you should follow.
🛡️Synchronize only what you need to Entra ID
– No need to synchronize service accounts and non-personal accounts
– No need to synchronize on-premises privileged accounts
– No need to synchronize on-premises groups if they are used for AD purposes only
🛡️Use High Availability
– Do not rely on one server
– Create another server in staging mode
🛡️AD Sync service accounts
– Older installations created a basic user account for the sync service
– Check that you are using a virtual service account (VSA), or a group managed service account (gMSA) if the SQL database is remote
🛡️Seamless SSO vs SSO via Primary Refresh Token
– Seamless SSO uses the AZUREADSSOACC computer account
– If it exists, consider moving to the recommended Primary Refresh Token method
– Both methods are potentially abusable
– If you want to stick with AZUREADSSOACC, follow these best practices:
🛡️AZUREADSSOACC
– Store the computer account in a safe location in Active Directory (do not leave it in the default container)
– Roll over the Kerberos decryption keys every 30 days
– Set the Kerberos encryption type to AES256_HMAC_SHA1 only
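The three AZUREADSSOACC checks above can be audited from a domain-joined admin host. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module, read access to the AZUREADSSOACC object, and that the decryption key age equals the account's password age (Update-AzureADSSOForest resets it).

```powershell
# Added audit script (not from the original post). Assumes the ActiveDirectory
# RSAT module is installed and the caller can read the AZUREADSSOACC object.
Import-Module ActiveDirectory

$maxKeyAgeDays = 30   # rollover interval recommended in the post
$aes256Only    = 16   # msDS-SupportedEncryptionTypes bit for AES256_CTS_HMAC_SHA1_96 alone

$acct = Get-ADComputer -Identity 'AZUREADSSOACC' `
    -Properties DistinguishedName, PasswordLastSet, 'msDS-SupportedEncryptionTypes'

$findings = @()

# 1. Location: the object should not sit in the domain's default Computers container
$defaultContainer = (Get-ADDomain).ComputersContainer
if ($acct.DistinguishedName -like "*,$defaultContainer") {
    $findings += "AZUREADSSOACC is still in the default container: $defaultContainer"
}

# 2. Key age: the Kerberos decryption key is the account password, so PasswordLastSet
#    tells you when it was last rolled over
$keyAge = (Get-Date) - $acct.PasswordLastSet
if ($keyAge.TotalDays -gt $maxKeyAgeDays) {
    $findings += ("Kerberos decryption key is {0:N0} days old (limit {1})" -f `
        $keyAge.TotalDays, $maxKeyAgeDays)
}

# 3. Encryption types: only the AES256 bit should be set (no RC4/DES/AES128 fallback)
$encTypes = $acct.'msDS-SupportedEncryptionTypes'
if ($null -eq $encTypes -or $encTypes -ne $aes256Only) {
    $findings += "msDS-SupportedEncryptionTypes is '$encTypes', expected $aes256Only (AES256 only)"
}

if ($findings.Count -eq 0) {
    Write-Output 'AZUREADSSOACC: all three checks passed'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it on a schedule and alert on any warning; a key older than 30 days or a non-AES256 encryption type is a drift from the baseline described above.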
