Should You Enable or Disable 'Password Sync' on Microsoft Office 365?
If you are running a business, you probably get a headache the moment you hear the word “password.” It is hard enough to keep up with personal passwords, so managing multiple corporate passwords is a real challenge. To make matters easier, companies rely on cloud services such as Microsoft Office 365 to manage their email accounts.
However, these services are not fail-proof. We would like to draw your attention to the security analysis report released by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). We will go through all the vulnerabilities pointed out in the report, and then focus on the Office 365 password sync issue.
Microsoft Office 365 Security Challenges
Migrating email services to the cloud is becoming increasingly common among organizations. They might migrate the service on their own, if they have a capable in-house IT department, or they might hire third-party companies to help them. CISA pointed out in its report that there are certain security risks involved in transitioning to cloud services, and organizations, along with their third-party partners, should be aware of them. Most of the risks stem from how the cloud service is configured, including its password settings.
We have talked about multi-factor authentication many times before, although perhaps we were more focused on individual data security. It should come as no surprise that multi-factor authentication is extremely important for organizations as well. In fact, it is commonly understood that multi-factor authentication is the first step towards getting rid of passwords altogether, and Microsoft Office 365 strongly encourages it.
However, the security issue with Microsoft Office 365 and Azure Active Directory (Azure AD) is that multi-factor authentication for administrator accounts is not enabled by default. Every Office 365 tenant has Azure AD Global Administrator accounts, which exist to configure the tenant and migrate its users; in other words, Global Administrators hold a great deal of privilege. If multi-factor authentication is not enabled on these accounts, a compromised administrator account puts every regular user in the tenant at risk as well.
Depending on when your organization migrated to the Office 365 cloud service, mailbox auditing might be enabled or disabled by default. The setting that enables auditing by default was introduced in Office 365 in January 2019. If your Office 365 environment was created before that, your administrator has to enable mailbox auditing manually. CISA suggests keeping the audit log enabled, because it then records the actions performed by mailbox owners, administrators, and other users within the system.
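The two tenant-level checks described above, written as an added example (not from the article or the CISA report): list Global Administrators that have no per-user MFA requirement, and report whether the tenant still has mailbox auditing off by default. It assumes the MSOnline and ExchangeOnlineManagement PowerShell modules are installed and that the signed-in account can read directory roles and the organization configuration.

```powershell
# Added example: Global Administrator MFA status and the mailbox-auditing default.
# Assumes the MSOnline and ExchangeOnlineManagement modules (not shown in the article).
Import-Module MSOnline
Import-Module ExchangeOnlineManagement
Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

function Get-GlobalAdminsWithoutMfa {
    # 'Company Administrator' is the directory role name behind "Global Administrator".
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $user = Get-MsolUser -ObjectId $_.ObjectId
            # StrongAuthenticationRequirements is empty unless per-user MFA is
            # Enabled or Enforced. MFA applied only through Conditional Access does
            # not show here, so an empty result means "review", not "proven unprotected".
            if ($user.StrongAuthenticationRequirements.Count -eq 0) {
                $user.UserPrincipalName
            }
        }
}

function Test-MailboxAuditingDefault {
    # Tenants created before January 2019 may still carry AuditDisabled = True.
    $org = Get-OrganizationConfig
    if ($org.AuditDisabled) {
        Write-Warning 'Mailbox auditing is OFF by default for this tenant.'
        # Remediation, to run once the change has been approved:
        # Set-OrganizationConfig -AuditDisabled $false
        return $false
    }
    return $true
}

$noMfa = @(Get-GlobalAdminsWithoutMfa)
"Global Administrators without a per-user MFA requirement: $($noMfa.Count)"
$noMfa | ForEach-Object { "  $_" }
$null = Test-MailboxAuditingDefault
```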
Legacy protocols
Older mail clients use a number of protocols that do not support modern authentication methods. Those protocols include Internet Message Access Protocol (IMAP), Post Office Protocol (POP3), and Simple Mail Transfer Protocol (SMTP). Normally these protocols are disabled, but if an organization still needs older email clients, the protocols are left enabled. For such clients the password remains the only authentication factor, which lowers the level of account security.
It is possible to mitigate this risk by keeping a list of the users who still require legacy protocols. CISA also suggests using Azure AD Conditional Access policies to monitor and restrict the number of users who authenticate with legacy protocols. And since the password is the main authentication method for these users, they should consider using a password manager to improve their password safety.
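One way to act on the "keep a list of users who still need legacy protocols" advice, as an added example that is not from the article or CISA: compare every mailbox's POP/IMAP settings against a maintained allow-list, report the exceptions, and disable the protocols for everyone not on the list. It assumes the ExchangeOnlineManagement module and an Exchange administrator session; the allow-list addresses are constructed placeholders, and the Conditional Access policy CISA mentions is configured separately.

```powershell
# Added example: enforce an allow-list of legacy-protocol users in Exchange Online.
# Assumes the ExchangeOnlineManagement module (not part of the article).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Constructed allow-list: accounts documented as still needing older mail clients.
$LegacyAllowed = @('legacy-scanner@example.com', 'archive-import@example.com')

function Get-LegacyProtocolExceptions {
    param([string[]]$Allowed)
    # Mailboxes that can still authenticate over POP or IMAP but are not on the list.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object {
            ($_.PopEnabled -or $_.ImapEnabled) -and
            ($Allowed -notcontains $_.PrimarySmtpAddress.ToString())
        } |
        Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
}

function Disable-LegacyProtocols {
    param([Parameter(ValueFromPipeline)]$Mailbox)
    process {
        # Password-only protocols off for this mailbox; Outlook, EWS and
        # ActiveSync are untouched.
        Set-CASMailbox -Identity $Mailbox.PrimarySmtpAddress.ToString() `
            -PopEnabled $false -ImapEnabled $false
    }
}

function Disable-LegacyProtocolDefaults {
    # Newly created mailboxes inherit the CAS mailbox plan, so change the
    # default too or the allow-list drifts out of date.
    Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
}

$exceptions = @(Get-LegacyProtocolExceptions -Allowed $LegacyAllowed)
"Mailboxes with POP/IMAP enabled that are not on the allow-list: $($exceptions.Count)"
$exceptions | Format-Table -AutoSize
# Review the report, then remediate:
# $exceptions | Disable-LegacyProtocols
# Disable-LegacyProtocolDefaults
```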
Office 365 Password Sync
The Office 365 password sync issue is closely related to Azure AD identities. Azure AD identities can be created ahead of time in the cloud or originate in on-premises Active Directory. When an on-premises environment is integrated with Azure AD via Azure AD Connect, a pre-existing Azure AD identity can be matched with an on-premises AD identity, and once the identities are matched, the on-premises identity becomes the authoritative one. This is where automatically enabled password sync might become troublesome. Imagine the on-premises identity getting compromised: once the password is synced to Office 365, the attacker automatically moves into the cloud environment as well.
It should be noted that in October 2018, Microsoft disabled the capability to match certain accounts. CISA also says that if Azure AD password sync for Office 365 is carefully planned and configured before an organization migrates its users, the risk can be mitigated. Therefore, companies and their IT departments (or their third-party partners) should definitely look into this potential security issue before migrating their email services to the cloud.
Depending on your requirements, you can choose to either enable or disable Office 365 password sync. Below you will find the guidelines for both actions. Note that, because Microsoft enables password sync automatically in certain cases, the guidelines for enabling it use the ADSelfService Plus management tool, one of the third-party programs mentioned earlier that can be used to manage Microsoft Office 365 accounts.
Enable Office 365 Password Sync
- Log in to the ADSelfService Plus administrator account.
- Open Configuration and go to Self-Service.
- Select Password Synchronizer.
- Click the Office 365/Azure link.
- Select the Password Synchronizer module on the configuration page.
- Type in the domain name for your Office 365/Azure account.
- Enter the username and password for your Office 365/Azure account.
- Type in a configuration description.
- Choose the Self-Service Policies and click Save.
Disable Office 365 Password Sync
- Launch Azure AD Connect and click Configure.
- Choose Customize synchronization options.
- Go to the Optional features.
- Clear the Password synchronization check box.
- Save changes.
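The same decision made from the Azure AD Connect server's command line instead of the wizard, as an added example that is not from the article, CISA or Microsoft: it reads the recorded password hash sync state for the tenant and for the on-premises connector, flags the risk the section above describes, and shows the disable call for when the decision has been made. It assumes the ADSync PowerShell module that ships with Azure AD Connect and a single on-premises forest connector.

```powershell
# Added example: inspect and, if decided, disable password hash sync on the
# Azure AD Connect server. Assumes the ADSync module installed with Azure AD Connect.
Import-Module ADSync

function Get-PasswordSyncState {
    # Tenant-level feature flag as Azure AD Connect recorded it.
    $feature = Get-ADSyncAADCompanyFeature
    # Connector-level state: the on-premises AD connector is the source,
    # the Azure AD connector (type 'Extensible2') is the target.
    $adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } |
                        Select-Object -First 1
    $aadConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' } |
                        Select-Object -First 1
    $connConfig = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
    [pscustomobject]@{
        TenantFeaturePasswordHashSync = $feature.PasswordHashSync
        SourceConnector               = $adConnector.Name
        TargetConnector               = $aadConnector.Name
        ConnectorSyncState            = $connConfig.PasswordSyncState
    }
}

function Disable-PasswordSync {
    param([string]$SourceConnector, [string]$TargetConnector)
    # Equivalent of clearing the "Password synchronization" check box in the wizard.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $SourceConnector `
        -TargetConnector $TargetConnector -Enable $false
}

$state = Get-PasswordSyncState
$state | Format-List
if ($state.ConnectorSyncState -eq 'Enabled') {
    Write-Warning 'On-premises password hashes flow to Azure AD: a compromised on-premises account carries into the cloud.'
    # Run only after the decision has been made and documented:
    # Disable-PasswordSync -SourceConnector $state.SourceConnector -TargetConnector $state.TargetConnector
}
```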
The bottom line is that your organization's security relies heavily on a shared effort. There are certain security risks associated with Microsoft Office 365 and with migrating your email services to the cloud, but those risks can be addressed through prompt and comprehensive action.
Ultimately, it is up to you to make decisions such as whether or not to sync your Office 365 passwords. However, it is strongly recommended that you arrive at such decisions only after a thorough security analysis. If you feel that your IT department might be missing important aspects when analyzing such features, you can also consult an independent expert.