An important attack vector to consider is your productivity suite and its associated identities.
Microsoft® offers built-in and premium Advanced Threat Protection (ATP) features, like anti-spoofing protection, to help protect your organization’s Microsoft 365 identities, but you can also take proactive steps to discourage users from managing their passwords anywhere other than locally on their workstations.
Let’s explore the concept of system-based password management, as well as a modern cloud tool to implement it across your organization’s fleet of systems.
System-Based Password Management Explained
System-based password management empowers end users to change and manage their passwords directly on their local system accounts, rather than in response to an email or through a web page.
If a user’s core organizational identity grants them access to both their machine and their Microsoft 365 account, they can change their core password locally. With the right tool in place, that change is then written back to Microsoft 365 and reflected anywhere else the password is used in the environment.
Benefits of Local Password Management
The primary benefit of this password management approach is that it reduces the efficacy of various phishing attempts. Often, attackers use fake emails or web pages to lure users into attempting to change their passwords and enter their credentials there.
According to researchers at Barracuda, Microsoft is among the brands that hackers impersonate most often with familiar-looking forms that prompt unsuspecting users to enter their credentials, and users with Microsoft 365 identities can also fall prey to false but urgent-sounding password-change emails. However, if users are trained that they should change their passwords only on their laptops, they’re less likely to try to change or enter them elsewhere.
This approach is also more convenient because users don’t need to navigate anywhere and can instead use familiar workflows to change their passwords without intervention from IT. The key, then, is to establish this workflow in a way that keeps password changes in sync across your environment.
How to Implement Local Password Management
To implement this model, you need to ensure that user identities are synchronized between their machines, regardless of operating system, and their other IT resources. This means that whether a user is set up on a macOS® or a Windows® machine, the same centralized identity grants that user access to the Microsoft 365 suite of tools.
One way to do this is via a platform-agnostic cloud directory service, which can integrate with virtually all modern IT resources. JumpCloud® Directory-as-a-Service® gives IT administrators the tools they need to centralize identity and access management (IAM) and connect users’ identities to systems, applications, files, and networks with one authoritative identity. This includes both macOS and Windows machines, as well as a directory-level integration with Microsoft 365.
With JumpCloud in place, a user can change their core credentials directly on their machine, using CTRL-ALT-DEL on Windows machines and JumpCloud’s Mac App on macOS machines. That change is reflected in their Microsoft 365 account and elsewhere, including in their access to their web-based User Portals, WiFi and VPN networks, and more. Admins can also integrate an Active Directory instance with a bi-directional sync so that local user password changes are automatically written back to AD through JumpCloud, too.
With Directory-as-a-Service in place, admins can require multi-factor authentication at login to user workstations and online portals, VPNs, and other cloud-based and on-premises resources. If organizations pair these measures with user security training about the new password workflow, phishing drills, and the ways to recognize malicious links and attachments, they’re much better fortified against phishing attacks.
With Directory-as-a-Service in place, you can manage your system fleet, improve the password change workflow, and increase security from a single, cloud-based platform.