Validating New User Accounts

VALIDATING NEW ACCOUNTS

Purpose

Every week you will receive new account creation notifications tickets come through Fresh Service.

We will need to check and verify the validity of those accounts. We will need to know who or what initiated the creation of those accounts and why those accounts were created. Once we have determined this we need to decide whether we need to escalate for further investigation if we suspect any unusual account(s) in our domain that should not be there.

This will allow us to enhance our security monitoring by proactively identifying unexpected or unauthorized account creation activities, improving our detection and response capabilities for identity-related threats.

This guide shows the steps that we can take to check new accounts.

Procedure

Every week you will receive Fresh Service ticket for account validation with a log like the one shown below (Figure 1):

Figure 1 - Log

Pre-joiner account

For new starters soon to be starting with Teach First, the account will be classified as Pre joiners in the system and added to the azure group “AAD-SG-DYN-LIC-M365-PreJoiners”

You will come across accounts that are Pre-Joiners please make use of the IT Operations New Starters Sharepoint list shared by HR here to confirm they are Pre-joiners.

Here is an example of a pre-joiner account on Azure Entra ID (Figure 2). Notice that account has been added to the pre-joiner Azure AD group “AAD-SG-DYN-LIC-M365-PreJoiners”

A screenshot of a computer AI-generated content may be incorrect., Picture

Figure 2 - Azure Entra ID Account

External contact / guest accounts

There is an external facing Sharepoint site which is used by both internal and external members. Access to resources within this site is given by certain members of Teach First staff such as the Delivery team to external members via directly sharing resources such as files/folders or site to external members email address.

When an external user accepts an invitation to access a SharePoint file or site, a guest user account will be created in our Azure Active Directory (Azure AD). This allows the external user to access the shared content after accepting the invitation.

Text Box 1, Textbox Picture 1183584956, Picture The log you will receive will show who initiated this request (Figure 3).

On Azure AD:

Click into any external accounts then click on the Properties option at the top as shown below (Figure 4):

Picture 1, Picture

Figure 4 - Azure account properties

Under properties you can see the account type, how it was created, date created and whether that invite was accepted and who invited the user.

For example below (Figure 5) you can see the external account was created via an invitation that was sent out to this external user.

Text Box 1, Textbox A screenshot of a computer AI-generated content may be incorrect., Picture

You can also see the Sponsor field. This will show you details of who initiated this account creation and for accountability. Click view beside Sponsor to reveal this detail as shown below (Figure 6):

A screenshot of a computer AI-generated content may be incorrect., Picture

Figure 6 - Sponsor field

If after checking through the log an account seems to be suspicious please reach out to the Infrastructure team asap to alert them. Do not simply assign the ticket, as if you have identified a suspect account it should be treated as urgent.

NB – If as a result of raising this with the Infrastructure Team, you learn some additional techniques for validating the accounts, please add the details to this procedure.

For the word document version, please click here to access as well.