Recommended Conditional Access Policies in Azure AD

Lukas Beran

Each organization can create policies according to its own needs and judgment. But there are some policies that should be deployed in every organization. You can read about conditional access in my previous article.

Microsoft's internal statistics say that enabling Multi-Factor Authentication (MFA) on user accounts eliminates 99.9% of attacks on user identities. More information is in Microsoft's post Your Pa$$word doesn’t matter.

Break-Glass account

Conditional access policies are also related to a special account that can be used for emergency access, the so-called Break-Glass account. This account should not have any security restrictions imposed on it and should be excluded from all conditional access policies. It should be a global admin account with a very strong, randomly generated password (at least 36 characters long, a random mix of uppercase and lowercase letters, numbers, and special characters). The credentials should be locked in a safe, nobody should have routine access to them, and the account should never be used for anything except exceptional events. It is also a good idea to monitor every activity on this account and to reset its password immediately if you suspect abuse.

In addition, it is a good idea to exclude service accounts that run various services, such as Azure AD Connect, from these policies. These accounts should have limited rights and, again, only very strong generated passwords.
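Because the break-glass account (and any excluded service account) must be absent from every policy, it is worth checking the exclusions programmatically rather than by eye. The following added example, which is not part of the original article, runs that check over constructed policy objects shaped like Microsoft Graph conditionalAccessPolicy resources; the account and group ids are placeholders, not real tenant values.

```python
# Placeholder ids for the accounts this check protects (constructed, not real).
BREAK_GLASS_ID = "break-glass-object-id-placeholder"
SYNC_ACCOUNT_ID = "aad-connect-sync-account-id-placeholder"
BREAK_GLASS_GROUP_ID = "break-glass-exclusion-group-id-placeholder"

# Constructed sample policies using the Graph conditionalAccessPolicy field names
# (displayName, state, conditions.users.{includeUsers,excludeUsers,excludeGroups}).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for privileged users", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<global-admin-role-template-id>"],
                              "excludeUsers": [BREAK_GLASS_ID], "excludeGroups": []}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [BREAK_GLASS_ID, SYNC_ACCOUNT_ID],
                              "excludeGroups": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block risky sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": [BREAK_GLASS_GROUP_ID]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": []}}},
]


def policies_missing_exclusion(policies, account_id, member_of=()):
    """Return the names of enabled policies that do not exclude account_id.

    An account counts as excluded if its id is in excludeUsers or if one of the
    groups it belongs to (member_of) is in excludeGroups. Disabled policies are
    skipped. The check is deliberately conservative: it flags any enabled policy
    that lacks an explicit exclusion, even one scoped only to directory roles.
    """
    missing = []
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        users = policy["conditions"]["users"]
        if account_id in users.get("excludeUsers", []):
            continue
        if set(users.get("excludeGroups", [])) & set(member_of):
            continue
        missing.append(policy["displayName"])
    return missing
```

Run it after every policy change (for example from a scheduled job that pulls the live policies) and treat a non-empty result for the break-glass account as an alert.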

Require MFA for privileged users

Privileged user accounts are very sensitive, so they should be given extra protection. We should always require MFA for these accounts – from all locations and from all types of devices, which means also from the company network and company computers.

Microsoft recommends that you enforce MFA for at least the following roles:

In the Azure portal, we will find Conditional Access and create a new policy. In Users, select Users and groups and then Directory roles, in which we mark the above roles. In Applications, we select All applications. In Access Control, select Grant access – Require multi-factor authentication.

Block legacy authentication

Legacy authentication refers to protocols that grant access to services with only a username and password. The problem with these protocols is that they do not support any advanced security techniques, including MFA. For this reason, the vast majority of attacks (some statistics say 99%) target legacy authentication.

Legacy authentication may be used by old Microsoft Office applications (2010 or earlier) or by applications, devices, or services that use the IMAP, POP, or SMTP protocols. So if you don’t need legacy authentication, it’s a good idea to disable it. And if you do need it, you should leave it allowed only for those accounts that need it and disable it for everyone else.

How to determine the use of legacy authentication in your organization

Before blocking legacy authentication, it is a good idea to verify whether this type of authentication is in use. This can be found easily in Azure Active Directory in the Azure portal under Sign-ins. Here we first have to add the Client App column. Then we can filter the results by the type of client application and select Other clients.
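The portal filter above answers the question for one screen at a time; the same check can be run over an exported sign-in log to list exactly which accounts and protocols still depend on legacy authentication, which is what you need for the exclusion list of the blocking policy. This is an added example, not code from the original article; it assumes the Microsoft Graph sign-in record fields (userPrincipalName, appDisplayName, clientAppUsed, status.errorCode) and uses constructed sample records.

```python
import json
from collections import defaultdict

# Client app values that use modern authentication; every other value shown in the
# Sign-ins "Client app" column (Other clients, IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, ...) is a legacy protocol.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export, newline-delimited JSON, reduced to the fields used here.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_usage(records):
    """Map (user, application, client app) to the number of successful legacy sign-ins.

    Failed sign-ins (non-zero errorCode) are ignored on purpose: they are typically
    password-spray noise against legacy endpoints, not a dependency that must keep
    working after the block is enabled.
    """
    usage = defaultdict(int)
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if client in MODERN_CLIENT_APPS:
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        usage[(rec["userPrincipalName"], rec["appDisplayName"], client)] += 1
    return dict(usage)


def accounts_needing_legacy_auth(records):
    """Sorted accounts with successful legacy sign-ins: candidates for the exclude list."""
    return sorted({user for (user, _app, _client) in legacy_auth_usage(records)})
```

Anything that appears in the result should be either migrated to modern authentication or deliberately excluded from the blocking policy and documented.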

Blocking legacy authentication via Conditional Access

We already know that legacy authentication is displayed as Other clients, so we can create a new policy that blocks Other clients. In the Azure portal, we will find Conditional Access and create a new policy. In Users, we select All users and optionally exclude the accounts that still need legacy authentication. In Applications, we select All applications. In Conditions, select Client applications, select Mobile and desktop applications and check Other clients.

Require trusted locations to register for MFA

Organizations that have combined registration enabled can require that authentication information be registered only from trusted locations. This resolves the chicken-and-egg problem of MFA registration: an attacker who already has access to a user identity cannot register their own authentication information.

In the Azure portal, we find Conditional Access and create a new policy. In Users, select All users. In Cloud applications, select User actions and mark Register security information. In Conditions, select Locations, choose All locations and exclude Trusted locations. Together with Block access as the access control, this ensures that registration is allowed only from trusted locations – we block everything except trusted locations.

Block risky logins

Sign-in risk detection is included in the Azure AD Premium P2 license. With this license, Azure AD Identity Protection calculates the risk of each sign-in in real time and, based on it, places the sign-in into one of four categories:

  1. None
  2. Low risk
  3. Medium risk
  4. High risk

It is recommended to block sign-ins that are classified as high risk. In the Azure portal, we will find Conditional Access and create a new policy. In Users, select All users. In Applications, we select All applications. In Conditions, choose Sign-in risk and choose High. In Access control, select Block access.

Require company devices for privileged users

Privileged user accounts are very sensitive, so they should be given extra protection. We should allow access to privileged accounts only from trusted devices, that is, managed devices. Azure AD recognizes a device as managed when it is Hybrid Azure AD joined or managed by Intune.

Managed devices detection also requires a supported browser, such as Microsoft Edge, Internet Explorer, or Google Chrome with the Windows 10 Accounts extension installed.

Microsoft recommends that you protect at least the following roles:

In the Azure portal, we will find Conditional Access and create a new policy. In Users, select Users and groups and then Directory roles, in which we mark the above roles. In Applications, we select All applications. In Access Control select Grant access – Require device to be marked as compliant and Require Hybrid Azure AD joined device.

Require login from local country for privileged users

Privileged user accounts are very sensitive, so they should be given extra protection. We should allow access to privileged accounts only from your organization’s home country or a limited set of countries. Attacks usually come from abroad, so this restriction naturally eliminates most of them. In addition, administrators who are outside the organization should be using a VPN anyway, so services can still be managed from abroad through the VPN.

Microsoft recommends that you protect at least the following roles:

In the Azure portal, we find Conditional Access. Before we can create the conditional access policy, we need to define our local countries. Select Named locations in the menu and create a new location. Give it a name and choose Countries / Regions to select the countries from which we will manage the services.

We can now create a new conditional access policy. In Users, select Users and groups and then Directory roles, in which we mark the above roles. In Applications, we select All applications. In Conditions, select Locations; under Include choose Any location, and under Exclude choose Selected locations and select both the named location you just created and MFA Trusted IPs. In Access Control, select Block access.

Block Exchange ActiveSync

Exchange ActiveSync is a legacy protocol that is no longer recommended from a security perspective. Outlook on all platforms no longer needs Exchange ActiveSync, and Exchange ActiveSync does not support multi-factor authentication (MFA).

In the Azure portal, we find Conditional Access and create a new policy. In Users, select All users. In Applications, select Office 365 Exchange Online. In Conditions, select Client apps and choose Mobile apps and desktop clients and Exchange ActiveSync clients. In Access Control, select Block access.
