Better together: Conditional Access with Azure Multifactor Authentication (MFA)


As enabling multifactor authentication is the number one security recommendation to improve your Microsoft Secure Score, let’s take a look at how to deploy Azure MFA for all of your users in a single day. (And most users won’t even notice!)

Isn’t Office 365 already secure? Why do I need to enable MFA?

When your Exchange server was running on-premises, you probably required your users to VPN into the network using certificate authentication before they could access their email. While not a one-time token, this was a form of MFA: you needed a company-issued certificate, a successful connection to the VPN, and your account credentials.

Now that Exchange is running in the cloud, it’s important to keep in mind the shared responsibility for cloud computing to keep your data secure. Sure, Microsoft has armed guards protecting their datacenters, but it’s still up to you to limit the ways your users can access data.


As noted in a previous blog, here is an example of login attempts from around the world for a US-based company with fewer than 10 employees.

Microsoft filters out most of this noise as botnet traffic, but since we know these attempts are malicious, let's go ahead and create some targeted conditional access policies to block them.

Overview

To deploy MFA with Azure AD, Infused Innovations recommends following these steps:

  1. Populate Azure Active Directory (AAD) with all your users

    • For this blog, I’m assuming this step is already completed using Azure Active Directory Connect

  2. License your users with a SKU that includes at least Azure AD Premium 1 services

    • Infused Innovations recommends Microsoft 365 Business for organizations under 300 users or Microsoft 365 E3 with Identity Threat Protection for larger companies

  3. Configure Azure Multifactor Authentication (MFA) response challenges

  4. Configure Named Locations

  5. Create an Azure AD group for exempt users

  6. Create Conditional Access policies

  7. Create a break glass policy

  8. Configure Company Branding

  9. Create a custom banned password list

  10. For AAD P2 licensed users, configure Azure AD Identity Protection

  11. Create an email campaign for your users to enroll with Azure MFA

  12. Create additional conditional access policies to secure your environment

Configure Azure MFA Response Challenges

Azure MFA and Self-Service Password Reset can be configured by end users at the same time in a single management portal. Prior to enforcing user registration, Infused Innovations recommends setting the following configurations for Authentication Methods:

  1. Require 2 response challenges to reset a password

  2. Allow the following challenge types:

  • Mobile App Notification

  • Mobile App Code

  • Email

  • Mobile Phone

Infused Innovations discourages using the mobile phone option because text message previews are often displayed on the lock screen of a phone. Social media also makes it easy to discover the answers to security questions, so we do not recommend that option either.

Configure Named Locations

Named locations help the Azure MFA service target conditional access policies, as well as reduce false positives for risky sign-in behavior. Infused Innovations recommends creating at least the following three locations:

  1. Offices (The public IP addresses of your offices. Mark these as trusted locations.)

  2. Safe Countries (Typically the United States and any other countries that your staff travels to frequently)

  3. Blocked Countries (Typically Russia, China, North Korea, Iran, Nigeria, and unknown locations)

Create an Azure AD group for exempt users

Inevitably, you will have a service account or a contractor from Moscow that will need to be exempted from some of these rules. If you would like to deploy MFA in user batches, then you would probably start with the following security groups:

  1. Conditional Access Users

  2. Conditional Access Travel Users

  3. Conditional Access Exceptions

The Travel Users group could be used to allow users in foreign countries to log in only from corporate-owned, compliant devices without having to respond to an MFA token challenge.

Create Conditional Access policies

For details on how to draft a conditional access policy, you can review the following Microsoft literature:

In a nutshell, conditional access is simply:

[Diagram: conditional access overview]

For our first rule, let's create a policy named Block High Risk Countries to block sign-ins from those high-risk countries.

Now let's create a second policy named MFA in Foreign Countries to require an MFA challenge when a login comes from outside your usual geography.

You can optionally exclude the Travel Users group from this rule and create a duplicate rule for that group with the grant control set to Require All instead of Require One.
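The two policies above, built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that the Offices IP location has already been created and marked trusted, and that the country codes and group name are placeholders you adjust to your tenant.

```powershell
# Added example (not from the original post): creates the Blocked Countries and Safe
# Countries named locations and the two policies described above. Country codes,
# group name and scopes are assumptions; adjust them to your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Named location for the countries to block; unknown locations are included as well.
$blocked = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked Countries"
    countriesAndRegions               = @("RU", "CN", "KP", "IR", "NG")
    includeUnknownCountriesAndRegions = $true
}

# Named location for the countries your staff normally signs in from.
$safe = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Safe Countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}

# The exemption group created earlier (service accounts, the contractor from Moscow).
$exceptions = Get-MgGroup -Filter "displayName eq 'Conditional Access Exceptions'"

# Policy 1: block every sign-in from the blocked countries, except for the exemption group.
# Start in report-only mode and switch state to "enabled" after reviewing the sign-in logs.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block High Risk Countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($exceptions.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($blocked.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA anywhere outside the safe countries and your trusted office IPs.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "MFA in Foreign Countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($exceptions.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($safe.Id, "AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
```

Review the report-only results in the Azure AD sign-in logs before flipping either policy to enabled, so the exemption group catches everything it needs to.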

And it’s that simple! You’ve just enabled MFA for all your users, and most of them should not have even noticed.

Create a break glass policy

In the fall of 2018, you may have heard that the Azure MFA service went offline for several hours and users were unable to log in. In case this ever happens again, you should consider having a break glass policy: a global admin account that does not use Azure MFA, so that it can be used to disable Azure MFA during the outage.

One possible solution is to have a single account that uses Duo or AuthAnvil for an MFA challenge to access your environment.

Another solution is to have a disabled Active Directory account that is a global admin but exempt from conditional access. To disable MFA, you would enable the account in AD and force a sync with Azure AD Connect so the account can sign in to your tenant. Creating a monitoring alert that notifies all administrators if this account is ever enabled is highly recommended. This account should also be restricted to logging in from a single privileged access workstation and a single IP address.
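One way to build the monitoring alert for the dormant break glass account, as an added example that is not from the original post. It watches the domain controller's Security log for event 4722 ("A user account was enabled") and assumes the account name, sender, recipients and SMTP server shown are placeholders; run it from a scheduled task triggered by that event.

```powershell
# Added example (not from the original post): alert all administrators when the
# break glass account is enabled on-premises. Names and mail settings are placeholders.
$BreakGlassAccount = "breakglass-admin"                       # sAMAccountName of the dormant global admin
$Admins            = @("admin1@example.com", "admin2@example.com")

# Event 4722 = "A user account was enabled"; Properties[0] is TargetUserName,
# Properties[4] is SubjectUserName (who enabled it). Look back 15 minutes.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4722; StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $BreakGlassAccount }

foreach ($e in $events) {
    $body = "Break glass account '$BreakGlassAccount' was enabled at $($e.TimeCreated) " +
            "by $($e.Properties[4].Value) on $($e.MachineName). Verify this was an approved outage response."
    Send-MailMessage -To $Admins -From "alerts@example.com" -SmtpServer "smtp.example.com" `
        -Subject "ALERT: break glass account enabled" -Body $body
}
```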

Finally, our recommended solution is to purchase your Office licensing from Infused Innovations, and we can work with you to use our secured tenant access to disable MFA in your environment during the outage.

Configure Company Branding

This may seem like a very non-technical task, but configuring company branding in your portal can help prevent your users from falling for a phishing attack. An attacker would have to replicate your custom branding instead of the generic Microsoft login page for the fake page to look convincing.

Follow this Microsoft guide to configure your portal.

Create a custom banned password list

Azure AD allows you to ban 1,000 custom passwords for cloud users for free. Infused Innovations recommends starting with this list of common passwords available on GitHub and adding your organization’s name, and any common terms used in your industry to the list.


For AAD P2 licensed users, configure Azure AD Identity Protection

This topic will be covered more in-depth in a separate blog post, but for now, navigate over to the Azure Marketplace and enable Azure AD Identity Protection.

Turning this feature on will enable risk reporting for your tenant, and Infused Innovations recommends configuring the User Risk Policy to force a password reset for any high-risk users.

The high-risk classification means that Microsoft is confident that the account has been breached, for instance because the user's credentials were found published on the dark web.

Create an email campaign for your users to enroll with Azure MFA

Now that you’ve enabled MFA for all your users in a handful of risky scenarios, the next step is to get your users enrolled. Consider customizing the Microsoft Fast Track rollout materials that are available here: https://www.microsoft.com/en-us/download/details.aspx?id=56768

Once your users are enrolled with MFA, we suggest creating more aggressive conditional access policies, such as always requiring MFA for OWA logins or requiring MFA on non-corporate-owned devices.

One final thought: avoid using App Passwords. If you have an application that doesn’t support two-factor authentication, try to upgrade or replace that application.