Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:

  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

The default Azure Active Directory configuration is tuned to make your enterprise and users collaborative and productive from the get-go. This does leave some flaws in the perspective of security, which you should address immediately upon leveraging from the Azure Active Directory.

I have chosen the following two subjects in a mix of what those misconfigurations attackers usually takes advantage of, and common misunderstandings plus lack of experience at our customers.

Multi-factor Authentication

According to Microsoft, 99.9% of attacks on your Azure Active Directory identity, which is used for authentication to your Microsoft/Office 365 and includes such as Outlook Online, SharePoint Online, OneDrive and various Microsoft Portals, can be prevented with enabling and enforcing Multi-Factor Authentication.

Multi-Factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cell phone or to provide a fingerprint scan. Azure Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.

  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.

  • Something you are - biometrics like a fingerprint or face scan.

Two Azure Active Directory essential security initiatives to protect your identities and tenant

Unfortunately, what I usually experience is Azure Multi-Factor being enabled and enforced, but only on high-privileged users and roles, which is to be fair a major improvement in strengthening the security posture of your identities compared to no use of Azure Multi-Factor authentication, but not quite good enough. You need to take into consideration that an attacker likes to target your regular users first (or the CEO), because they are usually prone to get phished, and then create and form a trust between the victim and the potential higher-privileged user, and then move laterally through internal phishing.


Enforcing Azure Multi-Factor authentication

The best and most effective way to enforce Azure Multi-Factor authentication for users and groups, is through Conditional Access policies. Conditional Access policies can be granular and specific, and for this purpose you should create a policy that simply enforces an Azure Multi-Factor authentication challenge when a user (regular or administrator) tries to access a cloud resource, which could be the Azure Portal, OneDrive, SharePoint Online or Outlook Online.

Go to:

Azure Active Directory portal -> Security -> Conditional Access -> New Policy

In this scenario, we want to create a simple Conditional Access policy which enforces Azure Multi-Factor authentication on all users except our break glass account, on All cloud apps and on both Browsers and Mobile apps and desktop clients.

In the new Conditional Access policy configuration, insert the following:

Name: Give it an appropriate name according to the purpose of the policy

Users and groups: Choose all users included and exclude your break glass account

This can be approached in different ways. The two most common one are the Include all users and groups and exclude specific targeted users and groups, or simply just create an cloud group including only the normal users and administrator accounts who should be MFA enrolled, and by this leaving out your break glass account and the On-premises directory synchronization service account if you leverage from Azure Active Directory Connect, plus any other cloud service accounts.

Azura MFA

Cloud apps or actions: Choose All cloud apps

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Conditions: Configure Client apps and choose Browser and Mobile apps and desktop clients

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Grant: Grant Access and check Require multi-factor authentication

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Enable policy: Choose On and hit Save

If the Conditional Access policy is configured correctly, you should be able to use the “What if” located in the Conditional Access policy section and confirm the policies effect.

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

By now you should also see your Microsoft Secure Score increase

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Action

Let’s be practical and see what an attacker actually experiences trying to attack identities protected by MFA.

This is from an attacker’s perspective trying to password spray against your tenant:

newnnewnew.png

The picture above clearly indicates which identities are protected by MFA, and which aren’t.

The admin victim will then be able to query these sign-ins, and as you can see some of them failed, and some of them succeeded, which gives us an clear picture of which identities could potentially be compromised:

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Block Legacy Authentication protocols

When Multi-factor Authentication (MFA) is configured and enforced, you obviously wish to leverage from this great security feature which you should, and this is where we need to make sure that no application should be allowed to authenticate solely through a legacy protocol. Why is this important you may ask? Legacy protocols simply does not support MFA, and this is because legacy authentication protocols like POP, SMTP, IMAP and MPAPI cannot enforce MFA, making them preferred entry points for adversaries attacking your organization. To put it into perspective:

  • More than 99 percent of password spray attacks use legacy authentication protocols

  • More than 97 percent of credential stuffing attacks use legacy authentication

  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled


Legacy vs. Modern authentication

Legacy authentication is a term Microsoft uses to describe basic authentication when used with its cloud-based services. Modern authentication provides more security and capabilities, and is the way going forward, and at this point Microsoft is already slowly deprecating legacy authentication protocols on their services.

Legacy Authentication Protocols

The following options are considered legacy authentication protocols:

  • Authenticated SMTP - Used by POP and IMAP clients to send email messages.

  • Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.

  • Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.

  • Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.

  • Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.

  • IMAP4 - Used by IMAP email clients.

  • MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.

  • Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.

  • Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.

  • Outlook Service - Used by the Mail and Calendar app for Windows 10.

  • POP3 - Used by POP email clients.

  • Reporting Web Services - Used to retrieve report data in Exchange Online.

  • Other clients - Other protocols identified as utilizing legacy authentication.

Modern Authentication

Modern authentication is characterized by:

  • a client and service capable of using OpenID Connect, SAML, and/or OAuth 2.0 for authentication

  • a client and service which can accept redirects to the identity provider for all authentication interactions and can work with authentication tokens of the protocols above


Is your organization ready for this?

At this point you could ask yourself: “Phew, this sounds like a no brainer. Let’s block those legacy protocols and feel safe”. The reality is that some users, service accounts and/or older integrated systems such as old phones and computers with outdated native browsers, and conference & meeting room schedulers might still only support the legacy protocols. In this case we can simply just exclude them from our design, until they are either upgraded to newer software which supports modern authentication, or completely migrated to a more modern solution, which should be addressed and done as soon as possible.

To identify these potential users, service accounts and systems, you should query your Azure AD sign-ins. This can be done by going to:

Azure Active Directory portal -> Sign-ins

Now we add a filter to isolate our query for utilization of legacy protocols. Hit Add Filters and choose Client App.

Make sure all Legacy Authentication Clients are checked, and the filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The Client App field under the Basic Info tab will indicate which legacy authentication protocol was used.

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Directly block Legacy Authentication

How can you prevent apps using legacy authentication from accessing your tenant's resources? The recommendation is to just block them with a Conditional Access policy.

As with the previously created Conditional Access Policy, head over to:

Azure Active Directory portal -> Security -> Conditional Access -> New Policy

In the new Conditional Access policy configuration, insert the following:

Name: Give it an appropriate name according to the purpose of the policy

Users and groups: Choose all users included and exclude your break glass account plus the ones you identified in the sign-in query

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Cloud apps or actions: Choose All cloud apps

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Conditions: Configure Client apps and choose Exchange ActiveSync clients and Other clients

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Grant: Block Access

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now

Enable policy: Choose On and hit Save

You have now strengthened your identity security posture by a big margin, and your user identities are now less vulnerable of being compromised, and as a bonus your Microsoft Secure Score has now been increased

Two Azure Active Directory essential security initiatives to protect your identities and tenant - And why you should implement them right now