In a mobile-first, cloud-first world, your users access your organization's resources from anywhere using a variety of devices and apps. As a result, focusing on who can access a resource is no longer enough. You also need to consider where the user is, the device being used, the resource being accessed, and more. Azure Active Directory (Azure AD) Conditional Access analyses signals such as user, device, and location to automate decisions and enforce organizational access policies for resource. You can use Conditional Access policies to apply access controls like Multi-Factor Authentication (MFA). Conditional Access policies allow you to prompt users for MFA when needed for security, and stay out of users’ way when not needed.
In a recent project to improve user identity security, one of our Azure Security Experts utilized Conditional Access to create policies.
Block Legacy Authentication Policy:
One of these policies was to block legacy authentication. Legacy authentication does not support MFA. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, making them preferred entry points for adversaries attacking your organization. The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:
- More than 99 percent of password spray attacks use legacy authentication protocols
- More than 97 percent of credential stuffing attacks use legacy authentication
- Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
Block Access by Countries
With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic should not come from.
Reduce MFA for known locations
One of the biggest complaints about MFA is the additional step required by the user to access resources. Utilizing conditional access policies, you can avoid MFA for known locations like inside your locations or while connected via your wireless network.
Require MFA for Administrators
Administrator accounts are highly targeted by attackers. Once compromised, these accounts provide the “keys to the kingdom” for these attackers. Best practice is to require MFA for all administrator accounts to reduce the risk of these accounts being compromised.
Microsoft’s Conditional Access is a powerful solution to secure user identities and much more. Conditional access can be integrated with Single Sign On (SSO) to 3rd party applications to ensure that only valid users are allowed access to data and applications. Conditional Access is included in Microsoft Azure Active Directory (AAD) Premium P1. AAD P1 is included in Microsoft 365 F1/F3/E3/E5, Microsoft 365 Business Premium (300 users or less), EMS E3/E5 or as a stand alone license. Reach out to a Microsoft CSP licensing expert at Akins IT for assistance with any licensing questions. Additional features like Privileged Identity management and Risk-Based Conditional Access are included in Microsoft Azure Active Directory Premium P2.