How to enforce Multi-Factor Authentication using Conditional Access


Your customers are concerned about how you’re handling their personal data.

According to a recent survey, 42% of Australian consumers are more concerned than ever about how companies are handling their data, and 43% of consumers state they’d never spend money with a business again, following a data breach.

With uncertain economic times ahead, no business can afford to lose 43% of its customers. In our previous blog, we showed you how to use Microsoft’s security defaults to stop the password-based attacks behind the vast majority of account compromises; Microsoft’s own figure is that MFA blocks more than 99.9% of them. Security defaults enforce Multi-Factor Authentication (MFA) for all users and block legacy authentication protocols tenant-wide.

So, what is legacy authentication, and why does it matter? Legacy authentication refers to protocols that use basic authentication: the client sends the username and password with every request, as IMAP, POP3, authenticated SMTP, Exchange ActiveSync and older Office clients do. These protocols have no way to prompt for a second factor, so a password alone is enough to sign in, which makes them the favourite target for brute force and password spray attacks and a direct route to compromised mailboxes and data. Modern authentication (OAuth 2.0 and OpenID Connect, as used by current Office clients and browsers) is the secure alternative: it supports MFA natively, and every sign-in through it is evaluated by Azure AD Conditional Access, which gives you the option to require MFA and other controls per sign-in.

But what if your business relies on some of these legacy authentication protocols?

If a single employee has a legitimate reason for requiring access to a single legacy authentication protocol, then security defaults may not be a viable option for your business.

So if you can’t use security defaults, then what’s the best way to keep your data safe?

In this article, we will show you how to enforce MFA and block legacy authentication for specific users by creating custom Conditional Access policies. Note that Conditional Access requires an Azure AD Premium P1 licence (included in Microsoft 365 Business Premium, E3 and E5); security defaults are free, which is why they are the starting point for smaller tenants.

Want to speak to someone about securing your business or how to enable a modern, mobile workforce? We are passionate and knowledgeable technology experts, eager to understand your business and challenges. Get in touch, and one of our friendly team members will contact you.

What are Microsoft’s Conditional Access policies?

A Conditional Access policy is a series of if-then statements, for example, if the user wants to perform X, then they need to do Y. We’ll be creating two Conditional Access policies: a policy that enforces MFA across your entire organisation, and a policy that blocks legacy authentication protocols for certain users, or groups of users.

We will also show you how to identify users who are accessing their accounts using legacy authentication protocols, so you’ll know exactly who to include and exclude from your legacy authentication Conditional Access policy.

Make MFA mandatory: Creating a Conditional Access policy

Let’s start by enforcing MFA across all your Microsoft 365 accounts:

  • Log into your Microsoft Azure admin account and select “Azure Active Directory.”
  • In the left-hand menu, select “Security,” and then select “Conditional Access.”
  • Click “New policy.”

  • Give your policy a name; I’m using “Enforce MFA.”
  • In the “Assignments” section, select “Users and groups.” This should open a new panel.
  • To enforce MFA across your entire organisation, select the “Include” tab and then select “All users.”
  • To ensure you don’t wind up locked out of your tenant, exclude at least one account from your MFA Conditional Access policy. Select the “Exclude” tab and then specify the account(s) to exclude. This should be a dedicated emergency access (“break glass”) account: a long, randomly generated password kept offline, excluded from every Conditional Access policy, and with an alert on any sign-in, rather than somebody’s everyday admin account. Alternatively, you can select “Directory roles” and exclude users based on their assigned role, but remember that every excluded account is one that a password alone can open, so keep exclusions to the minimum.
  • Click “Done.”
  • In the left-hand menu, move onto the next section and then select “Cloud apps or actions.”
  • In the subsequent panel, push the slider into the “Cloud apps” position.
  • Make sure the “Include” tab is selected.
  • You can now apply this MFA policy to “All cloud apps,” which is the recommended approach. Alternatively, you can apply this policy to specific applications only, by clicking “Select apps” and then choosing your applications from the list.
  • When you’re happy with your selection, click “Done.”
  • In the left-hand menu, select “Conditions.”
  • You can now configure which client apps this Conditional Access MFA policy should apply to, by selecting “Client apps.”
  • In the new panel that appears, drag the “Configure” slider into the “Yes” position.
  • Select every client app type. Unless you have a specific reason not to, enforce MFA across all of them, as this provides the widest coverage. Be aware of what this means for the two legacy types, “Exchange ActiveSync clients” and “Other clients”: they cannot perform MFA, so a sign-in through them under a “Require multi-factor authentication” grant simply fails. That is the intended outcome; the separate block policy later in this article makes the block explicit and lets you carve out the users who still need those protocols.
  • When you’re happy with your selection, click “Done” to close this panel.
  • In the left-hand menu, select “Grant.”
  • In the panel that appears, select “Grant access > Require multi-factor authentication.”
  • Click “Select.”
  • Activate your policy by pushing the “Enable policy” slider into the “On” position. If you would rather see who would be affected before enforcing anything, choose “Report-only” instead: the policy is evaluated and the outcome is recorded against each sign-in in the sign-in logs, but nobody is prompted or blocked.
  • Click “Create.”

Your MFA Conditional Access policy is now live! The next time a user signs in to their Microsoft 365 account, they’ll be asked to register for MFA if they haven’t already, and then to satisfy it whenever the policy applies, either by entering a one-time code sent to their phone via SMS or, preferably, by approving a prompt in the Microsoft Authenticator app for iOS and Android. Steer users towards the Authenticator app: SMS codes can be intercepted through SIM swapping and are the weakest of the available methods.

See exactly who’s using legacy authentication

Microsoft estimates that MFA stops more than 99.9% of account-compromise attacks, but legacy protocols have the potential to completely undermine even the most robust MFA policies.

Legacy authentication protocols don’t support MFA, so a sign-in over IMAP, POP3 or authenticated SMTP never triggers your MFA requirement: the password alone is accepted. If a user can sidestep your MFA that way, then so can an attacker who has phished, guessed or sprayed that user’s password, and they can read the whole mailbox over IMAP without ever seeing an MFA prompt.

Microsoft’s security defaults disable legacy authentication protocols at an organisation-wide level, but if this isn’t practical for your business, then you should identify the users who are still accessing their accounts via legacy authentication protocols, and then block these protocols for everyone except those users.

To start, let’s review your organisation’s past sign-in attempts, and identify the users who still require access to legacy authentication protocols:

  • Log into your Microsoft Azure admin account.
  • Select “Azure Active Directory.”
  • In the left-hand menu, select “Sign-ins.”
  • Select “Add filters > Client App > Apply.”
  • In the menu bar, select “Client App: None selected.”
  • Select everything in the “Legacy Authentication Clients” section.
Azure Active Directory will now display every sign-in where a legacy authentication protocol was used. You can use this data to identify the employees who are still actively using legacy authentication and to gauge whether they’ll require access to these protocols moving forward. Two caveats when reading it. First, the sign-in log only goes back 7 days on the free tier and 30 days with Azure AD Premium, so a monthly or quarterly job (a scanner or line-of-business system that sends mail, say) may not fall inside the window you are looking at; ask the users and check your application inventory as well. Second, look at the Status column too: failed legacy sign-ins, particularly against accounts that don’t exist or from unfamiliar locations, are typically password spray rather than a user you need to accommodate, and they are a good reminder of why this policy matters.
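For a tenant with more than a handful of sign-ins the portal filter gets unwieldy. The following Python script is an added example, not part of the original article: it takes sign-in records in the shape of the Microsoft Graph `signIns` resource (the same fields the portal’s JSON download and `GET https://graph.microsoft.com/v1.0/auditLogs/signIns` return), keeps only the legacy `clientAppUsed` values, and produces a per-user list of protocols, counts of successful and failed sign-ins, and the last successful use. The sample records and the contoso.example names are constructed so the script runs offline; the Graph call itself is not included.

```python
"""Find who still signs in with legacy (basic) authentication.

Added example. Input records follow the Microsoft Graph signIns shape
(userPrincipalName, clientAppUsed, appDisplayName, createdDateTime,
status.errorCode). SAMPLE_SIGNINS below is constructed test data.
"""
from collections import defaultdict

# clientAppUsed values Azure AD reports for legacy authentication clients.
# "Browser" and "Mobile Apps and Desktop clients" are modern auth and are ignored.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "POP3",
    "Reporting Web Services", "SMTP", "Universal Outlook",
}

# Constructed sample: one modern sign-in, a user on IMAP/SMTP, a scanner on
# ActiveSync, and a burst of failed basic-auth attempts against "admin".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online",
     "createdDateTime": "2020-09-01T08:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2020-09-01T09:03:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2020-09-02T07:45:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2020-08-30T23:10:00Z", "status": {"errorCode": 0}},
    # 50126 = AADSTS50126 "invalid username or password"
    {"userPrincipalName": "admin@contoso.example", "clientAppUsed": "Other clients",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2020-09-02T03:14:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "admin@contoso.example", "clientAppUsed": "Other clients",
     "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2020-09-02T03:14:07Z", "status": {"errorCode": 50126}},
]


def legacy_auth_summary(signins):
    """Per-user view of legacy-auth usage.

    Returns {upn: {"protocols": [...], "successes": n, "failures": n,
                   "last_success": ISO timestamp or None}}.
    Timestamps are Graph's UTC "Z" strings, so string comparison orders them.
    """
    summary = defaultdict(lambda: {"protocols": set(), "successes": 0,
                                   "failures": 0, "last_success": None})
    for rec in signins:
        client = rec.get("clientAppUsed")
        if client not in LEGACY_CLIENT_APPS:
            continue
        entry = summary[rec["userPrincipalName"]]
        entry["protocols"].add(client)
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
            ts = rec["createdDateTime"]
            if entry["last_success"] is None or ts > entry["last_success"]:
                entry["last_success"] = ts
        else:
            entry["failures"] += 1
    return {upn: {**e, "protocols": sorted(e["protocols"])}
            for upn, e in summary.items()}


def exclusion_candidates(summary):
    """Accounts with at least one *successful* legacy sign-in: the only ones
    that might need excluding from the block policy."""
    return sorted(upn for upn, e in summary.items() if e["successes"] > 0)


def failure_only_accounts(summary):
    """Accounts that only ever fail over legacy auth: usually password spray
    or a stale saved password, not a user to accommodate."""
    return sorted(upn for upn, e in summary.items()
                  if e["successes"] == 0 and e["failures"] > 0)


if __name__ == "__main__":
    summary = legacy_auth_summary(SAMPLE_SIGNINS)
    for upn in exclusion_candidates(summary):
        e = summary[upn]
        print(f"{upn}: {', '.join(e['protocols'])} "
              f"(ok={e['successes']}, failed={e['failures']}, last ok {e['last_success']})")
    print("failure-only (likely spray):", failure_only_accounts(summary))
```

Only accounts with successful legacy sign-ins are candidates for exclusion from the block policy; failure-only entries, like the repeated 50126 attempts against admin@ in the constructed sample, are the spray noise the block policy exists to silence. Feed it the real download rather than the sample and the two lists are your include and exclude sets.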

Legacy authentication: Closing MFA’s security loophole

Once you’ve identified who you need to include and exclude from your legacy authentication policy, you’re ready to create that policy:

  • Log into your Microsoft Azure admin account.
  • Select “Azure AD Conditional Access.”
  • Select “New policy.”
  • Give your policy a descriptive name.
  • In the left-hand menu, select “Conditions.”
  • Select “Client Apps.” This opens a new panel.
  • In the new panel, push the “Configure” slider into the “Yes” position.
  • Select “Mobile and desktop clients.”
  • Select “Exchange ActiveSync clients” and “Other clients.” “Other clients” covers the remaining basic authentication protocols: IMAP4, POP3, authenticated SMTP, Exchange Web Services, Outlook Anywhere, Exchange Online PowerShell and older Office clients that don’t use modern authentication.
  • Click “Done.”
  • In the left-hand menu, select “Grant.”
  • In the new panel that appears, select “Block access,” and then click “Select.”
  • In the left-hand menu, select “Users and groups.”
  • Specify who this Conditional Access policy should apply to, using the “Include” tab. The users who you include in your Conditional Access policy will no longer be able to authenticate their identity using legacy authentication protocols.
  • To ensure you don’t accidentally lock your entire organisation out of your tenant, use the “Exclude” tab to exclude your emergency access (“break glass”) account, the same account you excluded from the MFA policy. Then add the users you identified in the sign-in logs as still needing legacy authentication. Keep this list short, review it regularly, and treat it as a to-do list: each excluded user is a mailbox that a password alone will open, so the goal is to move them to clients that support modern authentication and then remove the exclusion.
  • Push the “Enable policy” slider into the “On” position, and then click “Create.”

Your Conditional Access policy is now live, and everyone who was included in your policy will be unable to access their accounts using legacy authentication protocols, closing a dangerous security loophole in your MFA policy. To confirm it is working, return to the Sign-ins report after a day or two, apply the same Client App filter as before, and check that legacy sign-ins by included users now show as failures with this policy listed under the “Conditional Access” tab of the sign-in details. Remember that the policy only covers the accounts it includes: new users created later are covered automatically only if you targeted “All users,” so prefer that over picking individual accounts and manage the exceptions through the “Exclude” tab.
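Both policies from this article, as an added example that is not part of the original post, expressed as the Microsoft Graph `conditionalAccessPolicy` JSON the portal builds for you (Graph v1.0, `POST /identity/conditionalAccess/policies`, permission `Policy.ReadWrite.ConditionalAccess`). This is the form you want when you manage several tenants or keep policies in source control, and it lets you run a lockout check before anything is created. `lockout_findings` is our own helper, not a Graph feature, and the object IDs are placeholders you replace with your break-glass account and the legacy-auth exceptions found in the sign-in logs. Both policies default to report-only so you can read the results in the sign-in logs before switching `state` to `enabled`.

```python
"""Both Conditional Access policies from this article as Microsoft Graph
conditionalAccessPolicy bodies, plus a pre-flight lockout check.

Added example. BREAK_GLASS_IDS and LEGACY_EXCEPTION_IDS are placeholders:
replace them with the object IDs of your emergency access account(s) and of
the users the sign-in logs showed still need legacy authentication.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph's name for "Report-only"

BREAK_GLASS_IDS = ["00000000-0000-0000-0000-000000000001"]        # placeholder
LEGACY_EXCEPTION_IDS = ["00000000-0000-0000-0000-000000000002"]   # placeholder


def mfa_policy(exclude_users, state=REPORT_ONLY):
    """'Enforce MFA': all users, all cloud apps, all client app types."""
    return {
        "displayName": "Enforce MFA",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_policy(exclude_users, state=REPORT_ONLY):
    """'Block legacy authentication': only the two legacy client app types
    are targeted, so browser and modern clients are untouched."""
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_findings(policy):
    """Our own pre-flight check (not a Graph feature). Returns a list of
    reasons the policy is unsafe to enable; an empty list means it passed."""
    findings = []
    users = policy["conditions"]["users"]
    client_types = policy["conditions"]["clientAppTypes"]
    controls = policy["grantControls"]["builtInControls"]
    has_exclusion = any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
    if "All" in users.get("includeUsers", []) and not has_exclusion:
        findings.append("targets All users with no exclusion: no break-glass account survives")
    if "block" in controls and "all" in client_types:
        findings.append("blocks every client app type: included users cannot sign in at all")
    if "block" in controls and "browser" in client_types:
        findings.append("blocks browser sign-ins, which are modern auth and belong under MFA")
    return findings


def create_policy(policy, access_token):
    """POST the policy to Graph. Not called in the demo below; run it once
    lockout_findings() comes back empty."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, method="POST", data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policies = [mfa_policy(BREAK_GLASS_IDS),
                block_legacy_policy(BREAK_GLASS_IDS + LEGACY_EXCEPTION_IDS)]
    for p in policies:
        print(p["displayName"], "->", lockout_findings(p) or "OK")
        print(json.dumps(p, indent=2))
    # A deliberately bad variant, to show the check firing.
    bad = block_legacy_policy([])
    bad["conditions"]["clientAppTypes"] = ["all"]
    print("bad policy ->", lockout_findings(bad))
```

The two bodies mirror the portal steps above: `includeUsers: ["All"]` with the break-glass account in `excludeUsers`, every cloud app, `clientAppTypes` set to `all` for the MFA grant and to the two legacy types for the block. The check encodes the two mistakes that actually lock people out, a tenant-wide policy with no exclusion and a block that covers every client type, so it is worth running on any policy you export from the portal as well.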

At Blackbird IT, we can help protect your business against the latest security threats, with a complete suite of security-focused services ranging from technology audits, to compliance and best practice consultation, and IT Health Checks. Or why not speak directly to one of our experts. Our security specialists will be happy to discuss your unique needs and concerns, and recommend the security services that have the most to offer your business.
