New Baseline Conditional Access Policies in Azure AD
Alex Fields
Remember over a year ago when the first Baseline Conditional Access policy dropped? It was simple enough and most definitely a good move, but of course, most people still aren’t using it. I have heard some nightmarish statistic–something like less than 2 percent of admin accounts in Azure AD are protected by MFA. Puke! Hopefully these baselines see better adoption in the months to come.
Anyway, now we have three brand new, additional baseline policies available. It’s like a mid-year Christmas!
There are now four baseline policies available:
- Require MFA for admins (this was the original policy)
- End user protection
- Block legacy authentication
- Require MFA for Service Management
To start, look at Block legacy authentication; this is something that has been sorely needed for a long time. Of course, in Exchange Online it is also possible to create authentication policies which disable basic auth, and I have been recommending that for a long time. But now, blocking legacy protocols can be accomplished across all Microsoft 365 services with this one policy. Note that you may have service accounts in your environment that require basic auth, but as with all policies this one allows you to exclude selected users.
I think that Exchange Online authentication policies are still relevant though, since you can turn off basic authentication at a more granular level, per individual service/protocol. For example, maybe you need to exclude a handful of users from this policy. But then, let’s say you find out that you only need to leave EWS open for them; so why not disable IMAP, POP, SMTP and the others? You can do that with an EXO auth policy, but not with this conditional access policy.
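To show that per-protocol granularity in practice, here is an added PowerShell example (not from the original post) that sets a block-everything Exchange Online authentication policy as the tenant default and then gives the handful of users excluded from the Conditional Access policy a narrower policy that leaves only EWS basic auth open. The policy names and user principal names are constructed placeholders.

```powershell
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline from the
# ExchangeOnlineManagement module). Policy names and UPNs are constructed placeholders.

# 1. Tenant-wide default. New-AuthenticationPolicy blocks basic auth for every protocol
#    unless an -AllowBasicAuth* switch is given, so a bare call is a "block all" policy.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 2. Narrow exception for the users excluded from the CA "Block legacy authentication"
#    policy: only EWS stays open; IMAP, POP, SMTP, ActiveSync and the rest remain blocked.
New-AuthenticationPolicy -Name "Allow Basic Auth - EWS only" -AllowBasicAuthWebServices

$excludedUsers = @(
    "svc-ews-integration@contoso.example",   # constructed placeholder
    "legacy-app@contoso.example"             # constructed placeholder
)
foreach ($upn in $excludedUsers) {
    Set-User -Identity $upn -AuthenticationPolicy "Allow Basic Auth - EWS only"
    # Invalidate existing refresh tokens so the policy applies promptly instead of
    # waiting for cached tokens to expire.
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 3. Verify what each policy permits and who carries the exception.
Get-AuthenticationPolicy |
    Format-Table Name, AllowBasicAuthWebServices, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Format-Table UserPrincipalName, AuthenticationPolicy
```

The verification output is what you want to keep an eye on over time: any account that appears with the EWS-only policy is an account that still carries basic-auth exposure and should be revisited once the dependent integration is modernized.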
Check out the End user protection policy. This one blows my mind a little actually; it is leveraging “risk-based” conditional access, which is a technology normally accessible only via an Azure AD Premium P2 subscription.
Really cool to see that Microsoft felt strongly enough about identity protection to include this premium feature as a baseline policy. Kudos, Microsoft. As another surprising bonus, if any evidence of leaked credentials surfaces on the dark web, Microsoft will also block sign-in and force the user to perform a password reset using their second factor.
The other cool thing I want to point out here is that SO MANY businesses still gawk at the idea of MFA. Why? Because they think it’s annoying. I just want to slap these customers sometimes. WAKE UP! Do you not realize the era we live in? MFA is non-negotiable in my mind. But this is one way to make the transition easier for end-users. They will need to register for MFA within 14 days of their first login attempt after applying this policy, but moving forward they would only be challenged for that second factor under “risky” conditions (e.g. unknown or infrequent location, etc.).
Now I generally just turn on MFA straight up for users across the board. In some circumstances where Azure AD Premium is available to the customer, they may decide to exclude known/trusted locations such as their corporate offices, and maybe trusted devices. But, good to have a low-impact entry point here as well (and at no additional cost). Even if you are enforcing MFA for all user sign-ins, the extra protection against leaked credentials is huge, so I would still recommend enabling this one.
The last policy isn’t really that cool. It’s just requiring MFA whenever certain services are accessed that rely on the Azure Resource Manager API. I just think this is redundant if you are already enforcing MFA more widely anyway (as you should be).
Thumbs up though to MS. Now if we could just force the issue somehow… Sigh. I guess there is always ransomware and the other threats out there–eventually those who aren’t adopting a better baseline will get hit hard, and realize it’s time to transform their thinking about security in the cloud. Don’t let that be you. They are making it easier and easier to adopt a better security posture these days–go check out these policies to get started.