This a blog post supporting one of the Cyber Anxiety series, hosted by Inbay, alongside Daniel Welling of WellingMSP.
The latest one is about Conditional Access in Office365
Conditional Access in Office365
Conditional Access is probably the most powerful tool
available for security of your and your client’s Office365 tenants. When used
in combination with Multi Factor authentication (MFA), it can keep most of the bad
actors away, but can also protect your client’s data. It is such a powerful
tool that I can only give you a brief introduction to the power it has.
First a warning – it is very easy to lock yourself out of
the tenant with Conditional Access, so always have an emergency access account
configured and confirmed as working.
This is documented on the Microsoft web site (https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access) . If you have any rules already configured, then exclude this
account from all of them.
What is Conditional Access?
Conditional Access is a feature of
AzureAD which allows you to control who and what can access the Office365
tenant. It can enforce the use of a managed machine, MFA, location and approved
apps, giving the administrator full control over the tenant access.
It can also be used to limit MFA prompts, which are one of the main barriers to
adoption of MFA.
During initial adoption, the rules can be
run in Report Only mode, therefore allowing you to catch anything that could be
outside of the ruleset before it goes live. Enabling a small Azure subscription
(usually less than £10/month) will allow more advanced reporting. This can be very
useful to show to the client to demonstrate what conditional access could or is
blocking. If you followed my advice at the start about configuring an Emergency
Access Account, then the same log workspace can be used.
Two of the most common uses for
Conditional Access are Country Restrictions and Securing Sign Ups for MFA.
One of the easiest to implement, but most
effective uses of Conditional Access is to restrict what countries can access
the tenant. If you or your client are all located in the UK, then restricting
login to the UK will stop a lot of attacks, even if an account gets
Conditional Access works on the Block Everything, with exceptions rule, so you
will need to build a list of countries that can access the tenant (typically I
do UK, ROI, Jersey, Guernsey and Isle of Man).
The only drawback is if a user goes travelling and needs to access company
resources. To combat that, create a group for the exceptions, then add and
remove users from that group as required. Make sure that end users know to
inform you that they are traveling.
It can be tempting to allow some users to be in the exception group all of the
time. If this is a high value account (CEO, MD etc) then this should be
discouraged, because they remain a target.
However, be creative – if an end user has a holiday home where they spend a lot
of their time, then build an exception ruleset for them. If the staff member
can get a static IP address, then even better as you can restrict it to that
Conditional Access is the preferred
method to enforce the use of MFA, but you can also use Conditional Access to
secure MFA. If you are using trusted location to allow office-based staff to bypass
the need for MFA, then you can use Conditional Access to ensure that those users
cannot have their account abused. A common attack would be for a bad actor to
phish the user’s security details from them, then sign up for MFA using their
own phone and are able to access the tenant from wherever.
Therefore, configure a trusted location and then restrict MFA sign up to that
trusted location – so a user has to be in the office to sign up for MFA.
Spend some time with the conditional
access documentation and see how you can secure both your own tenant and those
of your clients. Just don’t lock yourself out!
Luke, Daniel and I discuss conditional access in the pod cast series Cyber Anxiety, the link to it can be found above.
If you would like to listen to the rest of the series, then they can be found here: