
not do that. Okay, so, welcome to Unconditionally Conditional: Strong Authentication in Microsoft Entra ID, formerly Azure AD until recently, because they keep changing stuff. So just out of curiosity, show of hands (because it looks like everybody's still out having coffee, and I don't know about you, but coffee and donuts or cookies is awesome): how many of you are in an environment that has Microsoft 365 or Azure? That's a good portion of you, excellent. And you've all got E5 licenses and you've got all sorts of funding? Oh wow, there's like six. Okay, that's cool.

So who am I and why should you care about listening to me? I have about 30 years of experience in the IT industry, primarily in critical infrastructure, mostly with a security focus. Today I work as a healthcare security professional in a large hospital service, and, like things go, I won't name organizations in any of my talks. If CTFs are your thing, well, I have a couple to my credit. Over the years I've helped build, mentor and run a number of infosec projects for a variety of different volunteer groups, and I teach black and white darkroom techniques, because from a hacking perspective who doesn't like something that's completely the opposite end of the spectrum of the things that we like to do on a daily basis?

Most importantly, this model that we're going to be talking about and covering throughout this presentation is something that I've been building for the last six months. It's tested, it's in production in a large enterprise, and this is the lessons learned that our team, and primarily I, learned along the way. A quick disclaimer: the thoughts and opinions shared throughout this presentation are mine alone and they are not those of my employer, past, present or future.

An agenda. So let's talk about trust and zero trust. We're going to talk about devices and applications, conditional access policies and components. A model of strong authentication is going to be presented. We're going to give an example risky sign-in. I originally had some troubleshooting stuff but I can't really fit it into the 25 minute time slot. We're going to talk about a few other things that tie in with this, some licensing, resources and links at the end, and we're going to finish it off with some conclusions. There is no need to take any photos throughout the presentation, and you should wait for the last QR code, but if you really want to play along, feel free to activate any of the QR codes throughout the presentation.

Some assumptions. Authentication is only one part of your defense strategy.
Authentication does not only apply to users; it also applies to devices, applications, services and users. Authentication is also verification of identity. Authorization will be mentioned but will not be covered in detail. Something we will not cover: we're not covering everything, there will always be more, and you need to embrace the rate of change, especially in the Azure and Entra environments. Pricing? That's between you and your sales rep. How long is this going to take to implement? Well, talk to your change advisory board; it can take minutes or it can take years.

So what is trust? According to this Special Publication, 800-161, it's a belief that an entity meets certain expectations and therefore can be relied upon. It's also a noun: assured reliance on the character, ability, strength or truth of someone or something. It's also a verb: to hope or expect confidently.

So what is zero trust? There are a number of definitions that I've read over the last few months and I really like this one, but it really comes down to: it's an idea to protect our data by always choosing what you choose to trust. But it's still all about trust.

So why should we care? Well, the traditional thinking is the physical network boundary is the edge and the firewall will save us, but we know that that's just a layer and it's not going to actually help in the end. So in the cloud posture environment we're talking about the data as the edge; the client is just a conduit to that data. Authentication is your gateway to your data, but most importantly we have a legal, regulatory and moral obligation to protect the data of our clients and our staff. When you're looking at moving your data into a cloud-based solution, especially with strong authentication and data loss controls, this can have a real impact on physical attacks while adding an entirely new attack surface to your environment.

We're going to start with devices. So there is a variety of device join types. When you're looking at devices initially, the Entra
registered or AD registered is useful for BYOD but pretty much useless for anything else. AD joined is your on-premises devices. Azure or Entra joined (and I'm going to bounce back and forth between these terms, partially because it's new and partially because the interface actually hasn't changed and it still has both terms all over it), so Azure joined is something that's in the cloud environment only. When you join them together through AD sync and a few other pieces you end up with hybrid join, so your Active Directory and your Entra ID are the devices in both places and it's communicating back and forth between those. What we want is we want our devices to be co-managed between Config Manager, that's SCCM on premises, and Intune in the cloud, and we want them compliant.

So when we start looking at devices and application management there are mobile device management and mobile application management policies, MAM and MDM. So MDM is device focused, MAM is application focused. MDM has config policies and compliance policies; well, so does MAM. They both do encryption, but MAM does it in a container and MDM manages, again, the full device. You can also wipe the devices: you can wipe the full device with MDM or just the application data in the container. When we're talking about application updates, in MAM we hope that the user updates their apps; in MDM we can push out those updates. MDM is best for orgs and org-owned devices; MAM is best for the applications and BYOD devices.

When we start looking at policies, there's a variety of different operating systems that you can have specific policy sets for. I'm not going into detail of all of the specific features and functions, partially because they actually change on almost a weekly basis as to what's supported, but here are some of them that have a reasonable impact on the controls for your specific devices, keeping in mind that there is an expectation that configuration policies will be applied before you apply your compliance policies. This is especially true on macOS.

When we start looking at the apps, well, like I said before, protected data or protected apps run in a container. So it might seem obvious, but that means that things outside of the container are not in the container, which means they're not protected. So you'll notice that there's also a Slack, WebEx and Zoom for Intune. These are the ones in the container. They are not the same as Slack, WebEx and Zoom without the words "for Intune": one is managed, one isn't; one is controlled, one isn't; one is in the container, one isn't; one can be wiped remotely, the other one can't; and they don't talk to one another.
They're completely separate. So when we get into the policies themselves, keeping your data in the container is the only way to meet your obligations to protect your data. To that end, the things that we want to deny: we want to deny backing up data to iCloud or Google Drive or whatever it happens to be. We don't want users copying data out of the container, we don't want them syncing data, we don't want them printing our data, we don't want third-party keyboards, because I don't know about you but I type passwords in on those, so I sure don't want that going outside of my container.

So when we want to allow things, we want to allow saving from OneDrive or to OneDrive, because that's in the container and we still get to control that. We want to allow numeric PINs. Why? Because we don't want our users to hate us. We do want to allow them to use biometrics, also because we don't want our users to hate us. But again, coming back to things that we aren't sure we should do: blocking notifications. Does that really matter? Well, maybe if you're in the nuclear industry and you're building nuclear power plants you might want to block notifications so that there's no pop-up on the screen, but really, is it that much of a big data loss if an individual is in the wrong spot and they do something silly and they have a pop-up that has the name of a person in the subject? Unless somebody's sending subjects that actually have patient names in them, which should never, ever, ever happen, you're not likely going to have a problem. So is that a risk? I don't know if it is. Forcing PIN resets after a period of time: who thinks forcing a PIN reset after 30 days is a great idea? Put up your hands. Yeah, no hands, not one. Why? Because all you're going to end up with is 1111, 1112, 1113... anyways, you get the point.

MAM policies. When we start moving into conditional launch, so this is an additional feature that adds more additional controls on top of the user's authentication. So when the user opens the app you can also apply these. So the user has too many PIN attempts? No problem, reset the data, or maybe wipe the data, or block access to the data. People's phones are lost and stolen all the time, and we see all sorts of videos of it on YouTube and other things where groups of people grab somebody's phone and it disappears, you never see it again. Well, after 720 minutes of not being connected to anything, block access to the data, because if it's not authenticating anymore it doesn't need access to the data. After 90 days, well, just wipe the whole container if the device is offline, and those settings become part of the app, so even if the device doesn't actually connect it still wipes the data. There's no data, which is great for us because again we've met our regulatory requirements to control that data access. User jailbreaks the device? Well, block access to the data. Minimum OS versions: there are some versions that don't support updates anymore. Maybe we should just wipe the data for any devices that are on an unsupported OS version. Prior to that we block access after a particular amount, or we might warn the
user, because that version has been deprecated by Google and, you know, in a few weeks, because it's fall, there's another version that's going to fall off that list, and the same thing with Apple. Maybe we don't want that actually connecting soon and we should warn them that they're about to lose access to any of the data because they're using a BYOD that they haven't updated.

Some of Intune's limitations. So all of these have been through Microsoft Intune up until this point. Privacy and troubleshooting with MAM is an interesting challenge. So when you're an admin with mobile application management you can see, from Entra, the OS, the device name and the OS version, and that's it, which is absolutely wonderful for the privacy of those people that brought all those BYOD devices, but it's complete hot garbage for your troubleshooting aspects from any of your staff on the help desk. Policy reports are inconsistent. So policy compliance, any of the compliance reports that come out, the only one that I've actually found that's of any value, especially for the MDM policies, is the per-setting non-compliance, because you'll actually be able to identify which specific setting it's failing on, on a per-policy basis. Config Manager, SCCM, is going away in 2024 Q1 with respect to any integration with cloud management policies, so if you were banking on using your SCCM as a compliance policy you might as well stop now; there's no point in implementing it.

Hybrid joining is important. It's complicated. If you don't hybrid join your on-prem devices, they're not joined to a domain from the Intune perspective, which means they're not joined to your Azure Active Directory, which means they're not a trusted device. So you have to have group policies in place, you have to have your Active Directory Federation Services in place, you have to have your AD or Entra sync (depending on which name you're using this week), you have to work closely with your SCCM team to make sure that SCCM is talking to the cloud management gateway, which talks to Intune. All these pieces have to be together before any of this stuff is going to work properly, and you need to make sure that the new SCCM client is applied to all of your devices.

Policy filters are an interesting art. They're really, really helpful, but you need to make sure that you're applying them correctly. An interesting aside: the policy filters only apply to devices that are in your MDM. So if you, for example, had say a contractor that regularly connected to your environment over VPN to provide you with all sorts of support, and you're thinking okay, that's cool, he's connecting, and you notice he connects with Windows 7 every single time, and you think okay, that's no problem, I'll just put in a filter that says Windows 10 and below (you know, pick the current rev), I'm not going to allow that device to connect. Well, guess what: if you haven't onboarded his contractor device, which he's not going to let you onboard into your MDM policy, the policy filter doesn't apply. So now what? Well, that means that you have to apply that with VPN controls on the client instead.

When we're talking about iOS and Mac, you have reduced visibility unless you are using DEP, the Device Enrollment Program; it's not Data Execution Prevention, you know, once again here we are reusing acronyms in this industry. That's a complicated process that has to be done essentially at device wipe time. And then when we start looking at configuration policies, you can't apply compliance policies on a Mac until you've applied config policies first, because if you don't, what will happen is you'll require that they have an eight character simple password and it'll brick their device, because for some reason their password that's 24 characters, upper and lower case, doesn't want to be recognized as an actually compliant password. I have no idea why, but yes, I have bricked a couple devices like this and it was not a happy day. So
when we move into conditional access, we're starting to talk about some signals. Who's connecting? What are they connecting from? Where are they connecting from? Is the device compliant? How are you authenticating? Is there a sign-in risk for your behavior? Based on that we're going to either allow or deny or limit your access to data. We're going to enforce some controls by continuously evaluating your access, and then we're going to monitor and adjust for sign-in risk. Conditional access allows you to layer controls around your data based on signals that you have defined. It's central to a data-centric security strategy. It also provides you with just-in-time evaluation to ensure that a person who is seeking access to content is authorized to have access to that content. So is everybody with me so far? Okay.

So let's put this together. The closer you are to your data, the more trust you will require. The less trust in your device or location or authentication, the greater the friction that's applied. Exclusion versus inclusion is important, especially when you start talking about layered policies. Wide policies give you better controls over session settings, but narrow policies are better for your ease of troubleshooting and target specific issues. OS-specific policies: what's your user base? Are you all Windows? Are you all Mac? Well, maybe you should pick the one that's appropriate and block all the other ones because they don't belong there. If it shouldn't be there, don't allow it. Browser-only versus app policies: as we had the talk this morning with Dave (hey Dave, thanks for coming), especially when you're talking about the differences between browsers versus apps, there are different settings that apply based on whether it's a browser or an app. If you put them in the same policy they don't actually apply quite right, so you're actually better off separating them to make sure that you're applying the settings you want. Trusted versus untrusted devices, locations and user types, those are important. When we start looking at special use cases: device enrollment, security information registration, administrative users, and then there's some things that should never happen.

Let's define some locations. Corporate: you have an internal IP range, identify that location. Privileged access workstations: this is where your administrators should be working from. If they're not working from here, they shouldn't have access to the console. So that example where we had PowerShell access to the Graph API to be able to query extra things, well, maybe you should block all of that because you're not coming from an authorized IP range. Regional locations are appropriate; we need to identify those. Where should your users be coming from? Untrusted IPs: anything that has an IoC associated with it, you want to block that, so you want to have an idea of where those are. Anything outside of your geo, so untrusted geos, well, there happens to be a Canadian government sanctions list; start there. Allowed locations, you might have some of those.

So what does this look like when you're looking at the entirety? Apparently this wants to jump; this is supposed to be clickable. Oh, there it is, cool, excellent. So this policy diagram (you don't have to take pictures) is included at the end, so this should give you an idea of how the
complexity of this stuff works. But when you're talking about a healthcare setting in particular, which is the environment that I'm specifically looking at, we talked about on-premises being a potential risk, but in our case we have a lot of localized controls. We have NAC, we have compliance and remediation on that NAC environment, we have EDR, USB group policy, configuration management, centralized patching and reporting, segmented networks, firewalled security zones, and that's not anywhere near all of it. So some of those things are in place also because we want our users to be able to walk and move around freely. We have to build these zero trust systems so that we have the respect for our patients, their families and their needs, but also so that they're protected at all times while our staff are moving around to support them in those spaces. Sometimes protection for that can also mean reducing friction for staff that might already be in a trusted area like an operating room theater. It's really hard to physically get into an operating room theater without anybody noticing. I have tried and it doesn't actually work; they catch you about three doors back, usually.

Guest Wi-Fi. Well, guess what, guest Wi-Fi is the same as any remote space. That includes bring-your-own-device Wi-Fi, anything that's not in the corporate network, that doesn't apply to NAC, that doesn't have all those other controls. That's guest as far as I'm concerned; you might as well be on a beach in Cabo, it's the same place for me.

So, things to block. Guest access for global apps, we want to do that. High-risk admin tools: we talked about making sure that you're coming from privileged access workstations; this is how you do it. Legacy authentication: Exchange ActiveSync is a great way to get owned. Do not leave that on anywhere on your network under any circumstances. Other clients is SMTP and IMAP, so that's a great way for your environment to get hacked. If you have a requirement for SMTP, make sure that that's a specific server that's in your environment, that is not an Exchange server, that is relaying your SMTP traffic from your old NetApp file shares or whatever it happens to be that you've got, your fibre switches, pick something else, and make sure only that IP can send SMTP to your tenant, nothing else, not one. But put an entire ton of telemetry on that device and make sure that the only thing that is getting there is stuff you expect. Linux apps, Mac apps, well, we said that we're not going to allow those because they're on untrusted devices. Windows Phone... I'm just... never mind. Windows apps on an unmanaged device: if it's unmanaged you don't control the data. If you have access to the apps you can download data out of the app onto the device. If you don't control the device you don't control the data. Mobile browsers: so if it's Exchange Online or SharePoint Online, don't allow access to that over a mobile browser. You're thinking, why would you do that? Well, there's a mobile app; there's an Outlook app and a SharePoint app. If you control the data in the app you control the data. If you leave it outside in that browser you have way less control over that data and
you open yourself up to token replay attacks, so don't allow it.

Session. Security information registration from off-prem. So in the case of security information registration, this one's kind of funny. If you sync, say, 16,000 users to the cloud because you want your global address list to have all your users in it before you migrate all your users, and we have some assumptions around here that all of our users use strong, complex and unique passwords, but just in case they don't we want to put in some guard rails. And the reason for that is it ends up that the first person who authenticates to the Azure tenant with a username and password gets to register the MFA, and guess who owns the account from that point forward? So don't allow it from off premises; make them come on-prem. Yeah, okay, you're not going to be anybody's friend at the beginning, but we need to make sure that we've secured their authentication and got them into a trusted state before we start migrating into those circumstances. And we do have things like Zoom or Teams or whatever; if your help desk has a way to validate people, you should use that. Unknown or untrusted device platforms: if it's not in one of the list of supported device platforms, don't ever let it anywhere near your tenant, and I have an example of that later. Locations: so you exclude. You allow all, you exclude everybody, and you allow the one location that you've trusted. Untrusted locations as an include: this is for those things that are on that sanctions list. This makes sure that when you allow people later to go internationally, they still can't get to you from, you know, Canada, because we don't trust Canada, right?

So session tokens, session terms of use and risk policies. Administrators should be required to use MFA no matter what, but we're not going to use the MFA option, we're going to use the authentication strength, and we're going to require a reduced timeout or sign-in frequency. If you're using browser: no browser persistence, not ever. If somebody closes a browser and reopens it they should never, ever get their session back, not ever. MDM enrollment... sorry, limiting downloads. When we limit downloads we're making sure that if you are coming from an untrusted device you don't get to download files, because that would be to an untrusted device and we'd lose control over that. Now, that doesn't stop someone from pulling out their phone and going "oh, I'm going to take a picture of that," but what it does is it stops those casual decisions. Terms of use: a great way to apply your administrative controls and make sure that everybody's following them, because everyone follows administrative controls. Sign-in risk: if it's a high sign-in risk, that's anybody that's coming from a malicious IP or an unfamiliar sign-in location that's really, really malicious because it's usually on a CTI list, block that access. Everybody else gets MFA, and when you MFA you also reset your user and your sign-in risk, which is great. What about users? If a user hits a high sign-in risk, change their password. They can do it remotely after they've signed up for self-service password reset and they're using two factors to do it, and at that point it's okay to use SMS because you're using an authenticator push, so that's still two valid factors at that point.

Allow policies on-prem. We talked about apps and browsers are allowed. Longer sign-in frequency is actually appropriate because single sign-on actually applies, so when they authenticate every time they log in, they're actually authenticating back to the Azure Active Directory and you show a full Windows sign-in in the AAD every single time. For those approved for international travel, there's your policy. I guess if you need that, you know, maybe you should have some controls in there; multifactor would be a good choice. MFA for VPN: so if you have a VPN you probably don't have your contractors in that environment. You want to make
sure that you're applying authentication strength again against those, nice short re-sign-in frequencies for those.

So, off-premises allow policies. This is where it starts to get really complicated, because we're going to allow mobile apps with device compliance, sorry, with application compliance, so an application protection policy within the Intune side that we talked about earlier, and we're going to use the authentication strength. The reason we're doing that and we're not doing MFA is because you'll notice there's an MFA option; that's actually a deprecated control, it's not actually planned anymore. We're also going to disable resilience defaults for everyone, and we're requiring that multifactor authentication strength for everyone. There are no exceptions: everyone off-prem always gets MFA, no matter what. Disabling resilience defaults: so that token replay that we saw this morning, this actually stops that in a very large number of circumstances. What this does is, if you have grabbed the session token with EvilProxy or Evilginx or something else, and someone has already managed to get your token, based on your post-MFA, and they can replay that token, well, because you've disabled resilience, if your IP address changes the new session doesn't connect anymore. So this doesn't work all the time, but this reduces that. Microsoft has also just recently added something called token protection. It's very new, it's so new it's in preview, and it actually came out in the last few weeks, and I have no idea anything about how well it works, but what I do know is that there are so many restrictions around its use, it's not ready for me.

Sorry, I'm jumping ahead. Mobile devices. Yes, I know I'm a couple of minutes over time now. Mobile devices. So when we're talking about untrusted devices, if you are using, sort of, Outlook is allowed with a longer sign-in frequency. Non-MAM means MDM, so if it's outside the container it falls back to the device compliance policies, and that is an interesting one, because sometimes they'll do something like Teams has an extra component that they add, because Teams has like a million components, and that one component they mess up, it's outside the container. Guess what, that one piece now falls back to your device compliance and it's not leaking data. So when Microsoft fixes that with an update that your users now have to go apply, you can ask them to go apply that update, because you're using MAM and you can't control their updates.

Trusted devices. So Windows, we talked about browsers earlier. Mac, Windows, Linux: if it's an untrusted device, short sign-in frequency, no downloads. And when we get into trusted devices, browsers that are Azure AD joined or hybrid Azure AD joined, which Microsoft now calls Microsoft Entra ID joined or hybrid Entra ID joined, or, hey, depending on your perspective, they can have a longer sign-in frequency, a few days. Compliance policies apply as per Intune and they're allowed to download files because I get to remotely wipe that device, so I don't have to worry about it in the same way. I know it's encrypted, I know I can wipe the device. The same thing goes for apps: they can download files because I have control over the device and I have control over my requirements. Exclude policies: anything you want to test, you want to be able to exclude.
Break-glass account, you want to exclude that.

An example risky sign-in. You remember I was mentioning no OSes, no information around what's going on there? Well, that's where you stick that. You'll notice that there are two separate policies that hit on that: one of them is block unknown or unsupported OS, one of them is block high-risk sign-in. This is what it looks like when you put it all together. And then, are you ready for the race? But wait, there's more. Authentication context in PIM: you can require FIDO2 tokens using this stuff all layered together just for your administrators to escalate to Global Admin. You can also apply this to conditional access or to sensitivity, so you could turn around and say okay, this is PHI, you're required to be in the place I trust and only the place I trust. Data loss prevention ties in with these. Licensing is very important: E3 or higher, E5 Compliance or higher, and that's only the parts we talked about, so there's a little bit more in here.

So let's talk about conclusions quickly. Authentication starts with devices, clients and apps. Hybrid joined for hybrid orgs, Entra joined for cloud-based orgs; registering is only for BYOD. Require compliance: MDM for devices, MAM for applications. User authentication methods matter. Things change; check them quarterly. Licenses are important, so are your logs. There's a whole ton of links; two that are important are the CISA SCuBA standard, and the Australian government has a really awesome blueprint. There is no time for questions, but please activate the QR codes, everyone. Excellent, thank you so much. That was quite the race condition. I was hoping for somebody to activate the QR code; this is the real QR code. Thank you for playing the QR code game; nobody unfortunately got Rickrolled on the way through. So, okay, yes, thank you so much.
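The layered model the talk walks through (block policies first, then grant and session controls, with every matching policy applying) as an added Python example; this is not the speaker's tooling or Microsoft's evaluation engine. Policy names, location labels, device states and the sample sign-ins are constructed placeholders, and the combination rules (any block wins, grant controls are unioned, the most restrictive session control wins) are a simplification of how conditional access combines policies.

```python
"""Toy evaluator for the layered conditional access model described in the talk.
Added example, not the speaker's tooling or Microsoft's engine; policy names,
location labels and the sample sign-ins are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Callable

SUPPORTED_PLATFORMS = {"windows", "macos", "ios", "android", "linux"}
LEGACY_CLIENTS = {"exchange_activesync", "other_legacy"}   # EAS, SMTP/IMAP/POP
UNTRUSTED_LOCATIONS = {"untrusted_geo", "ioc_ip"}          # sanctions list, CTI hits
ON_PREM = {"corporate", "paw"}                             # corporate ranges and PAWs
TRUSTED_DEVICES = {"hybrid_joined_compliant", "entra_joined_compliant"}
MOBILE, M365_DATA_APPS = {"ios", "android"}, {"exchange_online", "sharepoint_online"}
DEFAULT_SESSION = {"sif_hours": None, "browser_persistence": True,   # tenant defaults;
                   "downloads": True, "resilience_defaults": True}   # sif = sign-in frequency

@dataclass(frozen=True)
class SignIn:
    """The talk's signals: who, from where, on what, via which client, on which device, at what risk."""
    user: str
    is_admin: bool
    location: str       # corporate | paw | regional | guest | untrusted_geo | ioc_ip
    platform: str       # windows | macos | ios | android | linux | unknown
    client_app: str     # browser | mobile_app | desktop_app | exchange_activesync | other_legacy
    device_state: str   # hybrid_joined_compliant | entra_joined_compliant | mam_protected | unmanaged
    sign_in_risk: str   # none | low | medium | high
    app: str            # exchange_online | sharepoint_online | admin_portal | generic

@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    block: bool = False
    grant: frozenset = frozenset()                 # e.g. {"mfa_strength"}
    session: dict = field(default_factory=dict)    # subset of DEFAULT_SESSION keys

@dataclass
class Decision:
    blocked_by: list = field(default_factory=list)
    grant: set = field(default_factory=set)
    session: dict = field(default_factory=lambda: dict(DEFAULT_SESSION))

POLICIES = [
    # Block policies: legacy auth, untrusted geos/IoC IPs, unknown platforms, high sign-in
    # risk, admin tools off a PAW, mobile browsers to Exchange/SharePoint Online
    Policy("block-legacy-auth", lambda s: s.client_app in LEGACY_CLIENTS, block=True),
    Policy("block-untrusted-locations", lambda s: s.location in UNTRUSTED_LOCATIONS, block=True),
    Policy("block-unsupported-platform", lambda s: s.platform not in SUPPORTED_PLATFORMS, block=True),
    Policy("block-high-signin-risk", lambda s: s.sign_in_risk == "high", block=True),
    Policy("block-admin-tools-off-paw",
           lambda s: s.is_admin and s.app == "admin_portal" and s.location != "paw", block=True),
    Policy("block-mobile-browser-to-m365", lambda s: s.platform in MOBILE
           and s.client_app == "browser" and s.app in M365_DATA_APPS, block=True),
    # Grant/session policies: MFA authentication strength for admins and everyone off-prem,
    # no browser persistence, resilience defaults off off-prem, short sign-in frequency and
    # no downloads on untrusted devices, days on joined + compliant devices
    Policy("admins-mfa-strength", lambda s: s.is_admin, grant=frozenset({"mfa_strength"}),
           session={"sif_hours": 1, "browser_persistence": False}),
    Policy("offprem-mfa-strength", lambda s: s.location not in ON_PREM, grant=frozenset({"mfa_strength"}),
           session={"browser_persistence": False, "resilience_defaults": False}),
    Policy("medium-risk-mfa", lambda s: s.sign_in_risk == "medium", grant=frozenset({"mfa_strength"})),
    Policy("untrusted-device-session", lambda s: s.device_state not in TRUSTED_DEVICES,
           session={"sif_hours": 8, "downloads": False}),
    Policy("trusted-device-session", lambda s: s.device_state in TRUSTED_DEVICES, session={"sif_hours": 72}),
]

def evaluate(s: SignIn, policies=POLICIES) -> Decision:
    """Every matching policy applies: any block wins outright, grant controls are
    unioned, and each session control keeps its most restrictive value."""
    d = Decision()
    for p in (p for p in policies if p.applies(s)):
        if p.block:
            d.blocked_by.append(p.name)
            continue
        d.grant |= set(p.grant)
        for key, value in p.session.items():
            current = d.session[key]
            if key == "sif_hours":
                d.session[key] = value if current is None else min(current, value)
            else:                      # booleans: False is the stricter setting
                d.session[key] = current and value
    return d

# Constructed sample sign-ins, not real log data
SAMPLES = {
    "eas-from-corp": SignIn("alice", False, "corporate", "windows", "exchange_activesync",
                            "hybrid_joined_compliant", "none", "exchange_online"),
    "guest-browser-unmanaged-mac": SignIn("bob", False, "guest", "macos", "browser",
                                          "unmanaged", "low", "sharepoint_online"),
    "hybrid-joined-on-prem": SignIn("carol", False, "corporate", "windows", "browser",
                                    "hybrid_joined_compliant", "none", "generic"),
    "admin-not-from-paw": SignIn("dave", True, "corporate", "windows", "browser",
                                 "hybrid_joined_compliant", "none", "admin_portal"),
}

def run_samples() -> dict:
    return {name: evaluate(s) for name, s in SAMPLES.items()}
```

Running the samples shows the talk's outcomes side by side: EAS is blocked even from the corporate network, the guest browser session gets MFA strength with an 8 hour sign-in frequency and no downloads, and the admin is blocked from the admin portal unless the sign-in comes from a PAW.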