Using Conditional Access Policies and MFA to Enhance Azure AD Security
Earlier this year, we saw a large influx of successful phishing campaigns, primarily due to attackers being able to circumvent multifactor authentication (MFA). Their schemes worked because they were able to trick users into clicking on a link and giving away their security token—essentially bypassing MFA. The human-error factor highlights the need for phishing simulation training to ensure users are more aware of security threats. With phishing attacks still running rampant—and becoming more complex and harder to detect—it’s imperative that financial institutions use multiple strategies and technologies to optimize security.
The implications of MFA-resistant phishing are huge; the attacks have the potential to affect numerous organizations that depend on Microsoft Entra ID (formerly Azure AD) and Microsoft Office/M365 services to support their operations. However, institutions can minimize account compromises by combining a variety of tactics to prevent cyberattacks from happening. For instance, conditional access policies (CAPs) are a key proactive measure that banks and credit unions can implement to enhance security.
CAPs—which are quickly becoming the baseline of security—are the cornerstone of protecting identities within Microsoft Entra ID. These policies protect the very first step of the identification chain, the sign in attempt. They govern the conditions for users to access Azure services and will grant or deny access based on configured logic. At a high level, this logic can be far reaching but even so, organizations will not rely on only a single CAP. No CAP can provide complete protection. Instead, financial institutions should stack multiple CAPs together to produce better overall coverage and security. For example, requiring MFA, denying sign ins form outside of the USA, and requiring device compliance or specific join status.
Not only will organizations look to stack multiple CAPs, but they will also look to utilize telemetry from multiple Azure services for their logic. Combining services means institutions must have the appropriate licensing for each respective Azure service. For example, to obtain device compliance information, organizations will be required to implement and license for Intune.
Additionally, when designing CAP logic, it can be helpful to take as broad of an approach as possible to the scope of the CAP. The objective is to try to affect as many areas as possible with a single stroke to maximize coverage and reduce gaps in logic. Gaps, or logic bugs, are the result of incorrect scope definitions which will leave an organization vulnerable or at risk when they believe otherwise. A good example of a logic bug is when an organization implements a CAP requiring MFA but not for all users. This leaves a subset of the user base at risk.
Generally, when it comes to creating gaps in logic for CAPs, the rule of thumb is to always create compensating controls. This is how organizations can create complex webs of conditions and still allow for business continuity while simultaneously reducing risk. The trade-off is the more complex an organization’s CAPs are, the harder they will be to design, assess at a glance, and to maintain.
By blending various security tactics and technologies, financial institutions can implement a layered approach to enhance their security posture. They can also partner with a third-party expert like Safe Systems to improve their ability to proactively detect and respond to phishing attacks and other threats. Our CloudInsight™ M365 Security Basics solution offers critical reporting and alerting to help institutions better gauge their security awareness. M365 Security Basics provides visibility into security settings for Azure AD and M365, making it easier for institutions to mitigate the impact of potential cyberattacks.
For more information about how to employ CAPS and modern MFA to minimize security risks, view our recorded webinar on “Securing Azure AD with Conditional Access Policies.“