In Part 1, of our blog series outlining the details of Azure security defaults, we left off on the topic of MFA registration, which utilizes the Microsoft Authenticator app. While all users MUST register for MFA, MFA is not required for all users every time. Security defaults does enforce MFA for privileged accounts every time they log on as these accounts have increased access to your environment. Security defaults requires added authentication for the following nine Azure administrator roles.
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional Access administrator
- Security administrator
- Helpdesk administrator or password administrator
- Billing administrator
- User administrator
- Authentication administrator
MFA should be standard policy for all Azure admin account as account takeover attacks are one of the leading types of threats today. Cybercriminals specifically target privileged accounts so special attention is needed.
Protecting all users
Security defaults is about improving the protection for all users, not just admin accounts. While MFA is not required of every logon attempt, non-admin users are prompted for additional authentication when connecting from a new device or app. There may be other instances that trigger MFA for standard users as well.
Limitations of MFA using security defaults
As mentioned, security defaults gives you free access to Azure AD MFA. Free however, has its limitations. Some of these shortcomings are listed below.
- Admins have no control over verification methods
- SMS and phone calls are not available as second factors
- You cannot configure trusted IPs for MFA exclusion
- An exclusion account for emergency access
- No MFA reports or fraud alerts
Again, keep in mind that Azure security defaults gives you the bare security minimum. To obtain more features and control over MFA, you will need to ante up some additional money. If you have a license for Conditional Access but have not yet enabled it, you can use security defaults as a temporary security band-aid until you are ready to enable Conditional Access policies.
Blocking legacy authentication
The majority of compromising sign-in attempts come from legacy authentication. These credential stuffing or account takeover attacks tend to be automated and performed by bot nets. Legacy authentication utilizes protocols that only use basic authentication. These outdated protocols only require single factor authentication and cannot enforce a second factor as part of the natural authentication flow. This is in contrast to modern authentication, which does support second factor authentication. Using legacy authentication, an imposter can simply bypass your active MFA policy.
Client applications or services that use legacy authentication also have a blaring vulnerability in that credentials are collected and then stored until validated against an authority. Apps or services that utilize modern authentication never store credentials. Instead, they only present them. In other words, modern authentication never trusts the app or service that is requesting your credentials.
For these reasons, it is highly recommended that legacy authentication protocols such as IMAP, SMTP and POP3 be blocked. This means that clients cannot use an older version of Office 2010 but can use a more current version such as Office 2016. Some email/faxing software and other types of applications require the use of these older protocols. Make sure that none of your applications are using legacy authentication protocols before enabling security defaults.
Protecting privileged actions
We mentioned how security defaults uses MFA to protect privileged user accounts. It also protects privileged actions as well. This is important because non-admin users can be delegated to Azure Resources. Azure services can be managed through the Azure Resource Manager API. These services include:
- Azure portal
- Azure PowerShell
- Azure CLI
These services give users tenant wide powers such as the ability to modify configurations, service settings and billing subscriptions. This is why it is imperative to verify the identity of users that utilize them. When enabled, security defaults will require added authentication before allowing delegated access.
Azure AD security defaults certainly has its shortcomings and should not be considered a long-term solution for any sizable organization. It also does not provide the rich security protections that many organizations need to satisfy security policies or compliances. It does provide a “one-click” easy button that new tenants can use to protect themselves right out of the gate while they begin to learn their solution options. While it may provide ample protection for small organizations, tenant owners should view it as a transitory measure only. Security defaults is a great first step and one that hopefully, will better secure the entire O365 community as well.