TagSecurity

Security Defaults – a lifesaver for some and a little pain for others

So lets talk about “Security Defaults” a bit, this new feature in AzureAD who replaces “Baseline policies: ” in the Conditional Access pane within Security in AzureAD.

First of all – the baseline policies where in preview and could be changed before the feature went GA so we cant blame anyone of the service changing before production.

The Baseline policies gave us remediaton of MFA and and blocking of legacy authentication within 4 policies that everyone could use within Conditional Access, these four policies where free so no cost and that sweet!

  • Baseline Policy: Require MFA for admins (Preview)
    • Enabled MFA to all administrator roles within AzureAD
  • Baseline Policy: End user protection (Preview)
    • Enabled MFA registration to all users and required MFA for users with leaked password or other risky signins.
  • Baseline Policy: Require MFA for Service Management (Preview)
    • Require MFA for accessing the Azure Portal, Azure PowerShell modules or Azure CLI
  • Baseline Policy: Block legacy authentication (Preview)
    • Blocked the usage of legacy authentication on all services (such as pop, IMAP, native android clients etc.

For a good time now we cound enabled one or more of those 4 baseline rules – but that ends! At February 29th 2020 Microsoft will discontinue the use of Baseline policies so if you are using some of them you need to enable Security Defaults in AzureAD.

Head into portal.azure.com -> Properties -> Security Defaults and enable it.

Please not that if you have license for using Conditional Access (Azure AD Premium P1) you cannot a Conditional Accessrule without disabling Security Defaults.

And if you have Azure AD Premium P1 you should be creating the Conditional Access rules manually and that gived you several advantages such as exclude users, pinpoint to some cloud apps or exclude them and set other requiremets aswel.

Best practice says that you should always have a “Break the glass administrator” account who is excluded from all the Requirements – but please note! That account need to be monitored and high security alerts should be raised every time the account is used.

AIP is deprecated, move to Unified labels now!

At 06.01.2020 Microsoft released the deprication notice for Azure Information Protection client and Label management in the Azure portal. The service is deprecated as of March 31, 2021.

The notice is telling us that within 15 months you all need to migrate all your labels from AIP in the Azure portal over to the new Unified label experience within Office 365 portals.

You find the new label management in several places;

So heres a easy pointer on how to migrate you labels from Azure Information Protection to Unified labels within Office 365.

Navigate to portal.azure.com and head into the Azure Information Protection pane.

From there click on “Unified Labeling” in the left menu and acitvate it.

When this is done you can start using the Unified labeling clients and stop rolling out the classic Azure Information Protection client.

Please keep in mind that you need to have a specific version of Office applications installed on your machine or phone.

  • Windows Desktop – 1910 or higher
  • Mac Desktop – 16.21 or higher
  • iOS mobile – 2.21 or higher
  • Android mobile – 16.0.11231 or higher

For the licensing part here is the license requirement to use Sensitivity labels.

  • Microsoft 365 E3 or above
  • Office 365 E3 or above
  • Azure Information Protection P1

For more advanced use like Automated labeling with sensitivity labels you need to go to E5

  • Microsoft 365 E5
  • Office 365 E5
  • Azure Information Protection P2

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

Automated Investigation & Response

The Automated Investigation & Response feature under Threat management in Security & Compliance admin portal is a pritty new and amazing feature in Office 365.

To use this feature you need to have “Office 365 Advanced Threat Protection Plan 2” licenses witch you can purchase standalone or it`s included in the Office 365 E5 license and yes – you need to be a “Global Administrator” or “Security Administrator” to configure the service. Once configured you can also use “Security Reader” or “Security Operator” to see whats happening.

Have a look here to see all capabilities within “Advanced threat protections”.

So over to Automated Investigation & Response (AIR) – have a look at this screenshot

As we see her we have two detection on-going which waiting on user action. The first one in the picture is automatically found by the system and the second one is a email which I reported through the “Message Report” add-in for Outlook which are deployed to all users (Both Outlook and Outlook Web).

In the overview of the case (the one i reported) we see what`s going on with the message, the Trigger alert, what threats  who where found, how many emails are “infected” and which users that have the infected email in their mailbox (could be a mass-phishing attack)

When we navigate to the Email tab we see what section of the email that are found malicious and in this case the Advanced Threat Protection has matched the URL to a malicious URL

Moving to the Action tab – we are given several a big tool belt meaning that we can do a soft delete from the users mailboxes (in this case only one user, but if this malicious email was delivered to 100 users we can in one click remove the email from the users mailboxes) and block the URL in Safe Links.

So this was very short on how to easily use AIR in your tenant if you have the right license.

Get started with MFA – part two

So in the previously post I went through how to activate MFA for Administrator roles i a really simple and effective way.

In this post we will focus on activating MFA for all regular users. And first off all we need to evaluate who should be activated first or should we activate on all users at the same time and do a evaluation on service accounts! If we enable MFA on for example a serivce account used for scan to email on “multi functional printers” or on a mailbox account witch are used on a thirdparty ticketingsystem (POP/IMAP) we could break those service by just enabling MFA on all users.

My recomandation is when you are more then 30 users in your company you should select a few ambasadeurs who is getting the MFA activated first and can therefore be the power users who can help others with the registration if there is any hick-ups (should not be many).

And to activate MFA for end users I highly recomend to use Conditional Access for

  • all users and exclude a AzureAD Group which contains a “Break the glass Admin” and other service accounts.
  • All cloud apps (no exeptions)
  • Grant Access – but require MFA

Easy like that! And It`s a realy quick solution for your company.

Drawback here is that you need “Azure AD Premium P1” licenses to use Conditional Access and a second drawback is that it`s not scored at the Microsoft Secure Score.

Get started with MFA – part one

You problably heard about multifactor authentication by now, but have you enabled it in your environment?  

If not! Please do so at once! I will in this short blogpost give you the direction to get started with MFA in Azure AD. 

So let`s just jump right into it.  

First things first – protect your admin accounts!  

With admin accounts i mean a account who has a additional role assigned other then beeing a regular user and to mitigate these users we will enable a Conditional Access who is requires MFA for all administrator accounts 

So navigate to Azure Active Directory in portal.azure.com 

Dive into “Security” -> “Conditional Access”  

Click the “Baseline policy: Require MFA for Admins (Preview) and choose to use it immidiatly 

So now you have successfully enabled MFA for all your admins! Great work 😊 

To make it easier for yourself you can now change the MFA verification from the default SMS to Authenticator app by visiting https://aka.ms/mfasetup and add the Authenticator app as a preffered method. 

Next up is to enable it for all your users and that i will cover in the next blog post – Stay tuned for “Get started with MFA – Part two” 🙂

© 2020 IdefixWiki

Theme by Anders NorénUp ↑