turbot/microsoft365_compliance

Control: 1.1.6 Enable Conditional Access policies to block legacy authentication

Description

Use Conditional Access to block legacy authentication protocols in Office 365.

Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.

Remediation

To setup a conditional access policy to block legacy authentication, use the following steps:

  1. Log in to https://admin.microsoft.com as a Global Administrator.
  2. Go to Admin centers and click on Azure Active Directory.
  3. Select Azure Active Directory then Security.
  4. Select Conditional Access.
  5. Create a new policy by selecting New policy.
  6. Set the following conditions within the policy.
    • Select Conditions then Client apps enable the settings for and Exchange ActiveSync clients and other clients.
    • Under Access controls set the Grant section to Block access.
    • Under Assignments enable All users.
    • Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as a best practice.

Default Value: Legacy authentication is enabled by default.

Note: For more granularity the following Audit/Remediation procedure could be utilized.

To disable basic authentication, use the Exchange Online PowerShell Module:

  1. Run the Microsoft Exchange Online PowerShell Module.
  2. Connect using Connect-ExchangeOnline.
  3. Run the following PowerShell command:

Note: If a policy exists and a command fails you may run Remove-AuthenticationPolicy first to ensure policy creation/application occurs as expected.

$AuthenticationPolicy = Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
If (-not $AuthenticationPolicy.Identity) {
$AuthenticationPolicy = New-AuthenticationPolicy "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity
}
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false
Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_1_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_6 --share

SQL

This control uses a named query:

azuread_legacy_authentication_disabled

Tags