Enabling modern authentication and MFA


In this Article

This article is about securing data and information as they move to online services such as SharePoint Online, Teams and Exchange Online.

Teams is the hub of the work environment: it integrates SharePoint, Exchange, file transfer and other SaaS platforms, so in this project we secure all the products that integrate with Teams.

The first part covers modern authentication: what the legacy protocols are, and how to monitor and block legacy authentication on Exchange Online and Exchange on-premises.

The second part covers conditional access, best practices for assignments and access controls, and how to enable MFA (optional).

In short, we first secure authentication and authorization for Office 365 applications, then move on to labeling and monitoring data.

Considerations before you start

Before you block legacy authentication, understand what will break:

  • Every authentication request made with an older protocol will be blocked.
  • Legacy authentication does not support MFA, so it cannot be made safe; it can only be blocked.
  • Older Office clients that do not use modern authentication (for example, an Office 2010 client) will stop connecting.
  • Any client that uses the older mail protocols IMAP, SMTP or POP3 with basic authentication will stop connecting.

Modern Authentication

  • What is Modern Authentication and what are the features we need
  • Protocols supporting basic and modern Authentication
  • Tool for troubleshooting (connectivity test tool)
  • Start monitoring Basic Authentication (also known as Legacy Authentication)
  • Enable Modern authentication for your Exchange
  • Outlook 2013 with modern Authentication

MFA

  • What is Multi-factor Authentication (MFA)
  • Prerequisites for MFA
  • Enable MFA for pilot users
  • Roll out to all users with the MFA registration policy (user experience)

Conditional access

  • What are security defaults and baseline policies?
  • Conditional access policy to block legacy authentication
  • Force modern authentication for all applications
  • Exclude service accounts and the Directory Synchronization Service Account
  • Monitor using sign-ins

What is modern authentication and what are the features we need

"Modern" is a term Microsoft uses broadly for new features; in our case it describes authentication and authorization:

Authentication: MFA

Authorization: OAuth 2.0

Conditional access policies: MAM (mobile application management) and Azure AD conditional access policies

Hybrid modern authentication overview

With modern authentication the client requests a token from the authentication provider (Azure AD) and presents that token to the resource (Exchange Online, Skype for Business, and so on). The username and password are never sent to the resource itself, and the client does not cache the credentials locally.

Users no longer need to type credentials into Office 2013 and 2016 to connect to Office 365.

  • Modern authentication protocols support single sign-on (SSO).
  • Conditional access controls cannot be applied to basic (legacy) authentication; the only control that works against it is to block it.

If you run a hybrid environment, check what is still using basic or legacy authentication before you block it.

Examples: SharePoint, Exchange and Skype for Business.

The following is an example for Exchange on-premises.

Protocols supporting basic and modern Authentication

Modern              Basic
SAML                SMTP
OAuth 2.0           POP3
OpenID Connect      IMAP4
WS-Federation

Run the following in Exchange Online PowerShell to see which protocols each authentication policy still allows basic authentication for; any AllowBasicAuth* property that is True can be set to False:

Get-AuthenticationPolicy | FL -Property *basi*

Use the following in Exchange on-premises PowerShell to check whether OAuth is enabled for the hybrid environment. It must be True; if it is not, enable it with the second command:

Get-OrganizationConfig | FT OAuth*

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$True

After this change all Office 2016 clients start using modern authentication automatically.

Users who used to get the basic credential pop-up when opening Outlook now get an SSO experience.
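As an added example (not code from the original post), the following Exchange Online PowerShell session takes the check above one step further: it reports which basic-authentication protocols each authentication policy still allows, creates a policy that allows none of them, pilots that policy on one mailbox, and only optionally makes it the tenant default. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the policy name and the user principal name are placeholders.

```powershell
# Added example: turn off basic authentication per protocol with Exchange Online
# authentication policies. Assumes Connect-ExchangeOnline has already been run.
# Policy name and UPN are placeholders.

# 1. Report: which basic-auth protocols does each existing policy still allow?
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# 2. A newly created authentication policy allows no basic authentication at all;
#    the Set- call makes that explicit so the intent survives later edits.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthWebServices:$false

# 3. Pilot: assign the policy to one user. Resetting the refresh-token validity
#    makes the change apply within minutes instead of waiting for cached tokens.
$pilotUser = "pilot.user@contoso.com"   # placeholder
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName `
    -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 4. Verify the assignment.
Get-User -Identity $pilotUser | Format-List UserPrincipalName, AuthenticationPolicy, STSRefreshTokensValidFrom

# 5. Only after the sign-in log shows no remaining legacy sign-ins: make the policy
#    the tenant default for every user without an explicit policy.
$makeDefault = $false
if ($makeDefault) {
    Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
}
```

Keep `$makeDefault` at `$false` while you still see "Other clients" in the sign-in log; the tenant default is the last step, not the first.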

You can test before applying modern authentication. For Skype for Business, run the following:

Get-CsOAuthConfiguration

Tool for trouble shooting

Connectivity test tool: Microsoft Support and Recovery Assistant for Office 365

For the full list of protocols, see Microsoft's documentation "Microsoft identity platform authentication protocols".

For how hybrid modern authentication works, what the evoSTS is (the Security Token Service used by Azure AD), what happens in a hybrid environment, and how to configure the on-premises applications before enabling modern authentication, see Microsoft's "Hybrid modern authentication overview".

Start monitoring Basic Authentication (also known as Legacy Authentication)

This is the most important part.

In the Azure AD sign-in logs, legacy authentication shows up under the client app "Other clients". Go to Azure Active Directory > Sign-ins, add the Client app column (under Columns, make sure Client app is selected), then add a filter on Client app.

In the filter select Other clients. These are the sign-ins from applications that use legacy authentication and therefore send the password itself (basic authentication) rather than a token.

Any rows here mean users are still using basic authentication, and that must be fixed before it is blocked.

Screenshot: monitoring legacy connections

The details pane of each sign-in shows which user, application, protocol and IP address is involved.
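The portal filter is fine for a quick look, but for a clean-up campaign you want a per-user, per-protocol list to hand to the owners. The following PowerShell is an added example (not from the original post): it summarises legacy sign-ins from a sign-in log export. It runs offline against the constructed sample CSV embedded in the script, whose columns imitate the portal's CSV download; to use real data, replace the sample with `Import-Csv` of your export. The exact column names of your export are an assumption and may need adjusting.

```powershell
# Added example: summarise legacy-authentication sign-ins from an Azure AD sign-in
# log export. The CSV below is a constructed sample shaped like the portal export
# (subset of columns); for real data use: $signIns = Import-Csv .\SignIns.csv

$sampleCsv = @'
Date (UTC),User,Username,Application,Status,Client app,IP address
2020-05-01T08:01:12Z,Alice Example,alice@contoso.com,Office 365 Exchange Online,Success,Other clients; IMAP,203.0.113.10
2020-05-01T08:02:40Z,Bob Example,bob@contoso.com,Office 365 Exchange Online,Success,Mobile Apps and Desktop clients,198.51.100.7
2020-05-01T08:03:05Z,MFP Scanner,mfp-scanner@contoso.com,Office 365 Exchange Online,Success,Other clients; SMTP,192.0.2.25
2020-05-01T08:04:17Z,Alice Example,alice@contoso.com,Office 365 Exchange Online,Failure,Other clients; IMAP,203.0.113.10
2020-05-01T08:05:59Z,Carol Example,carol@contoso.com,Microsoft Teams,Success,Browser,198.51.100.20
2020-05-01T08:06:33Z,Dave Example,dave@contoso.com,Office 365 Exchange Online,Success,Exchange ActiveSync,203.0.113.44
'@

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    # Only these two client-app values are guaranteed to be modern authentication.
    # Everything else (Other clients; IMAP/POP3/SMTP, and Exchange ActiveSync, which
    # can run on basic auth) is treated as legacy and needs a look.
    $modern = @('Browser', 'Mobile Apps and Desktop clients')

    $SignIns |
        Where-Object { $_.'Client app' -notin $modern } |
        Group-Object -Property 'Client app', 'Username' |
        ForEach-Object {
            [pscustomobject]@{
                ClientApp = $_.Group[0].'Client app'
                User      = $_.Group[0].Username
                Attempts  = $_.Count
                Succeeded = @($_.Group | Where-Object Status -eq 'Success').Count
                LastSeen  = ($_.Group | Sort-Object 'Date (UTC)' | Select-Object -Last 1).'Date (UTC)'
                SourceIPs = ($_.Group.'IP address' | Sort-Object -Unique) -join ' '
            }
        } |
        Sort-Object Attempts -Descending
}

$signIns = $sampleCsv | ConvertFrom-Csv
Get-LegacyAuthSummary -SignIns $signIns | Format-Table -AutoSize
```

On the sample this lists Alice (IMAP, two attempts), the scanner (SMTP) and Dave (ActiveSync), and leaves Bob and Carol out. Successful legacy sign-ins are the ones to chase: a device such as the scanner will keep working only if it is moved to a supported method or excluded deliberately.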

Enable Modern authentication for your Exchange

Go to the Microsoft 365 admin center, then Settings > Settings > Services, search for Modern authentication and enable it.

Note: do not enable it until you have reviewed the prerequisites and the sign-in monitoring above.



Outlook 2013 with modern Authentication

All versions of Office from 2016 onward support modern authentication by default. For Office 2013, add the following registry values after the monitoring phase (the referenced article also lists the Office 2013 updates that must be installed first).

Ref: Enable Modern Authentication for Office 2013 on Windows devices

TABLE 1

Registry key                                                        Type        Value
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL     REG_DWORD   1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version        REG_DWORD   1
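The two values from TABLE 1 can be set and verified with PowerShell. The following is an added example (not code from the original post or the referenced article); it writes the values under the current user's hive, creates the Identity key if it is missing, and reads them back so the check can be scripted for a pilot group. Function names are my own.

```powershell
# Added example: set the Office 2013 (15.0) modern-authentication registry values
# for the current user and read them back. Values are those from TABLE 1 above.
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$required = @{ EnableADAL = 1; Version = 1 }

function Enable-Office2013ModernAuth {
    # The Identity key does not exist until Office has signed in once; create it if needed.
    if (-not (Test-Path $identityKey)) {
        New-Item -Path $identityKey -Force | Out-Null
    }
    foreach ($name in $required.Keys) {
        # -Force overwrites an existing value of a different type or content.
        New-ItemProperty -Path $identityKey -Name $name -Value $required[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-Office2013ModernAuth {
    # Returns $true only when both values exist and equal the required DWORD value.
    if (-not (Test-Path $identityKey)) { return $false }
    $props = Get-ItemProperty -Path $identityKey
    foreach ($name in $required.Keys) {
        if ($props.$name -ne $required[$name]) { return $false }
    }
    return $true
}

Enable-Office2013ModernAuth
Test-Office2013ModernAuth   # $true once the values are in place; restart Outlook 2013 to pick them up
```

Because the key lives under HKCU, the script must run in the user's own session (a logon script or Group Policy Preference is the usual delivery); running it elevated as an administrator writes to the wrong profile.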

MFA

What is MFA?

Multi-factor authentication is an additional layer of security: besides the password (something you know), the user proves possession of something they have, such as a mobile phone. Two or more verification methods are required.

Never enable it until you are sure no one is still using basic authentication, because legacy clients cannot complete an MFA challenge.

Before enabling MFA

The same considerations apply as before blocking legacy authentication:

  • Every authentication request made with an older protocol will be blocked.
  • Legacy authentication does not support MFA.
  • Older Office clients that do not use modern authentication (for example, an Office 2010 client) will stop connecting.
  • Any client that uses the older mail protocols IMAP, SMTP or POP3 will stop connecting.

In our case the second factor will be one of the following, depending on the feature you need and the license you have.

You can limit which options users may choose.

I recommend the authenticator application.

  • A phone call
  • An SMS message with a one-time code
  • A push notification to the mobile authenticator app
  • A verification code generated by the mobile authenticator app

Enable MFA for pilot users

Start with a single user, enable MFA for that account, and check that the user can complete registration and sign in.

Choose which verification methods are allowed.
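The per-user enablement can be scripted for a pilot group, which also gives you a report of who is Enabled, Enforced or not covered at all. The following is an added example (not code from the original post) using the MSOnline module's StrongAuthenticationRequirements, which is the same setting the per-user MFA portal toggles. It assumes Connect-MsolService has been run; the user principal names are placeholders.

```powershell
# Added example: enable per-user MFA for pilot users with the MSOnline module and
# report the MFA state of every user. Assumes Connect-MsolService has been run.
Import-Module MSOnline

$pilotUsers = @('alice@contoso.com', 'bob@contoso.com')   # placeholders

# State "Enabled" prompts the user to register at the next interactive sign-in and
# leaves legacy clients working until registration completes, after which the state
# becomes "Enforced". Setting "Enforced" directly breaks legacy clients at once, so a
# pilot starts with "Enabled".
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

foreach ($upn in $pilotUsers) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
}

# Report: MFA state and registered methods for all users, pilot users first.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState'; Expression = {
            if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else { 'Disabled' } } },
        @{ Name = 'Methods'; Expression = {
            ($_.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',' } } |
    Sort-Object MfaState -Descending |
    Format-Table -AutoSize

# Roll back a pilot user by passing an empty array:
# Set-MsolUser -UserPrincipalName 'alice@contoso.com' -StrongAuthenticationRequirements @()
```

The report's "Methods" column is how you confirm a pilot user actually registered the Authenticator app (PhoneAppNotification or PhoneAppOTP) rather than only SMS.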

MFA registration policy

User experience
Azure Active Directory Identity Protection will prompt your users to register the next time they sign in interactively and they will have 14 days to complete registration. During this 14-day period, they can bypass registration but at the end of the period they will be required to register before they can complete the sign-in process.
How To: Configure the Azure Multi-Factor Authentication registration policy

Policy configuration

Identity Protection must be enabled before the policy can be configured.

  1. Navigate to the Azure portal.
  2. Browse to Azure Active Directory > Security > Identity Protection > MFA registration policy.
  3. Under Assignments, add users or groups. Recommendation: always create a group to exclude.

Conditional access policies

Policy-based protection and security defaults

Baseline policies are deprecated and have been replaced by security defaults.

Security Defaults

You can simply turn on security defaults, but I prefer to create the equivalent policies one by one.

The following are the security-defaults policies, recreated one by one so they can have exclusions.

Always create an exclusion group for every policy.

Note: exclude all service accounts, especially the directory synchronization account, from the MFA policy.

Create a conditional access policy to block legacy authentication

Navigate to the Azure portal > Conditional access > New policy.

Assignments: all users, excluding the service accounts.

  • Configure it exactly as follows, and do not forget to exclude the service accounts (in particular the Directory Synchronization Service Account).
  • Cloud apps: All cloud apps.
  • Conditions > Client apps (preview): set Configure to Yes and, under Mobile apps and desktop clients, select Other clients (legacy or basic clients).
  • Access controls > Grant: Block access.
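The same policy can be created from PowerShell, which makes the exclusion group and the report-only start explicit and repeatable across tenants. The following is an added example (not code from the original post) using the AzureAD module's New-AzureADMSConditionalAccessPolicy; it assumes Connect-AzureAD has been run and that the exclusion group (service accounts and the directory synchronization account) already exists. The group ObjectId is a placeholder.

```powershell
# Added example: create the "block legacy authentication" Conditional Access policy
# with the AzureAD module. Assumes Connect-AzureAD has been run. Starts in
# report-only mode; the exclusion group's ObjectId is a placeholder.
Import-Module AzureAD

$excludeGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: service / sync accounts group

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.Users.ExcludeGroups = $excludeGroupId

# "Other" = legacy/basic clients (IMAP, POP3, SMTP, older Office). Exchange ActiveSync
# can also use basic authentication, so it is included; browsers and modern desktop
# and mobile apps are untouched.
$conditions.ClientAppTypes = @('ExchangeActiveSync', 'Other')

$grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$grant._Operator = 'OR'
$grant.BuiltInControls = @('Block')

$policy = New-AzureADMSConditionalAccessPolicy -DisplayName 'Block legacy authentication' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions -GrantControls $grant

# Verify what was created.
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id | Format-List DisplayName, State, Id

# After the report-only results in the sign-in log show no unexpected hits:
# Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -State 'enabled'
```

Report-only entries appear in the sign-in log with the result the policy would have produced, so you can run the legacy-sign-in summary above against them before switching the state to enabled.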

Force modern authentication for all applications

Navigate to the Azure portal > Conditional access > New policy, as shown below. For this policy you can choose report-only until monitoring confirms that everything is working.

Be aware that a policy blocking Other clients can take up to 24 hours to take effect.

Block Legacy Authentication
