We will talk about securing data and information when they are transferred to online systems, e.g. SharePoint Online, Teams and Exchange.
The first part covers modern authentication: what the legacy protocols are, and how to monitor and block legacy authentication, e.g. in Exchange Online and Exchange on-premises.
The second part covers conditional access, best practices for assignments and access control, and how to enable MFA (optional).
We will talk about securing authentication and authorization for Office 365 applications, then labeling and monitoring data.
Consideration before start
Before blocking legacy authentication, be aware of the following:
- All authentication requests made by an older protocol will be blocked.
- Legacy authentication doesn't support MFA.
- Older Office clients that don't use modern authentication (for example, an Office 2010 client) will be blocked.
- Any client that uses older mail protocols such as IMAP, SMTP, or POP3 will be blocked.
Modern Authentication
- What is Modern Authentication and what are the features we need
- Protocols supporting basic and modern Authentication
- Tool for troubleshooting (connectivity test tool)
- Start monitoring Basic Authentication (also known as Legacy Authentication)
- Enable Modern authentication for your Exchange
- Outlook 2013 with modern Authentication
MFA
- What is Multi-factor Authentication (MFA)
- Prerequisites before (MFA)
- Enable on (pilot users)
- Start enabling on all users using the MFA registration policy (user experience)
Conditional access
- What is security defaults and baseline policies?
- Block legacy authentication Conditional access
- Force modern authentication for all applications
- Exclude service accounts and the Directory Synchronization Service Account
- Monitor using sign-ins
What is modern authentication and what are the features we need
"Modern" is a term widely used by Microsoft to describe new features; in our case it describes authentication and authorization:
Authentication: MFA
Authorization: OAuth
Conditional access policies: MAM and Azure AD conditional access policies
Hybrid modern authentication overview
Authentication works on the basis of token requests: the authorization process sends the request to the authentication provider (Azure AD) rather than sending the username and password over the network to the resource (Exchange Online, Skype, etc.) and caching the credentials locally.
Users no longer need to enter credentials into Office 2013 and 2016 to connect to Office 365.
- Modern authentication protocols provide single sign-on (SSO).
- The conditional access feature does not work when basic or legacy authentication is used.
If you are in a hybrid environment, check your systems to find out what is using the other protocols (basic or legacy authentication) before blocking legacy authentication, e.g. SharePoint, Exchange and Skype.
The following is an example for Exchange on-premises.
Protocols supporting basic and modern authentication

| Modern | Basic |
| --- | --- |
| SAML | SMTP |
| OAuth2 | POP3 |
| OpenID Connect | IMAP4 |
| WS-Federation | |
You can run the following command in Exchange Online PowerShell to see which protocols your authentication policies still allow to use basic authentication; you can then set them to false:
Get-AuthenticationPolicy | FL -Property *basi*

Use the following command to check whether OAuth is enabled in the hybrid environment. For Exchange on-premises it must be true; if it is not, run the Set-OrganizationConfig command in the on-premises Exchange Management Shell to enable it:
Get-OrganizationConfig | FT OAuth*
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$True
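The following is an added example (not from the original post) that takes the two checks above a step further: it creates an Exchange Online authentication policy with every basic-authentication protocol switched off, assigns it to one pilot mailbox, and then verifies the on-premises OAuth setting. It assumes an Exchange Online PowerShell session for the first part and the on-premises Exchange Management Shell for the last part; the policy name and the pilot mailbox address are placeholders.

```powershell
# Added example, not code from the original post.
# Part 1: Exchange Online PowerShell (after Connect-ExchangeOnline).

$policyName = 'Block Basic Auth'                 # placeholder policy name
$pilotUser  = 'pilot.user@contoso.example'       # placeholder pilot mailbox

# Create the policy once. Every -AllowBasicAuth* switch is set to $false, so
# clients on these protocols must use modern authentication (OAuth) or are refused.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthActiveSync:$false `
        -AllowBasicAuthAutodiscover:$false `
        -AllowBasicAuthImap:$false `
        -AllowBasicAuthMapi:$false `
        -AllowBasicAuthOfflineAddressBook:$false `
        -AllowBasicAuthOutlookService:$false `
        -AllowBasicAuthPop:$false `
        -AllowBasicAuthPowershell:$false `
        -AllowBasicAuthReportingWebServices:$false `
        -AllowBasicAuthRpc:$false `
        -AllowBasicAuthSmtp:$false `
        -AllowBasicAuthWebServices:$false | Out-Null
}

# Same view the post gets from "Get-AuthenticationPolicy | FL -Property *basi*",
# limited to the new policy: every AllowBasicAuth* value should read False.
Get-AuthenticationPolicy -Identity $policyName | Format-List -Property AllowBasicAuth*

# Assign to the pilot user first. Make it the tenant default only after the
# sign-in monitoring shows no remaining basic-auth clients.
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Part 2: on-premises Exchange Management Shell.
# OAuth must be enabled for hybrid modern authentication; read first, change only if needed.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
}
Get-OrganizationConfig | Format-Table OAuth2ClientProfileEnabled
```

Keeping the policy per-user at first means a client that silently depended on basic authentication (a scanner sending SMTP, an old IMAP mailbox client) only breaks for the pilot, where it is noticed and fixed, rather than for the whole tenant.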

After this change, all your Office 2016 clients will automatically start using modern authentication.
Users who were getting the basic pop-up asking for credentials when opening Outlook will now have an SSO experience!
You can test before applying modern authentication.
For Skype, run the following:
Get-CsOAuthConfiguration
Tool for troubleshooting
Connectivity test tool: Microsoft Support and Recovery Assistant for Office 365

The following is the list of Microsoft identity platform authentication protocols: Microsoft identity platform authentication protocols
For hybrid modern authentication (how it works, what the evoSTS is, i.e. the Security Token Service used by Azure AD, and what happens in the hybrid environment) and for how to configure the on-premises applications before enabling modern authentication, see the following article: Hybrid modern authentication overview
Start monitoring Basic Authentication (also known as Legacy Authentication)
The following is the most important part.
Legacy authentication is listed here as "Other clients". Go to Azure AD > Sign-ins, add the Client app column (make sure Client application is selected), and then choose Client app in the filter.
Then, in the Client app filter, choose Other clients. These are the applications that are using legacy authentication (clear-text passwords).
If any sign-ins appear, we still have users using basic authentication, and that must be fixed.
You can find the details of what is using the other protocols in the sign-in's details.
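The portal filter above works for a quick look; for a recurring check, the following added example (not from the original post) triages exported sign-in records and lists who still signs in with a legacy client app. The records are constructed sample data in the shape of the Azure AD sign-ins export (the same fields are returned by Get-MgAuditLogSignIn in Microsoft Graph PowerShell); the user names are placeholders.

```powershell
# Added example, not code from the original post.
# Constructed sample sign-in records; the real export has the same property names.
$sampleJson = @'
[
  { "createdDateTime": "2024-01-10T08:01:12Z", "userPrincipalName": "alice@contoso.example",   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser" },
  { "createdDateTime": "2024-01-10T08:03:40Z", "userPrincipalName": "bob@contoso.example",     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4" },
  { "createdDateTime": "2024-01-10T08:05:02Z", "userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP" },
  { "createdDateTime": "2024-01-10T08:07:55Z", "userPrincipalName": "carol@contoso.example",   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients" },
  { "createdDateTime": "2024-01-10T08:09:30Z", "userPrincipalName": "bob@contoso.example",     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients" }
]
'@

# Client app values that the sign-in log reports for basic/legacy authentication.
# "Other clients" is the bucket the post filters on in the portal; the others are
# the protocol-specific legacy values the same log can show.
$legacyClientApps = @(
    'Other clients', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
    'Exchange ActiveSync', 'Exchange Web Services', 'Exchange Online PowerShell',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Outlook Service', 'Reporting Web Services', 'Autodiscover'
)

function Get-LegacyAuthSignIns {
    # Returns only the records whose client app is a legacy-authentication client.
    param([Parameter(Mandatory)][object[]]$SignIns)
    $SignIns | Where-Object { $legacyClientApps -contains $_.clientAppUsed }
}

function Get-LegacyAuthSummary {
    # One row per user/client-app pair: who still needs fixing, on which protocol,
    # how often, and when they were last seen.
    param([Parameter(Mandatory)][object[]]$SignIns)
    Get-LegacyAuthSignIns -SignIns $SignIns |
        Group-Object userPrincipalName, clientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].userPrincipalName
                ClientApp = $_.Group[0].clientAppUsed
                Count     = $_.Count
                LastSeen  = ($_.Group | Sort-Object createdDateTime | Select-Object -Last 1).createdDateTime
            }
        } | Sort-Object Count -Descending
}

$signIns = $sampleJson | ConvertFrom-Json
Get-LegacyAuthSummary -SignIns $signIns | Format-Table -AutoSize

# For live data (assumption: Microsoft Graph PowerShell installed and connected with
# AuditLog.Read.All), replace the sample with:
#   $signIns = Get-MgAuditLogSignIn -All
```

On the sample data only the rows for bob (IMAP4 and Other clients) and scanner (Authenticated SMTP) are listed; alice and carol used modern authentication and do not appear. The rows with a service-style account such as the scanner are exactly the ones to resolve or exclude before the blocking policy is switched on.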

Enable Modern authentication for your Exchange
Go to the Microsoft 365 admin center, then Settings > Settings > Services, search for Modern authentication and enable it.
Note: don't enable it until you have reviewed the prerequisites.

Outlook 2013 with modern Authentication
By default, all versions of Office from 2016 onward support modern authentication. For Office 2013, add the following registry keys after monitoring.
Ref: Enable Modern Authentication for Office 2013 on Windows devices

| Registry key | Type | Value |
| --- | --- | --- |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL | REG_DWORD | 1 |
| HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version | REG_DWORD | 1 |
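The following is an added example (not from the original post) that sets the two registry values from the table above for the current user and then verifies them, so a helpdesk script can both apply and audit the Office 2013 change. The key path and values are the ones in the table; the function names are my own.

```powershell
# Added example, not code from the original post.
# Office 2013 = version 15.0; both values are REG_DWORD = 1 (from the table above).
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$required    = @{ EnableADAL = 1; Version = 1 }

function Set-Office2013ModernAuth {
    # Create the key if Office has not created it yet, then set each DWORD.
    if (-not (Test-Path $identityKey)) {
        New-Item -Path $identityKey -Force | Out-Null
    }
    foreach ($name in $required.Keys) {
        New-ItemProperty -Path $identityKey -Name $name -Value $required[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-Office2013ModernAuth {
    # Returns $true only when both values exist with the expected data,
    # so it can be used as a compliance check on its own.
    if (-not (Test-Path $identityKey)) { return $false }
    $props = Get-ItemProperty -Path $identityKey
    foreach ($name in $required.Keys) {
        if ($props.$name -ne $required[$name]) { return $false }
    }
    return $true
}

Set-Office2013ModernAuth
if (Test-Office2013ModernAuth) {
    Write-Output "Office 2013 modern authentication registry values are set under $identityKey"
} else {
    Write-Warning "Registry values missing or wrong under $identityKey"
}
```

Because the key lives under HKCU, run the script in the context of the user whose Office 2013 should switch to modern authentication (for example as a logon script), not as an administrator in a separate session.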
MFA
What is MFA?
It is an additional layer of security: something you have, like a mobile phone, used as a second (or further) verification method.
Never enable it unless you are sure no one is using basic authentication.
Before enabling MFA
- All authentication requests made by an older protocol will be blocked.
- Legacy authentication doesn't support MFA.
- Older Office clients that don't use modern authentication (for example, an Office 2010 client) will be blocked.
- Any client that uses older mail protocols such as IMAP, SMTP, or POP3 will be blocked.
In our case the second authentication factor will be one of the following, depending on the feature you need and the license you have; you can limit which option may be used. I recommend the Authenticator application.
- Phone call
- An SMS message that provides a one-time use code
- Notification through mobile app
- A push notification to a mobile device app
Enable on (pilot users)
Start by choosing a user and enabling MFA for that user.
Choose the verification method required.

MFA registration policy
User experience
Azure Active Directory Identity Protection will prompt your users to register the next time they sign in interactively, and they will have 14 days to complete registration. During this 14-day period they can bypass registration, but at the end of the period they will be required to register before they can complete the sign-in process.
How To: Configure the Azure Multi-Factor Authentication registration policy
Policy configuration
Azure AD Identity Protection must be enabled first.
- Navigate to the Azure portal.
- Browse to Azure Active Directory > Security > Identity Protection > MFA registration policy.
- Add users or groups. Recommendation: always create groups to exclude.

Conditional access policies
Policy based and security defaults
By default, all baseline policies are deprecated.
You can enable security defaults, but I prefer creating the policies one by one.
The following are the security defaults you can create one by one:
- Require Azure MFA registration (requires Azure AD Identity Protection)
Always create a group for exclusion with every policy.
Note: exclude all service accounts, especially the sync service account, from the MFA policy.

Create conditional access policy to block legacy authentication
Navigate to the Azure portal > Conditional access and create a new policy.
Assignments: all users, excluding service accounts.
- Exactly as follows; don't forget to exclude service accounts (Directory Synchronization Service Account).
- Cloud apps: All cloud apps.
- Under Client apps (preview), set Configure to Yes, and for mobile apps and desktop clients choose Other clients (legacy or basic clients).
- Under Grant, choose Block.

Force modern authentication for all applications
Navigate to Azure > Conditional access > New, as shown below. For this one you can choose report-only until you are sure everything is working fine from monitoring.

What you should know is that blocking other clients might take 24 hours to be applied.
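The two portal walkthroughs above (block legacy authentication, then roll out in report-only while monitoring) can be expressed as one policy definition. The following is an added example (not from the original post) that creates that policy with Microsoft Graph PowerShell: all users and all cloud apps, client apps limited to the legacy types, grant control Block, exclusions for the sync account and a dedicated exclusion group, starting in report-only state. It assumes Connect-MgGraph was run with the Policy.ReadWrite.ConditionalAccess, User.Read.All and Group.Read.All scopes; the exclusion group name and the sync account's display name are assumptions to adjust for your tenant.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft.Graph PowerShell modules and an existing Connect-MgGraph session.

# Exclusions: the directory synchronization account (default display name assumed)
# and the exclusion group created for this policy (placeholder name).
$syncAccount  = Get-MgUser  -Filter "startsWith(displayName,'On-Premises Directory Synchronization Service Account')" -Top 1
$excludeGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BlockLegacyAuth'" -Top 1

$excludeUsers  = @()
$excludeGroups = @()
if ($syncAccount)  { $excludeUsers  += $syncAccount.Id }
if ($excludeGroup) { $excludeGroups += $excludeGroup.Id }
if (-not $excludeGroup) {
    Write-Warning "Exclusion group not found; create it first so service accounts can be excluded."
}

function New-BlockLegacyAuthPolicy {
    # Builds and creates the policy. Start in report-only (as the post recommends for
    # rollout) and pass -Enforce once sign-in monitoring shows no unexpected blocks.
    param([switch]$Enforce)

    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $policy = @{
        displayName = 'Block legacy authentication'
        state       = $state
        conditions  = @{
            users = @{
                includeUsers  = @('All')
                excludeUsers  = $excludeUsers
                excludeGroups = $excludeGroups
            }
            applications   = @{ includeApplications = @('All') }
            # "exchangeActiveSync" + "other" are the legacy/basic client app types,
            # matching "Other clients" in the portal walkthrough.
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

$created = New-BlockLegacyAuthPolicy
Write-Output "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Report-only policies show up in the sign-in log's conditional access details with the result the policy would have had, so the same sign-in monitoring used earlier tells you which accounts would be blocked before anything is enforced.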