
Secure your admin accounts now!

Vladislav Johansen

Updated: Oct 14, 2024


Good evening everyone


In my previous post I mentioned phishing-resistant MFA methods for admin accounts, so let's start by explaining what a phishing-resistant MFA method is.


Phishing-resistant MFA is designed to protect against phishing attacks by using authentication methods whose credentials cannot easily be captured and reused by a phishing page.


Phishing-resistant methods available to Entra ID users:


  1. Passkeys - These are device-bound credentials stored on computers or mobile devices. They let users perform phishing-resistant authentication with the devices they already have, for example Windows PCs or mobile phones. On Windows devices this method uses Windows Hello.

  2. FIDO2 security keys - These are hardware devices that users plug into their computers or connect via NFC or Bluetooth. They use public key cryptography to authenticate users without transmitting any secret that could be phished.

  3. Windows Hello for Business - This method uses biometric data (such as facial recognition or a fingerprint) or a PIN to authenticate users. The credential is tied to the device, making it difficult for attackers to replicate.

  4. Certificate-based Authentication (CBA) - This method uses X.509 certificates on smart cards or devices to authenticate users. It requires the user to possess a physical certificate, which adds an extra layer of security.
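Before enforcing any of the four methods above, you need to know which privileged accounts have actually registered one. The following Microsoft Graph PowerShell script is an added example written for this post (not the author's code) that reads the authentication methods registration report and lists admins without a phishing-resistant method. It assumes the Microsoft Graph PowerShell SDK is installed and that the report names the methods with the prefixes matched below (fido2SecurityKey, windowsHelloForBusiness, passKey*, x509*); check your tenant's output if a name differs.

```powershell
# Added example (not from the original post): find privileged accounts that
# still lack a phishing-resistant method so a Conditional Access policy can be
# rolled out without locking anyone out. Requires the Microsoft Graph PowerShell SDK.
# Assumption: method names follow the userRegistrationDetails report naming
# (fido2SecurityKey, windowsHelloForBusiness, passKey*, x509Certificate).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Patterns that identify the four phishing-resistant methods from the list above
$phishingResistantPatterns = @('fido2*', 'windowsHelloForBusiness', 'passKey*', 'x509*')

function Test-PhishingResistant {
    param([string[]]$Methods)
    foreach ($m in $Methods) {
        foreach ($p in $phishingResistantPatterns) {
            if ($m -like $p) { return $true }
        }
    }
    return $false
}

# isAdmin is true for users holding at least one privileged directory role
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All

$report = foreach ($a in $admins) {
    [pscustomobject]@{
        User              = $a.UserPrincipalName
        PhishingResistant = Test-PhishingResistant -Methods $a.MethodsRegistered
        Methods           = ($a.MethodsRegistered -join ', ')
    }
}

# Accounts listed here must register a passkey, FIDO2 key, Windows Hello for
# Business or a certificate before the enforcing policy is switched on
$report | Where-Object { -not $_.PhishingResistant } | Sort-Object User | Format-Table -AutoSize
```

Run it once before creating the policy and again after the registration campaign; the enforcing policy should only be enabled when the table is empty (apart from break-glass accounts, which you exclude from the policy anyway).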


But is it enough to have just one registered phishing-resistant method on a privileged account today? No, absolutely not.

  1. You should enforce a phishing-resistant method with a Conditional Access policy. Note that you must register a phishing-resistant method on these accounts before enforcing it. If you enforce the policy before registration, you won't be able to register the method afterwards, because the sign-in needed to register it is itself blocked by the policy.

  2. Privileged accounts should not have excessive rights. You don't need Global Admin rights on an account if the work can be done with, for example, Conditional Access Administrator rights. Use RBAC (Role-Based Access Control) in PIM to assign specific roles to your accounts. An admin role should not stay active 24/7/365 either. Use PIM (Privileged Identity Management) and JIT (Just-In-Time) access to request the role only when you need it. Note that PIM requires an Entra ID P2 license, which is included in the E5 license or can be purchased separately on top of E3 or Business Premium licenses.


  3. Another method worth mentioning is blocking sign-ins from countries where admin access is not needed. For example, if everyone who needs admin access works from Norway, it is sufficient to allow sign-ins only from Norwegian IP addresses, or, even stronger, only from the IP addresses you define. This is done using Named Locations in Conditional Access and a Conditional Access policy that references them. Don't forget to exclude your emergency access / break-glass accounts from your Conditional Access policies.

  4. Don't allow persistent browser sessions for admin accounts and set the sign-in frequency to a minimum, for example 1 hour. This can be done by creating a Conditional Access policy.


  5. Require compliant devices to access admin portals. This method can be used as well, and it is highly recommended if for some reason you don't want to or can't use phishing-resistant MFA methods on your admin accounts. Your device must have a compliance policy enforced by Microsoft Intune and meet its requirements before you are allowed into the admin portals. Use Conditional Access to create a compliant-device policy for your admin accounts.


  6. Monitor your privileged accounts by reviewing the sign-in and audit logs manually, or use tools like Azure Log Analytics, Defender for Identity / Defender for Cloud Apps, Microsoft Sentinel or Azure Monitor. Create sign-in risk policies in Conditional Access for admin accounts at medium and high risk, for example by blocking access when those risk levels are detected.
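Steps 1, 3 and 4 above are all Conditional Access policies, and step 5 differs only in the grant control. The script below is an added example written for this post (not the author's code) that creates them with the Microsoft Graph PowerShell SDK in report-only mode, so you can review the sign-in log before enforcing. The break-glass UPNs, the office IP range and the policy names are placeholders; the role names and the built-in "Phishing-resistant MFA" authentication strength ID are Microsoft's well-known values, but verify them in your tenant.

```powershell
# Added example (not from the original post): Conditional Access policies for
# privileged roles, created in report-only mode first. Requires the Microsoft
# Graph PowerShell SDK. Break-glass UPNs, the IP range and the policy names
# below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# Break-glass accounts are always excluded (placeholder names)
$breakGlass   = @('breakglass1@contoso.example', 'breakglass2@contoso.example')
$breakGlassIds = foreach ($upn in $breakGlass) { (Get-MgUser -UserId $upn).Id }

# Resolve role template IDs by display name instead of hard-coding GUIDs
$adminRoles = 'Global Administrator', 'Conditional Access Administrator',
              'Privileged Role Administrator', 'Security Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Built-in "Phishing-resistant MFA" authentication strength
$phishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

# Named location: the only IP range admin sign-ins are allowed from (placeholder range).
# For a whole country instead, use '#microsoft.graph.countryNamedLocation' with
# countriesAndRegions = @('NO') and includeUnknownCountriesAndRegions = $false.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Admin office egress'
    isTrusted     = $false
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

# Conditions shared by both policies: privileged roles, all cloud apps, break-glass excluded
$adminConditions = @{
    users          = @{ includeRoles = $roleIds; excludeUsers = $breakGlassIds }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# Policy 1: phishing-resistant MFA, no persistent browser, sign-in frequency of 1 hour.
# To require a compliant device instead (step 5), replace authenticationStrength with
#   builtInControls = @('compliantDevice')
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA-Admins-PhishingResistantMFA'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = $adminConditions
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 1; frequencyInterval = 'timeBased' }
    }
}

# Policy 2: block admin sign-ins from anywhere except the named location
$blockConditions = $adminConditions.Clone()
$blockConditions.locations = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA-Admins-BlockOutsideOffice'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $blockConditions
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

Leave both policies in report-only mode for a few days and check the sign-in log's report-only results: every admin sign-in that would have been blocked is either a missing registration (fix it with the earlier check) or a location you forgot to add, and only when neither appears should the state be changed to enabled.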


Stay secure everyone, and thanks for reading.




