Control: 1.1.6 Enable Conditional Access policies to block legacy authentication
Description
Use Conditional Access to block legacy authentication protocols in Office 365.
Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy uthentication makes it harder for attackers to gain access.
Remediation
To setup a conditional access policy to block legacy authentication, use the following steps:
- Log in to
https://admin.microsoft.com
as aGlobal Administrator
. - Go to
Admin centers
and click onAzure Active Directory
. - Select
Azure Active Directory
thenSecurity
. - Select
Conditional Access
. - Create a new policy by selecting
New policy
. - Set the following conditions within the policy.
- Select
Conditions
thenClient apps
enable the settings for andExchange ActiveSync clients
andother clients
. - Under
Access controls
set theGrant
section toBlock access
. - Under
Assignments
enableAll users
. - Under
Assignments
andUsers and groups
set theExclude
to be at least one low risk account or directory role. This is required as a best practice.
- Select
Default Value: Legacy authentication is enabled by default.
Note: For more granularity the following Audit/Remediation procedure could be utilized.
To disable basic authentication, use the Exchange Online PowerShell Module:
- Run the Microsoft Exchange Online PowerShell Module.
- Connect using
Connect-ExchangeOnline
. - Run the following PowerShell command:
Note: If a policy exists and a command fails you may run Remove-AuthenticationPolicy
first to ensure policy creation/application occurs as expected.
$AuthenticationPolicy = Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
If (-not $AuthenticationPolicy.Identity) { $AuthenticationPolicy = New-AuthenticationPolicy "Block Basic Auth" Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity }
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity - AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false - AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false - AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false - AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false
Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity - STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v140_1_1_6 --share
SQL
This control uses a named query:
azuread_legacy_authentication_disabled