🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub
Loading controls...

Control: 1.1.6 Enable Conditional Access policies to block legacy authentication

Description

Use Conditional Access to block legacy authentication protocols in Office 365.

Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy uthentication makes it harder for attackers to gain access.

Remediation

To setup a conditional access policy to block legacy authentication, use the following steps:

  1. Log in to https://admin.microsoft.com as a Global Administrator.
  2. Go to Admin centers and click on Azure Active Directory.
  3. Select Azure Active Directory then Security.
  4. Select Conditional Access.
  5. Create a new policy by selecting New policy.
  6. Set the following conditions within the policy.
    • Select Conditions then Client apps enable the settings for and Exchange ActiveSync clients and other clients.
    • Under Access controls set the Grant section to Block access.
    • Under Assignments enable All users.
    • Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as a best practice.

Default Value: Legacy authentication is enabled by default.

Note: For more granularity the following Audit/Remediation procedure could be utilized.

To disable basic authentication, use the Exchange Online PowerShell Module:

  1. Run the Microsoft Exchange Online PowerShell Module.
  2. Connect using Connect-ExchangeOnline.
  3. Run the following PowerShell command:

Note: If a policy exists and a command fails you may run Remove-AuthenticationPolicy first to ensure policy creation/application occurs as expected.

$AuthenticationPolicy = Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy


If (-not $AuthenticationPolicy.Identity) { $AuthenticationPolicy = New-AuthenticationPolicy "Block Basic Auth" Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity }


Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity - AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false - AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false - AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false - AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -
AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false


Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity - STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v140_1_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_6 --share

SQL

This control uses a named query:

azuread_legacy_authentication_disabled

Tags

category = Compliance
cis = true
cis_item_id = 1.1.6
cis_level = 1
cis_section_id = 1.1
cis_type = automated
cis_version = v1.4.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory