v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Control: 1.1.6 Enable Conditional Access policies to block legacy authentication

Description

Use Conditional Access to block legacy authentication protocols in Office 365.

Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.

Remediation

To setup a conditional access policy to block legacy authentication, use the following steps:

  1. Log in to https://admin.microsoft.com as a Global Administrator.
  2. Go to Admin centers and click on Azure Active Directory.
  3. Select Azure Active Directory then Security.
  4. Select Conditional Access.
  5. Create a new policy by selecting New policy.
  6. Set the following conditions within the policy.
    • Select Conditions then Client apps enable the settings for and Exchange ActiveSync clients and other clients.
    • Under Access controls set the Grant section to Block access.
    • Under Assignments enable All users.
    • Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as a best practice.

Default Value: Legacy authentication is enabled by default.

Note: For more granularity the following Audit/Remediation procedure could be utilized.

To disable basic authentication, use the Exchange Online PowerShell Module:

  1. Run the Microsoft Exchange Online PowerShell Module.
  2. Connect using Connect-ExchangeOnline.
  3. Run the following PowerShell command:

Note: If a policy exists and a command fails you may run Remove-AuthenticationPolicy first to ensure policy creation/application occurs as expected.

$AuthenticationPolicy = Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy


If (-not $AuthenticationPolicy.Identity) {
   $AuthenticationPolicy = New-AuthenticationPolicy "Block Basic Auth"
   Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity
}


Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false


Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_1_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_6 --share

SQL

This control uses a named query:

azuread_legacy_authentication_disabled

Tags

category = Compliance
cis = true
cis_item_id = 1.1.6
cis_level = 1
cis_section_id = 1.1
cis_type = automated
cis_version = v1.5.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory