turbot/microsoft365_compliance

Control: 1.1.11 Enable Conditional Access policies to block legacy authentication

Description

Azure AD supports the most widely used authentication and authorization protocols including legacy authentication. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting user name and password information.

The following messaging protocols support legacy authentication:

  • Authenticated SMTP - Used to send authenticated email messages.
  • Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  • Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
  • Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.
  • Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
  • IMAP4 - Used by IMAP email clients.
  • MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook 2010 SP2 and later.
  • Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
  • Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported by all current Outlook versions.
  • POP3 - Used by POP email clients.
  • Reporting Web Services - Used to retrieve report data in Exchange Online.
  • Universal Outlook - Used by the Mail and Calendar app for Windows 10.
  • Other clients - Other protocols identified as utilizing legacy authentication.

Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.

NOTE: As of October 2022 Microsoft began disabling basic authentication in all tenants, except for those who requested special exceptions it should no longer be available in most tenants beyond Dec 31, 2022. Despite this CIS recommends the CA policy to remain in place to act as a defense in depth measure.

Remediation

To setup a conditional access policy to block legacy authentication, use the following steps:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Azure Active Directory > Protect & secure select Conditional Access.
  3. Create a new policy by selecting New policy.
  4. Set the following conditions within the policy.
  • Select Conditions then Client apps enable the settings for and Exchange ActiveSync clients and other clients.
  • Under Access controls set the Grant section to Block access.
  • Under Assignments enable All users.
  • Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as a best practice.

Default Value: Basic authentication is disabled by default as of January 2023.

NOTE: For more granularity the following Audit/Remediation procedure could be utilized.

To disable basic authentication, use the Exchange Online PowerShell Module:

  1. Run the Microsoft Exchange Online PowerShell Module.
  2. Connect using Connect-ExchangeOnline.
  3. Run the following PowerShell command:

Note: If a policy exists and a command fails you may run Remove- AuthenticationPolicy first to ensure policy creation/application occurs as expected.

$AuthenticationPolicy = Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
If (-not $AuthenticationPolicy.Identity) {
$AuthenticationPolicy = New-AuthenticationPolicy "Block Basic Auth" Set-OrganizationConfig -DefaultAuthenticationPolicy
$AuthenticationPolicy.Identity
}
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity - AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false - AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false - AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false - AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false - AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false
Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity - STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_1_1_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_1_1_11 --share

SQL

This control uses a named query:

azuread_legacy_authentication_disabled

Tags