Control: 1.1.6 Enable Conditional Access policies to block legacy authentication
Description
Use Conditional Access to block legacy authentication protocols in Office 365.
Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.
Remediation
To set up a conditional access policy to block legacy authentication, use the following steps:
- Log in to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers and click on Azure Active Directory.
- Select Azure Active Directory then Security.
- Select Conditional Access.
- Create a new policy by selecting New policy.
- Set the following conditions within the policy.
  - Select Conditions then Client apps and enable the settings for Exchange ActiveSync clients and other clients.
  - Under Access controls set the Grant section to Block access.
  - Under Assignments enable All users.
  - Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as a best practice.
  - Select
Default Value: Legacy authentication is enabled by default.
Note: For more granularity the following Audit/Remediation procedure could be utilized.
To disable basic authentication, use the Exchange Online PowerShell Module:
- Run the Microsoft Exchange Online PowerShell Module.
- Connect using Connect-ExchangeOnline.
- Run the following PowerShell command:
 
Note: If a policy exists and a command fails you may run Remove-AuthenticationPolicy first to ensure policy creation/application occurs as expected.
```powershell
# Reuse the tenant's default authentication policy, or create one if none is set.
# (Get-OrganizationConfig exposes the default policy's identity directly; the
# Select-Object form returns an object with no Identity property.)
$DefaultPolicyId = (Get-OrganizationConfig).DefaultAuthenticationPolicy
If (-not $DefaultPolicyId) {
    $AuthenticationPolicy = New-AuthenticationPolicy "Block Basic Auth"
    Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity
} Else {
    $AuthenticationPolicy = Get-AuthenticationPolicy -Identity $DefaultPolicyId
}
# Turn off Basic authentication for every protocol the policy covers
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false
# Assign the policy to every user and invalidate existing refresh tokens so it takes effect immediately
Get-User -ResultSize Unlimited | ForEach-Object {
    Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}
```
Usage
Run the control in your terminal:
```sh
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_6
```

Snapshot and share results via Turbot Pipes:

```sh
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_6 --share
```

SQL
This control uses a named query:
```sql
with block_legacy_authentication as (
  -- Policies that block Exchange ActiveSync and 'other' (legacy) clients for all
  -- users, with at least one excluded account or role, as the control requires
  select
    tenant_id,
    count(*)
  from
    azuread_conditional_access_policy
  where
    client_app_types ?& array['exchangeActiveSync', 'other']
    and built_in_controls ?& array['block']
    and users -> 'includeUser' ?& array['All']
    and jsonb_array_length(users -> 'excludeUser') != 0
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on(tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  tenant_id as resource,
  case
    when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then tenant_id || ' has Conditional Access policies enabled.'
    else tenant_id || ' has Conditional Access policies disabled.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t;
```
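As an added example, not code from the Powerpipe mod or from the CIS benchmark, the following Python applies the same conditions as the named query above to policies in the Microsoft Graph conditionalAccessPolicy JSON shape (the key names and enum values are the Graph schema's; the sample policies are constructed), and goes one step further by checking the policy state, which the SQL does not.

```python
# Added example, not part of the Powerpipe mod: the named query's test applied to
# Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape
# (e.g. Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10), plus a
# 'state' check the SQL lacks: a report-only policy enforces nothing.
# All sample policies below are constructed.

LEGACY_APP_TYPES = {"exchangeActiveSync", "other"}  # 'other' = IMAP, POP, SMTP AUTH, ...


def blocks_legacy_auth(policy: dict) -> bool:
    """True when this one policy satisfies CIS 1.1.6."""
    if policy.get("state") != "enabled":
        return False  # 'disabled' or 'enabledForReportingButNotEnforced'
    cond = policy.get("conditions", {})
    if not LEGACY_APP_TYPES <= set(cond.get("clientAppTypes", [])):
        return False  # must cover both Exchange ActiveSync and other clients
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        return False
    users = cond.get("users", {})
    if "All" not in users.get("includeUsers", []):
        return False
    # At least one break-glass account or directory role must be excluded.
    return bool(users.get("excludeUsers") or users.get("excludeRoles"))


def evaluate_tenant(policies: list) -> dict:
    """Tenant-level verdict in the ok/alarm form the control reports."""
    matching = [p["displayName"] for p in policies if blocks_legacy_auth(p)]
    return {"status": "ok" if matching else "alarm", "matching": matching}


def _policy(name, state="enabled", app_types=("exchangeActiveSync", "other"),
            exclude_users=("00000000-0000-0000-0000-000000000001",)):
    """Build a constructed sample policy in the Graph shape."""
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": list(app_types),
                           "users": {"includeUsers": ["All"],
                                     "excludeUsers": list(exclude_users), "excludeRoles": []}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


SAMPLE_POLICIES = [  # constructed, not from a real tenant
    _policy("Block legacy authentication"),
    _policy("Block legacy auth (report-only)", state="enabledForReportingButNotEnforced"),
    _policy("Block EAS only", app_types=("exchangeActiveSync",)),
    _policy("No break-glass exclusion", exclude_users=()),
]

if __name__ == "__main__":
    print(evaluate_tenant(SAMPLE_POLICIES))  # {'status': 'ok', 'matching': ['Block legacy authentication']}
```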