Best practices for deploying multi-factor authentication on Microsoft networks

Microsoft will soon change the mandate to multi-factor authentication (MFA) with changes to Microsoft 365 defaults. As Microsoft points out, “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing and password reuse. “Based on usage patterns, we’ll start [mandating MFA] with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.”

Microsoft will notify global admins of eligible tenants by email. “After security defaults are enabled, all users in the tenant are asked to register for MFA. Again, there is a grace period of 14 days for registration. Users are asked to register using the Microsoft Authenticator app, and global administrators are additionally asked for a phone number.” If you haven’t started MFA deployments, this is the time to do so. Attackers are using phishing attacks to go after unprotected accounts and MFA is a key way to protect user access.

Can you still disable multi-factor authentication should you decide to accept the risk? Yes, but this means your firm will be low-hanging fruit for phishing campaigns. User accounts and logins are the new entry point for many attacks in a network.

Determine multi-factor authentication method

MFA deployment means that you need to determine which authentication process you will support. Researchers often claim that SMS messages aren’t secure. Years ago attackers were able to bypass SMS based MFA using a reverse-proxy component. In reality, you just need to be secure enough.

As with many security decisions, you need to perform a risk analysis of who needs best, better and good-enough security. If you believe that some of your users will be targeted the use of MFA applications, you can use devices such as Yubikeys. Users and consultants might point out that MFA is not bulletproof. It can be attacked and spoofed. The idea is that you want to just be a little bit better than the next domain or cloud deployment.

Use conditional access rules

If you add Azure Active directory P1 license (already included in Microsoft 365 Business premium subscribers), you can add conditional access rules that allow you to provide for whitelisting locations. Thus, you can set up MFA for only remote users to protect remote email access. These conditional access policies can be more granular to allow users to resources while balancing the needs for MFA. For example:

Copyright © 2022 IDG Communications, Inc.

News Credit

%d bloggers like this: