Tag: Conditional Access

The modern security perimeter now extends beyond an organization’s network to include user and device identity. Organizations can utilize these identity signals as part of their access control decisions. Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

Modern Workplace security: 5 steps to use Microsoft Teams in a safe way

In this blog I will go through 5 basic security improvements for organizations that are shifting to Microsoft Teams. Also read my previous article: The Value Of Microsoft 365 E3 and E5.

Security improvements are embedded in Teams; they just need activation

I’ve met a lot of organizations over the last months implementing Microsoft Teams, and I really love to see the fast deployments, the big activation, the simple communication and the dedicated onboarding.

  • Did you know that Microsoft Teams is not an addition to Office 365, but an integration of multiple services?
  • Did you know you can integrate the product into your current workplace better than ‘we’ think?
  • And a thousand other possibilities; now that’s the problem, right? We did not really know that before.
  • I know I’ve used Microsoft 365 E5 licenses. You can figure something out without CASB, with Azure AD Premium P1 + Endpoint Manager.

Introduction: Microsoft Teams Architecture

Did you know that Microsoft Teams is part of Office 365 or Microsoft 365 and uses Azure AD, OneDrive, SharePoint, Exchange Online, Yammer, Stream and more, all out of the box? I assume your organization will use this deep integration when shifting to Microsoft Teams. Let’s dig into the solutions now!

1. Identity Protection: MFA + Azure AD Conditional Access Policies + Risk Policy

The first step is a secure identity. Everything comes down to identity security and authentication, access management in general.

  • It’s still a best practice to activate Multi-Factor Authentication. I’ve written a lot about this in my previous article.
  • Activate Conditional Access so users are not flooded with MFA prompts and you still deliver a productive workplace (for example, skip the prompt on a compliant device or from a trusted named location).
Azure AD Conditional Access
  • Force a password change when you assume breach: use the Identity Protection risk policies (user risk and sign-in risk) so you can be sure you harbor safe identities. Enforce MFA registration first, because a user who has not registered cannot complete the secure password change and ends up blocked.
User Risk Policy

2. Registration for Windows 10: Device Onboarding

Make your Windows 10 devices known to the organization, so you have them under control and can build policies on that knowledge.

Register or join your devices to Azure AD to give each device its own identity. That device identity is used to authenticate the device when a user signs in, and to apply Conditional Access rules that require hybrid Azure AD joined or compliant PCs.

  • Hybrid Azure AD Join: enables devices joined to on-premises Active Directory to register in Azure AD for access management.
  • Go through Autopilot and let new devices join in cloud-only mode, with a hybrid identity. I’m not a fan of doing registration only. It has value, but then you can only do access management. I’ve seen companies go direct with Autopilot, shift to cloud-only modern management and have the devices in Azure AD only. Cloud or hybrid is not a requirement, but it can help with straightforward implementations.
  • Later you can do Endpoint Manager: deploy Microsoft Teams and the Office 365 suite to all endpoints.

3. Block downloading of documents on non-trusted devices

If a device is not trusted, accessing corporate data should still be possible (sometimes not, I know), but different from access on a truly trusted device.

  • Set simple and transparent Conditional Access policies. Don’t make it too complex.
  • You can use Conditional Access App Control (preview) to block downloading of ANY Office 365 document on a non-trusted, non-compliant device.
  • Keep in mind when using this: if you only select Exchange Online, the policy still impacts Teams and SharePoint, as stated in the tip in the first screenshot.

4. Intune App Protection policies for Mobile Devices

You’ve covered your identity and your Windows 10 devices. You’ve covered your non-trusted devices, and now your mobile devices.

  • I’d like to get feedback on this one. I’ve done App Protection policies at multiple customers without changing any definition of the standard policy you can create from https://admin.microsoft.com; there is nothing wrong with standards. Better a policy activated than no policies.

Or you can use the App Protection Policy Data Protection Framework. It provides 3 levels of app data protection configuration. (github)

  • Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.
  • Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may impact user experience.
  • Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.

Access requirements: you can find these in Endpoint Manager (App protection policies)

  • PIN for access: Require
  • PIN type: Numeric
  • Simple PIN: Allow
  • Select minimum PIN length: 4
  • Touch ID instead of PIN for access (iOS 8+/iPadOS): AllowOverride
  • These are the Level 1 (basic) values of the framework; the enhanced and high levels block simple PINs and require a longer PIN, so tighten them for users who handle sensitive data.
  • More details in the 3 screenshots for iOS. I’ve also created a policy for Android.

5. Knowing the risks with Cloud App Security

You’ve covered your identity and your Windows 10 devices. You’ve covered your non-trusted devices and your mobile devices. If something slips between activations or something is missing, I suggest using Cloud App Security to see data exfiltration and more.

  • As you can see in the Cloud App Security portal, the activity log lets you understand what the block download policy actually did.
  • You can dig deeper to understand what happened. In the demo movie at the top I showed a trusted environment on the left and a non-trusted ‘personal computer’ on the right.
  • You can go further with automation from here, but I will not go deeper into this in this article, because I believe that if you have these 5 steps in place you have already achieved something.

Next steps?

  • Identity protection (1): automated remediation and creation of a service-desk ticket to respond to your risky users.
  • Compliance policies (2): don’t let devices slip through the fingers of IT departments. You need a process to be sure all devices pass the same checks, and are fully blocked if they don’t.
  • Block downloads on non-trusted devices (3): go further. The implementation above is a great opportunity because of its ease of implementation. Information protection is next, because people can exfiltrate data when e-mailing, syncing or copying on their corporate device and their home device. That should not be possible anymore.
  • Automate actions with CASB. Identify your exfiltration ‘experts’ and create processes for when something is wrong, so the right people in the chain of command are informed.
  • The next improvement is a future blog! Thanks for reading.

I hope you enjoyed reading. Please comment below!

The value of Multi-Factor Authentication – Get your story right!

I tried something different last night: to write the story of multi-factor authentication and show its relation to the Microsoft ecosystem. Everything is connected. I would love a comment, share or reply to see if this content is valuable for you! Thanks, Jasper

Creating the modern workplace! – Vision

  • Increase mobility: people are working from home, from clients and during travel. In regard to collaboration, 98% of information workers collaborate or communicate with someone else at work on a weekly basis.
  • Improve security and compliance. Most of the time there is no control of data compliance in the current on-premises environment. Security systems are complex and static, without growing or proven improvements. Start with a Zero Trust model. Start with protection of your people.
  • Find more topics in my previous article.

What is Multi-Factor Authentication – To know

  • Something you know, typically a password or a pincode.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key/token.
  • Something you are – biometrics like a fingerprint or face scan.

Cybersecurity Reference Architecture – The Cybersecurity vision to integrate deeply in Microsoft tech

Whoooaww, that’s an extreme reflex for doing our MFA implementation!! Is it? Dear customers and colleagues: is it? I don’t think so. We need to see and understand that the small parts (micro) are connected to the big parts (macro). Identity & access management is crucial. Identity is the first step, the basis, the baseline. We need to invest in the whole cybersecurity frame, and we need to start with the basics.

Next to the macro view of this Cybersecurity Reference Architecture, we need to dare to question the identity providers we have integrated in our current environment.

Foundation Infrastructure – The not so interesting part

The only way is up, starting with your foundation:
  1. Networking
  2. Identity: the first investment before you ‘grow’ to workloads and scenarios.

Identity is a fundamental part of the workplace – The attack surface

As you can see in this figure, all security mechanisms are built on the fundamentals of identity management. What can you protect IF you’re not able to enable MFA? It has its reasons. There are numbers out there to make you aware of this; we will come to that later in this article.

Cloud Architecture Identity – MFA is part of something

Understanding identity management in Microsoft’s ecosystem is crucial to find the place where multi-factor authentication (MFA) belongs: user accounts, identity management, Azure Active Directory, Azure/Microsoft 365.

Self-Service Password Reset – To help the people

Give people in your organization something in return because they ‘need’ to do MFA. Self-service password reset lets users reset or unlock their own account after verifying with the authentication methods they registered, which decreases the IT workload and, more important, makes your customers happy. By the way, it’s very easy to configure: go to Azure AD > Password reset > Authentication methods.

Force a password change when assuming breach – To prevent breaches AND decrease IT tickets

Go to Identity Protection in Azure AD and open the user risk policy. Select your assignment (All users), set the condition (the user risk level, for example Medium and above) and under Access select Allow access with Require password change. This asks users to change their password when their user risk is at or above the threshold.

Did you know that IT administrators can also enable sign-in risk as a condition in multiple Conditional Access policies outside Identity Protection?
If users have not registered for MFA before this risk policy applies, their account will be blocked: the secure password change requires MFA, so enforce the MFA registration policy first.

Azure AD Conditional Access – To make it easier

Conditional Access is a solution used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

  • Keep user accounts safe by requiring strong authentication based on location and risk.
  • Keep data safe by only allowing managed devices.
  • Meet compliance requirements.
  • Create simple policies for everyone, not for groups or departments: make it simple!
  • Build your modular dreams.

What if MFA fails like it did before? – Probably won’t

  • MFA failed 2 times? For less than 4 hours? Ever? Compared to your on-premises environment?
  • We like to kill MFA implementations because we don’t like them, but we still want more security. DO IT. If security is a priority, you can fix this technically. What if that’s the real problem?
  • What if you did not have MFA and got breached? Or leave MFA enabled and still be in control of your data.
  • What if MFA failed and you had your devices and identities connected to your modern workplace, because it was not a side project but part of a strategic decision, and you were able to keep working when the service failed for some hours?
  • The reflex should be to prevent: for example a break glass account for problematic situations, excluded from every Conditional Access policy and with an alert on any sign-in.
  • Next to that, write up a document that describes the actions required in case of MFA authentication problems. For example: high-risk users get a unique new password, low-risk users may authenticate without a password change, and risky users with medium risk and higher get a password change.

The standard pitch doesn’t work – So stop telling this

  • 99.9% of compromised accounts did not have MFA.
  • Next to this fact, the 50 accounts out of 10,000 people that will be breached according to Microsoft’s numbers become more and more understandable.
  • Your Pa$$word doesn’t matter
  • You can do internal phishing attacks and see that people enter their passwords. It’s a fact. What’s the point of knowing again if it’s already known? ‘Any fool can know, the point is to understand.’ (Albert Einstein)

These stories are well known but will not trigger changes. Do’s & don’ts are judging. Don’t work on the ‘facts’; work on the value, support and simplicity of modern technology. GIVE to the people. Don’t take things away.

99,9% compromised accounts did not have MFA

MFA is included in all licenses – This changed a long time ago

Basic Azure AD Multi-Factor Authentication is included in all Office 365 and Microsoft 365 licenses. That does not mean Conditional Access (Azure AD Premium P1) or the Identity Protection risk policies (Azure AD Premium P2) are included. Reference.

Passwordless authentication – To give to the people

Enabling passwordless authentication activates authentication without a password; isn’t that great? Enabling passwordless authentication in Azure AD is easy: go to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview) and enable the method (for example Microsoft Authenticator passwordless phone sign-in or FIDO2 security keys).

Passwordless authentication is a feature that lets us rethink our current MFA solution IF it is not running in the cloud or is a third-party solution. As you can see, the integration goes deeper and deeper here.

The MFA Experience – It isn’t bad at all

The mobile experience shows 3 numbers in the Authenticator app; you tap the one displayed on the sign-in screen to validate the sign-in, and you don’t need to enter the password.

Combined MFA and password reset registration – To make the onboarding smooth

Microsoft has announced that the combined security information registration is now generally available (GA). This new experience makes it easy for users to register for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) in a simple step-by-step process.

Adoption and change management – To make everyone happy except the sponsor 😉

Make standards that are understandable for everyone, not only for the IT organization. Communicate MFA announcements and changes before the change, not after. Keep track of the change record. Explain very well how you’re using ‘standards’ in your organization. Put the guidelines in the place where all procedures are located. Communicate over multiple platforms. Make it about the end user. Help end users. It’s all about experience! And you are in control!

Published on #WorldPasswordDay – Stay safe!

What are your thoughts after reading this article? Comment below! In case you were inspired by this article please share!

The top 10 security recommendations to consider while working from home!

  • Mobile working is the standard today.
  • Companies are no longer protected by the infrastructure in their corporate environment.
  • Crucial document data is moving away from centralized systems because it’s easier to work on it in our own document systems.
  • The irrelevance of bombastic systems in the corporate environment is holding collaboration down.
  • Does this sound familiar?

The 10 security recommendations we should consider while working from home!

  1. Identity Security / MFA
  2. Install the latest patches and updates
  3. Passwords and management
  4. Build real-time reports of security risks
  5. Create automated and intelligent alerts
  6. Install antivirus on all endpoints
  7. Secure devices and corporate devices (+ personal phones)
  8. Evaluate regularly which users have access to data, devices and networks
  9. Track, change and block access for temporary projects and when employees are leaving your company
  10. Use information protection solutions to protect your data everywhere.

1. Identity protection

  • Some facts: 1.2 million Office 365 or Microsoft 365 accounts were compromised in a single month. That represents 0.5% of all accounts. Source: theregister.co.uk

Multi-factor authentication blocks 99.9% of account compromise attacks.

99,9% compromised accounts did not have MFA

2. Patching & updates

Device Compliance

3. Passwords and management of authentication

4. Create real-time reporting of security vulnerabilities

  • Identity risks exist in every organisation. Don’t think that your chances are low. Check the facts.
  • It is very easy to use ‘risky users’, ‘risky sign-ins’ and ‘risk detections’ to find real risks.
  • Integrate with Microsoft Defender ATP and the Azure ATP sensors to have all intelligence in the Microsoft cloud.
Risky Users
Risky Sign-ins

5. Create automated and intelligent alerts

  • There is only 1 answer: Microsoft Cloud App Security.
  • Create alerts when, for example, 100 files are deleted or copied to Dropbox.
Cloud App Security Portal

6. Install antivirus on ALL endpoints + go beyond antivirus

  • Microsoft Defender ATP, SentinelOne, Norton, McAfee; it doesn’t really matter, as long as you are able to protect all endpoints.
  • The second factor is to make sure that your antivirus is enabled. Use a single console, or use MDATP. Set security alerts so you know when you are at risk.
  • Use EDR to detect and respond to advanced attacks in real time.
Antivirus Windows 10

7. Secure private(personal) devices and corporate devices

  • Workstations and laptops (with Windows 10, for example) are under control in most companies. Mobile devices are left unmanaged because we don’t know the options.
  • With Intune (Endpoint Manager) you can isolate and segment applications without having to manage the device. The corporate applications are under control and the organization’s data is protected. The most important thing is done!
  • Choose a fingerprint or Face ID, and in the worst case a PIN code, in app protection.
  • Below you may find an example of the Outlook application protected by Mobile Application Management. When organisations are not the owner of these devices this is a great option, and simple to implement.
Mobile Application Management

8. Evaluate regularly which users have access to data, devices and physical network

  • Cloud App Security shows you exactly what data is passing through all endpoints.
  • Document data, lateral movement, usage of applications, global traffic, count of applications in use in your organisation, risk levels, GDPR-compliant applications...
  • Bring network device logs into CASB (Cloud Discovery) to have more insight.
Cloud Discovery

9. Track and block access for temporary projects or when employees leave the company

  • Governance without enforcement is just good advice.
  • Create simple written policies, and enforce them.
  • Create expiration or retention policies, for example an expiration policy that removes an unused Microsoft Team after 180 days.

10. Use information protection to protect your data everywhere

  • Use information protection to protect document data. Even if you lose a document ‘physically’, there are still options to block it from being opened and keep it secure from distribution, opening and editing.
  • Create document data insights from on-premises and cloud solutions with Microsoft Information Protection policies.
Unified data classification platform
Retention Label

Conclusions

Microsoft Secure Score
  • Security priorities are difficult. However, I would always start with MFA because this is fundamental identity security. Afterwards document and device security, because companies are moving to Teams during Covid-19, and you don’t want data leakage during this time.
  • If your identity is not secure and gets compromised, there is no point in doing information protection, because a ‘hacker’ will use your accounts to access your corporate data.
  • Use Microsoft Secure Score (securescore.microsoft.com) as guidance. Extract your priorities.
  • Let’s do it!

Protect apps with Microsoft Cloud App Security Conditional Access App Control

A lot of companies are struggling with data leakage when it comes to their Exchange Online environment. Easy fix! Enable Microsoft Cloud App Security Conditional Access App Control. First, check the 7-second demo; it explains it without unnecessary words!

Scenario:

  • You have all your devices enrolled in Microsoft Endpoint Manager, aka Intune.
  • You have an inventory and control of your hardware assets (CIS Control 1).
  • You are using Office 365 or Microsoft 365.
  • You don’t want users to download their e-mail attachments on a non-company-owned device (other scenarios are possible!).

Protect apps with Microsoft Cloud App Security Conditional Access App Control

It sounds so complex, and I strongly believe this is making implementations way too complex. So here are the 2 practical steps for the configuration.

Step 1: Choose the cloud application and select the condition

  • Select cloud apps or actions: Office 365 Exchange Online
  • Select a condition: Device state (preview), include all device states and exclude devices marked as compliant. Compliance is determined by an Intune compliance policy that checks the device. Users on compliant devices just go their way on Exchange Online.
device State Preview

Step 2: Select the access controls

  • If not, they are not able to download attachments to their environment: under Session, select Use Conditional Access App Control and choose Block downloads (preview). That’s it!
Conditional Access App Control
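The same two policies as code, as an added example that is not part of this post or the ‘5 steps’ post above (step 3, block downloading on non-trusted devices): the dictionaries follow the Microsoft Graph conditionalAccessPolicy schema and can be POSTed to the policies endpoint with a token that has Policy.ReadWrite.ConditionalAccess; the evaluator is a simplified model of how Azure AD combines policies, written here to make the logic visible. The break-glass group ID is a hypothetical placeholder, and the deprecated ‘Device state (preview)’ condition from the screenshots is expressed with the filter-for-devices rule that replaced it.

```python
"""Conditional Access as code: Graph request bodies plus a simplified evaluator.

Added illustration, not code from the original posts. The policy dictionaries follow
the Microsoft Graph conditionalAccessPolicy schema; the evaluator is a simplified
model of Azure AD's policy combination written for this example.
"""
import json
import re

GRAPH_POLICY_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # well-known app ID of Office 365 Exchange Online
BREAK_GLASS_GROUP = "<break-glass-group-object-id>"        # hypothetical placeholder: your emergency-access group
REPORT_ONLY = "enabledForReportingButNotEnforced"           # roll new policies out in report-only mode first


def mfa_for_all_policy(state=REPORT_ONLY):
    """Step 1 of the '5 steps' post: every user, every app, grant only with MFA."""
    return {
        "displayName": "Baseline - require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_downloads_policy(state=REPORT_ONLY):
    """Steps 1 and 2 of this post: Exchange Online in the browser from a device that is
    not marked compliant -> Conditional Access App Control session control 'Block downloads'."""
    return {
        "displayName": "Exchange Online - block downloads on non-compliant devices",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE]},
            "clientAppTypes": ["browser"],  # App Control proxies browser sessions only
            "devices": {"deviceFilter": {"mode": "include", "rule": "device.isCompliant -ne True"}},
        },
        "sessionControls": {"cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "blockDownloads"}},
    }


def _device_rule_matches(rule, compliant):
    """Only the two rule forms used here are modelled: device.isCompliant -eq/-ne True."""
    m = re.fullmatch(r"device\.isCompliant -(eq|ne) True", rule)
    if not m:
        raise ValueError("unsupported device filter rule: " + rule)
    return compliant if m.group(1) == "eq" else not compliant


def policy_applies(policy, ctx):
    """Does the policy's scope (users, apps, client app type, device filter) cover this sign-in?
    ctx keys: user, groups, app, client_app_type, device_compliant."""
    c = policy["conditions"]
    users, groups = c["users"], set(ctx["groups"])
    included = ("All" in users.get("includeUsers", []) or ctx["user"] in users.get("includeUsers", [])
                or bool(groups & set(users.get("includeGroups", []))))
    if not included or groups & set(users.get("excludeGroups", [])):
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and ctx["app"] not in apps:
        return False
    if "all" not in c["clientAppTypes"] and ctx["client_app_type"] not in c["clientAppTypes"]:
        return False
    flt = c.get("devices", {}).get("deviceFilter")
    if flt and (flt["mode"] == "include") != _device_rule_matches(flt["rule"], ctx["device_compliant"]):
        return False
    return True


def evaluate(policies, ctx):
    """Simplified model of Azure AD evaluation: every enabled policy that applies must be
    satisfied, a 'block' grant control wins over everything else, session controls accumulate."""
    result = {"decision": "grant", "applied": [], "required": [], "session": []}
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, ctx):
            continue
        result["applied"].append(p["displayName"])
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        if "block" in controls:
            result["decision"] = "block"
        elif controls:
            result["required"].append((grant.get("operator", "OR"), controls))
        cas = (p.get("sessionControls") or {}).get("cloudAppSecurity") or {}
        if cas.get("isEnabled"):
            result["session"].append(cas["cloudAppSecurityType"])
    return result


if __name__ == "__main__":
    print(json.dumps(block_downloads_policy(), indent=2))  # request body for POST GRAPH_POLICY_URL
    home_pc = {"user": "alice@contoso.example", "groups": [], "app": EXCHANGE_ONLINE,
               "client_app_type": "browser", "device_compliant": False}
    print(evaluate([mfa_for_all_policy("enabled"), block_downloads_policy("enabled")], home_pc))
```

Running the evaluator against a non-compliant home PC in the browser gives a grant that requires MFA and carries the blockDownloads session control; the same sign-in from a compliant device gets MFA only, and the Outlook desktop client on the non-compliant device gets no session control at all, which is exactly the gap the conclusions below warn about.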

By natively integrating with Azure AD, any app that is configured with SAML or OpenID Connect can be self-onboarded.

In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant (more apps: here):

  • Exchange Online
  • OneDrive for Business
  • Power BI
  • SharePoint Online
  • Microsoft Teams

Conclusions

  • It’s not because you block attachment downloads in Exchange or OneDrive from non-company-owned devices that your organization is good to go! This practical example shows the flexibility of conditions in your organization that can prevent leakage of data via e-mail. Note also that Conditional Access App Control works on browser sessions proxied by Cloud App Security; Outlook desktop and mobile clients need their own control, for example requiring a compliant device or an approved client app for non-browser access.
  • Blocking Exchange downloads could make your organization aware that it is still sending crucial information by mail that should be in Microsoft Teams or SharePoint Online.
  • Microsoft Information Protection could play a big role in this configuration, but this enablement can be a first step in security maturity growth.
  • More options? YES: a notification when someone downloads 10+ documents, leaked credentials, impossible travel, a file shared with an unauthorized domain, a new risky app, ...

The Multi-factor-authentication struggle? AND the solution!

The struggle of a multi-factor authentication implementation is REAL and, most of the time, really frustrating. Some frequently asked questions and answers below! Let’s turn the problem into a solution.

We don’t want to use Multi-factor authentication – it’s too complex!

  • Ask the people in your organization if they use the same password as their corporate account for Dropbox, Yahoo, Gmail or Facebook. Do they?
  • I know, it’s really bad advice, but check your ‘old’ password on haveibeenpwned.com. Is it still ‘safe’?
  • Do you have MFA on your Facebook account? Your iCloud account? Your private mail? Is it that bad?

How to tackle the resistance!

  • END-USER AWARENESS: a lot of organizations (including Microsoft) provide great material that can help your organization communicate well. Communicate, make people understand WHY, support them, give them more!
  • MEASURE THE NEED FOR MFA: measure the impact in your organization and make people understand WHY. You could send out a fake ‘payroll update’ phishing mail with Attack Simulator and measure how many people enter their credentials. Make people aware that they did very well by not entering their corporate credentials. Don’t punish people who did; help them identify and understand phishing mails. https://protection.office.com/attacksimulator
ATP Phishing demo
Change Password
  • SELF-SERVICE: give people in the organization some pros because they ‘need’ to do MFA, for example self-service password reset. It also means the workload of IT teams decreases because of self-service mechanisms. It’s nearly impossible (insecure) to deliver self-service without a trusted second factor.
  • MODERN MANAGEMENT: bring all your devices into Azure AD in a state where they are at least Azure AD joined, so users get pros like single sign-on in Microsoft Edge. Other browsers are possible, but require a bit more time.
  • CONDITIONAL ACCESS: it’s simple to define a basic set of conditions under which a second factor shouldn’t be required, for example your work environment (a trusted named location or a compliant device). It creates many possibilities for a better roll-out. Better MFA with one exception than no MFA at all.
Passwordless authentication codes
  • PASSWORDLESS AUTHENTICATION: deliver passwordless authentication. It helps your users not to struggle with their password. Implementation guide here.
  • MEASURE THE RISK(S): log in to the Azure AD portal and export all sign-in logs of the last 3 months. Filter on Success and on countries your company is not in (or filter out all locations you are in and work with what is left). Successful sign-ins from there usually mean leaked credentials; rule out VPN exit points and travelling users before you reset anything. Mostly it’s clear after this simple exercise.
  • MICROSOFT AUTHENTICATOR APP: you could use SMS as a factor, but don’t bother: use the Authenticator app. SMS codes can be intercepted or SIM-swapped, and push or passwordless sign-in is easier for users anyway.
Sign-ins Azure AD
  • AZURE ADVANCED THREAT PROTECTION: work with Azure Advanced Threat Protection in a pilot. This setup costs you 60 minutes: order a trial license of Microsoft 365 E5, go through the Azure ATP wizard and add your domain controllers as sensors.
Azure Advanced Threat Protection

After 30 days, go to the console and export the reports: passwords exposed in clear text, lateral movement paths to sensitive accounts. I’m sure you’ll find something happening without knowing it! This brings insights where you had none before.

ATP Reports Cloud
  • THIRD-PARTY ASSESSMENT: work with third-party tools to measure the security or cyber-security maturity of your organization.
  • CLOUD APP SECURITY: measure which data is extracted to which machines to understand the needs in your environment. This prioritizes the need for identity protection (later data control).
Cloud Discovery Reports
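The ‘measure the risk(s)’ exercise above, as an added example that is not part of this post: it takes a sign-in log export, keeps only successful sign-ins from the last 90 days whose country is not on your home list, and summarises them per user. SAMPLE_CSV is a constructed file in the shape of an Azure AD sign-in export; the column names and the ‘City, State, CC’ location format are assumptions, so check them against your own export before relying on the script.

```python
"""Find successful sign-ins from countries your organisation is not in.

Added example, not from the original post. SAMPLE_CSV is constructed data in the shape
of an Azure AD sign-in log export; the column names and the 'City, State, CC' location
format are assumptions, so check them against your own export and adjust if needed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_CSV = """\
Date (UTC),Username,Status,IP address,Location
2020-05-04T07:12:44Z,alice@contoso.example,Success,203.0.113.10,"Amsterdam, Noord-Holland, NL"
2020-05-04T07:40:02Z,alice@contoso.example,Success,198.51.100.77,"Lagos, Lagos, NG"
2020-05-04T09:05:13Z,bob@contoso.example,Failure,192.0.2.55,"Moscow, Moskva, RU"
2020-05-05T02:17:31Z,bob@contoso.example,Success,192.0.2.55,"Moscow, Moskva, RU"
2020-05-05T08:00:00Z,carol@contoso.example,Success,203.0.113.12,"Brussels, Brussels Hoofdstedelijk Gewest, BE"
2020-01-10T10:00:00Z,dave@contoso.example,Success,198.51.100.5,"Denver, Colorado, US"
"""


def parse_signins(csv_text):
    """Parse the export into dicts with a datetime, lower-cased UPN and ISO country code."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(r["Date (UTC)"].rstrip("Z"))
        country = r["Location"].rsplit(",", 1)[-1].strip().upper()  # last part of "City, State, CC"
        rows.append({"when": when, "user": r["Username"].strip().lower(),
                     "status": r["Status"], "ip": r["IP address"], "country": country})
    return rows


def foreign_successes(rows, home_countries, now=None, days=90):
    """The exercise from the post: last N days, status Success, country not on the home list.
    `now` may be a datetime or an ISO string; it defaults to the current UTC time."""
    if now is None:
        now = datetime.utcnow()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=days)
    home = {c.upper() for c in home_countries}
    return [r for r in rows if r["status"] == "Success" and r["when"] >= cutoff and r["country"] not in home]


def summarize(hits):
    """Per user: which foreign countries and source IPs, how often, first and last seen."""
    by_user = defaultdict(lambda: {"countries": set(), "ips": set(), "count": 0, "first": None, "last": None})
    for h in sorted(hits, key=lambda h: h["when"]):
        s = by_user[h["user"]]
        s["countries"].add(h["country"])
        s["ips"].add(h["ip"])
        s["count"] += 1
        s["first"] = s["first"] or h["when"]
        s["last"] = h["when"]
    return dict(by_user)


def report(summary):
    """One line per suspicious user, ready to hand to whoever checks VPN exits and travel."""
    return [f"{u}: {s['count']} success(es) from {sorted(s['countries'])} via {sorted(s['ips'])} "
            f"between {s['first']:%Y-%m-%d %H:%M} and {s['last']:%Y-%m-%d %H:%M}"
            for u, s in sorted(summary.items())]


if __name__ == "__main__":
    hits = foreign_successes(parse_signins(SAMPLE_CSV), ["NL", "BE"], now="2020-05-06")
    print("\n".join(report(summarize(hits))))
```

In the constructed sample, alice signs in from NL and half an hour later from NG, and bob’s failed attempt from RU is followed by a success: both are the pattern of leaked credentials the post describes, while carol (home country) and dave (outside the 90-day window) are left out. Failures are deliberately ignored here; a separate count of failures per user and IP is the password-spray view, not the leaked-credential view.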

Advice to IT Administrators

  • Maintain an 8-character minimum length requirement (longer is not necessarily better).
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk-based multi-factor authentication challenges.
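What the first four points look like in code, as an added example that is not from the post or from Microsoft: a length check without composition rules plus a banned-word check. The leet-style normalisation table and the scoring (a banned word counts as one point, every other character as one, fewer than five points is rejected) are a simplified model loosely based on how Azure AD Password Protection is documented to work, and BANNED_DEMO is an illustrative stand-in for your own custom list plus Microsoft’s global one.

```python
"""Banned-password check without composition rules.

Added example, not from the original post and not Microsoft's implementation. The
substitution table, scoring and banned list are simplified stand-ins for illustration.
"""
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
BANNED_DEMO = {"password", "contoso", "welcome", "summer", "winter"}  # illustrative list


def normalize(password):
    """Lower-case and undo the usual character substitutions before matching."""
    return password.lower().translate(LEET)


def score(password, banned):
    """Walk the normalised password; a banned term consumes its whole length for one point,
    every other character is one point. 'P@ssw0rd1' therefore scores only 2."""
    s = normalize(password)
    points, i = 0, 0
    while i < len(s):
        match = max((t for t in banned if s.startswith(t, i)), key=len, default=None)
        i += len(match) if match else 1
        points += 1
    return points


def check_password(password, banned=BANNED_DEMO, min_len=8, min_points=5):
    """Returns (accepted, reason). Only length and banned words are checked: no composition
    rule, and no periodic expiry is implied either."""
    if len(password) < min_len:
        return False, "too short"
    if score(password, banned) < min_points:
        return False, "built from banned words"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Sh0rt!", "P@ssw0rd1", "Contoso123", "Summer2020!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

Note the limit of the approach: ‘Summer2020!’ still passes because the year and symbol add enough points, which is why the banned list has to contain the terms your users actually reach for and why MFA registration (the last two bullets) matters more than any password rule.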

Microsoft’s password guidance hasn’t changed in years. It’s still great!

It isn’t only commercial talk..

Microsoft sees over 10 million username/password pair attacks every day. This gives them a unique vantage point to understand the role of passwords in account takeover. 99.9 percent of attacks on your accounts can be prevented (and it is not being done).

Side notes