Creating the modern workplace! – Vision

What is Multi-Factor Authentication – To know

Cybersecurity Reference Architecture – Deep integration for future secops

I think we need to see and understand that the small parts (micro) are connected to the big parts (macro). Identity and access management is crucial: identity is the first step, and it is the baseline to configure well. Next to the macro view of this cybersecurity reference architecture, we need to dare to question the identity providers we have integrated in our current environment.

Microsoft Cybersecurity Reference Architecture – full overview

Foundation Infrastructure – The not so interesting part

Starting with your foundation.

1. Networking – the physical and logical backbone of everything you build.
2. Identity – the first investment before you 'grow' to workloads and scenarios.

Microsoft 365 Foundation Infrastructure – workloads pyramid with Networking and Identity as the base layers

Identity is a fundamental part of the workplace – The attack surface

As the figure shows, all security mechanisms are built on the fundamentals of identity management. What can you protect if you are not even able to enable MFA? There are good reasons for this, and there are numbers that make it clear. We will come to those later in this article.

Microsoft Threat Protection – Identities, Endpoints, User Data, Cloud Apps, Infrastructure (Identity is the first pillar)

Cloud Architecture Identity – MFA is part of something

Understanding where identity management sits in the ecosystem of Microsoft's identity platform is crucial to finding the place where multi-factor authentication (MFA) belongs.

User Accounts → Identity management → Azure Active Directory → Azure / Microsoft 365
Azure Active Directory architecture – on-premises infrastructure, user accounts, devices, partner collaboration, application integration, administration (the identity backbone of Microsoft 365)

Self-Service Password Reset – To help people get less frustrated with password problems

Give people in your organization something in return for having to register for MFA: with self-service password reset (SSPR) they can reset a forgotten password themselves, using the authentication methods they registered. Combined with a user risk policy, the same registration lets them change their password when their risk level is at or above the threshold. It decreases the IT workload and, more importantly, it makes your users happy.

By the way, it is very easy to configure: go to Azure AD → Password Reset → Authentication Methods.

Azure AD → Password Reset → Authentication Methods (configuration in the Azure portal)
Azure AD SSPR authentication method options available to users: mobile app notification, mobile app code, email, mobile phone, office phone, security questions

Force a password change when assuming breach – To prevent breaches AND decrease IT tickets

Go to Identity Protection in Microsoft Azure and open the user risk policy. Select the assignment (All users), set the condition (the user risk level, for example Medium and above), and under controls select Require Password Change. Enforce the policy. This will ask people in the organization to change their password when their user risk is at or above the threshold.

Did you know that IT administrators can also use sign-in risk as a condition in multiple Conditional Access policies outside Identity Protection? Caveat: a risk policy that requires MFA can only be satisfied by a user who has registered MFA. If a user has not enrolled in MFA before the risk policy applies, that account will be blocked.

Identity Protection – user risk policy conditions (User risk: Medium and above)
Identity Protection – user risk policy: Assignments All users, Conditions User risk, Controls Require password change, Enforce Policy On

Azure AD Conditional Access – To make it easier

Conditional Access is the Azure Active Directory capability that brings signals together, makes decisions, and enforces organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

Your modular dreams…

Conditional Access flow – Signal → Decision → Enforcement
Azure AD Conditional Access – IF conditions (user risk, sign-in risk) THEN access controls (Allow, Require MFA, Force password reset, Deny)

What if MFA fails like it did before? – It probably won't

MFA failed two times? For less than four hours? Ever? Compare that with your on-premises environment. We like to kill MFA implementations because we don't like the friction, but we still want more security. DO IT. If security is a priority, the availability problem can be fixed technically. What if that is the real problem? What if you did not have MFA and got breached? Or leave MFA enabled and still be in control of your data.

What if MFA failed while your devices and identities were connected to your modern workplace because that was a strategic decision and not a side project, and you were still able to work during the hours the service was down?

The reflex should be to prevent: keep a break-glass (emergency access) account for problematic situations, excluded from the MFA and Conditional Access policies, so that an MFA outage cannot lock every administrator out. Next to that, write a document that describes the actions required in case of MFA authentication problems.
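As an added example, not part of the original post, the following Microsoft Graph PowerShell creates a break-glass account, checks that every Conditional Access policy really excludes it (directly or through a group), and pulls its recent sign-ins, which should be empty in normal operation. The tenant domain, the user principal name and the display name are hypothetical; it assumes the Microsoft.Graph module and Global Administrator rights.

```powershell
# Added example, not the original post's code. UPN and domain below are hypothetical.
Connect-MgGraph -Scopes "User.ReadWrite.All","Policy.Read.All","Directory.Read.All","AuditLog.Read.All"

$upn = "breakglass-01@contoso.onmicrosoft.com"   # hypothetical cloud-only account, not synced from on-premises

# Long random password generated locally; store it offline (sealed envelope or vault), never in a ticket.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

$user = New-MgUser -AccountEnabled:$true -DisplayName "Emergency Access 01" `
    -MailNickname "breakglass-01" -UserPrincipalName $upn `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false } `
    -PasswordPolicies "DisablePasswordExpiration"   # the account must not expire or rotate unexpectedly

# Every non-disabled CA policy must exclude the account, either by user or by a group it is in.
# One policy that requires MFA and does not exclude it makes the account useless in an MFA outage.
$groupIds  = (Get-MgUserMemberOf -UserId $user.Id -All).Id
$policies  = Get-MgIdentityConditionalAccessPolicy -All
$notExcluded = $policies | Where-Object {
    $_.State -ne "disabled" -and
    ($_.Conditions.Users.ExcludeUsers -notcontains $user.Id) -and
    -not ($_.Conditions.Users.ExcludeGroups | Where-Object { $groupIds -contains $_ })
}
if ($notExcluded) {
    Write-Warning "Policies that do NOT exclude ${upn}:"
    $notExcluded | ForEach-Object { "  - {0} [{1}]" -f $_.DisplayName, $_.State }
} else {
    "All $($policies.Count) Conditional Access policies exclude $upn"
}

# The account should never sign in during normal operation: any entry here is an alert.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize
```

Run the exclusion check again every time a policy is added or changed, and wire the sign-in query into whatever alerting you already have: a break-glass account that signs in without an open incident is itself the incident.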

The standard pitch of factual motivation

For me it has always been a big challenge to pitch the facts when it comes to activating or enrolling MFA. Still, these are the valid statistics and elevator pitches about single passwords and compromised accounts:

99.9% of compromised accounts had no MFA (Microsoft / RSAC)
50 accounts per 10,000 users will be breached (Microsoft)
Your Pa$$word doesn't matter. Run an internal phishing simulation and watch people enter their passwords. It's a fact. What is the point of knowing it again if it is already known?
"Any fool can know, the point is to understand." – Albert Einstein

>99.9% of compromised accounts did not have MFA enabled – Microsoft / RSAC statistic slide

Basic MFA is included in all Office 365 and Microsoft 365 licenses. That does not mean Conditional Access or other related features are included; those require the appropriate Azure AD Premium license.

Passwordless authentication – To give people a great advantage

Enabling passwordless authentication activates sign-in without a password. Isn't that great? Enabling it in Azure AD is easy.

Go to Azure Active Directory → Security → Authentication methods → Authentication method policy (Preview) → Enable.

Passwordless authentication is a feature that lets us rethink our current MFA solution if it is not running in the cloud or comes from a third party. As you can see, the integration goes deeper and deeper here.

Azure AD → Authentication methods → Passwordless configuration (FIDO2 security key, Microsoft Authenticator passwordless, text message)

The MFA Experience – It isn't bad at all

The mobile experience shows three numbers in the app; you pick the one displayed on the sign-in screen (number matching) to validate the sign-in. Your choice needs to match, and you don't need to enter the password.

Microsoft Authenticator MFA experience – approve sign-in with number matching, passwordless enabled, one-time password code on mobile

Combined MFA and password reset registration – To make the onboarding smooth

Microsoft has announced that the combined security information registration is now generally available (GA). This new experience makes it easy for users to register for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) in a simple step-by-step process.
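Combined registration only helps once people actually complete it, and the SSPR and risk policies described earlier depend on it. As an added example, not part of the original post, this Microsoft Graph PowerShell pulls the user registration details report and answers the questions you need before enforcing anything: how many users have MFA and SSPR registered, who has no MFA method at all (a risk policy would lock them out), and who is registered with phone-based methods only. It assumes the Microsoft.Graph module and a role that can read the authentication methods report; the CSV path is a placeholder.

```powershell
# Added example, not the original post's code. Assumes Microsoft.Graph module and
# read access to the authentication methods usage report.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All"

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Overall coverage figures for the rollout dashboard.
[PSCustomObject]@{
    Total                    = $details.Count
    MfaRegistered            = ($details | Where-Object IsMfaRegistered).Count
    SsprRegistered           = ($details | Where-Object IsSsprRegistered).Count
    PasswordlessCapable      = ($details | Where-Object IsPasswordlessCapable).Count
    SsprEnabledNotRegistered = ($details | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered }).Count
} | Format-List

# No MFA method at all: these users cannot satisfy an MFA or password-change control,
# so a risk policy would block them. Admins first, they are the most urgent.
$details | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, UserType, IsAdmin |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation   # placeholder path

# Registered, but only with phone-based methods (SMS/voice): the weakest methods,
# and the next group to move to Authenticator or a FIDO2 key.
$phoneMethods = @("mobilePhone","officePhone","alternateMobilePhone")
$phoneOnly = $details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods })
}
"Phone-only MFA users: {0}" -f @($phoneOnly).Count
$phoneOnly | Select-Object UserPrincipalName, MethodsRegistered -First 20 | Format-Table -AutoSize
```

Run this before and after each wave of the adoption campaign described below; the difference between the two "not registered" lists is the real measure of whether the change management is working.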

Adoption and change management – To make everyone happy and included

It's all about experience! You are in control.