Proposed Conditional Access baseline
Crayon's proposal
Baseline CA policies:
- [All] - Block ActiveSync and legacy authentication (Report Only)
- [All] - Grant - Mac - require MFA
- [All] - Grant - Windows - require MFA
- [All] - Grant - Mobile - require MFA
- [Guests] - Require MFA (Report Only)
- [Admins] - Grant - require MFA daily and block persistent cookies
- [Service Accounts] - Block - require trusted location
- [All] - Session - sign-in frequency 30 days (re-authenticate with MFA every 30 days)
- BLOCK – Legacy Authentication
This global policy blocks all connections that use insecure legacy authentication protocols such as Exchange ActiveSync, IMAP, POP3 and SMTP AUTH. These protocols cannot be challenged for MFA, which is why they are the preferred path for password spray and credential stuffing attacks. Blocking legacy authentication, together with MFA, is one of the most important security improvements you can make in the cloud. Roll it out in Report Only first and review the sign-in log for affected accounts before enforcing it.
- BLOCK – Unsupported Device Platforms
Block unsupported platforms like Windows Phone, Linux, and other OS variants. Note: Device platform detection is a best effort security signal based on the user agent string and can be spoofed. Always combine this with additional signals like MFA and/or device authentication.
- BLOCK – High-Risk Sign-Ins
This global policy blocks all high-risk authentications detected by Azure AD Identity Protection. This is called risk-based Conditional Access. Note that this policy requires Azure AD Premium P2 for all targeted users.
- BLOCK – High-Risk Users
Same as above, but evaluates the user risk level (Identity Protection's aggregate assessment of the account) instead of the risk of the individual sign-in. For example, many medium-risk sign-ins can raise a user to high risk.
- BLOCK – Countries not Allowed
This global policy blocks all connections from countries not on the allowed-countries list (a named location in Conditional Access, matched on IP geolocation). Only allow countries where you expect your users to sign in from. This is not a real security control, since an attacker bypasses it trivially with a proxy or VPN exit in an allowed country; it does, however, filter out a lot of the automated noise in the cloud.
- BLOCK – Service Accounts (Trusted Locations Excluded)
Blocks service accounts (real Azure AD user accounts used by services) from untrusted IP addresses. Service accounts can then only connect from the allowed IP addresses, but without an MFA requirement, so the trusted-location list is the only control protecting them. Only use service accounts as a last resort; prefer managed identities or service principals where the workload supports them.
- BLOCK – Workload Identities (Trusted Locations Excluded)
Basically the same as the policy above, but for workload identities, meaning service principals/app registrations in Azure AD. This policy makes sure they can only be used from trusted IP addresses. Note that Conditional Access for workload identities is licensed separately (Workload Identities Premium) and is not covered by Azure AD Premium P1/P2.
- BLOCK – Explicitly Blocked Cloud Apps
This policy can be used to explicitly block certain cloud apps across the organisation. This is handy if you want to permanently block certain apps, or temporarily block unwanted apps, for example when there is a known critical security flaw.
- BLOCK – Guest Access (Allowed Apps Excluded)
Blocks guests from using all apps except the excluded ones (the default policy allows only Office 365, My Apps and Azure Information Protection).
- GRANT – MFA for All Users
Protects all user authentications with MFA. This policy applies to internal users and guest users alike, on managed and unmanaged devices. The Intune enrolment app is excluded because MFA is not supported during enrolment of fully managed devices; change this if you have another solution for MFA registration. Exclude your emergency-access (break-glass) accounts from this and every other policy in the baseline, so that an MFA outage or a misconfigured policy cannot lock all administrators out of the tenant.
- GRANT – Mobile Apps and Desktop Clients
Requires mobile apps and desktop clients (the "Mobile apps and desktop clients" client app type) to run on a device that is Intune compliant or Hybrid Azure AD Joined. BYOD devices are therefore blocked from rich clients and must use a browser instead.
- GRANT – Mobile Device Access Requirements
Requires an approved client app on iOS and Android, which blocks apps from third-party app stores. It also requires the apps to be protected by Intune App Protection Policies (MAM).
- SESSION – Block Unmanaged File Downloads
Browsers on unmanaged devices can't download files and attachments from SharePoint Online, OneDrive for Business and Exchange Online (enforced through the "Use app enforced restrictions" session control). Users can still work with the files in the Office web apps.
- SESSION – Admin Persistence
This policy disables persistent browser sessions (token persistence) for all accounts with admin roles assigned and sets the sign-in frequency to 9 hours. The goal is to limit the damage from token theft, including Primary Refresh Token stealing, by keeping such tokens few and short-lived. Always use separate cloud-only accounts for admin role assignments.
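The policies above are described in prose only. As an added example, not code from the page or from Crayon, the script below creates three of them with the Microsoft Graph PowerShell SDK: the legacy authentication block, MFA for all users and the admin session policy. The group name CA-Exclude-BreakGlass, the service principal display name "Microsoft Intune Enrollment" and the set of admin roles are assumptions for the example and must be adjusted to the tenant. All three policies are deliberately created in Report Only so they can be validated against the sign-in log before enforcement.

```powershell
# Added example (not part of the original page): create three baseline CA
# policies with the Microsoft Graph PowerShell SDK.
# Assumptions (hypothetical, adjust for your tenant):
#   - group "CA-Exclude-BreakGlass" contains the emergency-access accounts
#   - the enrolment app's service principal is named "Microsoft Intune Enrollment"
#   - the admin roles listed in $adminRoleNames are the ones you want covered
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "Application.Read.All", "RoleManagement.Read.Directory"

# Every policy starts in Report Only; switch to "enabled" after reviewing the
# "Report-only" results in the sign-in log for each policy.
$reportOnly = "enabledForReportingButNotEnforced"

# Refuse to run without a break-glass exclusion: a block or MFA policy that
# catches the emergency accounts can lock every admin out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found; refusing to create policies." }

# Resolve directory role template IDs by name instead of hardcoding GUIDs.
$adminRoleNames = @("Global Administrator", "Security Administrator",
                    "Conditional Access Administrator", "Exchange Administrator")
$adminRoleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id)
if ($adminRoleIds.Count -ne $adminRoleNames.Count) { throw "Could not resolve all admin role templates." }

# The MFA policy excludes the Intune enrolment app, as the baseline describes.
$excludedApps = @()
$intuneEnrollment = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
if ($intuneEnrollment) { $excludedApps += $intuneEnrollment.AppId }
else { Write-Warning "Intune Enrollment service principal not found; MFA policy created without the exclusion." }

$policies = @(
  @{
    displayName = "BLOCK - Legacy Authentication"
    state       = $reportOnly
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
      applications   = @{ includeApplications = @("All") }
      # "other" covers IMAP, POP3, SMTP AUTH and older Office clients
      clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{
    displayName = "GRANT - MFA for All Users"
    state       = $reportOnly
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
      applications   = @{ includeApplications = @("All"); excludeApplications = $excludedApps }
      clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{
    displayName = "SESSION - Admin Persistence"
    state       = $reportOnly
    conditions  = @{
      users          = @{ includeRoles = $adminRoleIds; excludeGroups = @($breakGlass.Id) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("all")
    }
    # No grant control: this policy only shortens and de-persists admin sessions.
    sessionControls = @{
      signInFrequency   = @{ isEnabled = $true; value = 9; type = "hours" }
      persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
  }
)

# Idempotent: skip any policy whose display name already exists.
$existing = @(Get-MgIdentityConditionalAccessPolicy -All | Select-Object -ExpandProperty DisplayName)
foreach ($p in $policies) {
    if ($existing -contains $p.displayName) {
        Write-Host "Skipping $($p.displayName): already exists"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"
}
```

Run this from an account holding the Conditional Access Administrator role (or Global Administrator) that is itself a member of the break-glass exclusion group, so the person enabling the policies cannot be locked out by them. After the policies have collected Report Only results for a week or so, check the sign-in log for accounts that would have been blocked or challenged, fix those (typically legacy mail clients and undocumented service accounts), and only then change state from Report Only to enabled.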
Published 11 March 2022 11:25 - Last modified 11 March 2022 11:25