Proposed Conditional Access baseline

Crayon's proposal

Baseline CA policies:

  • [All] – Block ActiveSync and legacy authentication (report-only)
  • [All] – Grant – Mac – require MFA
  • [All] – Grant – Windows – require MFA
  • [All] – Grant – Mobile – require MFA
  • [Guests] – Require MFA (report-only)
  • [Admins] – Grant – require MFA daily and block persistent browser cookies
  • [Service accounts] – Block – require a trusted location
  • [All] – Session – sign-in frequency 30 days (re-prompt for MFA)

Additional proposal

Azure AD Conditional Access Policy Design Baseline with Automatic Deployment Support – Daniel Chronlund Cloud Tech Blog

  • BLOCK – Legacy Authentication
    This global policy blocks all connections from insecure legacy protocols like ActiveSync, IMAP, POP3, etc. Legacy authentication cannot complete MFA, so blocking it, together with requiring MFA, is one of the most important security improvements you can make in the cloud.
  • BLOCK – Unsupported Device Platforms
    Block unsupported platforms like Windows Phone, Linux, and other OS variants. Note: device platform detection is a best-effort security signal based on the user agent string and can be spoofed. Always combine this with additional signals like MFA and/or device authentication.
  • BLOCK – High-Risk Sign-Ins
    This global policy blocks all high-risk authentications detected by Azure AD Identity Protection. This is called risk-based Conditional Access. Note that this policy requires Azure AD Premium P2 for all targeted users.
  • BLOCK – High-Risk Users
    Same as above but looks at the user risk level instead of the sign-in risk level. For example, many medium risk sign-ins can result in a high-risk user.
  • BLOCK – Countries not Allowed
    This global policy blocks all connections from countries not in the allowed-countries list. You should only allow countries where you expect your users to sign in from. This is not a real security control, since attackers will easily bypass it with a proxy service; however, it effectively blocks a lot of the automated noise in the cloud.
  • BLOCK – Service Accounts (Trusted Locations Excluded)
    Block service accounts (real Azure AD user accounts used by services) from untrusted IP addresses. Service accounts can only connect from allowed IP addresses, but without an MFA requirement. Only use service accounts as a last resort!
  • BLOCK – Workload Identities (Trusted Locations Excluded)
    Basically the same as the policy above but for workload identities, meaning service principals/app registrations in Azure AD. This policy makes sure they are used from trusted IP addresses only.
  • BLOCK – Explicitly Blocked Cloud Apps
    This policy can be used to explicitly block certain cloud apps across the organisation. This is handy if you want to permanently block certain apps, or temporarily block unwanted apps, for example when there is a known critical security flaw.
  • BLOCK – Guest Access (Allowed Apps Excluded)
    Block guests from using all apps, except excluded ones (default policy allows Office 365, My Apps, and Azure Information Protection only).
  • GRANT – Terms of Use
    This global policy forces Terms of Use, like an acceptable use policy or NDA, on all users. Users must read and agree to this policy the first time they sign in before they’re granted access.
  • GRANT – MFA for All Users
    Protects all user authentications with MFA. This policy applies to both internal users and guest users, on managed devices and unmanaged devices. Intune enrolment is excluded since MFA is not supported during enrolment of fully managed devices. You can change this if you have another solution for MFA registration.
  • GRANT – Mobile Apps and Desktop Clients
    Requires mobile apps and desktop clients to be Intune compliant or Hybrid Azure AD Joined. BYOD is blocked and must use a browser instead.
  • GRANT – Mobile Device Access Requirements
    Requires an approved Microsoft app on iOS and Android. This blocks third-party app store apps. It also requires apps to be protected by Intune App Protection Policies (MAM).
  • SESSION – Block Unmanaged File Downloads
    Browsers on unmanaged devices can’t download files and attachments from SharePoint Online, OneDrive for Business, and Exchange Online. They can work with files in the Office web apps.
  • SESSION – Admin Persistence
    This policy disables browser token persistence for all accounts with admin roles assigned. It also sets the sign-in frequency to 9 hours. This is to protect against token-stealing attacks (including Primary Refresh Token theft) by keeping such tokens few and short-lived. Always use separate cloud-only accounts for admin role assignments.
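As an added example (not Crayon's code, nor the deployment tooling that accompanies Daniel Chronlund's blog post), the following PowerShell deploys four of the policies above with the Microsoft Graph PowerShell SDK: legacy authentication block in report-only mode as in Crayon's proposal, MFA for all users, the service-account location block, and the admin session policy. The group display names CA-BreakGlass and CA-ServiceAccounts and the Microsoft Intune Enrollment application ID are assumptions to adjust to your own tenant; the Global Administrator role template ID is the well-known built-in one.

```powershell
# Added example (not Crayon's or Daniel Chronlund's code): deploy four baseline
# Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Modules needed: Microsoft.Graph.Authentication, Microsoft.Graph.Groups,
#                 Microsoft.Graph.Identity.SignIns
# Assumed: groups 'CA-BreakGlass' and 'CA-ServiceAccounts' exist in the tenant.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

function Get-GroupIdByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $group = Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id
    if (-not $group) { throw "Group '$DisplayName' not found; create it before deploying" }
    return $group.Id
}

# Every policy excludes the break-glass group so a mistake cannot lock out all admins.
$breakGlass       = Get-GroupIdByName 'CA-BreakGlass'       # assumed group name
$serviceAccounts  = Get-GroupIdByName 'CA-ServiceAccounts'  # assumed group name
$globalAdminRole  = '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator role template ID
$intuneEnrollment = 'd4ebce55-015a-49b5-a083-c84d1797ae8c'  # Microsoft Intune Enrollment app; verify in your tenant

$policies = @(
    # 1. Legacy protocols cannot do MFA, so block them. Report-only first (as in Crayon's
    #    proposal); switch state to 'enabled' once the sign-in log shows no legitimate hits.
    @{
        displayName   = 'BLOCK - Legacy Authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    # 2. MFA for everyone on modern clients. Service accounts are excluded because they
    #    cannot complete MFA and are covered by the location block below instead.
    @{
        displayName   = 'GRANT - MFA for All Users'
        state         = 'enabled'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass, $serviceAccounts) }
            applications   = @{ includeApplications = @('All'); excludeApplications = @($intuneEnrollment) }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    # 3. Service accounts: allowed only from trusted named locations, no MFA.
    @{
        displayName   = 'BLOCK - Service Accounts (Trusted Locations Excluded)'
        state         = 'enabled'
        conditions    = @{
            users        = @{ includeGroups = @($serviceAccounts); excludeGroups = @($breakGlass) }
            applications = @{ includeApplications = @('All') }
            locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    # 4. Admin sessions: no persistent browser cookies, re-authenticate every 9 hours.
    #    persistentBrowser requires the policy to target all cloud apps, which it does.
    @{
        displayName     = 'SESSION - Admin Persistence'
        state           = 'enabled'
        conditions      = @{
            users        = @{ includeRoles = @($globalAdminRole); excludeGroups = @($breakGlass) }
            applications = @{ includeApplications = @('All') }
        }
        sessionControls = @{
            persistentBrowser = @{ isEnabled = $true; mode = 'never' }
            signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 9 }
        }
    }
)

foreach ($policy in $policies) {
    # Idempotent: skip policies that already exist so re-running the script is safe.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Skipping '$($policy.displayName)': already exists ($($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' [$($created.State)] id=$($created.Id)"
}
```

Run it with an account that is itself a member of the break-glass group, and keep the break-glass accounts excluded from every policy, including the admin session policy. Start each new block policy in report-only mode, review the report-only results in the Azure AD sign-in logs for a couple of weeks, and only then change the state to enabled. Extend includeRoles in the session policy with the other privileged role template IDs you actually assign; the example targets Global Administrator only.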
Published 11 March 2022 11:25 - Last modified 11 March 2022 11:25