Securing your resources in the cloud should be paramount but it also doesn’t have to cost the earth or anything at all. In this post, we explore some options for securing your cloud resources for free.
Azure Active Directory Conditional Access is a feature that you get with Azure Active Directory Premium so you can manage who, where, when, and how users can sign-in to access your cloud-based services such as Office 365 and Microsoft Azure. Although it’s great and we’d recommend everyone look at it, for some, the cost it too much. In this post, we’ll explore what you can do when it comes to securing your cloud resources for free.
What do you get for free?
So let’s first start out by looking at what you get for free.
Starting in 2018, Microsoft said enough was enough. To tackle security issues with the cloud head-on, Microsoft started offering a free, baseline policy, to all Azure and Office 365 customers. Over time, this has grown into the four baseline policies that we have available today.
If you want to go direct to the Microsoft source, you can read about baseline policies at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection.
So when it comes to securing your cloud resources for free, we can use these baseline policies to provide some basic, catch-all protections to our Microsoft Azure and Office 365 workloads. Today, there are four policies available for you to enable.
- Require MFA for admins
- End user protection
- Block legacy authentication
- Require MFA for Service Management
All for one and one for all
Something that needs to be understood early on with the baseline policies is that it it’s all for one and one for all, just like in Robin Hood. With paid-for Azure AD Conditional Access, you can create custom policies that apply to groups of users or conditions based on the cloud app or sign-in conditions of the user.
With the baseline policies, all policies apply to everyone in your Azure AD tenant and you don’t have any say in it [except for one]. What this means is that yes, these policies will help you in securing your cloud resources for free but they can also interrupt service when enabled if you aren’t careful.
Say we enable the Block legacy authentication policy to disable IMAP, POP3, and SMTP access but you have devices that are using SMTP to send email into Office 365, this will stop these from working.
The workaround for this is to not use the baseline policies but to instead, purchase Azure AD Premium to give you access to Azure AD Conditional Access and create custom policies with exclusions and specific targeting.
Creating a break-glass emergency account
We highly recommend that if you plan to use the baseline policies or any Azure AD Conditional Access policies that you create a break-glass account.
This account should be created as a Global administrator to give it permissions to access everything. Give the account a very strong password and store it securely somewhere.
The goal for this account is not to use it day-to-day but only in emergencies. If anything causes you to lose access to Azure, Office 365, or other cloud services, you can use this account without Conditional Access, multi-factor authentication, or anything else preventing you from gaining access.
We call this the break-glass account because it’s like a fire alarm where you have to break the glass to press it. We can offer a service whereby we set-up monitoring alerts to notify you when this account is used so that you can track when this highly sensitive account is accessed.
Baseline policies in detail
Let’s take a quick tour of what each of these four baseline policies does and can offer you to help with securing your cloud resources for free.
Require MFA for admins
Hopefully this policy is quite self-explanatory in what it does but the scope can be unclear. When a user is a member of one of the admin roles in Azure AD, the policy will affect them. Whenever this user attempts to sign-in to a service backed by Azure AD such as to the Azure Portal or to any of the Office 365 services, they will be required to provide multi-factor authentication (MFA).
End user protection
Arguably the most mis-understood of the policies on offer but also one of the most powerful, the end user protection policy applies to everyone in your Azure AD tenant.
This policy will require all users to enroll for the MFA service within 14 days of being enabled. Once enrolled, the user will be required to provide MFA verification for their sign-in activity when it is deemed to be suspicious: a risky sign-in as Azure AD calls it.
You can find out more about what Microsoft deem to be a risky sign-in by reading both https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-baseline-protection and https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#choosing-acceptable-risk-levels .
Block legacy authentication
The Block legacy authentication policy is another extremely powerful but potentially damaging policy. Microsoft refer to legacy authentication as protocols which do not support Conditional Access features such as multi-factor authentication. Legacy authentication protocols are IMAP and POP3 which were commonly used by older email clients; and SMTP which is commonly used by systems that need to generate and send emails such as multi-function printers or corporate line or business systems.
Disabling these protocols is a good idea because there have been recent attempts observed by attackers to use IMAP and POP3 to gain access to people’s email.
Require MFA for Service Management
The last of the baseline policies is Require MFA for Service Management. This policy is really geared towards admins although it doesn’t only apply to admins.
What is enabled with this policy is that when a user tries to access Microsoft Azure through either the Azure Portal on the web or Azure using the PowerShell modules or the Azure CLI command line.
The reason that this policy is designed to apply to admins but doesn’t always apply to admins is that it’s obviously possible to assign permissions to access to Azure resources to non-admin users.
Enabling the baseline policies
Enabling the baseline policies to start securing your cloud resources for free is pretty easy and straightforwards. Using an account that as an admin, head to the URL https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies to access Azure AD Conditional Access.
Once you are there, you should see the four baseline policies listed. Simply select the policy that you want to enable and then select the option to turn it on. If you created a break-glass account, make sure that you specify it on the Require MFA for admins policy.
Extending Baseline Policies with Conditional Access
If you are already licensed for Azure AD Premium and want to use the full power of Azure AD Conditional Access or if you are interested in Azure AD Conditional Access please, let us know and get in touch. We can help you with ensuring that your cloud security policies are in order and providing you with the best possible protection.