1.1.6 Enable Conditional Access policies to block legacy authentication

Information

Use Conditional Access to block legacy authentication protocols in Office 365.

Rationale:

Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.

Impact:

Enabling this setting will prevent users from connecting with older versions of Office or ActiveSync, or with protocols such as IMAP, POP or SMTP. It may require upgrading older versions of Office and moving to mobile mail clients that support modern authentication.

Solution

To set up a Conditional Access policy that blocks legacy authentication, use the following steps:

Log in to https://admin.microsoft.com as a Global Administrator.

Go to Admin centers and click on Azure Active Directory.

Select Azure Active Directory then Security.

Select Conditional Access.

Create a new policy by selecting New policy.

Set the following conditions within the policy.

Select Conditions, then Client apps, and enable the settings for Exchange ActiveSync clients and Other clients.

Under Access controls, set the Grant section to Block access.

Under Assignments, enable All users.

Under Assignments and Users and groups, set Exclude to at least one low-risk account or directory role. This is required as a best practice so that an administrator is not locked out.
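The same policy can be created as code with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the benchmark; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller may write Conditional Access policies, and that the placeholder object ID is replaced with your own excluded account or role.

```powershell
# Added example (not benchmark code): create the "block legacy authentication"
# Conditional Access policy via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Identity.SignIns module installed; caller can write
# Conditional Access policies; placeholder ID below replaced before use.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policyName  = 'Block legacy authentication'
# PLACEHOLDER: object ID of the excluded low-risk (emergency access) account.
$excludedIds = @('00000000-0000-0000-0000-000000000000')

# Do not create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }
if ($existing) {
    Write-Output "Policy '$policyName' already exists (state: $($existing.State))."
    return
}

$body = @{
    displayName = $policyName
    # Report-only first: sign-in logs then show which sign-ins would be blocked.
    # Change to 'enabled' once the impact has been reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Conditions -> Client apps: Exchange ActiveSync clients and Other clients
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        # Assignments: All users, minus the excluded account(s)
        users          = @{
            includeUsers = @('All')
            excludeUsers = $excludedIds
        }
    }
    # Access controls -> Grant -> Block access
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Output "Created '$($policy.DisplayName)' (ID $($policy.Id), state $($policy.State))."
```

Review the report-only results in the Microsoft Entra sign-in logs before switching the state to enabled.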

Default Value:

Legacy authentication is enabled by default.

Additional Information:

NOTE: For more granularity, the following audit/remediation procedure can be used.

AUDIT

To verify basic authentication is disabled, use the Exchange Online PowerShell Module:

Run the Microsoft Exchange Online PowerShell Module.

Connect using Connect-ExchangeOnline.

Run the following PowerShell command:

Get-OrganizationConfig | Select-Object -ExpandProperty DefaultAuthenticationPolicy | ForEach-Object { Get-AuthenticationPolicy $_ | Select-Object AllowBasicAuth* }

Verify that each of the basic authentication types is set to False. If no results are shown or an error is displayed, no default authentication policy has been defined for your organization.

Verify Exchange Online users are configured to use the appropriate authentication policy (in this case Block Basic Auth) by running the following PowerShell command:

Get-User -ResultSize Unlimited | Select-Object UserPrincipalName, AuthenticationPolicy

REMEDIATION

To disable basic authentication, use the Exchange Online PowerShell Module:

Run the Microsoft Exchange Online PowerShell Module.

Connect using Connect-ExchangeOnline.

Run the following PowerShell command:

*Note: If a policy already exists and a command fails, you may run Remove-AuthenticationPolicy first to ensure policy creation and application occur as expected.

# Read the identity of the current default policy (empty if none has been set).
$DefaultPolicyId = (Get-OrganizationConfig).DefaultAuthenticationPolicy
If (-not $DefaultPolicyId) {
    # No default policy yet: create one and make it the organization default.
    $AuthenticationPolicy = New-AuthenticationPolicy 'Block Basic Auth'
    Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity
} Else {
    # A default policy already exists: reuse it instead of creating a duplicate.
    $AuthenticationPolicy = Get-AuthenticationPolicy -Identity $DefaultPolicyId
}

# Disable every basic authentication protocol on the policy.
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false

# Assign the policy to every user and invalidate existing refresh tokens so the change applies immediately.
Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|9.2

Plugin: microsoft_azure

Control ID: 04593cbc08e5a0155ea5e5a29d6f0b53c296bcd7452962021fa35456fa77efea