1.4 Ensure modern authentication for SharePoint applications is required

Information

Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers

Rationale:

Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.

Impact:

Implementation of modern authentication for SharePoint will require users to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To set SharePoint settings, use the Microsoft 365 Admin Center:

Under Admin centers select SharePoint.

Expand the Policies section then select Access control.

Select Apps that don't use modern authentication

Select the radio button for Block access.

Click Save.

To set Apps that don't use modern authentication is set to Block, use the SharePoint Online PowerShell Module:

Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com replacing tenant with your value.

Run the following Sharepoint Online PowerShell command:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: microsoft_azure

Control ID: a2ac999d915e85cb5efabb70c6e21c2baf89bb34bbe23407df78aefb1f1f497c