As attackers are finding new ways to get around multifactor authentication in Microsoft 365, conditional access is becoming more important. Conditional access refers to a set of policies in M365 that control under what conditions a user can authenticate.
One common example of a conditional access policy is one that blocks access to M365 from devices that are not on the corporate network. Another might restrict access from devices that have not received recent patches. Yet another could limit access from any Android device. Conditional access policies are designed to give organizations the flexibility to tailor access to their specific needs. But when implemented incorrectly, conditional access creates a false sense of security and can represent a ticking time bomb.
We often encounter institutions that have gaps in their M365 conditional access policies. Attackers have automated tools that discover these gaps and combine them with tools that circumvent multifactor authentication to gain access to an employee's email account. Because of this, we urge institutions to audit their conditional access rules to ensure that gaps are closed.
One of the most useful tools to audit conditional access rules is the Microsoft Azure AD Conditional Access “What-if” tool. This tool, located at the top of the Policies screen in the Microsoft Azure Conditional Access portal, allows administrators to test whether a user meeting specific conditions will be able to connect to M365. Conditions they can define in the what-if scenario include:
- Apps being accessed.
- IP address of the user.
- Country/Region of the user.
- Type of device being used to access (Windows, Android, macOS, etc.).
- Client application on the device being used to access (browser, M365 app).
- State of device (whether device is domain-joined, etc.).
Once a what-if scenario is run, the tool will tell the administrator what policies would and would not have applied to the scenario, as well as what action would have been taken by M365 in that scenario. This allows the administrator to identify any gaps and to tune conditional access policies to fill the gaps.
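To make concrete what the what-if tool does with a scenario, here is an added example (not the post's or Microsoft's code): a simplified Python model of policy matching run over a constructed tenant, in which an Android platform carve-out and a report-only policy leave an Android browser session with no applicable policy. The policy set, network ranges and control names are constructed for illustration, and the matching logic is a simplification of the real evaluation engine.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed, simplified model of matching Conditional Access policies against a
# what-if scenario. Not Microsoft's engine; only the conditions the post names.
@dataclass
class Scenario:
    app: str; ip: str; country: str
    platform: str      # "windows", "android", "macOS", ...
    client_app: str    # "browser", "mobileAppsAndDesktopClients", "other"
    compliant: bool    # device state (compliant or hybrid-joined)

@dataclass
class Policy:
    name: str
    grant: set                           # {"mfa"}, {"block"} or {"compliantDevice"}
    state: str = "enabled"               # enabled / disabled / reportOnly
    apps: set = field(default_factory=lambda: {"All"})
    platforms: set = None                # None: platform condition not configured
    exclude_platforms: set = field(default_factory=set)
    trusted_nets: set = field(default_factory=set)   # excluded (trusted) locations
    countries: set = None                # None: location condition not configured
    client_apps: set = None              # None: all client app types

    def applies(self, s):
        if self.state != "enabled": return False          # disabled/report-only never enforce
        if "All" not in self.apps and s.app not in self.apps: return False
        if self.platforms is not None and s.platform not in self.platforms: return False
        if s.platform in self.exclude_platforms: return False
        if any(ip_address(s.ip) in ip_network(n) for n in self.trusted_nets): return False
        if self.countries is not None and s.country not in self.countries: return False
        if self.client_apps is not None and s.client_app not in self.client_apps: return False
        return True

def what_if(policies, s):
    """Return (names of policies that applied, resulting action) for one scenario."""
    applied = [p for p in policies if p.applies(s)]
    names = [p.name for p in applied]
    controls = set().union(*(p.grant for p in applied))
    if not applied: return names, "ALLOW: no policy applied"
    if "block" in controls or ("compliantDevice" in controls and not s.compliant): return names, "BLOCK"
    return names, "ALLOW after: " + ", ".join(sorted(controls))

# Constructed tenant: MFA everywhere but the office network with Android carved out, a legacy-auth block, and a compliant-device rule still in report-only mode.
POLICIES = [
    Policy("Require MFA", {"mfa"}, trusted_nets={"203.0.113.0/24"}, exclude_platforms={"android"}),
    Policy("Block legacy auth", {"block"}, client_apps={"exchangeActiveSync", "other"}),
    Policy("Compliant device for SharePoint", {"compliantDevice"}, apps={"SharePoint"}, state="reportOnly"),
]
if __name__ == "__main__":
    print(what_if(POLICIES, Scenario("Exchange", "198.51.100.7", "US", "android", "browser", False)))
```

A result of "no policy applied" from an untrusted network is exactly the kind of gap the what-if tool surfaces; here the Android carve-out lets an unmanaged phone reach Exchange without MFA while the same request from Windows would be challenged.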
If you want to chat about conditional access policies or any other cybersecurity topic, we are here to help! Please contact us at support@bedelsecurity.com.