Avoid MFA fatigue attacks in Microsoft 365

A MFA fatigue attack is where an attacker will constantly attempt to login as the user causing an MFA request to appear on the users device. If this request is simply to deny or approve, and with enough requests, the user eventually approves to make theses requests go away. Such an attack recently provided very successful at Uber. You can read more about that incident here:

https://www.uber.com/newsroom/security-update

With MFA in Microsoft 365 and the Microsoft Authenticator app you can avoid this by enabling number matching for push notifications. Here’s how to do it:

image

Navigate to the Azure portal as an administrator and then to Azure Active Directory. Here, select Security from the menu on the left as shown above.

image

Here, select Authentication methods as shown above on the left.

image

Now select Microsoft Authenticator on the right.

image

Select Configure at the top of the page and ensure all the options listed are Enabled for all users. You may want to exclude any break-glass accounts though.

image

Back on the Basic tab, as shown above, ensure you have Enable set to Yes and you target all the desired users with Passwordless.

IMG_1151

Now, when users are prompted for MFA they will see the above on their devices and need to type the number that is on the screen into their device to approve the login. They will also see the geographic location the request came from and application requesting as shown above.

If you want to check yoru environment for MFA fatigue attacks you can use this KQL query in Sentinel:

https://github.com/reprise99/Sentinel-Queries/blob/main/Azure%20Active%20Directory/Identity-PotentialMFASpam.kql

Online security is something that requires constant adjustment as the bad actors adapt to the protection methods put in place. Number matching in Microsoft 365 is quick and easy to set up using the Microsoft Authenticator and the recommended approach you should take to avoid MFA fatigue attacks.

Techwerks 17

bw-car-vehicle

I am happy to announce that Techwerks 17 will be held in Melbourne CBD on Thursday September 29th 2022

The course is limited to 20 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or by sending me an email (director@ciaops.com) expressing your interest.

The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into the Microsoft Cloud including Microsoft 365, Azure, Intune, Defender for Endpoint, security such as Azure Sentinel and PowerShell configuration and scripts, with a focus on enabling the technology in SMB businesses.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend in Melbourne is:

Gold Enterprise Patron = Free

Gold Patron = $33 inc GST

Silver Patron = $99 inc GST

Bronze Patron = $176 inc GST

Non Patron = $399 inc GST

I hope to see you there.

Go get Defender EASM

As the MS documentation says:

Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure.

Basically you plug in your resources like:

  • Domains

  • Hostnames

  • Web Pages

  • IP Blocks

  • IP Addresses

  • ASNs

  • SSL Certificates

  • WHOIS Contacts

Defender EASM will then use these as a ‘seed’ to search through public information and report back.

Screenshot of Overview Dashboard

You’ll then discover not only if you have any vulnerabilities in things like routers, web sites, etc but you’ll also probably find a whole swag of information that you didn’t know was out there.

In short, Defender EASM, acts as kind of a scheduled ‘penetration test’ for your environment, which I think is super handy

image

As you can see above, it ain’t very expensive either! To me that makes it a no-brainer. In my environment I have 40 odd discovered assets making the cost 64 cents a day and just over $19 per month! Peanuts for what it provides. Best of all, you also get a a free 30 day trial to see what it is all about.

Like Microsoft Sentinel back in the day, it is still early days for this service and I expect it to improve rapidly so now is the time to jump on board and start using it to get a feel for what it is all about. I certain have, and I encourage you to do the same.

Microsoft has documentation here:

Defender EASM Overview

if you want to read more.

Join my Teams Shared Channel

Microsoft now has the capability to create a Shared Channel. I have created a Shared Channel in my own tenant that I am freely making available to anyone who wants an invite to see what Shared Channels are all about.

If you are keen on participating then you’ll need to take some actions in your own tenant first to allow the connection.

As an administrator open the Azure portal.

image

In the top search box inside the Azure portal search for Azure Active Directory. Then select the service matching that when it appears as shown above.

image

From the menu that appears on the left select External Identities.

image

On the screen that appears, select Cross-tenant settings from the menu on the left. Then select Organizational settings on the right as shown above.

image

Now select Add organization either from the menu at the top or the button at the bottom as shown.

image

From the dialog that appears from the right enter either the domain ciaops365.com or the tenant id 5243d63d-7632-4d07-a77e-de0fea1b77a4. You see the name as CIAOPS after this is completed successfully. When it does appear as shown above, select the Add button.

image

A CIAOPS entry should now appear as shown above.

image

Select the hyperlinked text under the Outbound access heading which will say Inherit from default.

image

Select B2B direct connect from the menu across the top. Then select Customize settings. Finally, select Allow access as shown above.

image

Select the External applications tab. Then Allow access. Finally, select Save at the bottom of teh screen.’

If you take a moment to read the top of the screen before you press Save you’ll see:

Outbound access settings determine how your users and groups can interact with apps and resources in external organizations. The default settings apply to all your cross-tenant scenarios unless you configure organizational settings to override them for a specific organization. Default settings can be modified but not deleted.Learn more

B2B direct connect lets your users and groups access apps and resources that are hosted by an external organization. To establish a connection, an admin from the external organization must also enable B2B direct connect. When you enable outbound access to an external organization, limited data about your users is shared with the external organization, so that they can perform actions such as searching for your users. More data about your users may be shared with an organization if they consent to that organization’s privacy policies.Learn more

In short, you have allowed your tenant to access my shared Teams channel from just my tenant (ciaops365.com).

image

When you do press Save you see the above message. Press Yes to continue and accept.

That is all the configuration you need to do inside your tenant. What you then need to do is send me an email (director@ciaops.com) letting me know you’d like to be added to my shared channel. When I receive this I will add you.

image

After I’ve added you the shared channel should appear in your Teams environment as shown above without the need to switch tenants.

Once you are in my shared channel encourage you to participate and get involved with the content that is there. More details are inside my shared channel. To get things started post a message about why you are in the shared channel and say hello to everyone else.

Feel free to let others know about this offer as I’d like to make my shared channel a free resource for people to come and share information about the Microsoft Cloud.

Power Automate Azure Key Vault access inconsistencies

I’m in the process of building a Flow that connects to a Dataverse database inside a Microsoft Team. When you create this you get the ability to create Cloud Flows (aka Power Automate).

image

However, there is an issue when you try and use something like Azure Key Vault actions here.

image

In the above, you can see that I’m in my default Power Automate environment and the Get secret action of Azure Key Vault is accessible as expected and shows all the items I have inside the vault.

image

However, if I swap to another environment that was created as part of a Team (here an environment called Automation), you’ll see that I can add the Azure Key Vault action Get Secret but I no longer see the items inside that vault as I did before! I am using the same user in both cases.

It has clearly something to do with the connection,

image

which shows up as invalid as you can see above.

image

If I try and add a new connection, I see the above dialog but can’t make any changes or enter any information. Looks like I might need to investigate the Connect with a service principal option perhaps?

However, for now, there seems to be a limit when you use the Azure Key vault actions inside anything that is not the default environment for the Power Platform in your tenant. I will assume this is because these environments are limited to Microsoft Teams and have innate restrictions that I’ll need to find information on. If you know what this is, I’d love to hear from you.

Enabling security defaults will enforce MFA on external users

A really good questions that I came across was whether enabling security defaults on a tenant will enforce MFA for external guest users.

Here is the documentation for security defaults:

Security defaults in Azure AD

and when enabled one of the things it will do is:

Require all users to register for Azure AD Multi Factor

which says:

All users in your tenant must register for multi-factor authentication (MFA) in the form of the Azure AD Multi-Factor Authentication. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app. After the 14 days have passed, the user can’t sign in until registration is completed. A user’s 14-day period begins after their first successful interactive sign-in after enabling security defaults.

The question is does “all users” include external guest users who have been invite into a tenant for collaboration on Microsoft Teams say? This is important because Microsoft is starting to enforce security defaults on all tenants.

Interestingly, none of the documentation seems to call out specifically whether “all users” does in fact include external guest users. After some digging I came across this post:

All users should be changed to all “member” users · Issue #78194 · MicrosoftDocs/azure-docs (github.com)

which has a response from someone at Microsoft and it says:

“Follow up from the product group… Security defaults should apply to guest users as well.”

So it looks as though it does indeed appear that security defaults applies to external guest users but I wanted to be sure.

image

I took a generic Gmail account I use and invited that user into a demo tenant that didn’t have security defaults enabled.

image

That user went through the expected process of connecting to the tenant.

image

using the email code verification process.

image

until they could access the tenant.

image

I also verified that they appeared in the Azure AD for that tenant.

image

So everything as expected so far.

image

Next, I invited that same user to a Microsoft Team inside that tenant.

image

and they could access that Team using the normal email code authentication process. I tried this a few times to ensure they could access the Team without needing anything but the usual email code. So far, so good still.

image

I then went in an enabled security defaults for the tenant.

image

After a few minutes wait to let the policies kick in I tried to login as the external guest user again to Microsoft Teams directly, and after providing a login and getting an email code I was prompted to enable MFA for the user as seen above.

image

Selecting Next will take you through the standard MFA registration process as you see above.

It is therefore the case that if you enable security defaults for a tenant, all users, INCLUDING any external guest users, will be REQUIRED to enable MFA to access resources inside that tenant.

Why this is important is because Microsoft will be enabling security defaults on ALL tenants as detailed here:

Raising the Baseline Security of all organizations in the World

which says:

“Based on usage patterns, we’ll start with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.

Global admins of eligible tenants will be notified through email and the Microsoft 365 Message Center. Then, starting in late June [2022], they’ll receive [a] following prompt during sign-in”

Being it is now June 2022, this process has commenced. You can disable security defaults if you wish, even after they have been enabled, if desired per the details in the above link.

Given that I couldn’t find a specific answer about global external users being impact by security defaults, hopefully this now provides a reference for other looking for the same information.

Get your Azure invoice emailed to you

image

If you need a copy of the Azure invoice emailed to you then you can configure that inside your Azure portal be navigating firstly to the Cost Management + Billing.

image

Then select Invoices from the menu on the left.

image

Finally, select Invoice email preferences from the menu on the right then enter the desired email address on the right in the dialog that appears. Remember to save your changes and from now on that email address will receive a copy of your Azure invoice monthly.

Set up PAYG for Power Platform

The Power Platform now has the ability to be Pay As You Go (PAYG) for licensing. This is a great option to get access to many advanced capabilities on demand. When you configure this option the billing is done via Azure rather than Microsoft 365. This means, prior to setting up PAYG for the power Platform, you’ll need to have an Azure subscription in place. As I have highlighted before:

Deploy Office 365 and Azure together

Once you have the Azure subscription in place, inside the same tenant where you want to enable PAYG for the Power Platform, you’ll need to have or create an Azure Resource group that will be associated with the PAYG option. You need to create this ahead of time. The following will show you how to create one if you need to:

Manage Azure resource groups by using the Azure portal

image

You’ll then need to visit the Power Platform admin center which is at:

https://admin.powerplatform.microsoft.com/

then select Billing policies. From the top menu now select New billing policy as shown above.

image

Give the policy a name, the name needs to be at least 10 alphanumeric characters. Select Next to continue.

image

Now select the Azure subscription you want the billing ties to. Then select the Resource Group that you want to use, the must already be in your Azure subscription as aI noted earlier. Finally select the region and press Next to continue.

image

Now add any environment to the subscription and press Next to continue.

image

Here select Create Billing Policy.

image

The policy should now be created and displayed as shown above.

You create additional billing policies if you wish by simply repeating the above process. Doing so would allow you to tie that policy to a different Azure subscription and/or Resource Group for billing and management if needed.

For more details on the Power Platform PAYG option see:

Set up pay-as-you-go