Your Conditional Access Is Stuck in 2018

image

You get a phone call from a client one Sunday morning in February. One of their bookkeepers had clicked an invoice link the previous Friday afternoon, signed in like normal, and gone home for the weekend. By Monday, the attacker had set up an inbox rule, watched a fortnight of email traffic, and sent a payment-redirect note to a supplier — from the bookkeeper’s actual mailbox. Eighty thousand dollars walked out the door before anyone noticed the wire details had quietly changed.

The tenant had MFA enforced. It had a Conditional Access policy. It had cyber insurance, renewed in January on the strength of those two things. None of that mattered.

The attack moved. The configuration didn’t.

Adversary-in-the-middle phishing kits don’t try to beat the MFA prompt anymore. They wait for the user to complete it, then steal the session token and replay it from somewhere else. Microsoft’s threat intel team disclosed an April campaign that hit thirty-five thousand users across thirteen thousand organisations in twenty-six countries — a single month, a single operator. Every one of those users had MFA. None of them had session controls tuned to actually defend the session.

This is the bit MSPs need to sit with. Conditional Access in Entra was never built as an MFA tickbox. It is the session control surface — the place where you decide what a signed-in user can do, from where, on what device, for how long. The grant and session controls in that same blade — the ones most SMB tenants have never opened — are what break this attack. We have spent five years building a defence for 2018 and leaving it deployed in 2026.

Four switches, all in the same blade

There are four controls inside Conditional Access that meaningfully change the outcome of a token theft, and most Business Premium tenants pay for all of them and use none.

  • Sign-In Frequency, set deliberately rather than left at its sliding ninety-day default, collapses the lifetime of a stolen token. Most tenants I look at have it set backwards — managed users get prompted constantly while unmanaged sessions ride for weeks.
  • Require-compliant-device on Exchange Online forces the attacker’s browser session to fail at the grant, not the prompt.
  • Phishing-resistant authentication strength — passkeys, FIDO2, Windows Hello — closes off the credential path to begin with.
  • Token Protection, even in report-only on Windows native apps, gives you the telemetry to spot a session being replayed from a country your user has never visited.

None of this is theoretical. Microsoft auto-rolled Conditional Access into more than half a million tenants in late 2023 specifically because tenants were not configuring it themselves. That auto-rollout sets the floor. The four controls above sit above the floor, and they are the ones that change the renewal conversation with your insurer.
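As an added example that is not from the original post, this Microsoft Graph PowerShell script creates the compliant-device and sign-in-frequency controls from the list above as a single report-only policy scoped to Exchange Online; the break-glass group ID is a placeholder, and the well-known Exchange Online application ID is assumed from Microsoft's documentation rather than taken from this post.

```powershell
# Added example, not code from the original post. Creates a REPORT-ONLY Conditional Access
# policy: compliant device required for Exchange Online, deliberate sign-in frequency, no
# persistent browser session. Assumes the Microsoft.Graph module is installed and the signed-in
# admin can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome

$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # well-known Office 365 Exchange Online app ID (assumed from docs)
$breakGlassGroupId   = "<object-id-of-emergency-access-group>"    # placeholder: always exclude break-glass accounts

$policy = @{
    displayName = "CA-ReportOnly-EXO-CompliantDevice-SIF"
    state       = "enabledForReportingButNotEnforced"   # report-only: read the sign-in logs before enforcing
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($exchangeOnlineAppId)
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # a replayed browser session from an unmanaged device fails here
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 12                      # bounded token lifetime instead of the sliding 90-day default
        }
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"                 # do not keep the browser signed in across sessions
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only until the sign-in log shows which users would be blocked, then switch state to "enabled".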

The unit economics finally work

The honest reason most MSPs haven’t retuned their CA baseline is that per-tenant identity work used to be uneconomic. That changed. With GDAP and Microsoft Lighthouse, an MSP can review CA policy, push report-only changes, and watch sign-in telemetry across every client tenant from one pane. Pair that with a Loop page or a Teams channel for your security pod and the review cadence stops being a heroics exercise.

The bookkeeper followed her training to the letter. What let her down was a tenant configured for the threat landscape we had four years ago. When the next breach lands in one of your tenants, it will not be the MFA prompt that failed. It will be the session controls nobody touched. That is where the work is now.

Create an EntraID app to allow user enablement

After a recent incident, I decided that it would be a good idea to have an EntraID app that I could use to re-enable users inside a tenant if I needed to. This allows me to log in to EntraID without depending on a user account, because I would be logging in with this app directly.

image

The first step in that process is to navigate to EntraID as an administrator in the Azure portal and select App registrations from the menu on the left and then New registration on the right as shown above.

image

Simply give the app a name and select Register as shown above.

image

You will then be taken to the new app's overview page as shown above. Take a moment to record the:

– Application (client) ID

– Object ID

– Directory (tenant) ID

image

Next, select Certificates & secrets from the menu on the left as shown above.

image

Select New client secret on the right as shown above.

image

Give the secret a name and select the duration for that secret from the list available as shown.

image

Take a moment to copy this secret as this is the only time that it will be available. If you don’t take a copy here you’ll need to generate a new secret.

image

From the menu on the left select API permissions as shown above. Then select Add a permission on the right.

image

Select the option for the Microsoft Graph as shown.

image

Select Application permissions.

Add the following permissions:

– User.ManageIdentities.All

– User.EnableDisableAccount.All

– User.ReadWrite.All

– Directory.ReadWrite.All

image

Select Grant admin consent.

image

Select Yes in the dialog that appears.

image

You should now see all the permissions have been consented to as shown above.

The EntraID app has now been created and is ready for use. It will be used to log in with PowerShell and then enable any disabled user.
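As an added example that is not from the original post, this script signs in as the app registration created above using its client secret (no user account involved) and re-enables one user; the tenant ID, client ID and user principal name are placeholders you replace with the values recorded earlier.

```powershell
# Added example, not code from the original post. App-only sign-in with the client secret
# created above, then re-enable a disabled user. Assumes the Microsoft.Graph PowerShell module.
$tenantId   = "<directory-(tenant)-id>"        # placeholder: recorded from the app overview page
$clientId   = "<application-(client)-id>"      # placeholder: recorded from the app overview page
$targetUser = "user@contoso.com"               # placeholder: UPN of the user to re-enable

# Prompt for the secret at run time rather than storing it in the script
$clientSecret = Read-Host -Prompt "Client secret" -AsSecureString
$credential   = New-Object System.Management.Automation.PSCredential($clientId, $clientSecret)

Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $credential -NoWelcome

$before = Get-MgUser -UserId $targetUser -Property Id, UserPrincipalName, AccountEnabled
if ($before.AccountEnabled) {
    Write-Host "$($before.UserPrincipalName) is already enabled; nothing to do."
} else {
    Update-MgUser -UserId $before.Id -AccountEnabled:$true
    $after = Get-MgUser -UserId $before.Id -Property AccountEnabled
    Write-Host "$($before.UserPrincipalName) enabled: $($after.AccountEnabled)"
}

Disconnect-MgGraph
```

Of the four permissions consented above, setting accountEnabled needs only User.EnableDisableAccount.All (plus User.Read.All for the lookup), so an app used solely for this task can drop Directory.ReadWrite.All.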


Disable Linkedin integrations in Microsoft 365

The first place to disable Linkedin integration in Microsoft 365 is inside the Azure portal.

image

Navigate to Microsoft Entra ID, then select Users as shown above.

image

Select User settings on the left and set the Linkedin account connections to No.

Remember to Save your settings before exiting this page.

image

Now navigate to the Exchange Online administration portal. Expand the Roles option on the left and then select Outlook Web App policies.

Typically, there will only be one OWA policy as shown above. If there are more, then you will need to repeat this process with each.

Select the policy name, here OwaMailboxPolicy-Default.

image

From the window that appears on the right select Manage features as shown above.

image

Ensure Linkedin contact sync is unselected as shown above.

Save your settings before you exit.

Need to Know podcast–Episode 319

Lots of AI and security news since the last episode. We are also on the cusp of Microsoft Build, so we expect even more shortly. Although I'm a tad under the weather (apologies for sounding a bit nasal), I felt I needed to get this episode out before the deluge of information we expect shortly from Build. I think the OpenAI announcements, along with those from Google, are the most worthy of attention here, but I'm sure there should be something to interest everyone. Listen on and enjoy!

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-319-ai-gets-a-voice/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

CIAOPS Brief

CIAOPSLabs

Support CIAOPS

Introducing GPT-4o

Project Astra: our Vision of the Future of AI assistance

Security above all else—expanding Microsoft’s Secure Future Initiative

RSA news: What’s new in Defender XDR?

Respond to trending threats and adopt zero-trust with Exposure Management

Public preview: Expanding passkey support in Microsoft Entra ID

Microsoft introduces passkeys for consumer accounts

Public preview: External authentication methods in Microsoft Entra ID

Teams enhancements to the Presenter window while screensharing

Email Protection Basics in Microsoft 365 Part Five: Mastering Overrides

Protect your data and recover from insider data sabotage

SharePoint Roadmap Pitstop: April 2024

What’s New in Microsoft Teams | April 2024

What’s new in Microsoft Intune: April 2024

What’s New in Copilot | April 2024

Unveiling the Newest OneDrive Capabilities

Summary of podcast episode straight from Copilot for Microsoft 365:

Key Topics:
  • GPT-4 announcement and demo: Robert highlighted the impressive features and capabilities of the new AI model from OpenAI and how it might integrate with Microsoft products. 2:23

  • Google Project Astra and augmented reality: Robert shared his interest in the Google demo of AI vision and voice and how it could revive the Google Glass concept. 6:47

  • Microsoft Build and security initiatives: Robert anticipated some major announcements from Microsoft around AI and security at the Build conference and mentioned the Secure Future initiative to address recent breaches. 8:03

  • Passkeys and passwordless authentication: Robert encouraged the listeners to try out the new passkeys feature for Microsoft 365 and consumer accounts to enhance their security and convenience. 12:18

  • Teams enhancements and features: Robert reviewed some of the new and improved functionalities in Teams, such as presenter window, voice isolation, multiple accounts, and guest sharing with Loop. 15:28

  • Copilot updates and improvements: Robert showcased some of the ways that Copilot can help with creating summaries, FAQs, notebooks, and templates across different Microsoft 365 apps. 21:47

  • OneDrive for Business capabilities: Robert summarized some of the new and enhanced features in OneDrive for Business, such as media view, offline mode, coloured folders, and export sync reports. 24:40

Time to enable more logging

Having logs enabled is a good thing because it allows you to track down information after the fact. This is especially handy when you are performing a security investigation. Here is some additional logging that I recommend you enable.

image

Start by navigating to:

https://entra.microsoft.com

You'll need to log in with an administrative account that has the necessary rights. Expand the menu on the left of the screen until you see Monitoring & health, as shown above.

image

Under this option you will find the menu item Diagnostic settings as shown above, which you select. This will display your diagnostic settings on the right. Here you can see that I am currently sending logs to a Log Analytics workspace, which is linked to Microsoft Sentinel for analysis. If you aren’t already sending your logs to a Log Analytics workspace you can set one up via the Add diagnostic setting hyperlink. I will assume here you already have something set up.

image

Select the Edit settings hyperlink under the Edit settings column on the right, as shown above.

image

Scroll down the categories of logs listed and ensure they are all selected so the logging data will be sent to Microsoft Sentinel via the Log Analytics workspace.

If you have already enabled this logging I suggest you go back in and check that all categories are selected as Microsoft has now added some additional items:

– EnrichedOffice365Auditlogs

– MicrosoftGraphActivityLogs

– RemoteNetworkHealthLogs

which I had to enable.

When you have completed your category selections press the Save button in the menu bar at the top of the window to update your preferences.

This now means that you’ll have even more data in your Sentinel environment to help keep you secure.

Joined devices not appearing in Intune

image

If you have correctly joined your devices to EntraID and you have an Intune license, then these devices should appear in the Intune Management console, as shown above.

image

If they don't, then go into the Azure Portal and select EntraID. Select Mobility (MDM and WIP) as shown above. Then select Microsoft Intune.

image

Ensure that both settings are set to All. If they have been set to None, then this will be the issue as EntraID is not handing off device management to Intune.

Once you have set both of these settings to All as shown, ensure you save these settings before exiting the page.

Any device that is now joined to the tenant should appear in Intune, however existing devices that were added prior to this update being made won’t automatically enrol in Intune. They will need to be unjoined and re-joined to EntraID or re-enrolled via a script.