Updated: Aug 20, 2021
This is the second blog in a series about actions your organization can take to improve the security of your Microsoft365 tenant. You can find the first introductory blog here.
The previous blog described the "Security Defaults" in Azure Active Directory (AAD) as a means to quickly implement MFA across your entire organization. The ease of implementation however comes at a price: it's a "one-size-fits-all" strategy. So, this strategy may suit your organization's requirements and capabilities only if your organization and (external) users have a simple and modern IT infrastructure and you are happy with using the free tier of Azure Active Directory.
In most situations a 'Compound MFA strategy' will be your right choice.
A compound MFA strategy
A 'Compound MFA strategy' will require a careful analysis of your user accounts and how your users work with the M365 Enterprise or Business environment. Azure AD's strong Conditional Access feature plays a central role in this strategy. But you will need to take additional steps and answer the following questions in order to implement a robust authentication strategy:
How to deal with your unlicensed user accounts?
What user accounts should always be excluded from MFA?
In what situations is MFA required from the (un)licensed users?
Step 1 - Create a User Overview
This overview can be created by a user export from either the M365 Admin or from the Azure AD. The export and subsequent import in Excel includes information about:
users being blocked - that is they cannot log in using their credentials.
user principal names - among other things, this allows you to quickly identify external users
assigned licenses - this allows you to identify users to whom Conditional Access policies will not be applied
display name - among other things, this will help you to identify administrative and service accounts
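The export described in Step 1 can also be produced with PowerShell. The script below is an added example, not part of the original post, and uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) rather than the admin-center export. It assumes the signed-in account can read users (User.Read.All) and writes to a placeholder file path; the "Unlicensed" and "IsExternal" columns are derived here to support the analysis in the later steps.

```powershell
# Added example: build the Step 1 user overview with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed; output path is a placeholder.
Connect-MgGraph -Scopes "User.Read.All"

$users = Get-MgUser -All -Property DisplayName,UserPrincipalName,AccountEnabled,UserType,AssignedLicenses

$overview = foreach ($u in $users) {
    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        # AccountEnabled = $false means the account is blocked from signing in
        SignInBlocked     = -not $u.AccountEnabled
        # External (guest) users carry UserType 'Guest' and '#EXT#' in the UPN
        IsExternal        = ($u.UserType -eq 'Guest') -or ($u.UserPrincipalName -like '*#EXT#*')
        LicenseCount      = @($u.AssignedLicenses).Count
        # Accounts without any license fall outside Conditional Access (see Step 5)
        Unlicensed        = (@($u.AssignedLicenses).Count -eq 0)
    }
}

# CSV for further analysis in Excel, plus a quick summary on the console
$overview | Export-Csv -Path .\m365-user-overview.csv -NoTypeInformation -Encoding UTF8
$overview | Group-Object Unlicensed, IsExternal | Select-Object Name, Count
```

The summary line immediately shows how many accounts are unlicensed and/or external, which is the population Step 5 is concerned with.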
Step 2 - Block specific user accounts
In order to use certain M365 features - like Shared Mailboxes and Equipment - you need to create user accounts. These features / resources are used by other users, so the user account that is linked to the Shared Mailbox or Equipment resource should never be used to log into M365. It's my experience that Microsoft's best practice - to 'block' these accounts - is often not (consistently) applied.
There are several ways to block an account from signing in, this blog by Practical365 gives a nice overview.
Furthermore it's also a good practice to regularly evaluate the accounts of external users and contractors and check if these users still need access to your M365 environment. Block them if access is no longer needed. It's not always necessary to delete these accounts, as at some time in the future some of these accounts may need access again. You can manually block accounts, but if your organization has a large and/or dynamic community of External Users, you can also use Azure AD's Entitlement Management. You will need some Azure AD Premium P2 licenses (or licenses that include AAD Premium P2 like M365 E5 or E5 Security) though.
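Checking that the accounts behind Shared and Equipment mailboxes are actually blocked can be automated. The following is an added example, not from the original post or the Practical365 article it links to; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds Exchange and user-administration rights. Room mailboxes are included as well, since they are created the same way. The `-WhatIf` is left in deliberately so the first run only reports.

```powershell
# Added example: report on, and block sign-in for, the accounts that back resource mailboxes.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Shared, Equipment and Room mailboxes each have an Azure AD user object behind them
$resourceMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox,EquipmentMailbox,RoomMailbox

$report = foreach ($mbx in $resourceMailboxes) {
    # ExternalDirectoryObjectId is the Azure AD object id of the backing user account
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property Id,UserPrincipalName,AccountEnabled

    if ($user.AccountEnabled) {
        # Sign-in is still allowed: block it. Remove -WhatIf after reviewing the dry run.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false -WhatIf
        $action = 'ToBeBlocked'
    }
    else {
        $action = 'AlreadyBlocked'
    }

    [pscustomobject]@{
        Mailbox           = $mbx.PrimarySmtpAddress
        Type              = $mbx.RecipientTypeDetails
        UserPrincipalName = $user.UserPrincipalName
        Action            = $action
    }
}

$report | Format-Table -AutoSize
```

Running this on a schedule and reviewing the "ToBeBlocked" rows catches newly created resource mailboxes whose accounts were left enabled.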
Step 3 - Exclude specific user accounts from MFA
MFA is the best single barrier against unauthorized access. Most probably however, you may not want to apply it to all accounts. Some accounts you want to 'always' exclude from MFA, like:
Service Accounts that are not linked to a person but are users between applications.
Break Glass accounts that you need to fall back on in case your MFA solution breaks down.
Make 100% sure that these are excluded from the Conditional Access Policies that govern access for the other users. Otherwise you're in for some nasty surprises.
As these accounts will seldom be used by a person, it's a good practice that these accounts have passwords that far exceed the length and complexity required from regular user accounts.
Step 4 - Determine your Conditional Access Policy for applying MFA
Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. As Microsoft says "Conditional Access is at the heart of the new identity driven control plane".
In short, a Conditional Access Policy is nothing more than an 'if-then-else' statement that governs access to one or more of your M365 or other IT resources.
The use of MFA in Conditional Access Policies is a common and well documented practice. Examples are:
There are many factors to consider when implementing a Conditional Access Policy. It's a good practice not to include too many conditions in a single Policy. Know that if you've got multiple Conditional Access Policies, a login attempt is subjected to all Policies, and that a 'block' condition overrides the 'let pass' conditions. I therefore advise getting implementation advice from an experienced business partner. Infotechtion can be of help.
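To make the 'if-then' shape of a policy concrete, here is an added example (not from the original post or from Microsoft's documentation) that creates one MFA policy through the Microsoft Graph PowerShell SDK: if any user signs in to any cloud app, then MFA is required, except for members of one exclusion group that holds the break-glass and service accounts from Step 3. The group name is a placeholder, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: a single Conditional Access policy requiring MFA, created in report-only mode.
# Assumes the Microsoft.Graph module; the exclusion group name is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Group.Read.All"

# The exclusion group must exist first: it holds break-glass and service accounts (Step 3)
$excludeGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclusions-BreakGlass'"
if (-not $excludeGroup) {
    throw "Exclusion group not found. Create it and add the break-glass accounts before creating the policy."
}

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"
    # Report-only: decisions are logged but not enforced. Change to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($excludeGroup.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Keeping the exclusion in a group rather than as individual user ids makes it auditable: membership of that group is the complete list of accounts that bypass MFA, which is exactly what Step 3 asks you to be 100% sure about.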
The basis for your analysis will be the earlier created export of the users from your Microsoft 365 environment.
Step 5 - How to deal with non- and insufficiently-licensed users?
Be aware that only certain licenses - like M365 Business Premium, M365 E3 or higher, EMS E3 or higher, and Azure AD Plan 1 or higher - come with support for Conditional Access.
In the previous step you have determined your Conditional Access Policy or Policies for MFA. These will be applied to the selected user(groups), PROVIDED THESE USERS ARE ENTITLED. If a user has not been (sufficiently) licensed, their logon attempt will not be governed by a Conditional Access policy.
You should not be surprised if these insufficiently licensed users make up 25% or more of your user base. These insufficiently licensed accounts often include:
external user accounts
This licensing issue is regularly overlooked by organizations, and one of the security gaps I most often encounter.
This entitlement gap can however be easily plugged by buying and assigning licenses that do entitle the accounts to be part of the Conditional Access policy.
As this can become quite an unforeseen and recurring investment, there is a cheaper alternative: assign the free Azure AD functionality that comes with your Azure AD environment to the user(s).
In the M365 User Admin and in Azure AD Admin Center you can manually assign the free MFA functionality to these insufficiently licensed users. Again the 'free' comes at a price: it's applied on every log-on attempt and it only supports the Authenticator app. That's probably not such a big issue for these types of accounts. If you need more MFA functionality however, you've got to make the comparison and trade-off with a paid license.
By default you need to manually apply 'free MFA' per account. If you've got a large and fluctuating (external) user base, it's better to rely on PowerShell scripts to regularly get:
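As an added example (not from the original post), the script below enables the free per-user MFA for every account that holds no license and is therefore outside Conditional Access. It uses the legacy MSOnline module, which is where the per-user MFA setting is exposed, and assumes an administrator role that may change authentication settings. The exclusion list is a placeholder: the break-glass and service accounts from Step 3 must be kept out of this loop as well.

```powershell
# Added example: enable per-user ('free') MFA for unlicensed, enabled accounts via MSOnline.
# Placeholder: accounts that must never get MFA (Step 3 exclusions)
$exclusions = @('breakglass@contoso.example', 'svc-integration@contoso.example')

Connect-MsolService

# The per-user MFA requirement object: 'Enabled' prompts the user to register at next sign-in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = "*"
$requirement.State        = "Enabled"

# Candidates: unlicensed, not blocked, not excluded, and without any per-user MFA state yet
$candidates = Get-MsolUser -All | Where-Object {
    -not $_.IsLicensed -and
    -not $_.BlockCredential -and
    ($exclusions -notcontains $_.UserPrincipalName) -and
    ($_.StrongAuthenticationRequirements.Count -eq 0)
}

foreach ($u in $candidates) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
    Write-Output "Per-user MFA enabled for $($u.UserPrincipalName)"
}

Write-Output "Processed $($candidates.Count) unlicensed account(s)."
```

Because the filter only picks up accounts without an existing MFA state, the script is safe to run repeatedly, which is what a fluctuating external user base requires.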
For organizations that cannot use Microsoft Azure AD's 'Security Defaults', a Compound MFA Strategy provides an excellent way to ensure internal and external users are authenticated before they get access to your valuable information assets.
Conditional Access is at the heart of this strategy, but it requires a certain level of licensing. Make sure you have sufficient and the right licenses.
If you do not want to manually fill the gaps (intentionally) left by Conditional Access, PowerShell scripts and / or additional licenses may help you out.
It's a good practice to involve experienced consultants to help you implement a watertight Compound MFA Strategy.