
New baseline rules in the Azure AD

Frameworks and processes are important for good governance, and with it a good set of rules in your IT landscape. They let the platform be used within a more secure framework. Microsoft is now adding three new baseline policies to the preview:

The following baseline policies have been added:

  • Baseline policy: End user protection (Preview)
  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

Documentation: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/baseline-protection

Baseline policy: Require MFA for admins

This policy was originally the first and only baseline policy in Azure AD. Its preview phase ended a few days ago, and I also have this policy in use for my tenants. Some additional administrator roles have been added to this policy, extending its scope.

It is important that these administrators always have to use MFA, i.e. verify themselves with a second factor (e.g. SMS) on their company smartphone. This gives these accounts additional protection. What is interesting about this policy is that the administrators themselves cannot simply bypass this rule, unless they add themselves to the exceptions of this policy in Azure AD. But they need the rights for that, and the change is tracked in the audit log. You could also set up a notification on this event.

Baseline policy: End user protection (Preview)

This new policy protects users by requiring multi-factor authentication (MFA) for risky sign-in attempts to all applications. Users whose credentials are flagged as “lost” or “leaked” are blocked from signing in until they reset their password.

Once the policy is activated, users must register for MFA within 14 days of their first login attempt. The default method for MFA registration is the Microsoft Authenticator App.

This policy targets the end user, i.e. the classic user account.

Baseline policy: Block legacy authentication (Preview)

This policy blocks all sign-ins that use legacy authentication protocols which do not support multi-factor authentication (such as IMAP, POP and SMTP). The policy does not block Exchange ActiveSync.

Examples:

  • Office 2013 (without registry key)
  • Office 2010
  • Thunderbird Client
  • Legacy Skype for Business
  • Android native mail client
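Before enabling this policy it is worth checking who still signs in over the legacy protocols it blocks. The following script is an added example (not from this post or from Microsoft): it classifies exported Azure AD sign-in log records by their clientAppUsed value, assuming the export keeps that field name and its standard values, and uses a constructed sample instead of real tenant data.

```python
import json
from collections import Counter

# Protocol clients the "Block legacy authentication" baseline blocks versus the
# one it explicitly leaves alone. The clientAppUsed values follow the Azure AD
# sign-in log schema (assumption: your export uses the same field and values).
LEGACY_BLOCKED = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}
LEGACY_ALLOWED = {"Exchange ActiveSync"}  # not blocked by the baseline policy

# Constructed sample of sign-in log records, not real tenant data.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Other clients"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
])


def classify(record):
    """Return 'blocked', 'allowed_legacy' or 'modern' for one sign-in record."""
    client = record.get("clientAppUsed", "")
    if client in LEGACY_BLOCKED:
        return "blocked"
    if client in LEGACY_ALLOWED:
        return "allowed_legacy"
    return "modern"


def legacy_auth_report(raw_json):
    """Summarise which users still sign in with legacy protocols.

    'will_be_blocked' lists users the baseline would lock out (move them to
    modern clients first); 'still_allowed' lists users relying on Exchange
    ActiveSync, which this policy does not cover and needs a separate decision.
    """
    will_be_blocked, still_allowed, counts = {}, {}, Counter()
    for rec in json.loads(raw_json):
        verdict = classify(rec)
        counts[verdict] += 1
        user = rec.get("userPrincipalName", "<unknown>")
        if verdict == "blocked":
            will_be_blocked.setdefault(user, set()).add(rec["clientAppUsed"])
        elif verdict == "allowed_legacy":
            still_allowed.setdefault(user, set()).add(rec["clientAppUsed"])
    return {"counts": dict(counts), "will_be_blocked": will_be_blocked, "still_allowed": still_allowed}


if __name__ == "__main__":
    report = legacy_auth_report(SAMPLE_SIGNINS)
    for user, clients in report["will_be_blocked"].items():
        print(f"{user}: would be blocked ({', '.join(sorted(clients))})")
    for user, clients in report["still_allowed"].items():
        print(f"{user}: legacy, but not blocked by this policy ({', '.join(sorted(clients))})")
```

Run it against a real export by replacing SAMPLE_SIGNINS with the file contents; the Azure Portal or Microsoft Graph sign-in export keeps the same clientAppUsed field.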

Baseline policy: Require MFA for Service Management (Preview)

This policy requires users who sign in to services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA).

Services that require MFA include:

  • Azure Portal
  • Azure Command Line Interface (CLI)
  • Azure PowerShell Module