Climbing the Auth Ladder in Azure AD: Rung 1

This blog post is part 2 in a series. You can find part 1 HERE.

There really are a lot of features within Azure Active Directory that are there to secure your authentication. It makes sense that Microsoft would invest heavily in security, but I think a lot of IT professionals do not take the time to think about authentication deeply enough. I know I have been guilty of that.

This “Climbing the Auth Ladder” series of blog posts I am doing is my attempt to rectify that, at least for myself.

Rung 1 on the Azure AD auth ladder is Multi-Factor Authentication, so that is where this blog post is going to focus.

Rung 1: Multi-factor Authentication

Sticking with the silly ladder analogy, MFA is the first rung. The more I get into this series, the more I like that analogy. Rung 1 is where the ladder starts, and in my somewhat-less-than-humble-opinion, the minimum you must achieve to even be on the ladder.

There are a lot of different resources I could use to make the point, but I am going with the following session from the 2020 RSA conference.

Speakers: Lee Walker, Principal Architect, Microsoft; Alexander Weinert, Director of Identity Security, Microsoft Corporation. Session: "You must break free of password vulns but ..."

Here are some of the claims Microsoft makes in that session.

  • In January 2020 Microsoft found 1,200,000 compromised accounts in their cloud

  • 99.9% of those accounts did not have MFA turned on

  • Only 11% of enterprise users had EVER had an MFA claim as of January 2020

I would like you to take a minute and read those bullet points a couple of times. Please just sit with those numbers for a minute, I mean it.

How does your stomach feel at this point? Mine is queasy, and I know every account in my Azure AD tenant has MFA turned on.

Here are some more bullet points from that session.

  • 40% of the accounts compromised in January 2020 were compromised by password spray attacks

  • Statistically, 1 in 100 password spray attempts will succeed using just the 15 most common passwords

  • 99.7% of password spray attempts use legacy auth protocols

  • Another 40% of compromised accounts were found by replay attacks

  • 97% of replay attacks focus on legacy protocols

  • SMTP is the most frequently breached legacy auth protocol

Scared yet?

Here is a link to a super easy-to-use SMTP-based password cracking tool. You should probably assume it has been used against your tenant. Go ahead and give it a go against your tenant (or mine, I guess).

Is that enough to convince you to turn on MFA and turn off legacy auth in your tenant? I will say it one more time: any account that can authenticate into your Azure AD tenant without MFA is a potentially easy open door for compromise of your whole organization.

Modern Auth

I should take a brief aside to talk about modern auth vs. legacy auth.

Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies you may already be familiar with.

In the world of Azure, when we talk about legacy auth we are talking about protocols that are not capable of using MFA. Protocols that cannot use MFA are a potentially easy way into your Azure AD tenant, even if you have MFA turned on for all accounts.

Why don’t organizations enforce MFA?

This is a question I ask myself often. My job as a consultant is to tell my customers how to best use the technology they already have. If you have an Azure AD tenant, you have MFA available for all accounts. There is no add-on licensing for MFA. It is there, it is available, and you can turn it on for every single account in your tenant right now. I would place a shockingly high wager that most of the organizations represented by the people who read this post do not have MFA enforced for more than a small percentage of the accounts in their tenant. The reason for this is simple: almost every organization has at least one application the business relies on that will break if MFA is universally enforced.

Saying that again, if you enforce MFA across your organization right now you will almost certainly cause a business impacting outage. And as we all know…

Business >> Security

I do not want that statement to be true, and it looks kind of terrible to write it out that way, but it is a fact of life. If you try to implement even the most reasonable security policies within your organization those policies will not last if they impact the business.

How do I enforce MFA and keep my job?

That’s the question, isn’t it? It would be easy for me to type out a bunch of scary statistics about account breaches then say, “Best practices require MFA for all authentication into your organization”. The hard part is providing useful guidance for how to get there from here.

Here is my advice –

  1. Make sure management understands the threat – You cannot properly secure authentication based on username/password alone.

  2. Plan – Get approval on a plan to implement MFA.

  3. Be ready to adjust the plan – Every plan must be flexible enough to change. Understand that your original plan and timeline probably will not survive a full push to rollout.

  4. Keep pushing – When you hit problems with your MFA rollout, adjust your plan and keep pushing.

It will not be that easy in practice. It will take a lot of work, and you’ll probably break multiple applications within your organization’s environment. I recommend making management aware of this before you start your MFA implementation, and of course collect as much data as you can about how critical applications authenticate within your organization.
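The data-collection step above (which applications and accounts still authenticate over legacy, non-MFA-capable protocols) can be answered from the Azure AD sign-in logs. The script below is an added example, not code from the original post: it runs over a few constructed records shaped like Microsoft Graph `signIn` objects (`clientAppUsed`, `authenticationRequirement`, `status.errorCode`), and the set of legacy client names is my assumption of what the logs report, so confirm it against the values in your own tenant.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph `signIn` objects.
# Values are made up for this example; export your tenant's real sign-in
# logs (Graph /auditLogs/signIns or the portal CSV) to get actual data.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # failed sign-in: bad credentials (spray-like noise)
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
])

# clientAppUsed values for protocols that cannot satisfy MFA.
# Assumption: mirrors Microsoft's legacy-client list; verify against your logs.
LEGACY_CLIENTS = {"Authenticated SMTP", "SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
                  "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
                  "Autodiscover", "Other clients", "Exchange Online PowerShell",
                  "Reporting Web Services"}

def _succeeded(rec):
    return rec.get("status", {}).get("errorCode", 1) == 0

def legacy_auth_report(signins_json):
    """Return {user: {client: {"success": n, "failure": n}}} for legacy-protocol sign-ins.
    Successful rows are the apps/accounts that will break when legacy auth is blocked;
    failed rows show who is being sprayed over those protocols."""
    report = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in json.loads(signins_json):
        client = rec.get("clientAppUsed", "")
        if client in LEGACY_CLIENTS:
            outcome = "success" if _succeeded(rec) else "failure"
            report[rec["userPrincipalName"]][client][outcome] += 1
    return {user: dict(clients) for user, clients in report.items()}

def users_without_mfa(signins_json):
    """Users with a successful sign-in but no successful MFA sign-in in the sample."""
    seen, mfa = set(), set()
    for rec in filter(_succeeded, json.loads(signins_json)):
        seen.add(rec["userPrincipalName"])
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            mfa.add(rec["userPrincipalName"])
    return sorted(seen - mfa)
```

Run both functions over a real export and you have the exception list for step 3 of the recommendations below and the break list for disabling legacy auth.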

Is all MFA created equal in Azure AD?

Keeping the discussion to Azure AD MFA, the answer is no.

Azure AD can use 4 different factors for authentication.

  • Authenticator app

  • OATH Hardware token

  • SMS

  • Voice call

The most secure factor on that list is an Authenticator app. All the Microsoft documentation refers to the “Microsoft Authenticator app”, but other authenticator apps also work. The second most secure option is an OATH Hardware token. I assume both options are equally secure, but the authenticator app option is easier for end-users to use so I rate that option slightly higher.

Both SMS and voice call options have considerable weaknesses. Recently there have been several attacks that revolve around spoofing SIM cards. I’m not going to go into those here, but it appears to me that it is much easier to get access to someone’s SMS messages and intercept voice calls to cell phones than it is to hack into an authenticator app.

My recommendation is to use the Microsoft Authenticator app for Azure AD MFA wherever possible. If you need to allow users to use SMS/voice calls for MFA that is better than not using MFA, but less secure.

What MFA features are available in Azure AD by license level?

While MFA is available for all Azure AD accounts, additional features and functionality are available at higher licensing levels.

The chart below shows MFA options available at 4 different licensing levels.

[Chart 1: MFA options available at four Azure AD licensing levels]

This next chart shows features by license levels.

[Chart 2: MFA features by license level]

Recommendations for Rung 1

Here are my recommendations for how to handle auth at the Rung 1 level of our metaphorical Azure AD auth ladder:

  1. MFA should be turned on for all accounts in Azure AD. Plan to get it done.

  2. Understand that the best plans need to change during execution.

  3. If you have accounts that cannot use MFA, plan for handling those exceptions.

  4. Disable legacy auth everywhere you can.

Simple, right? Of course it’s not, but that is what we get paid for.

Nathan OBryan