I have previously mentioned in a blog post that MFA spraying is a common technique used to breach organizations. Attackers send multiple MFA requests in quick succession, hoping that the user will eventually accept one. To better protect certain users, such as administrators, it is recommended to use additional authentication strengths.
By using authentication strengths, a stronger factor can be required. In this case, we will require phishing-resistant MFA for administrators. By phishing-resistant MFA we mean Windows Hello for Business, a FIDO2 security key, or certificate-based authentication (multifactor). Today, we will be using a FIDO2 security key.
First, we need to ensure that users are able to register the FIDO2 security key as an authentication method.
Note: An Azure AD Premium P1 license is required to use Conditional Access.
- Open https://portal.azure.com
- Open Azure Active Directory
- Open Security, then Authentication Methods
- Under Policies, on the right-hand side of the screen, open FIDO2 Security Key
- Switch Enable to ON and save the configuration
Note: In this case, we are opening up the use of the FIDO2 key to all users, but it is possible to target this to a specific group.
Users are now able to configure FIDO2 key as an authentication method.
Registering FIDO2 key as an authentication method
- Open a private browsing window.
- Go to https://aka.ms/mfasetup
- Sign in with the relevant administrator account
- In the security info portal, choose Add sign-in method and select Security key
- Choose USB device
- Choose External security key
- Enter a PIN
- Touch the key
- Enter a descriptive name such as Securitykey
- As you can see, the security key is now added as a sign-in method
- Close the private browsing window
Force Administrators to sign-in with phishing-resistant MFA
To enforce that administrators must authenticate with phishing-resistant MFA, we will use conditional access.
- Open https://portal.azure.com
- Open Azure Active Directory
- Open Security, then Conditional Access
- Create a New policy
- Enter a descriptive name such as [All cloud apps] GRANT: Require Authentication Strength for Administrators and select the users or groups the policy needs to apply to.
- Under Cloud apps or actions, choose All cloud apps
- Under Conditions, choose Require Authentication Strength: Phishing-resistant MFA
- Switch Enable policy to On and click Save
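The same policy can be expressed as a Microsoft Graph request body, which also makes it easy to audit afterwards that every administrator role is actually covered by an enabled phishing-resistant policy. This is an added example, not code from the original post; it assumes the Graph conditionalAccessPolicy schema and the built-in phishing-resistant authentication strength ID, and the role IDs it uses are constructed placeholders.

```python
# Built-in "Phishing-resistant MFA" authentication strength in Microsoft Graph
# (assumption: confirm in your tenant with
#  GET /identity/conditionalAccess/authenticationStrength/policies).
PHISHING_RESISTANT_MFA_ID = "00000000-0000-0000-0000-000000000004"


def build_admin_policy(display_name, admin_role_ids, exclude_user_ids=(), state="enabled"):
    """Body for POST /identity/conditionalAccess/policies mirroring the post's policy:
    all cloud apps, targeted admin roles, grant requires phishing-resistant MFA.
    exclude_user_ids is for emergency-access (break-glass) accounts, which are
    commonly excluded so a lost key cannot lock every admin out.
    state may be "enabled", "disabled" or "enabledForReportingButNotEnforced"."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": list(admin_role_ids),
                "excludeUsers": list(exclude_user_ids),
            },
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_ID},
        },
    }


def uncovered_roles(policies, admin_role_ids):
    """Given policies as returned by GET /identity/conditionalAccess/policies,
    return the admin roles NOT covered by an enabled, all-apps policy whose grant
    control is the phishing-resistant strength. Report-only and plain-MFA policies
    deliberately do not count as coverage."""
    covered = set()
    for p in policies:
        if p.get("state") != "enabled":
            continue
        conditions = p.get("conditions") or {}
        apps = (conditions.get("applications") or {}).get("includeApplications", [])
        strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
        if "All" not in apps or strength.get("id") != PHISHING_RESISTANT_MFA_ID:
            continue
        covered.update((conditions.get("users") or {}).get("includeRoles", []))
    return sorted(set(admin_role_ids) - covered)


if __name__ == "__main__":
    # Constructed placeholder role IDs; real tenants use directory role template IDs.
    roles = ["role-global-admin-placeholder", "role-security-admin-placeholder"]
    body = build_admin_policy("[All cloud apps] GRANT: Require Authentication Strength for Administrators", roles)
    print("Uncovered admin roles:", uncovered_roles([body], roles))
```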
User experience
- Open a private browsing window.
- Go to https://portal.azure.com
- Sign in with the relevant administrator account
- As you can see, the user is now forced to use the security key
- Enter the PIN and touch the key
- You are now signed in with the security key
Thank you for taking the time to read my blog. Kindly share it with others if you find it helpful!