Posts

Showing posts from April, 2023

MFA activation from a user's perspective

Image
After enforcing MFA for Cracky, a new window will appear after his next successful login, telling him that his organization needs more information to protect his account, as shown in Figure 1.1: Figure 1.1 – New message at the first login after enforcing MFA Cracky now only has two options: Use a different account to log in or click Next to proceed through the MFA activation process. With that being said, you should inform your users before activating MFA to let them know what's going to happen and to reduce the number of support tickets required! Let's look at what happens if Cracky decides to complete the process: 1. Cracky decides to proceed, so he clicks the Next button. 2. On the following screen, Cracky is asked to download the Microsoft Authenticator app to his smartphone. Once finished, he clicks Next. Figure 1.2 – Downloading the Microsoft Authenticator app 3. The next screen gives Cracky a short intro into what's coming, and he presses Next again. Figure 1.3 – Kee...

How to enable MFA in Azure AD

Image
 From an administrator's perspective, MFA activation in Azure AD is straightforward: 1. In the Azure portal, navigate to Azure Active Directory and select the Users navigation pane. In the upper navigation pane, select Per-user MFA, as shown in Figure 1.1: Figure 1.1 – MFA activation in the Azure portal 2. You will be redirected to a retro-style portal at the windowsazure.com domain, in which you can enable or disable MFA for single users or bulk-update them by selecting several accounts or using a CSV file in the users tab. 3. Before you enable MFA for all user accounts, first switch from the users tab to the service settings tab to configure some custom settings for your environment, as shown in Figure 1.2: Figure 1.2 – Service settings for MFA The first option is to allow or disallow users to create app passwords for legacy non-browser apps that do not support MFA. Outlook used to be such an application back in the days; however, nowadays, most applications should be able to aut...

Understanding MFA

Image
There are few technical features that protect your accounts more than using MFA. With MFA, it is not enough to know a username and a password; you are also challenged to prove who you are using another authentication factor. With MFA, you generally need to be able to log in with the following: • Something you are, such as your user account name or a biometric attribute • Something you know, such as a password • Something you have, such as an additional authentication factor (smartcard, smartphone app, or security key) Given the fact that an MFA challenge is only triggered following a successful login attempt, it is still reliant on passphrases that are not easy to guess. In other words, if an MFA challenge is triggered, the respective username/password combination has already been successfully validated (refer to the following screenshot for reference): Today, there are several options for using MFA in Azure AD: • A push message from the Microsoft Authenticator smartphone app • A one-t...

Dictionary attacks and password protection in Microsoft Azure AD

Image
Dictionary attacks, such as brute-force and password spray attacks, still find success every  day. In a dictionary attack, attackers try combinations of usernames and well-known and  often-used passwords against an authentication service. The brute-force attack is more  noisy and easier to recognize. With brute force, an attacker will try lots of passwords for   a single user account, hoping that one of the attacks will be successful. In the backend, you  will see lots of failed login attempts, so you can easily react to them. However, a password   spray attack is way more sensitive since an attacker will only use a small set of passwords  against lots of user accounts. If the attacks are very slow and widely distributed, it is very  hard to notice an attack. To avoid successful password spray and brute-force attacks in the  cloud and, to be more precise, in Azure AD, there are some easy best practices: • Encourage your users to u...