Protect all users with MFA
This is the starting point of securing your environment
Last updated
Most companies have run an MFA registration campaign to make sure that all users use MFA when signing in. Many have also trained their end users in how to detect phishing and similar attacks.
One big problem is handling all the inactive users, service accounts, shared resources and so on. It is common to allow end users to register MFA from anywhere, which means the password is the only protection of an account until its owner completes the registration. Such accounts are vulnerable to password sprays: whoever guesses the password first can also register their own MFA method and take the account over.
If the account of your previous CFO, who left the company 7 years ago, was never deleted because of a gap in the offboarding routine, is that account protected by a registered MFA method?
Token theft is also popular among attackers. Helping your end users protect themselves with phishing-resistant MFA or passwordless sign-in prevents credentials and tokens from being captured by fake/malicious websites and other phishing attacks (it does not help against malware that lifts tokens from an already signed-in device, which is a separate problem). Adopting a passwordless and phishing-resistant strategy is easier than you might think. Jonathan Edwards created a great video for inspiration/demo on how to achieve Phishing Resistant MFA for New Users in Microsoft 365.
MFA is the foundation of securing your environment, and we encourage everyone to spend an hour watching John Savill explain Protecting Against Credential and Token Theft.
Normal user accounts should be protected from the time of creation, meaning you should ensure that no one other than the person (or service) the account was created for can start using it by guessing the correct username and password.
Some organisations create users with extremely long and complex passwords, some create them disabled so that end users must contact support to get them enabled, and some pre-register an authentication method such as a phone number for SMS or voice call.
Using a Temporary Access Pass (TAP) in combination with an MFA requirement for registering security information could be a great way of improving your process for onboarding new users.
Many accounts, such as meeting rooms, shared resources and service accounts, do not support traditional two-factor authentication. Protect these accounts with dedicated Conditional Access policies that restrict where and how they can be used.
The Bsure Insights - Security - Authentication Methods report lists all accounts that are open to anyone guessing the correct username and password:
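As an added example, which is not part of the original page or of Bsure Insights, the same question (which enabled accounts still rely on a password alone, and when did they last sign in?) can be asked directly of Microsoft Graph with the Microsoft Graph PowerShell SDK. The 90-day staleness threshold and the CSV file name are assumptions; the registration report endpoint and the signInActivity property require a premium Entra ID license in the tenant.

```powershell
# Added example (not part of the original page or of Bsure Insights): list every
# enabled, non-guest account that has no MFA method registered, together with its
# last sign-in, so that stale password-only accounts can be cleaned up.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports and
# Microsoft.Graph.Users) and an account that can consent to the listed scopes.

Connect-MgGraph -Scopes 'Reports.Read.All', 'AuditLog.Read.All', 'Directory.Read.All', 'User.Read.All' -NoWelcome

# Authentication method registration report: one row per user, keyed on the user object id.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Sign-in activity lives on the user object and is only returned when explicitly selected.
$users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,userType,signInActivity'
$userById = @{}
foreach ($u in $users) { $userById[$u.Id] = $u }

$staleAfter = (Get-Date).AddDays(-90)   # assumption: 90 days without a sign-in counts as inactive

$passwordOnly = foreach ($r in $registration) {
    $u = $userById[$r.Id]
    if (-not $u) { continue }                                         # deleted between the two calls
    if (-not $u.AccountEnabled -or $u.UserType -eq 'Guest') { continue }
    if ($r.IsMfaRegistered) { continue }                              # has at least one MFA method

    $lastSignIn = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        UserPrincipalName = $r.UserPrincipalName
        IsAdmin           = $r.IsAdmin
        MethodsRegistered = ($r.MethodsRegistered -join ',')          # typically empty or 'password'
        LastSignIn        = $lastSignIn
        Stale             = (-not $lastSignIn) -or ($lastSignIn -lt $staleAfter)
    }
}

# Admins first, then the accounts that have never signed in or not signed in recently.
$passwordOnly |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, LastSignIn |
    Format-Table -AutoSize

# Export for the offboarding / clean-up ticket.
$passwordOnly | Export-Csv -Path .\password-only-accounts.csv -NoTypeInformation
```

Rows with Stale = True and no MFA method are the "CFO who left 7 years ago" case: they should be disabled or deleted, not enrolled. Rows with a recent sign-in but no MFA are users who are still working while protected by a password only.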
Create Conditional Access policies to enforce MFA in your organisation:
Require that all users use MFA regardless of location.
Provide only the MFA methods you want to support (disable the rest in the Authentication methods policy).
Make exceptions only for service accounts and location-bound accounts. Create named (network) locations for them and separate Conditional Access policies that allow these accounts only from specific IP ranges.
Ensure that the security information registration page is protected. Guessing the correct username and password is then not sufficient to take over an unused identity in your Entra ID.
Create a Conditional Access policy that requires MFA every time a user wants to register security information: https://learn.microsoft.com/en-gb/entra/identity/conditional-access/howto-conditional-access-policy-registration
Under Session, set Sign-in frequency = Every time.
Make sure you exclude all guest accounts (already taken care of if you use the provided "Securing security info registration" policy template).
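The policies listed above, including the separate policy for service accounts that cannot do MFA, as an added example created with the Microsoft Graph PowerShell SDK (this is not code from the original page). Assumptions: a group named CA-Exclude-ServiceAccounts already contains the service and resource accounts, 203.0.113.0/24 is a placeholder for the IP range those accounts are used from, and the signed-in admin holds Policy.ReadWrite.ConditionalAccess. The policy names are made up.

```powershell
# Added example (not part of the original page): named location plus three
# Conditional Access policies, created with the Microsoft Graph PowerShell SDK.
# Assumptions: group 'CA-Exclude-ServiceAccounts' exists and holds the service
# accounts; 203.0.113.0/24 is a documentation range, replace it with your own.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' -NoWelcome

$svcGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-ServiceAccounts'"

# 1. Named location for the addresses the service accounts may be used from.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Service account source IPs'
    isTrusted     = $false
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# Every policy starts in report-only mode. Switch state to 'enabled' only after
# reviewing the sign-in log to be sure nothing business critical is blocked.
$reportOnly = 'enabledForReportingButNotEnforced'

# 2. Require MFA for all users on all apps, regardless of location.
#    Only the service-account group is excluded (add your break-glass accounts to excludeUsers).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA001 - Require MFA for all users'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($svcGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null

# 3. Service accounts cannot do MFA, so they are blocked everywhere except from
#    the named location. A guessed password is then useless from the internet.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA002 - Block service accounts outside allowed IPs'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeGroups = @($svcGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# 4. Registering security info requires MFA every time, guests excluded. This is
#    what stops someone who only knows the password from enrolling their own
#    authenticator on an account whose owner never completed registration.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA003 - Require MFA to register security info'
    state       = $reportOnly
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,internalGuest,serviceProvider,otherExternalUser'
                externalTenants = @{ '@odata.type' = '#microsoft.graph.conditionalAccessAllExternalTenants'; membershipKind = 'all' }
            }
        }
        applications   = @{ includeUserActions = @('urn:user:registersecurityinfo') }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
} | Out-Null
```

Exclude your emergency access (break-glass) accounts from CA001 and CA003 before enabling them, and keep CA002 as a block policy rather than an MFA policy: the whole point is that these accounts have no second factor, so the source network is the only control left.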
Prerequisite: users must be allowed to change their own password in Entra ID (self-service password reset) if passwords are still needed.
Create new users as you always have, but with an extremely long and complex password that you then simply forget (never record or share it).
Create and provide a Temporary Access Pass when the user or their manager requests it.
The end user goes to https://aka.ms/mysecurityinfo, types in the username and is asked for the Temporary Access Pass:
Sign in and follow the wizard to register security information.
When done, the user sets a new password if needed using the link provided on https://mysignins.microsoft.com/security-info
Follow the self-service password reset instructions.
This way you ensure that inactive accounts that never completed MFA registration cannot be taken over by attackers: the Temporary Access Pass expires after a short time, so an account whose owner never shows up stays unusable.
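The admin side of the steps above, as an added example with the Microsoft Graph PowerShell SDK (not code from the original page). Assumptions: the Temporary Access Pass method is enabled in the tenant's Authentication methods policy, the user details and the contoso.com domain are made up, the TAP lifetime of 60 minutes is a choice, and the admin holds User.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All.

```powershell
# Added example (not part of the original page): create a user with a password
# nobody knows, then issue a Temporary Access Pass when the user is ready to
# register. Assumes the TAP method is enabled in the Authentication methods
# policy; user name and domain are made up.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# Step 1: random 64-character password that is never displayed or stored.
# Base64 of 48 random bytes gives upper, lower, digits and symbols.
$bytes = [byte[]]::new(48)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$throwawayPassword = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName 'Alex Example' `
    -UserPrincipalName 'alex.example@contoso.com' `
    -MailNickname 'alex.example' `
    -AccountEnabled `
    -PasswordProfile @{
        password                      = $throwawayPassword
        forceChangePasswordNextSignIn = $false   # the user sets a password via SSPR later
    }
Remove-Variable throwawayPassword, bytes          # forget it, on purpose

# Step 2: when the user (or their manager) asks, issue a short-lived TAP.
# Multi-use, because registering several methods can take more than one
# sign-in; 60 minutes covers an onboarding session.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -LifetimeInMinutes 60 -IsUsableOnce:$false

# Hand the value over out of band (in person or by phone), never by e-mail to
# a mailbox the account owner cannot yet prove they control.
$expires = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
"TAP for $($user.UserPrincipalName): $($tap.TemporaryAccessPass) (valid until $expires)"

# Steps 3-5 happen at https://aka.ms/mysecurityinfo: the TAP satisfies the
# 'MFA to register security info' policy, so only the TAP holder can enrol an
# authenticator. Afterwards, check that a method was actually registered.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
```

If the last call still shows only the password method after the TAP has expired, the user never completed onboarding and the account remains locked out by the registration policy; issue a new TAP when they actually turn up rather than keeping a long-lived one around.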