Protect all users with MFA

This is the starting point for securing your environment.

Problem description:

Most companies have run an MFA registration campaign to make sure that all users use MFA when signing in. Many have also trained their end users to recognise phishing.

One big problem is handling all the inactive users, service accounts, resource accounts and similar. It is common to allow end users to register MFA from anywhere; until they do, the password is the only protection of those accounts, which leaves them vulnerable to password spraying.

If the account of your previous CFO, who left the company 7 years ago, was never deleted because of gaps in the offboarding routine, is that account protected by a registered MFA method?

Token theft is also popular amongst the evil ones. Helping your end users protect themselves by providing phishing-resistant MFA or passwordless sign-in prevents tokens from being stolen by fake/malicious websites and other phishing attacks. Adopting a passwordless and phishing-resistant strategy is easier than you might think. Jonathan Edwards created a great video for inspiration/demo on how to achieve Phishing Resistant MFA for New Users in Microsoft 365.

MFA is the foundation of securing your environment, and we encourage everyone to spend an hour watching John Savill explain Protecting Against Credential and Token Theft.

General considerations:

Normal user accounts should be protected from the moment of creation, meaning you should ensure that nobody other than the person (or service) the account was created for can start using it by guessing the correct username and password.

Some organisations create users with extremely long and complex passwords, some create them as disabled so that end users must contact support to have them enabled, and some pre-register an authentication method such as a phone number for SMS.

Using a Temporary Access Pass (TAP) in combination with an MFA requirement for registering security information can be a great way to improve your onboarding process for new users.

Many accounts, such as meeting rooms, shared resources and service accounts, do not support traditional two-factor authentication. Protect these accounts with specific Conditional Access rules that restrict how and from where they can be used.

The Bsure Insights - Security - Authentication Methods report lists all accounts that anyone guessing the correct username and password could sign in to.

It is common to find many accounts in this state. They are typically accounts that have not been used for many years, service accounts, and similar.
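The triage behind that report, as an added example (not Bsure's own code): it walks records shaped like the Microsoft Graph userRegistrationDetails resource (fields such as userPrincipalName, isMfaRegistered, methodsRegistered and lastUpdatedDateTime are assumed to be present, as is the set of phishing-resistant method names) and splits them into the buckets you would act on. The records are constructed for the demo, and lastUpdatedDateTime is used only as a rough staleness proxy.

```python
"""Triage of an Entra ID authentication methods registration report.

Added example, not Bsure's code. Record shape follows the Microsoft Graph
userRegistrationDetails resource as returned by
GET /reports/authenticationMethods/userRegistrationDetails (assumption; verify
field names against Microsoft's documentation). Sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample report; not real tenant data.
SAMPLE_REPORT = [
    {"userPrincipalName": "former.cfo@example.com", "userType": "member",
     "isMfaRegistered": False, "methodsRegistered": [],
     "lastUpdatedDateTime": "2017-03-01T08:00:00Z"},
    {"userPrincipalName": "meetingroom-4a@example.com", "userType": "member",
     "isMfaRegistered": False, "methodsRegistered": [],
     "lastUpdatedDateTime": "2024-01-10T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "userType": "member",
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"],
     "lastUpdatedDateTime": "2024-02-01T08:00:00Z"},
    {"userPrincipalName": "bob@example.com", "userType": "member",
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey"],
     "lastUpdatedDateTime": "2024-02-15T08:00:00Z"},
    {"userPrincipalName": "svc-backup@example.com", "userType": "member",
     "isMfaRegistered": False, "methodsRegistered": [],
     "lastUpdatedDateTime": "2024-03-01T08:00:00Z"},
]

# Method names treated as phishing resistant (assumed enumeration values).
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness",
                      "passKeyDeviceBound", "passKeyDeviceBoundAuthenticator"}


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def password_only_accounts(report):
    """Accounts with no MFA method registered: a correct username and password
    is all an attacker needs. This is the population the report highlights."""
    return sorted(r["userPrincipalName"] for r in report if not r["isMfaRegistered"])


def stale_unprotected_accounts(report, now, max_age_days=365):
    """Password-only accounts whose registration record has not changed for
    max_age_days: likely leftovers from an incomplete offboarding routine."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(r["userPrincipalName"] for r in report
                  if not r["isMfaRegistered"]
                  and parse_ts(r["lastUpdatedDateTime"]) < cutoff)


def phishable_mfa_accounts(report):
    """Accounts that have MFA but only phishable methods (push, TOTP, SMS):
    candidates for the passwordless / phishing-resistant rollout."""
    return sorted(r["userPrincipalName"] for r in report
                  if r["isMfaRegistered"]
                  and not PHISHING_RESISTANT.intersection(r["methodsRegistered"]))


def triage(report, now_iso=None):
    """Bucket the report; now_iso pins 'now' so results are reproducible."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return {
        "password_only": password_only_accounts(report),
        "stale_unprotected": stale_unprotected_accounts(report, now),
        "phishable_mfa": phishable_mfa_accounts(report),
    }


if __name__ == "__main__":
    for bucket, upns in triage(SAMPLE_REPORT, "2024-06-01T00:00:00Z").items():
        print(f"{bucket}: {upns}")
```

The "stale_unprotected" bucket is where the seven-year-old CFO account from the introduction shows up; in practice you would join it against sign-in activity before deciding between deletion and forced re-registration.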

Bsure recommendations:

Require MFA for all users:

Create a Conditional Access rule to enforce MFA in your organization:

  • Require that all users register MFA, regardless of location.

  • Make exceptions only for service accounts and location-bound users. Create specific named network locations and separate Conditional Access rules that allow these accounts to be used only from specific IP addresses.

Protect registration of security information

Ensure that the security information registration page is protected. Guessing the correct username and password is then not sufficient to take over an unused identity in your Entra ID tenant.

Create a Conditional Access policy that requires MFA every time a user wants to register security information: https://learn.microsoft.com/en-gb/entra/identity/conditional-access/howto-conditional-access-policy-registration
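The policies behind both recommendations ("Require MFA for all users" with its service-account exception, and "Protect registration of security information") expressed as the request bodies you would send to Microsoft Graph. This is an added example, not Bsure's or Microsoft's code; the JSON shapes follow the conditionalAccessPolicy and ipNamedLocation resources as I understand them, and every group id, location id, name and CIDR is a placeholder.

```python
"""Conditional Access policy bodies for the two recommendations above.

Added example, not Bsure's code. Shapes follow the Microsoft Graph
conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies)
and ipNamedLocation (POST /identity/conditionalAccess/namedLocations);
verify against Microsoft's documentation. Ids and CIDRs are placeholders.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # start here, then switch to "enabled"
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"  # the user action CA can target


def ip_named_location(display_name, cidrs):
    """Named location for the egress ranges the service accounts operate from."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": cidr} for cidr in cidrs],
    }


def require_mfa_all_users(service_accounts_group_id, state=REPORT_ONLY):
    """Recommendation 1: MFA for all users and all apps, with no location
    condition, so the policy applies regardless of where the sign-in comes from.
    The only exclusion is the service-account group, which gets its own policy."""
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [service_accounts_group_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def restrict_service_accounts_to_location(service_accounts_group_id, location_id,
                                          state=REPORT_ONLY):
    """Companion policy for the exception: service accounts cannot do MFA, so
    they are blocked everywhere except the named location. Conditional Access
    has no 'allow only from' grant, so include all locations and exclude the trusted one."""
    return {
        "displayName": "CA002 - Service accounts only from trusted IPs",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [service_accounts_group_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def protect_security_info_registration(service_accounts_group_id, state=REPORT_ONLY):
    """Recommendation 2: the 'register security information' user action itself
    requires MFA, so a guessed password alone cannot enrol a method on an unused
    account. A new user's first registration satisfies this with a TAP."""
    return {
        "displayName": "CA003 - Require MFA to register security info",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [service_accounts_group_id]},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def covers_everyone_everywhere(policy):
    """Sanity check for recommendation 1: all users, all apps, and no location
    condition that would silently exempt some networks."""
    cond = policy["conditions"]
    return ("locations" not in cond
            and cond["users"].get("includeUsers") == ["All"]
            and cond["applications"].get("includeApplications") == ["All"])


if __name__ == "__main__":
    group = "00000000-0000-0000-0000-00000000aaaa"     # placeholder group id
    location = "00000000-0000-0000-0000-00000000bbbb"  # placeholder location id
    for body in (ip_named_location("Service account egress", ["203.0.113.0/24"]),
                 require_mfa_all_users(group),
                 restrict_service_accounts_to_location(group, location),
                 protect_security_info_registration(group)):
        print(json.dumps(body, indent=2))
```

All three policies are created in report-only state so the sign-in logs show what would have been blocked or challenged before anything is enforced; the check in covers_everyone_everywhere is the one to run before flipping CA001 to enabled.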

Change the process for onboarding new users.

This requires that users are allowed to change their password in Entra ID (self-service password reset) if passwords are needed.

Create new users as you always have, but with an extremely long and complex password that you then simply discard.

Create and provide a Temporary Access Pass when the user or their manager requests it.

The end user goes to https://aka.ms/mysecurityinfo, types in their username and is prompted for the Temporary Access Pass.

They sign in and follow the wizard to register security information.

When done, the user sets a new password, if needed, using the link provided on https://mysignins.microsoft.com/security-info

Follow the self-service password reset instructions.

This way you ensure that inactive accounts that have not completed MFA registration cannot be taken over by attackers.
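The onboarding steps above as code, as an added example that is not Bsure's own: a throwaway initial password, the request body for issuing a TAP, and a gate that says whether the user has actually finished registration. The TAP field names (lifetimeInMinutes, isUsableOnce, startDateTime, isUsed), the endpoint, and the lifetime bounds are my reading of the Microsoft Graph temporaryAccessPassAuthenticationMethod resource and should be checked against Microsoft's documentation; every sample object is constructed.

```python
"""New-user onboarding with a discarded password and a Temporary Access Pass.

Added example, not Bsure's code. Graph shapes assumed:
POST /users/{id}/authentication/temporaryAccessPassMethods with
{"lifetimeInMinutes", "isUsableOnce"}, returning the passcode plus
startDateTime / isUsed on the created method. Sample objects are constructed.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone

TAP_MIN_MINUTES, TAP_MAX_MINUTES = 10, 43200  # 10 minutes to 30 days (assumed default bounds)


def throwaway_password(length=64):
    """Long random password used only at account creation. Nobody records it,
    so the account cannot be used until the TAP flow registers a real method."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        has_all_classes = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                           and any(c.isdigit() for c in pw)
                           and any(c in string.punctuation for c in pw))
        if has_all_classes:
            return pw


def tap_request(lifetime_minutes=60, usable_once=True):
    """Body for creating a TAP on request: short-lived and single-use by default,
    so an unused pass does not linger as a second password."""
    if not TAP_MIN_MINUTES <= lifetime_minutes <= TAP_MAX_MINUTES:
        raise ValueError("TAP lifetime must be between 10 minutes and 30 days")
    return {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once}


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def tap_expired(tap, now):
    """A TAP is dead once startDateTime + lifetimeInMinutes has passed."""
    return now >= parse_ts(tap["startDateTime"]) + timedelta(minutes=tap["lifetimeInMinutes"])


def onboarding_complete(registration, taps, now_iso):
    """True only when the user holds a real MFA method (the TAP itself does not
    count) and every issued TAP is used or expired, i.e. nothing is left over
    that could still satisfy the registration policy on this account."""
    now = parse_ts(now_iso)
    real_methods = [m for m in registration["methodsRegistered"] if m != "temporaryAccessPass"]
    taps_closed = all(t["isUsed"] or tap_expired(t, now) for t in taps)
    return bool(registration["isMfaRegistered"] and real_methods and taps_closed)


if __name__ == "__main__":
    print("initial password length:", len(throwaway_password()))
    print("TAP request body:", tap_request())
    done = {"isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]}
    used = {"startDateTime": "2024-06-01T08:00:00Z", "lifetimeInMinutes": 60, "isUsed": True}
    print("onboarding complete:", onboarding_complete(done, [used], "2024-06-01T08:30:00Z"))
```

The gate is the part worth automating: run it against the registration report a day or two after the TAP was issued, and any account that still fails it is exactly the kind of half-onboarded identity the recommendation is meant to eliminate.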
