Security Tools Optimization Spotlight: Microsoft Entra ID Conditional Access

June 18, 2024

Zach Marks

Ready or Not: Credential Compromise is Coming in 2024

According to Google Cloud’s 2023 Threat Horizons report, an astounding 86% of breaches involve stolen credentials. Earlier this year, Midnight Blizzard, a Russian state-sponsored threat actor, compromised high-profile email accounts and used them as a springboard to exfiltrate sensitive data. Just last week, Mandiant reported that data was exfiltrated from Snowflake customer instances in an attack by threat actor UNC5537 that originated from compromised customer credentials. It’s time we change our perspective on identity-based attacks and credential compromise from “if it happens” to “when it happens”.

Security Tools Optimization with Microsoft Entra ID Conditional Access

Enter Microsoft Entra ID Conditional Access, a quintessential business enabler that is often relegated to an afterthought in security controls management. IT uses it to streamline business operations through SSO and app access, yet its rich set of sign-in security attributes (risk signals, device state, location and session controls) frequently remains underutilized.

(Reader Note: While we focus on Microsoft Entra ID Conditional Access here, it’s important to recognize that similar considerations apply to other leading tools in the identity management space, such as Okta Adaptive MFA and SSO, Duo Security, ForgeRock, and Ping Identity. Each of these platforms offers unique features that enhance security and streamline access management, and they can be optimized in much the same way.)

To enhance your IAM security posture with Conditional Access, it’s crucial to fully understand the capabilities you’re licensed for, identify what’s currently being utilized, and leverage untapped features to mitigate risks.

Step 1: Understand Your Licensed Capabilities

Entra ID provides a range of sign-on attributes under both the P1 and P2 licenses, essential for mitigating credential compromise risks:

Examples of P1 Features:
  • Session Controls: Reduce the default session time for added security.
  • Named Locations: Implement policies based on the geolocation of sign-in attempts.
  • User Actions: Enforce MFA checks following specific user actions, such as device registration.
  • Phishing-Resistant MFA: Equip high-profile users, like administrators, with phishing-resistant tools such as YubiKeys.
Examples of P2 Enhancements:
  • Includes all P1 features, plus:
    • User Risk: Assessed by Microsoft's threat intelligence to indicate the likelihood of identity compromise.
    • Sign-in Risk: Also defined by Microsoft, indicating the authenticity of sign-in attempts.

Step 2: Model Licensed Capabilities to Address Risk Hotspots

After assessing the available features, focus on those with the greatest potential to mitigate risk. This understanding helps you advocate to IT for deploying specific capabilities, or justify the ROI of a license upgrade (e.g. P1 to P2) in terms of risk reduction.

Step 3: Construct and Deploy Risk-Mitigating Sign-on Policies

Consider a scenario in which a P2-licensed organization wants to block high-risk sign-ins for users who are disproportionately attacked, but only when the sign-in originates from an unmanaged device. The steps are:

  • Identify high-risk users by analyzing varied security data sources like email, EDR, IAM and network logs.
  • Monitor these users within Entra, noting changes over time.
  • Implement a custom, risk-based sign-on policy for these users.

With steps 1 and 2 complete (covered in our blog on an identity-centric approach to Tools Rationalization), we can use the automation capabilities in Reach Quests to act on deployment:

  • Create a sign-on policy that blocks high-risk sign-ins from untrusted devices.
  • Apply it to the ~4% of our knowledge workers that account for 80% of our risk.
  • Track it in the ticketing system with a change guide.
  • Stage the configuration as default “off” in a test or preview instance after approvals are given.
  • Review the staged policy within Conditional Access.
  • Flip it to “on” and take advantage of the risk-based and contextual sign-in attributes included in your license.
  • Track progress and report upward on capability consumption, utilization, and the risk reduction value realized.
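The policy from this scenario, expressed as the Microsoft Graph `conditionalAccessPolicy` body that `POST /identity/conditionalAccess/policies` accepts, together with a small local preview of which constructed sign-ins it would catch. This is an added example, not Reach Security's or Microsoft's code: the two group IDs are placeholders, the "unmanaged device" definition (neither Intune-compliant nor hybrid-joined) is an assumption expressed in Conditional Access device-filter syntax, and the `evaluate` function is a deliberate simplification standing in for Entra's own evaluator so the staging flow (report-only first, then enabled) can be seen end to end.

```python
"""Build a Conditional Access policy body and preview it against sample sign-ins.
Added example; group IDs, device rule and sample data are constructed."""
import json

# Placeholder object IDs (assumptions): the group holding the disproportionately
# attacked users, and the group holding emergency-access accounts to exclude.
HIGH_RISK_USERS_GROUP = "00000000-0000-0000-0000-00000000aaaa"
EMERGENCY_ACCESS_GROUP = "00000000-0000-0000-0000-00000000bbbb"

# Device filter in Conditional Access rule syntax. Assumed definition: a device is
# "unmanaged" if it is not Intune-compliant and not hybrid-joined (trustType ServerAD).
UNMANAGED_DEVICE_RULE = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Entra's report-only state
ENABLED = "enabled"
DISABLED = "disabled"


def build_policy(state: str = REPORT_ONLY) -> dict:
    """Return the policy body for POST /identity/conditionalAccess/policies."""
    if state not in (REPORT_ONLY, ENABLED, DISABLED):
        raise ValueError(f"unknown policy state: {state}")
    return {
        "displayName": "Block high-risk sign-ins from unmanaged devices (targeted users)",
        "state": state,
        "conditions": {
            "signInRiskLevels": ["high"],
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeGroups": [HIGH_RISK_USERS_GROUP],
                # Exclusions win over inclusions in Entra; keep break-glass accounts out.
                "excludeGroups": [EMERGENCY_ACCESS_GROUP],
            },
            "devices": {"deviceFilter": {"mode": "include", "rule": UNMANAGED_DEVICE_RULE}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def is_unmanaged(device: dict) -> bool:
    """Local stand-in for UNMANAGED_DEVICE_RULE (not Entra's filter engine)."""
    return not device.get("isCompliant", False) and device.get("trustType") != "ServerAD"


def evaluate(policy: dict, signin: dict) -> str:
    """Classify one sign-in as 'block', 'report' (would block, report-only) or 'allow'."""
    cond = policy["conditions"]
    groups = set(signin["groups"])
    in_scope = (
        bool(groups & set(cond["users"]["includeGroups"]))
        and not groups & set(cond["users"]["excludeGroups"])
        and signin["signInRisk"] in cond["signInRiskLevels"]
        and is_unmanaged(signin["device"])
    )
    if not in_scope or policy["state"] == DISABLED:
        return "allow"
    return "block" if policy["state"] == ENABLED else "report"


def preview(policy: dict, signins: list) -> dict:
    """Map each sign-in's user to the outcome the policy would produce."""
    return {s["user"]: evaluate(policy, s) for s in signins}


# Constructed sign-in records covering the cases the policy must distinguish.
SAMPLE_SIGNINS = [
    {"user": "alice", "groups": [HIGH_RISK_USERS_GROUP], "signInRisk": "high",
     "device": {"isCompliant": False, "trustType": "Workplace"}},      # targeted, unmanaged
    {"user": "bob", "groups": [HIGH_RISK_USERS_GROUP], "signInRisk": "high",
     "device": {"isCompliant": True, "trustType": "AzureAD"}},         # managed device
    {"user": "carol", "groups": [], "signInRisk": "high",
     "device": {"isCompliant": False, "trustType": "Workplace"}},      # not a targeted user
    {"user": "dan", "groups": [HIGH_RISK_USERS_GROUP], "signInRisk": "low",
     "device": {"isCompliant": False, "trustType": "Workplace"}},      # risk below threshold
    {"user": "breakglass", "groups": [HIGH_RISK_USERS_GROUP, EMERGENCY_ACCESS_GROUP],
     "signInRisk": "high",
     "device": {"isCompliant": False, "trustType": "Workplace"}},      # excluded account
]

if __name__ == "__main__":
    staged = build_policy(REPORT_ONLY)
    print(json.dumps(staged, indent=2))
    print("report-only preview:", preview(staged, SAMPLE_SIGNINS))
    print("enforced:", preview(build_policy(ENABLED), SAMPLE_SIGNINS))
```

Run as written, only `alice` is flagged: in the report-only stage she shows up as `report`, and after the policy is flipped to `enabled` as `block`; the managed device, the non-targeted user, the low-risk sign-in and the excluded emergency-access account all remain `allow`. In a real tenant the report-only results come from the sign-in logs rather than this local evaluator, but the review step is the same: confirm the affected population matches the intended ~4% before changing `state`.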

Conclusion: Assume Credential Compromise

Conditional Access contains simple yet powerful sign-on attributes that can be tailored to your business with a risk-based approach. Whether you're undergoing security tool consolidation efforts or embarking on an IAM hardening project, consider starting with a series of tailored sign-on policies that address risk where most breaches start.

More About Reach Security

Reach is a leader in Automated Security Control Assessment (ASCA) with its purpose-built AI-driven platform to reprogram your security infrastructure based on who you are and how you’re attacked. Going beyond traditional security assessments, Reach provides actionable insights and seamless integrations that transform findings into real-world defenses. By emphasizing the 'last mile' of security, Reach ensures that organizations get the best protection possible from the tools they already own.