Step 5. Set up mobile device management: top 10 actions to secure your environment

Microsoft Malware Protection Center - Thu, 02/14/2019 - 12:00pm

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 5. Set up mobile device management, you'll learn how to plan your Microsoft Intune deployment and set up Mobile Device Management (MDM) as part of your unified endpoint management (UEM) strategy.

In Steps 1-4 of the series, we provided tips for securing identities with Azure Active Directory (Azure AD). In the next two posts (Step 5 and Step 6), we introduce you to ContosoCars to illustrate how you can deploy Microsoft Intune as part of your UEM strategy for securing company data on devices and applications.

ContosoCars is an automotive company with 1,000 employees that work in the corporate headquarters, and 4,000 that work in several branches across the U.S. Another 2,000 service centers are owned by franchises. To stay competitive, IT needs to support a fleet of cloud-connected devices for secure, remote access to Office 365 and SaaS apps and sensitive customer data. With their expanding business, franchise sales staff need access to ContosoCars customer data as well, but ContosoCars does not own those devices.

They have defined the following goals:

  • Deliver the best Windows 10 experience for all their corporate PCs.
  • Allow employees to use personal devices and mobile phones at work.
  • Protect the network from unknown or compromised users and devices.
  • Secure data on tablet devices shared by several shop floor workers that are often left in public areas of the shop.
  • Prevent employees from accessing or retaining corporate data after they leave the company.

Plan your Intune deployment

Once ContosoCars defines their goals, they can begin to set up use-case scenarios to align their goals with user types and user groups (Figure 1). ContosoCars wants to provide corporate devices for their employees at headquarters and branches. They will not supply devices to their franchise sales staff, but they need to make sure staff-owned tablets can use Office 365 apps to securely access company data.

Figure 1. ContosoCars’ defined Intune use-case scenarios and requirements.

You can find more information on setting goals, use-case scenarios, and requirements in the Intune deployment planning, design, and implementation guide. The guide also includes recommendations for a design plan that integrates well with existing systems, a communication plan that takes into account the different channels your audience uses to receive information, a rollout plan, and a support plan.

Set up Mobile Device Management (MDM)

Once planning is complete, ContosoCars can move on to implementing their Intune plan. ContosoCars uses Azure AD to fully leverage Office 365 cloud services and get the benefits of identity-driven security (see Step 1. Identify users). Before employees can enroll their devices to be managed by Intune, IT admins need to set the MDM authority to Intune in the Azure portal.

In order to manage the devices, ContosoCars can add and deploy configuration policies to enable and disable settings and features such as software delivery, endpoint protection, identity protection, and email. ContosoCars can also use configuration policies to onboard devices to Windows Defender Advanced Threat Protection (ATP), which detects and blocks advanced threats and reports a device-risk score back to Intune. Once IT admins set up Intune, users enroll devices by signing in with their work or school account and automatically receive the right configuration profiles for their device.

ContosoCars can configure devices to meet business requirements and enable security features such as Windows Hello for Business, which lets users sign in with biometrics or a PIN bound to the device instead of a password.

Manage personal devices

Next on the rollout plan are the personal iPhones and Android phones that staff use to keep up with work email and data. ContosoCars will manage these devices by requiring employees to enroll them with Intune, following Intune's enrollment requirements guidance, before allowing access to work apps, company data, or email. ContosoCars can set up configuration policies for these devices just as they did for the Windows 10 PCs, and can add further security controls through device compliance policies. Because Intune reports each device's compliance state to Azure AD, conditional access can block a device that falls out of compliance at its next sign-in or token refresh. Together these policies ensure that only known and healthy devices reach corporate resources.

Some examples include:

  • Require a device password or PIN that meets a specified complexity.
  • Require the device to be encrypted; on phones and tablets the encryption keys are typically unlocked by the device PIN or passcode.
  • Deny access to jail-broken or rooted devices, since their OS protections are bypassed and unknown apps may be installed.
  • Require a minimum OS version to ensure the expected security patch level is met.
  • Require the device to be at, or under, an acceptable device-risk level.

On Windows 10, the device-risk level comes from Windows Defender ATP, whose machine risk score feeds the Intune compliance state that conditional access evaluates. For iOS and Android, Microsoft works with leading mobile threat defense (MTD) partners to provide the same device-risk assessment.
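As an added example that is not part of the original post, the following PowerShell script expresses the requirements in the list above as Intune device compliance policies created through the Microsoft Graph API, one each for personal iOS devices, personal Android devices, and corporate Windows 10 PCs. It assumes you already hold a bearer token in $AccessToken for a principal granted DeviceManagementConfiguration.ReadWrite.All, and that $GroupId is the Azure AD group each policy should be assigned to; the display names, minimum OS versions and PIN lengths are illustrative, not ContosoCars' actual values.

```powershell
# Added example (not from the original post): express the compliance requirements listed above as
# Microsoft Graph deviceCompliancePolicy bodies and create them in Intune.
# Assumptions (not in the original): $AccessToken is a bearer token for a principal granted
# DeviceManagementConfiguration.ReadWrite.All; $GroupId, display names and thresholds are illustrative.

$GraphBase = 'https://graph.microsoft.com/v1.0'
$Headers   = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# Marking a device non-compliant with no grace period is what lets conditional access act on it.
$MarkNonCompliantImmediately = @(
    @{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(
            @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
        )
    }
)

$Policies = @(
    @{  # Personal iPhones: passcode, no jailbreak, patched OS, device risk from the MTD partner
        '@odata.type'                               = '#microsoft.graph.iosCompliancePolicy'
        displayName                                 = 'ContosoCars - iOS personal devices'
        passcodeRequired                            = $true
        passcodeMinimumLength                       = 6
        passcodeRequiredType                        = 'numeric'
        passcodeBlockSimple                         = $true
        securityBlockJailbrokenDevices              = $true
        osMinimumVersion                            = '12.0'
        deviceThreatProtectionEnabled               = $true
        deviceThreatProtectionRequiredSecurityLevel = 'medium'   # device must be at or under this risk level
        scheduledActionsForRule                     = $MarkNonCompliantImmediately
    },
    @{  # Personal Android phones: same intent, plus storage encryption, which Android does not tie to the PIN
        '@odata.type'                               = '#microsoft.graph.androidCompliancePolicy'
        displayName                                 = 'ContosoCars - Android personal devices'
        passwordRequired                            = $true
        passwordMinimumLength                       = 6
        passwordRequiredType                        = 'numeric'
        storageRequireEncryption                    = $true
        securityBlockJailbrokenDevices              = $true
        osMinimumVersion                            = '8.0'
        deviceThreatProtectionEnabled               = $true
        deviceThreatProtectionRequiredSecurityLevel = 'medium'
        scheduledActionsForRule                     = $MarkNonCompliantImmediately
    },
    @{  # Corporate Windows 10 PCs: boot/health attestation plus the Windows Defender ATP risk score
        '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
        displayName                                 = 'ContosoCars - Windows 10 corporate PCs'
        passwordRequired                            = $true
        passwordMinimumLength                       = 8
        bitLockerEnabled                            = $true
        secureBootEnabled                           = $true
        codeIntegrityEnabled                        = $true
        osMinimumVersion                            = '10.0.17763'   # Windows 10 1809
        deviceThreatProtectionRequiredSecurityLevel = 'medium'
        scheduledActionsForRule                     = $MarkNonCompliantImmediately
    }
)

foreach ($policy in $Policies) {
    # ConvertTo-Json defaults to depth 2 and would flatten the nested action list, so set it explicitly.
    $created = Invoke-RestMethod -Method Post -Uri "$GraphBase/deviceManagement/deviceCompliancePolicies" `
                                 -Headers $Headers -Body ($policy | ConvertTo-Json -Depth 10)

    # A policy does nothing until it is assigned; target the group of users for that device class.
    $assignment = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) }
    Invoke-RestMethod -Method Post -Uri "$GraphBase/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
                      -Headers $Headers -Body ($assignment | ConvertTo-Json -Depth 10) | Out-Null

    "{0}  {1}" -f $created.id, $created.displayName
}
```

Two details matter in practice: the scheduledActionsForRule entry with a zero-hour grace period is what marks a failing device non-compliant right away so that conditional access can block it, and deviceThreatProtectionRequiredSecurityLevel is the setting that consumes the Windows Defender ATP risk score described above (for iOS and Android the same setting reads the mobile threat defense partner's score).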

Learn more

Check back in a few weeks for our next blog post, Step 6. Manage mobile apps, where we explore the use of Intune app protection policies to allow only approved applications to access work email and data. We will also learn how ContosoCars keeps sensitive customer data secure on shared franchise devices on the shop floor.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.


The post Step 5. Set up mobile device management: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: Microsoft

The evolution of Microsoft Threat Protection, February update

Microsoft Malware Protection Center - Wed, 02/13/2019 - 12:00pm

February is an exciting month of enhancements for Microsoft Threat Protection. For those who have followed our monthly updates (November, December, and January), you're aware that Microsoft Threat Protection helps provide users optimal security from the moment they sign in, use email, work on documents, or utilize cloud applications. IT administrators benefit from minimal complexity while staying ahead of threats to their organization. Microsoft Threat Protection is one of the few available services helping provide comprehensive security across multiple attack vectors. This month, we share enhancements to identity protection, the launch of the Microsoft 365 security center, and another example of Microsoft Threat Protection mitigating a real-world attack.

Enhancing identity protection

Weak or compromised credentials are behind a large share of breaches; the widely cited figure is 81 percent of hacking-related breaches. Weak identity protection exposes every other attack surface to cyberthreats. With this in mind, Microsoft has invested heavily in identity protection, ensuring it continues as one of our fundamental strengths and differentiators. Microsoft Threat Protection leverages Azure Active Directory (Azure AD) Identity Protection to provide comprehensive, industry-leading identity protection for hundreds of millions of users. This month, we're excited to announce enhancements to our identity protection capabilities with the following updates to Azure AD Identity Protection:

  • An intuitive and integrated UX for Azure AD Identity Protection, including security insights, recommendations, sign-ins report integration, and the ability to filter, sort, and perform bulk operations (Figure 1).
  • Powerful APIs that allow you to integrate all levels of risk data with ticketing or SIEM systems.
  • Improved risk assessment based on continuously tuning our heuristic and machine learning systems to bring you even more accurate risk analysis to drive your prevention and remediation strategy.
  • Service-wide alignment across risky users and risky sign-ins.

Figure 1. The new Azure AD Identity Protection Security – Overview dashboard.

Each of these updates is based on customer feedback and our deep domain expertise. With these updates, we continue to improve and build on securing identities for thousands of customers. In fact, several customers such as The Walsh Group, Abtis, Identity Experts, and BDO Netherlands have already experienced the benefits of these new enhancements. We hope you try the refreshed Azure AD Identity Protection. Get the full details of these updates in our blog post, and please share your thoughts via the in-product prompts.
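The risk-data APIs mentioned in the second bullet are what a SOC would use to push Identity Protection detections into a SIEM. The following PowerShell is an added example, not code from the original post: it pages through the Microsoft Graph riskDetections collection, keeps the high-risk detections from the last 24 hours, and writes one flattened JSON object per line to a folder a SIEM agent can pick up. It assumes $AccessToken holds a token granted IdentityRiskEvent.Read.All, uses the current v1.0 endpoint (the 2019 announcement referred to the then-beta API), and the drop path is illustrative.

```powershell
# Added example (not from the original post): pull high-risk detections from the Azure AD
# Identity Protection API and write them as JSON lines a SIEM can ingest.
# Assumptions (not in the original): $AccessToken carries IdentityRiskEvent.Read.All; the
# current Graph v1.0 endpoint is used; the output path is illustrative.

function Get-GraphCollection {
    param([string]$Uri, [hashtable]$Headers)
    # Follow @odata.nextLink so large result sets are not truncated at the first page.
    do {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$Headers = @{ Authorization = "Bearer $AccessToken" }
$Since   = (Get-Date).ToUniversalTime().AddDays(-1)

# Server-side filter on riskLevel (documented for this collection); the time window is applied locally.
$Detections = Get-GraphCollection -Headers $Headers -Uri (
    "https://graph.microsoft.com/v1.0/identityProtection/riskDetections" +
    "?`$filter=riskLevel eq 'high'")

$Detections |
    Where-Object { ([datetime]$_.detectedDateTime).ToUniversalTime() -ge $Since } |
    ForEach-Object {
        # Flatten to the fields an analyst pivots on; keep the detection id for follow-up in the portal.
        [pscustomobject]@{
            timestamp         = $_.detectedDateTime
            source            = 'AzureADIdentityProtection'
            riskEventType     = $_.riskEventType
            riskLevel         = $_.riskLevel
            riskState         = $_.riskState
            userPrincipalName = $_.userPrincipalName
            ipAddress         = $_.ipAddress
            location          = "$($_.location.city), $($_.location.countryOrRegion)"
            detectionId       = $_.id
        } | ConvertTo-Json -Compress
    } |
    Out-File -FilePath 'C:\SIEM\drop\aad-risk-detections.jsonl' -Append -Encoding utf8
```

Scheduling this every few minutes gives the SIEM the same detections the new dashboard shows, with riskState letting correlation rules distinguish a detection that Identity Protection has already remediated or dismissed from one still marked atRisk.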

Reducing complexity with the Microsoft 365 security center

Microsoft Threat Protection is built on the Microsoft Intelligent Security Graph, which provides a deep and broad threat signal and leverages machine learning for intelligent signal correlation. Many of our customers have often asked us to provide a “single pane of glass” that provides a centralized experience across their Microsoft security services and helps correlate signals from disparate sources, to provide richer insights that lead to intelligent security decisions.

To address this customer ask, we recently launched the Microsoft 365 security center (Figure 2), which surfaces these correlated signals in a single interface and reduces the complexity of an organization's security environment. The new Microsoft 365 security center gives security administrators (SecAdmins) a centralized hub and specialized workspace to manage and take full advantage of most Microsoft Threat Protection services. Admins gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and emerging threats.

Figure 2. The new Microsoft 365 security center.

The Microsoft 365 security center also provides experiences for security operators (SecOps) through the integration of incident response capabilities such as a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations. We'll be making continuous enhancements to the Microsoft 365 security center and providing updates on its progress.

Microsoft Threat Protection secures think tanks, non-profits, and the public sector from unidentified attackers

While our updates on new features and enhancements convey our focus and investment in providing best-in-class security, Microsoft Threat Protection's ability to stop real-world threats is ultimately the truest test. Recently, Microsoft Threat Protection helped secure several public sector institutions and non-governmental organizations, including think tanks, research centers, and educational institutions, as well as private-sector corporations in the oil and gas, chemical, and hospitality industries, from a very aggressive cyberattack. Some third-party security researchers have attributed the attack to CozyBear, though Microsoft does not believe there is yet enough evidence to support that attribution. Figure 3 shows the full attack chain.

Figure 3. Attack chain of recent threat to public sector and other non-government agencies by unidentified attacker.

Customers using the complete Microsoft Threat Protection solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection detected and blocked emails with malicious URLs, including samples that had never been seen before. Meanwhile, numerous alerts in Windows Defender Advanced Threat Protection (ATP) exposed the attacker's techniques across the attack chain.

Due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the added step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate in Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from cybersecurity threats. Learn about the full analysis in our recent blog.

Experience the evolution of Microsoft Threat Protection

Take a moment to learn more about Microsoft Threat Protection, read our previous monthly updates, and visit Integrated and automated security. Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities.

Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

The post The evolution of Microsoft Threat Protection, February update appeared first on Microsoft Secure.

Categories: Microsoft

Solving the TLS 1.0 problem

Microsoft Malware Protection Center - Mon, 02/11/2019 - 12:00pm

The use of Transport Layer Security (TLS) encryption for data in transit is a common way to help ensure the confidentiality and integrity of data transmitted between devices, such as a web server and a computer. However, older versions of the protocol, TLS 1.0 in particular, have known weaknesses, and their use should be deprecated.

We have been recommending the use of TLS 1.2 and above for some time. To help provide guidance, we are pleased to announce the release of the Solving the TLS 1.0 Problem, 2nd Edition white paper. The goal of this document is to provide the latest recommendations that can help remove technical blockers to disabling TLS 1.0, while at the same time increasing visibility into the impact of this change on your own customers. Completing such investigations can help reduce the business impact of the next security vulnerability in TLS 1.0.

In the second edition update we added the following:

  • Updates covering all of the new products and features Microsoft has shipped since the first version of the white paper, including IIS custom logging fields for weak TLS detection, TLS 1.2 backports to legacy OSes, and more.
  • Introduction of the Office 365 Secure Score Customer Reporting Portal to help Office 365 tenant admins quantify their customers own weak TLS usage.
  • Much more detail on .NET recommendations and best practices to ensure the usage of TLS 1.2+.
  • Pointers to DevSkim rules for detection and prevention of TLS hardcoding.
  • Tips for using PowerShell with TLS 1.2.
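The following PowerShell audit is an added example, not from the original post or the white paper, that exercises the areas the second edition covers: it reads the SCHANNEL registry keys that disable TLS 1.0 and 1.1 server-side, checks the two .NET Framework 4.x registry values that make .NET code negotiate TLS 1.2 by default, probes an endpoint with a handshake restricted to a single protocol version, and pins Windows PowerShell's own web cmdlets to TLS 1.2. It is meant to run as an administrator on a Windows host; intranet.contoso.com is a placeholder host name.

```powershell
# Added example (not from the original post or the white paper): audit a Windows host for TLS 1.0
# exposure and probe a server for protocol support.
# Assumptions (not in the original): run elevated on Windows PowerShell 5.1; the host name is a placeholder.

function Get-SchannelProtocolState {
    # Reports whether a protocol version is explicitly disabled server-side via SCHANNEL registry keys.
    param([string]$Protocol)  # 'TLS 1.0', 'TLS 1.1' or 'TLS 1.2'
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server"
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol           = $Protocol
        Enabled            = if ($null -eq $v.Enabled) { 'OS default' } else { $v.Enabled }
        DisabledByDefault  = if ($null -eq $v.DisabledByDefault) { 'OS default' } else { $v.DisabledByDefault }
        # Only the pair Enabled=0 and DisabledByDefault=1 guarantees the version is off regardless of OS defaults.
        ExplicitlyDisabled = ($v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1)
    }
}

function Get-DotNetTlsDefaults {
    # .NET Framework 4.x code negotiates TLS 1.2 by default only when both DWORDs are 1.
    # Both hives matter: 64-bit and 32-bit processes each read their own.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive                     = $hive
            SchUseStrongCrypto       = $v.SchUseStrongCrypto
            SystemDefaultTlsVersions = $v.SystemDefaultTlsVersions
            Ok                       = ($v.SchUseStrongCrypto -eq 1 -and $v.SystemDefaultTlsVersions -eq 1)
        }
    }
}

function Test-TlsVersion {
    # Attempts a handshake restricted to one protocol version; success means the server still accepts it.
    param([string]$HostName, [int]$Port = 443,
          [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Certificate validation is bypassed on purpose: this tests protocol support, not trust.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Host = $HostName; Requested = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Requested = $Protocol; Accepted = $false; Negotiated = $null; Error = $_.Exception.Message }
    } finally { $tcp.Close() }
}

'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState $_ } | Format-Table -AutoSize
Get-DotNetTlsDefaults | Format-Table -AutoSize

# Probe a server (placeholder host). In the SslProtocols enum, Tls means TLS 1.0.
foreach ($p in [System.Security.Authentication.SslProtocols]::Tls,
              [System.Security.Authentication.SslProtocols]::Tls12) {
    Test-TlsVersion -HostName 'intranet.contoso.com' -Protocol $p
}

# Windows PowerShell 5.1 may still default to SSL 3.0 and TLS 1.0 for Invoke-WebRequest/Invoke-RestMethod;
# pin it so your own scripts are not the last TLS 1.0 clients on the network.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

A failed TLS 1.0 probe only proves the server refused the handshake if the client was able to offer it; on a host where TLS 1.0 is already disabled client-side the exception comes from the local stack, so read the Error text before declaring the server hardened. Conversely, a successful TLS 1.0 handshake against a server you believed was fixed is exactly the finding the white paper's IIS custom logging fields help you trace back to the clients that still depend on it.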

Read the Solving the TLS 1.0 Problem, 2nd Edition white paper to learn more.

The post Solving the TLS 1.0 problem appeared first on Microsoft Secure.

Categories: Microsoft

Securing the future of AI and machine learning at Microsoft

Microsoft Malware Protection Center - Thu, 02/07/2019 - 1:00pm

Artificial intelligence (AI) and machine learning are making a big impact on how people work, socialize, and live their lives. As consumption of products and services built around AI and machine learning increases, specialized actions must be undertaken to safeguard not only your customers and their data, but also to protect your AI and algorithms from abuse, trolling, and extraction.

We are pleased to announce the release of a research paper, Securing the Future of Artificial Intelligence and Machine Learning at Microsoft, focused on net-new security engineering challenges in the AI and machine learning space, with a strong focus on protecting algorithms, data, and services. This content was developed in partnership with Microsoft's AI and Research group. It's referenced in The Future Computed: Artificial Intelligence and its role in society by Brad Smith and Harry Shum, and cited in Responsible bots: 10 guidelines for developers of conversational AI.

This document focuses entirely on security engineering issues unique to the AI and machine learning space, but due to the expansive nature of the InfoSec domain, it's understood that issues and findings discussed here will overlap to a degree with the domains of privacy and ethics. As this document highlights challenges of strategic importance to the tech industry, the target audience for this document is security engineering leadership industry-wide.

Our early findings suggest that:

  1. Secure development and operations foundations must incorporate the concepts of Resilience and Discretion when protecting AI and the data under its control.
  • AI-specific pivots are required in many traditional security domains such as Authentication, Authorization, Input Validation, and Denial of Service mitigation.
  • Without investments in these areas, AI/machine learning services will continue to fight an uphill battle against adversaries of all skill levels.
  2. Machine learning models are largely unable to discern between malicious input and benign anomalous data. A significant source of training data is derived from un-curated, unmoderated public datasets that may be open to third-party contributions.
  • Attackers don't need to compromise datasets when they are free to contribute to them. Such dataset poisoning attacks can go unnoticed while model performance inexplicably degrades.
  • Over time, low-confidence malicious data becomes high-confidence trusted data, provided that the data structure/formatting remains correct and the quantity of malicious data points is sufficiently high.
  3. Given the great number of layers of hidden classifiers/neurons that can be leveraged in a deep learning model, too much trust is placed on the output of AI/machine learning decision-making processes and algorithms without a critical understanding of how these decisions were reached.
  • AI/machine learning is increasingly used in support of high-value decision-making processes in medicine and other industries where the wrong decision may result in serious injury or death.
  • AI must have built-in forensic capabilities. This enables enterprises to provide customers with transparency and accountability of their AI, ensuring its actions are not only verifiably correct but also legally defensible.
  • When combined with data provenance/lineage tools, these capabilities can also function as an early form of AI intrusion detection, allowing engineers to determine the exact point in time that a decision was made by a classifier, what data influenced it, and whether or not that data was trustworthy.

Our goal is to bring awareness and energy to the issues highlighted in this paper while driving new research investigations and product security investments across Microsoft. Read the Securing the Future of Artificial Intelligence and Machine Learning at Microsoft paper to learn more.

The post Securing the future of AI and machine learning at Microsoft appeared first on Microsoft Secure.

Categories: Microsoft

Announcing the new Security Engineering website

Microsoft Malware Protection Center - Mon, 02/04/2019 - 12:00pm

To meet users' expectations for security when using a product or cloud service, security must be an integral part of all aspects of the lifecycle. We all know this, and yet time has proven that this is far easier said than done because there is no single approach nor silver bullet that works in every situation. However, Microsoft's long commitment to security has demonstrated that there are a number of security practices that have survived the passage of time, and when applied flexibly in harmony with many approaches, will improve the security of products or cloud services.

We are sharing the results of our experiences through our new Security Engineering website, which includes updated Microsoft Security Development Lifecycle (SDL) practices that focus on development teams and what we believe to be the basic minimum steps for addressing security concerns when using open source. Additionally, we've included more specific Operational Security Assurance (OSA) practices, aligned with the operational lifecycle of cloud services, and we touch on how these can be brought together to deliver Secure DevOps.

There are four main sections to the new site:

Security Development Lifecycle (SDL)

The new Security Development Lifecycle (SDL) site offers updated practices that should be used during the development process to build more secure software by reducing the number and severity of vulnerabilities accidentally introduced into software. The practices cover a broad range of topics, from training and threat modeling, to managing the security risk of using third-party components, and security testing.

Operational Security Assurance (OSA)

The Operational Security Assurance (OSA) section outlines aligned practices to apply during the operational lifecycle of cloud services, making them more resilient to attack from real and potential cybersecurity threats. These include elements such as using Multi-Factor Authentication (MFA), protecting secrets, protecting against DDoS attacks, and penetration testing.

Secure DevOps

The Secure DevOps model provides a great foundation to improve security. SDL and OSA practices aligned with automation, monitoring, collaboration, and fast and early feedback provide a great opportunity to improve security. Practices outlined here include tooling and automation and continuous learning and monitoring.

Open Source Security

The Open Source Security section outlines the minimum steps necessary to begin to address security concerns when using open source components. Here the practices cover topics such as inventorying open source components, keeping them updated, and aligning security response processes; the section aligns with the SDL practice of managing the security risk of using third-party components.

Throughout the site you will find useful references and resources to help. There are even consulting services offerings if you need them. See our Security documentation, where many of these resources can be found along with other useful security research papers, guides, and references. We hope you find the new Security Engineering site useful and encourage you to explore and share with your development and operations teams.

The post Announcing the new Security Engineering website appeared first on Microsoft Secure.

Categories: Microsoft

Defending critical infrastructure is imperative

Microsoft Malware Protection Center - Fri, 02/01/2019 - 12:00pm

The Cybersecurity Tech Accord's upcoming webinar and the importance of public-private partnership

Today, cyberattacks from increasingly sophisticated actors threaten organizations across every sector, and whether a Fortune 500 company or a local bakery, organizations of all sizes need to take steps to limit the dangers posed by these threats. This is the core of cybersecurity risk management: understanding potential threats and actively working to mitigate them. But while organizations large and small should protect themselves against such threats, the owners and operators of critical infrastructure have a unique additional obligation to understand risks and improve their cyber resilience in the interests of the communities, and even whole societies, that rely on their industries.

Critical infrastructure refers to the industries and institutions whose continued operation is necessary for the security and stability of a society. Energy, water, and healthcare sectors are often deemed critical infrastructure, as are essential government organizations, transportation sectors, and even entire election systems. The organizations that own and operate this infrastructure have a responsibility to keep it up and running in the face of any challenge, which requires even more careful attention to security, particularly cybersecurity.

It is with this responsibility in mind that we are excited for the upcoming webinar from the senior malware researcher at the IT security firm, ESET, on the latest and most potent cyberthreats to critical infrastructure. The webinar is free to attend and will be hosted by the Cybersecurity Tech Accord on February 4, 2019.

As a signatory to the Cybersecurity Tech Accord, Microsoft is glad to see this diverse coalition of technology companies taking time to address this important issue and highlight the most significant cyberthreats to critical infrastructure. These are the types of challenges that the tech industry should be working collaboratively to address. In fact, Microsoft recently published a white paper titled Risk Management for Cybersecurity: Security Baselines on how policies can improve critical infrastructure protection by establishing outcome-focused security baselines. Such policies mandate how secure critical infrastructure systems must be while allowing industry to innovate and evolve their approaches as necessary to achieve those goals.

Critical infrastructure protection requires cooperation between the public and private sectors because, while the resilience of these sectors is a national security priority, the critical infrastructure itself is most often owned and operated by private industry and dependent on the technologies that are developed and maintained by private companies. In this dynamic, governments play an indispensable role in identifying security needs and standards for success, while industry understands its own technology and how to best meet security objectives.

The benefits of this collaboration are highlighted in the recently published report by the Organization of American States (OAS), developed in partnership with Microsoft, Critical Infrastructure Protection in Latin America and the Caribbean 2018. The report is a tremendous resource for policymakers in the region, as OAS was able to acutely identify the cybersecurity priorities and challenges of its Latin American and the Caribbean member states, while Microsoft was able to provide technical insights on how to best enable critical infrastructure owners and operators to protect their systems based on those priorities.

The upcoming webinar from ESET will doubtlessly shed additional light on the ever-changing nature of cybersecurity threats, especially as they relate to critical infrastructure, further underscoring the importance of cooperative relationships between sectors moving forward. We invite you to attend the live event; and for those who cannot attend on February 4, 2019, the webinar will be recorded and made available on the Cybersecurity Tech Accord website in the days that follow.

For a full list of upcoming webinars, and to access previous sessions on demand, visit the Cybersecurity Tech Accord website.

The post Defending critical infrastructure is imperative appeared first on Microsoft Secure.

Categories: Microsoft

CISO series: Talking cybersecurity with the board of directors

Microsoft Malware Protection Center - Thu, 01/31/2019 - 2:15pm

In today's threat landscape, boards of directors are more interested than ever before in their company's cybersecurity strategy. If you want to maintain a board's confidence, you can't wait until after an attack to start talking to them about how you are securing the enterprise. You need to engage them in your strategy early and often, with the right level of technical detail, packaged in a way that gives the board exactly what they need to know, when they need to know it.

Cyberattacks have increased in frequency and size over the years, making cybersecurity as fundamental to the overall health of the business as financial and operational controls. Today's boards of directors know this, and they are asking their executive teams to provide more transparency on how their company manages cybersecurity risks. If you are a technology leader responsible for security, achieving your goals often includes building alignment with the board.

Bret Arsenault, corporate vice president and chief information security officer (CISO) for Microsoft, was a recent guest on our CISO Spotlight Series, where he shared several of his learnings on building a relationship with the board of directors. We've distilled them down to the following three best practices:

  • Use the board's time effectively.
  • Keep the board educated on the state of cybersecurity.
  • Speak to the board's top concerns.

Use the board's time effectively

Members of your board come from a variety of different backgrounds, and they are responsible for all aspects of risk management for the business, not just security. Some board members may track the latest trends in security, but many won't. When it's time to share your security update, you need to cut through all the other distractions and land your message. This means you will want to think almost as much about how you are going to share your information as about what you are going to share, keeping in mind the following tips:

  • Be concise.
  • Avoid technical jargon.
  • Provide regular updates.

This doesn't mean you should dumb down your report or avoid important technical information. It means you need to prepare adequately. It may take several weeks to analyze internal security data, understand key trends, and distill it down to a 10-page report that can be presented in 30 to 60 minutes. Quarterly updates will help you learn what should be included in those 10 pages, and will give you the opportunity to build on prior reports as the board gets more familiar with your strategy. No matter what, adequate planning can make a big difference in how your report is received.

Keep the board educated on the state of cybersecurity

Stories about security breaches get a lot of attention, and your board may hope you can prevent an attack from ever happening. A key aspect of your role is educating them on the reasons why no company will ever be 100 percent secure. The real differentiation is how effectively a company responds to and recovers from an inevitable incident.

You can also help your board understand the security landscape better with analysis of the latest security incidents and updates on cybersecurity regulations and legislation. Understanding these trends will help you align resources to best protect the company and stay compliant with regional security laws.

Speak to the board's top concerns

As you develop your content, keep in mind that the best way to get the board's attention is by aligning your messages to their top concerns. Many boards are focused on the following key questions:

  • How well is the company managing its risk posture?
  • What is the governance structure?
  • How is the company preparing for the future?

To address these questions, Bret sticks to the following talking points:

  • Technical debt: An ongoing analysis of legacy systems and technologies and their security vulnerabilities.
  • Governance: An accounting of how security practices and tools measure up against the security model the company is benchmarked against.
  • Accrued liability: A strategy to future-proof the company to avoid additional debts and deficits.

When it comes to effectively working with the board and other executives across your organization, a CISO should focus on four primary functions: manage risk, oversee technical architecture, implement operational efficiency, and most importantly, enable the business. In the past, CISOs were completely focused on technical architecture. Good CISOs today, and those who want to be successful in the future, understand that they need to balance all four responsibilities.

Learn more

Be sure to check out the interview with Bret in Part 1 of the CISO Spotlight Series, Security is Everyone's Business, to hear firsthand his recommendations for talking to the board. And in Part 2, Bret walks through how to talk about security attacks and risk management with the board.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great reference if you are searching for a benchmark model.

To read more blogs from the series, visit the CISO series page.

The post CISO series: Talking cybersecurity with the board of directors appeared first on Microsoft Secure.

Categories: Microsoft

Step 4. Set conditional access policies: top 10 actions to secure your environment

Microsoft Malware Protection Center - Wed, 01/30/2019 - 12:00pm

The Top 10 actions to secure your environment series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In Step 4. Set conditional access policies, you'll learn how to control access to your apps and corporate resources using conditional access policies, and how these policies can block legacy authentication methods and control access to SaaS apps.

In today's workplace, users can work from anywhere, on any device. Whether using a company-provided laptop at the office, working from home, traveling for business, or using a personal mobile phone, employees expect to seamlessly access what they need to get work done. While the need for productivity may not change with circumstances, the level of risk of each sign-in does. Not all devices, apps, or networks are equally secure, and attackers will exploit any weakness that gives them access to your users and resources. It is critical to safeguard your identities, but it is not enough. You also need flexible security policies that respond to the conditions of each sign-in.

Set up Azure Active Directory (Azure AD) conditional access policies

Azure AD conditional access lets you apply security policies that are triggered automatically when certain conditions are met. You can block access if the data suggests the user has been compromised or if it's highly unlikely that the legitimate user would sign in under those conditions. You can enforce additional authentication requirements when the system detects a medium risk based on the sign-in conditions (see "Sign-in risk" below).

We recommend that you apply policies that are appropriate for your organization for the following conditions:

  • Users and user groups: To reduce the risk that sensitive data is leaked, define which users or user groups can access which applications or resources, paying careful attention to sources of highly sensitive information such as human resources or financial data.
  • Sign-in risk: Azure AD machine learning algorithms evaluate every sign-in and give it a risk score of low, medium, or high depending on how likely it is that someone other than the legitimate owner of the account is attempting to sign in. Anyone with a medium risk should be challenged with Multi-Factor Authentication (MFA) at sign-in. If the sign-in is a high risk, access should be blocked. This condition requires Azure AD Identity Protection, which you can read about in Step 3. Protect your identities.
  • Location: A location can be risky if it's in a country with limited security policies, if the wireless network is unsecured, or simply because it's not a location where the organization typically does business. You can modify access requirements for sign-ins from locations that are not on an IP safe list or that are risky for other reasons. Users accessing a service when they're off the corporate network should be required to use MFA.
  • Device platform: For this condition, define a policy for each device platform that either blocks access, requires compliance with Microsoft Intune policies, or requires the device be domain joined.
  • Device state: Use this condition to define policies for unmanaged devices.
  • Client apps: Users can access many cloud apps using different app types such as web-based apps, mobile apps, or desktop apps. You can apply security policies if an access attempt is performed using a client app type that causes known issues, or you can require that only managed devices access certain app types.
  • Cloud apps: This condition specifies unique policies for sensitive apps. For example, you can require that HR apps like Workday are blocked if Azure AD detects a risky sign-in or if a user tries to access it with an unmanaged device.

When a condition is met, you can choose what policy Azure AD will enforce:

  • Require MFA to prove identity.
  • Change the actions the user can take in cloud apps.
  • Restrict access to sensitive data (for example: limit downloads or sharing functionality).
  • Require a password reset.
  • Block access.

Once set, these policies will apply automatically without any manual intervention (Figure 1).

Figure 1. Azure AD automatically applies the policies you set based on condition.

Block legacy authentication and control access to highly privileged accounts

Old apps that use a legacy authentication method, such as POP3, IMAP4, or SMTP clients, increase your risk because they prevent Azure AD from doing an advanced security assessment and don't support more modern forms of authentication, such as MFA (basic authentication also accepts only a username and password, so a stolen password is enough to sign in). We recommend you use client application conditional access rules (Figure 2) to block these apps entirely.

Figure 2. Apply conditional access rules to block client apps using legacy authentication methods.

You can also use conditional access rules to reduce the risk that highly privileged accounts or service accounts are compromised. For example, if your HR system uses a service account to access the email account, you can make sure it can only run against the service from a specific IP at the appropriate time of day.

Enhance conditional access with Intune and Microsoft Cloud App Security

Azure AD integrates with Intune, so that conditional access policies can consider the Intune device state as part of the policy, letting you set access controls for devices that have old operating systems or other security vulnerabilities. You can also use conditional access in Intune to make sure that only apps managed by Intune can access corporate email or other Office 365 services. Azure AD will enforce these rules.

Cloud App Security Conditional Access App Control extends conditional access to your SaaS apps. You can block downloads from apps, limit activities in the app, monitor risky users, or block access to the app entirely.

Once you have policies in place, we recommend that you use the Azure AD What If tool to simulate possible sign-in scenarios that your users may confront. The What If tool allows you to select a user, the app that user is trying to access, and the conditions of that sign-in to see which policies will apply. (Figure 3.) This step will give you a better sense of how your policies will impact your users. You can also check what policies do not apply to a specific scenario.

One final precaution: Be sure to set up an exception group (for example, an emergency access account) that is excluded from each conditional access policy, so you don't lock yourself out.

Figure 3. The Azure AD What If tool gives you a better sense of how your policies will impact your users.
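As an added example (not code from the original post or from Microsoft), the following Python script models how the conditions and controls described above combine at sign-in time, the way the What If tool reports them: every enabled policy whose conditions match a sign-in applies, a "block" from any one policy wins over everything else, grant controls from the other matching policies accumulate, a report-only policy is listed but not enforced, and an exception group that is excluded from every policy never triggers one. The policy dictionaries are loosely modelled on the Microsoft Graph conditionalAccessPolicy resource but simplified, so the field set is an assumption rather than the exact schema; the group name CA-Exclusions, the trusted IP ranges, the app names and the sample sign-ins are constructed for the example.

```python
"""Toy conditional access evaluator (added example, not Microsoft code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "IP safe list": named locations marked as trusted.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    client_app: str     # "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"
    risk: str           # Identity Protection sign-in risk: "none", "low", "medium", "high"
    ip: str
    platform: str       # "windows", "iOS", "android", ...
    device_compliant: bool


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def matches(policy, s):
    """True if every configured condition of the policy matches the sign-in."""
    c = policy["conditions"]
    u = c["users"]
    # Exclusions win: the exception (break-glass) group never matches any policy.
    if s.user in u.get("excludeUsers", []) or s.groups & set(u.get("excludeGroups", [])):
        return False
    if "All" not in u.get("includeUsers", []) and not s.groups & set(u.get("includeGroups", [])):
        return False
    apps = c["applications"]["includeApps"]
    if "All" not in apps and s.app not in apps:
        return False
    if c.get("clientAppTypes") and s.client_app not in c["clientAppTypes"]:
        return False
    if c.get("signInRiskLevels") and s.risk not in c["signInRiskLevels"]:
        return False
    if c.get("platforms") and s.platform not in c["platforms"]:
        return False
    loc = c.get("locations")
    if loc and "AllTrusted" in loc.get("excludeLocations", []) and is_trusted(s.ip):
        return False
    return True


def evaluate(policies, s):
    """Report which policies apply and the combined outcome, like the What If tool."""
    applied, required, blocked = [], set(), False
    for p in policies:
        if p["state"] == "disabled" or not matches(p, s):
            continue
        applied.append(p["displayName"])
        if p["state"] == "enabledForReportingButNotEnforced":
            continue                    # report-only: logged, never enforced
        controls = set(p["grantControls"]["builtInControls"])
        if "block" in controls:
            blocked = True              # one block beats any number of grants
        else:
            required |= controls        # user must satisfy every accumulated grant
    # compliantDevice can be decided now from device state; MFA is an interactive challenge.
    if "compliantDevice" in required and not s.device_compliant:
        blocked = True
    outcome = "block" if blocked else ("mfa" if "mfa" in required else "grant")
    return {"applied": applied, "outcome": outcome, "controls": sorted(required)}


def policy(name, grant, state="enabled", **conditions):
    """Build a policy for all users and apps, minus the hypothetical CA-Exclusions group."""
    base = {"users": {"includeUsers": ["All"], "excludeGroups": ["CA-Exclusions"]},
            "applications": {"includeApps": ["All"]}}
    base.update(conditions)
    return {"displayName": name, "state": state, "conditions": base,
            "grantControls": {"operator": "OR", "builtInControls": [grant]}}


# The policy set recommended in the post, expressed in the toy schema.
POLICIES = [
    policy("Block legacy authentication", "block",
           clientAppTypes=["exchangeActiveSync", "other"]),   # EAS + POP3/IMAP4/SMTP clients
    policy("Block high-risk sign-ins", "block", signInRiskLevels=["high"]),
    policy("Require MFA for medium-risk sign-ins", "mfa", signInRiskLevels=["medium"]),
    policy("Require MFA off the corporate network", "mfa",
           locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    policy("Workday: require a compliant device", "compliantDevice",
           applications={"includeApps": ["Workday"]}),
    policy("Pilot: block Android", "block",
           state="enabledForReportingButNotEnforced", platforms=["android"]),
]

if __name__ == "__main__":
    imap_at_office = SignIn("alice@contosocars.com", frozenset({"Sales"}), "Exchange Online",
                            "other", "none", "203.0.113.10", "windows", True)
    print(evaluate(POLICIES, imap_at_office))   # legacy IMAP is blocked even from the office
```

Run the script to see a legacy IMAP sign-in blocked even from a trusted office address; a medium-risk browser sign-in to Workday from a coffee-shop IP on an unmanaged device is blocked too, because the compliant-device grant cannot be satisfied, while the same sign-in from a compliant device is allowed after MFA. A member of CA-Exclusions matches no policy at all, which is exactly why that group must be a small, audited set of emergency accounts.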

Learn more

Check back in a few weeks for our next blog post, Step 5. Set up mobile device management, where we'll dive into how to plan your Intune deployment and set up mobile device management as part of your Unified Endpoint Management strategy.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.


The post Step 4. Set conditional access policies: top 10 actions to secure your environment appeared first on Microsoft Secure.

Categories: Microsoft