Sunday, September 20, 2020

Conditional Access policy

End User Protection:

End User Protection is a risk-based MFA baseline policy that protects all users in a directory, including all administrator roles. Enabling this policy requires all users to register for MFA using the Microsoft Authenticator app. Users can ignore the MFA registration prompt for 14 days, after which they will be blocked from signing in until they register for MFA. Once registered for MFA, users will be prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until their password is reset and the risk events have been dismissed.

Block legacy authentication to Azure AD with conditional access:

To give your users easy access to your cloud apps, Azure AD supports a broad variety of authentication protocols, including legacy authentication. However, legacy protocols don't support multi-factor authentication, and in many environments MFA is a common requirement for addressing identity theft.
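Before enforcing a block on legacy protocols, a practitioner wants to know which users and clients would be cut off. The following is an added example (not code from the original post): it defines the block policy in the shape the Microsoft Graph `conditionalAccessPolicy` resource accepts, starts it in report-only mode, and replays it over sign-in records to estimate the impact. The sign-in records, the break-glass object id and the mapping from a sign-in log's `clientAppUsed` string to a policy `clientAppTypes` value are all constructed or assumed here for illustration.

```python
"""Replay a 'block legacy authentication' Conditional Access policy over
sign-in log records to estimate its impact before enforcing it."""

# Policy body in the shape the Microsoft Graph conditionalAccessPolicy
# resource accepts. It starts in report-only mode so nothing is blocked yet.
LEGACY_AUTH_POLICY = {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        # Exchange ActiveSync and "other" (IMAP, POP, SMTP, older Office
        # clients) are the client app types that cannot perform MFA.
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "applications": {"includeApplications": ["All"]},
        "users": {
            "includeUsers": ["All"],
            # Placeholder object id of a break-glass account; a block policy
            # that targets every account should always carry an exclusion.
            "excludeUsers": ["00000000-0000-0000-0000-00000000b9a5"],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Assumed mapping from the clientAppUsed string recorded in sign-in logs to
# the clientAppTypes value a policy condition matches on. Anything not listed
# is treated as "other", which is the conservative choice for impact analysis.
CLIENT_APP_TYPE = {
    "Browser": "browser",
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Exchange ActiveSync": "exchangeActiveSync",
    "IMAP4": "other",
    "POP3": "other",
    "Authenticated SMTP": "other",
    "Other clients": "other",
}

# Constructed sign-in records; real ones come from the auditLogs/signIns
# endpoint or the Azure AD sign-ins blade.
SAMPLE_SIGN_INS = [
    {"userId": "11111111-1111-1111-1111-111111111111",
     "userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
    {"userId": "22222222-2222-2222-2222-222222222222",
     "userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
    {"userId": "33333333-3333-3333-3333-333333333333",
     "userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4"},
    {"userId": "44444444-4444-4444-4444-444444444444",
     "userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userId": "00000000-0000-0000-0000-00000000b9a5",  # the break-glass account
     "userPrincipalName": "breakglass@contoso.example",
     "clientAppUsed": "Authenticated SMTP"},
    {"userId": "55555555-5555-5555-5555-555555555555",
     "userPrincipalName": "erin@contoso.example", "clientAppUsed": "Other clients"},
]


def policy_applies(policy, sign_in):
    """True if the policy's user and client-app conditions match this sign-in."""
    users = policy["conditions"]["users"]
    if sign_in["userId"] in users.get("excludeUsers", []):
        return False
    included = users.get("includeUsers", [])
    if included != ["All"] and sign_in["userId"] not in included:
        return False
    app_type = CLIENT_APP_TYPE.get(sign_in["clientAppUsed"], "other")
    targeted = policy["conditions"]["clientAppTypes"]
    return "all" in targeted or app_type in targeted


def would_be_blocked(policy, sign_in):
    """True if the policy matches and its grant control is 'block'."""
    controls = policy["grantControls"]["builtInControls"]
    return policy_applies(policy, sign_in) and "block" in controls


def legacy_auth_impact(policy, sign_ins):
    """Summarise which sign-ins the policy would block once enforced."""
    hits = [s for s in sign_ins if would_be_blocked(policy, s)]
    return {
        "blocked": len(hits),
        "total": len(sign_ins),
        "users": sorted({s["userPrincipalName"] for s in hits}),
        "protocols": sorted({s["clientAppUsed"] for s in hits}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(legacy_auth_impact(LEGACY_AUTH_POLICY, SAMPLE_SIGN_INS), indent=2))
```

Run against a real export of sign-in logs, the `users` and `protocols` lists tell you who needs to be moved to modern-auth clients (or explicitly excluded) before the policy's `state` is switched from report-only to `enabled`.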

Baseline policy: Require MFA for service management:

You might be using a variety of Azure services in your organization. These services can be managed through the Azure Resource Manager API, using:

1. Azure Portal 

2. Azure PowerShell 

3. Azure CLI 

Using Azure Resource Manager to manage your services is a highly privileged action. Azure Resource Manager can alter tenant-wide configurations, such as service settings and subscription billing. Single-factor authentication is vulnerable to a variety of attacks, such as phishing and password spray. Therefore, it's important to verify the identity of users wanting to access Azure Resource Manager and update configurations by requiring multi-factor authentication before allowing access.

Require MFA for service management is a baseline policy that will require MFA for any user accessing the Azure portal, Azure PowerShell, or Azure CLI. This policy applies to all users accessing Azure Resource Manager, regardless of whether they are an administrator.
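The two MFA policies on this page (the risk-based End User Protection baseline above and this Azure Resource Manager policy) share the same shape and the same failure mode: a policy that targets "All users" with no exclusion can lock every administrator out. The following is an added example, not code from the original post or from Microsoft: it builds both policies as Microsoft Graph `conditionalAccessPolicy` bodies, runs a sanity check that refuses to submit an all-users policy without a break-glass exclusion, and prepares the Graph POST. The application id is the well-known one for the Microsoft Azure Management (Windows Azure Service Management API) service principal that fronts Azure Resource Manager; the break-glass object ids and the access token are placeholders, and the `validate_policy` rules are this example's own, not a Graph feature.

```python
"""Build 'require MFA' Conditional Access policies and sanity-check them
before submitting them to Microsoft Graph."""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Well-known application id of the Microsoft Azure Management (Windows Azure
# Service Management API) service principal. The Azure portal, Azure
# PowerShell and Azure CLI all obtain tokens for it when calling Azure
# Resource Manager, so a policy on this app covers all three.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}
VALID_CONTROLS = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
                  "approvedApplication", "compliantApplication", "passwordChange"}


def azure_management_mfa_policy(break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Require MFA for anyone reaching Azure Resource Manager, admin or not."""
    return {
        "displayName": "Require MFA for Azure management",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def risky_sign_in_mfa_policy(break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Risk-based counterpart of End User Protection: MFA only on risky sign-ins."""
    return {
        "displayName": "Require MFA for medium and high sign-in risk",
        "state": state,
        "conditions": {
            "signInRiskLevels": ["high", "medium"],
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is safe to submit.

    These checks are this example's own guard rails, not something Graph enforces.
    """
    problems = []
    if policy.get("state") not in VALID_STATES:
        problems.append(f"unknown state {policy.get('state')!r}")
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    unknown = controls - VALID_CONTROLS
    if unknown:
        problems.append(f"unknown grant controls {sorted(unknown)}")
    if not controls:
        problems.append("policy grants nothing")
    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        problems.append("targets all users with no excluded break-glass account")
    return problems


def build_request(access_token, policy):
    """Prepare the Graph POST; raises ValueError if validation fails."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("refusing to submit policy: " + "; ".join(problems))
    return urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


def submit_policy(access_token, policy):
    """Create the policy in the tenant; the token needs Policy.ReadWrite.ConditionalAccess."""
    with urllib.request.urlopen(build_request(access_token, policy)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object id of the emergency-access account.
    policy = azure_management_mfa_policy(["00000000-0000-0000-0000-00000000b9a5"])
    print(validate_policy(policy) or "policy passes checks")
    print(json.dumps(policy, indent=2))
```

Both builders default to report-only (`enabledForReportingButNotEnforced`) so the sign-in logs show who would have been prompted before anyone is; pass `state="enabled"` only after reviewing that data and confirming the excluded break-glass account can still sign in.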
