Multifactor authentication (MFA) can be a mighty bulwark against unauthorized access, but there’s at least one method bad actors have employed to do a two-step around the defense: sneaking illegitimate two-factor devices into a Microsoft network. Here’s an example of how such a clever but dangerous intrusion happens: An email that appears to have been sent from a business on its legitimate account states that the company’s banking information is being updated for automated clearing house (ACH payments). Something about it seems fishy, so a review is conducted, which confirms that the email was indeed being sent out from an internal email account.
The trouble is, the authorized user claims to have sent no such email. Upon investigation, it is determined that an additional authentication device was added to the account in addition to the normal user’s Android application, leading to the compromise. How could this have happened? More importantly, how could an alert be created to ensure it never happens again and the company is better protected in the future?
Multifactor authentication is not the problem
Multifactor authentication is not the issue here — it remains a key method for keeping networks more secure. It ensures that only those users get authenticated on the network that you want authenticated. But like anything in technology, because we are moving more and more to two-factor authentication, attackers are finding ways to get around our defenses.
In the example above, attackers have realized that one way around MFA is (after they’ve gained base-level access to the network) to sneak an additional device into an account that can be used for two-factor. They then exploit the option that the main authentication application is not available and employ an alternative method to provide authentication, choosing the cellphone or device that has been surreptitiously added.
The bottom line is, no matter what authentication you have set up for your organization, to ensure that you are monitoring who and what is using it. It’s imperative to review who is logging in and what devices they are using to gain access to your firm.
The attackers are getting smarter and know that more and more organizations are deploying these solutions. If they target your organization and realize that you have two-factor or better as protective measures, they will evaluate their options and act accordingly. Make it harder for them to make you a target and monitor your protections.
How to review what devices are authorized in Entra ID
Digging into the Entra ID (formerly Azure AD) console you can review those devices that have been set up for use in authentication. In each user’s profile, under the authentication methods is a listing of all devices set up as authenticators against the system. Start by pulling in a report of all of your users that use multifactor or use the built-in reports noted on the console.
If you want a list of all users who have more than one multifactor device associated with their account you can look at the authentication method Graph API endpoints. For each method, you can query the list of configured devices. For example, authentication/phoneMethods will return the list of phone numbers registered and authentication/microsoftAuthenticatorMethods will list the devices on which Authenticator is configured. Alternatively, you can do an /authentication/methods query to view them all.
Add a conditional access policy for MFA
Next, consider adding a conditional access policy that restricts how MFA is enabled. You can use conditional access to block the ability of attackers to log in with your breached password and set up an additional two-factor device.
Ensuring that you only allow the setup of MFA in a specific manner or by specific devices is key to ensuring this malicious behavior doesn’t occur and requires users to be in certain locations or on certain devices to complete the security information registration. Consider this trusted location as a tier-0 security asset and monitor this setting as well as any activity from this location.
To set this policy, go to Entra ID (Azure AD), then navigate to Security and then to Conditional Access. You’ll want to create a new conditional access policy. Under Users or Workload Identities select a user account to test and ensure it works as you expect. Under Cloud Apps or Actions, select User Actions you’ll want to choose to register security information.
These locations should have previously been set up and deemed trusted in your environment. While you may have a firm that is cloud-first, there should be always a location or static IP address that your administration workstations work from. Ensure that you have set up at least one location that is deemed trusted.
These locations and the changes or settings that are set by this location should be regularly reviewed. Always have a change management process in place to ensure that only those specific settings, policies, and scripts are allowed.
Under typical Microsoft settings and group policies you can block access from those locations that are not rusted. Under Conditions, select to include All Locations and exclude All Trusted locations. Now under Access Controls, select Block.
In approximately 15 minutes, you should find that you are unable to visit some areas of the Microsoft 365 Portal, such as aka.ms/mfasetup or the Update Info section of My Profile. Once you have ensured the policy is working as you see fit, you can then roll out the policy to additional users. If you get into the situation where you must allow access and it’s in a location that is not trusted, use the process to allow a Temporary Access Pass and allow the user to sign in without using their MFA device.
If you want to proactively review the events for multifactor authentication, these are available in the Entra ID audit log. If you use other solutions for two-factor authentication, you’ll want to use similar processes to review for devices that are authorized for use. Solutions such as Duo.com allow you to review the listing of devices that are allowed for two-factor.
Make it a process to review access logs and ensure that your access is what you intended. In the case of Duo, you can also empower your users to report malicious prompts so you can review for malicious activity.