Microsoft & Office 365 - Improve Your Security Baseline + Enforce MFA!

Microsoft Windows, PowerShell and Office have been around a long time and have had many previous versions. Backwards compatibility, for example between the authentication methods of different versions, makes the products a lot less safe than they could be. By disabling these legacy protocols and features (such as app-passwords), and by enabling auto-updating so that everyone runs the latest stable version, you drastically reduce the attack surface of the organisation.

The code is about half-way down. Disclaimer: you will break stuff, so read carefully... TL;DR: if you are on Windows 10 + Office 365 + MFA you are fine. If you use Windows 7, Office 2013 etc., or don't have MFA on your admin accounts, stuff will break.

Background: Office 365 authentication not (as) secure by default!

"Modern Authentication" uses OAuth2 to authenticate. New and existing users no longer need to enter credentials into Office itself to connect to Office 365. This helps enormously against credential exposure and also makes migrations a lot easier! Corporate-enrolled devices can have their clients configured for Single Sign-On (SSO), SAML and MFA via Modern Authentication. In the (very near) future, you can add location-based and more granular context-aware policies.

Currently, Exchange Online and Skype for Business Online tenants are not enabled for Modern Authentication by default. You have to enable it via PowerShell. The steps and code for this are listed below!

Modern Authentication brings ADAL, the Active Directory Authentication Library, to Office 365. This enables sign-in features like Multi-factor Authentication (MFA), SAML-based third-party identity providers with Office client applications, and smart card and certificate-based authentication. It also removes the need for the basic authentication protocol. That last one... Let's call it legacy authentication that should NEVER have existed in the first place...

All modern mobile Outlook apps support "Modern Authentication". All newer Office versions (2016+) have Modern Authentication support enabled by default and require no further action once it is enabled on the tenant using PowerShell. Office 2013 can be on-boarded with registry values, but I "suggest" (read: urge you) to upgrade to Windows 10 / Office 2019 with auto-update (and/or LTS if you really need to) instead.

Four new; must-have-enabled powerful policies (old)

Microsoft has added 4 new, extremely powerful must-have features to Microsoft Intune under Conditional Access. These features will break the app-passwords that people have gotten used to. Previously you would use app-passwords and legacy authentication for resources that could not do "Modern Authentication". App-passwords bypass(ed) MFA and are dangerous, especially for administrators, as they allow full elevated access without MFA.

2020-08-31: The conditional access policies mentioned here don't exist anymore. These 4 policies can be replaced with the 2 suggested must-have-enabled policies I have provided at the bottom of this post. I left the text in to explain/illustrate the principles that were introduced.

Baseline policy: Block legacy authentication (outdated)

This policy blocks all sign-ins using legacy authentication protocols that don't support multi-factor authentication (such as IMAP, POP, SMTP). The policy does not block Exchange ActiveSync. Clients affected by this policy include:

  • Office 2013 (without registry keys)
  • Office 2010
  • Thunderbird client
  • Legacy Skype for Business
  • Native Android mail client

Baseline policy: End user protection (outdated)

This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.

Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.

Baseline policy: Require MFA for Service Management (outdated)

This policy requires users logging into services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA).

Services requiring MFA include:

  • Azure Portal
  • Azure Command Line Interface (CLI)
  • Azure PowerShell Module

Baseline policy: Require MFA for admins (outdated)

The most powerful and important one of the new policies! This policy requires multi-factor authentication (MFA) for the following directory roles:

  • Global Administrator
  • SharePoint Administrator
  • Exchange Administrator
  • Conditional Access Administrator
  • Security Administrator
  • Helpdesk Administrator/Password Administrator
  • Billing Administrator
  • User Administrator

This policy also blocks legacy authentication (finally!).

Secure Office 365 by enforcing MFA and disabling legacy authentication

I call these low-hanging fruit: they require some knowledge and understanding of risk, but create real value for companies/people. On top of the usual hardening, the following harden administrative access quite a bit.

This guide takes it for granted that you have MFA enabled on your account. The instructions only tell you how to do it for an MFA-enabled account!

Inside Intune: Enable the Conditional Access - Policies (old)

2020-08-31: These 4 policies cannot be enabled anymore, nor are they enforced (sad). Add the 2 policies I have provided at the bottom of this post to achieve the same effect as these 4.

Word of caution: when you activate some of these settings pre-emptively, without MFA enabled on your account, it WILL lock you out. So please, for the love of god, add MFA to your account first!

  • Baseline policy: Require MFA for admins (Preview)
  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: End user protection (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

It might take up to 24 hours before "Modern Authentication" starts to work everywhere. Usually it is enabled everywhere in less than an hour, but I have seen it take until the next "business" day! Verify your enabled setting and let it be. It takes time to propagate!

Steps to enable "Modern Authentication" in Exchange Online

There are two ways of doing this: one via the Admin Center (GUI), the other via PowerShell (the recommended way, described below the GUI section).

GUI / Browser

  1. Go & login to Microsoft Admin Portal: https://admin.microsoft.com/Adminportal/
  2. Click Show all > Settings > Service & add-ins > Modern Authentication.
  3. Tick Enable Modern Authentication
  4. Click Save changes

Powershell

Start PowerShell as Administrator for the initial installation of the modules.

Take note of the following settings for ExecutionPolicy:

# You need this setting-value later for clean-up / re-securing your local device
PS> Get-ExecutionPolicy
# Set ExecutionPolicy to RemoteSigned to enable "relatively safe" import of scripts etc
PS> Set-ExecutionPolicy RemoteSigned
PS> Get-Module
# Install the AzureAD Powershell Module
PS> Install-Module -Name AzureAD

This will tell you that you need to trust and import the sources. Type "Y" to install and import the NuGet provider and such. You can also download these packages manually from the PowerShell Gallery.

Source: https://www.powershellgallery.com/packages/AzureAD/

# Warning: only in case you want to trust PSGallery
PS> Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
# Install the Exchange Online PowerShell module
PS> Install-Module -Name Microsoft.Exchange.Management.ExoPowershellModule

Source: https://www.powershellgallery.com/packages/Microsoft.Exchange.Management.ExoPowershellModule/

Now it is time to log in and start the MFA-enabled remote PowerShell session.

# Enable MFA session with Powershell to Exchange Online, login will pop-up!
PS> $EXOSession = New-ExoPSSession
# Import all functionality/scripts and the session
PS> Import-PSSession $EXOSession

You are now logged in. You can try basic commands like Get-User or Get-Mailbox to check that you can see your mailboxes and/or users; in case of errors, run Get-Module to see if everything is loaded correctly. See the illustration for an example of such an error.

Important step

# The actual step enabling modern authentication for Exchange Online
PS> Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Clean-Up

Important step

# Reset the Execution Policy back to its initial value (e.g. Restricted); check the value you noted at the start
PS> Set-ExecutionPolicy Restricted
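The whole Exchange Online procedure above (note the execution policy, connect with MFA, enable OAuth2, verify, clean up) as one script. This is an added example, not code from the original post; it uses the same cmdlets the post does (New-ExoPSSession from Microsoft.Exchange.Management.ExoPowershellModule) and reads the setting back with Get-OrganizationConfig instead of trusting that the Set call worked. Run it in an elevated PowerShell window with an MFA-enabled admin account.

```powershell
# Added example (not from the original post): enable Modern Authentication for
# Exchange Online in one go, verify it, and restore the local execution policy
# even if something fails half-way.

# Remember the machine-wide execution policy so the finally block can put it back
$initialPolicy = Get-ExecutionPolicy -Scope LocalMachine
$exoSession = $null

try {
    # RemoteSigned is needed to import the session's generated script module
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

    # Opens the interactive (MFA) login prompt
    $exoSession = New-ExoPSSession
    Import-PSSession $exoSession -DisableNameChecking | Out-Null

    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "Modern Authentication (OAuth2ClientProfileEnabled) before: $before"

    if (-not $before) {
        # The actual step from the post
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # Read the value back from the service rather than assuming the call succeeded
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $after) {
        throw 'OAuth2ClientProfileEnabled is still false; check role assignment and retry later (propagation can take a while).'
    }
    Write-Host "Modern Authentication (OAuth2ClientProfileEnabled) after: $after"
}
finally {
    # Clean-up: drop the remote session and re-secure the local machine
    if ($exoSession) { Remove-PSSession $exoSession }
    Set-ExecutionPolicy -ExecutionPolicy $initialPolicy -Scope LocalMachine -Force
    Write-Host "Execution policy restored to: $initialPolicy"
}
```

Restoring the policy in a finally block is the point of the wrapper: the post's clean-up step is easy to forget when the login prompt fails or the session import throws, and an Unrestricted or RemoteSigned machine is then left behind.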

Legacy support: Office 2013

Office 2013 with its Service Pack does have the ability to enable ADAL, i.e. Modern Authentication. I highly recommend simply upgrading to 365/2019, i.e. the latest version, in one go... But should you have some weird legacy issue, here is the command-line code to get it to work. Please note that Outlook 2013 needs to be closed before executing it, as some keys might get overwritten on exit.

# Run from elevated command-line
CMD> reg add HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity /v EnableADAL /t REG_DWORD /d 1 /f
CMD> reg add HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity /v Version /t REG_DWORD /d 1 /f

These lines add the following to the local Windows registry:

Key                                                  Value       Type   Data
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity  EnableADAL  DWORD  1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity  Version     DWORD  1

Nicer would be to add this to your Office 2013 installation and/or version-bump scripts instead of running it from the command line. At this point in time, there are no Administrative Templates available for this specific setting. Again... Upgrade to latest instead!
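For those installation or version-bump scripts, here is the same registry change as an idempotent PowerShell function. It is an added example, not from the original post: the function name is made up here, the key path and values are the ones from the table above, and it refuses to run while Outlook is open because, as the post notes, Outlook may rewrite these keys on exit.

```powershell
# Added example (not from the original post): script-friendly version of the two
# "reg add" lines for Office 2013 Modern Authentication (ADAL).
function Enable-Office2013Adal {
    $keyPath = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    $wanted  = @{ EnableADAL = 1; Version = 1 }   # values from the post

    # Outlook 2013 rewrites these keys on exit, so bail out while it is running
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Close Outlook 2013 before changing the Identity keys.'
    }

    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    foreach ($name in $wanted.Keys) {
        $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        # Only write when the value is missing or different, so re-runs are harmless
        if ($current -ne $wanted[$name]) {
            New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
                             -Value $wanted[$name] -Force | Out-Null
        }
    }

    # Return the effective values so a deployment tool can verify the result
    Get-ItemProperty -Path $keyPath | Select-Object EnableADAL, Version
}

Enable-Office2013Adal
```

Because the keys live under HKCU, run this in the user's own context (for example a logon script), not as SYSTEM: a machine-level deployment running as SYSTEM would write to the wrong hive and the user's Outlook would never see the setting.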

Legacy: Skype for Business

See what I did there in the title? Still you can ask: what about Skype for Business? You said it doesn't have "Modern Authentication" out of the box either... Yes! You are absolutely right, and while I could help you out with that too... Once more, I urge you to look at the newer option, i.e. Microsoft Teams, instead. It allows for collaboration in a much more secure and granular way compared to Skype for Business. Ok, I warned you, let us continue!

Prerequisites

Follow the Exchange Online steps above, but skip the Exchange Online specific parts.

PowerShell

Configuring Skype for Business Online first requires installing the Skype for Business Online PowerShell module, which is not available in the PSGallery (because it is legacy -> Teams). You will have to follow the official Microsoft documentation.

Afterwards you can, like for Exchange Online, connect to your Office 365 tenant and enable OAuth2 with the help of Set-CsOAuthConfiguration.

# Install the Skype Online PS module from the Microsoft website
# Did you read and do the above line? If so, continue.
PS> Import-Module SkypeOnlineConnector
# Establish an MFA-enabled session
PS> $Session = New-CsOnlineSession
# Import the scripts and the session. Note: you need to have Execution Policy RemoteSigned enabled for this.
PS> Import-PSSession $Session

Now let's enable "Modern Authentication" for Skype for Business!

# Verify/check for ClientAdalAuthOverride : Disallowed
PS> Get-CsOAuthConfiguration
# Enable "Modern Authentication" for Skype for Business
PS> Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
# Verify/check that the setting was applied ClientAdalAuthOverride : Allowed
PS> Get-CsOAuthConfiguration

Clean-up

Now, be a good responsible person and delete the Skype Online PowerShell add-on you just installed. You don't need it anymore, so please follow proper hygiene routines and remove it from your system. Also remember to set your Execution Policy back to the proper "sanitized" setting. ExecutionPolicy Unrestricted is NOT the proper setting.

Done!

Even though you are done enabling ADAL/Modern Authentication for Skype for Business, please look into using Teams instead: enable proper governance of information streams, have data-loss-prevention (DLP) policies enabled by default, and then enable proper collaboration.

Two new; must-have-enabled powerful policies (updated)

(Updated 2020-08-31) These two policies effectively replace the preview policies, which were available as click-and-forget. Because too many people had issues with them being an all-or-nothing setting, Microsoft provided a similar workaround. There is another option called Security Defaults, but it does not give you as strong a protection out-of-the-box as these two.

Disable legacy access for all users

  1. Browse to EndPoint Manager > Endpoint Security or Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. Something like: Baseline Policy: Disable Legacy Access.
  4. Under Assignments, select Users and groups
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you do not exclude any account, you will not be able to create this policy.
    3. Select Done.
  5. Under Cloud apps or actions, select All cloud apps.
    1. Select Done.
  6. Under Conditions > Client apps, set Configure to Yes.
    1. Check only the boxes Exchange ActiveSync clients and Other clients. To deploy Exchange ActiveSync Conditional Access policy in Azure, the user must also be a Global Administrator.
    2. Select Done.
  7. Under Access controls > Grant, select Block access.
    1. Select Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.
  10. This will throw a warning to make you double-check and exclude settings. Verify and continue. After verification, remove yourself from the exclude list.

Require MFA for all users

Word of caution: when you activate this policy without MFA enabled on your account, it WILL lock you out. So please, for the love of god, add MFA to your account first! (... or initially exclude yourself. The warning message in the panel you saw in the previous step exists for exactly this reason.)

  1. Browse to EndPoint Manager > Endpoint Security or Azure Active Directory > Security > Conditional Access.
  2. Select New policy.
  3. Give your policy a name. Something like: Baseline Policy: Require MFA for All Users - Including Administrators.
  4. Under Assignments, select Users and groups
    1. Under Include, select All users
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  5. Under Cloud apps or actions > Include, select All cloud apps.
    1. Under Exclude, select any applications that do not require multi-factor authentication. (You shall NOT click or add any)
  6. Under Conditions > Client apps (Preview), under Select the client apps this policy will apply to leave all defaults selected and select Done.
  7. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
  8. Confirm your settings and set Enable policy to On.
  9. Select Create to create and enable your policy.
  10. This will throw a warning to make you double-check and exclude settings. Verify and continue. After verification, remove yourself from the exclude list.

This setting also requires MFA for guest users and external users (not B2C) added to services like Teams. In some use-cases you might consider excluding them... But that defeats the point of MFA... I just wanted to hint that sometimes this is a problem. Under Exclude, you would then tick Guest Users. This is not required for the legacy part, only here.

Because people lock themselves out, the default recommended action is to exclude the user creating the policy from both policies. Please verify that the policies work correctly and then remove yourself from the exclude lists. By doing it this way, Microsoft support will "love you" for reading the instructions and warning texts...
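The two GUI procedures above, "Disable legacy access for all users" and "Require MFA for all users", as a repeatable script. This is an added example and not code from the original post: it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph and the New-MgIdentityConditionalAccessPolicy / Get-MgIdentityConditionalAccessPolicy cmdlets) is installed, which the post does not mention, and the break-glass object IDs are placeholders you replace with your own. Both policies are created in report-only mode first, so the lock-out warning the post keeps repeating turns into something you can check in the sign-in logs before enforcing.

```powershell
# Added example (not from the original post): create the two baseline
# Conditional Access policies via Microsoft Graph PowerShell, in report-only mode.
# Requires the Microsoft.Graph.Identity.SignIns module (assumption, not from the post).

# Placeholders: object IDs of your emergency access / break-glass accounts
$breakGlassIds = @('<break-glass-account-object-id-1>', '<break-glass-account-object-id-2>')

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Policy 1: block legacy authentication. Matches the GUI steps: all users, all cloud
# apps, client apps = Exchange ActiveSync clients + Other clients, grant = Block access.
$blockLegacy = @{
    displayName   = 'Baseline Policy: Disable Legacy Access'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for all users, all cloud apps, all client app types
# (the GUI's "leave all defaults selected"), grant = Require multi-factor authentication.
$requireMfa = @{
    displayName   = 'Baseline Policy: Require MFA for All Users - Including Administrators'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in $blockLegacy, $requireMfa) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Verify what actually landed in the tenant, including who is excluded
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'Baseline Policy:*' |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers'; e = { $_.Conditions.Users.ExcludeUsers -join ',' } }
```

Report-only mode evaluates the policy on every sign-in and records the would-be result in the sign-in logs without blocking anyone; once the legacy-auth report shows only clients you expected (and nothing your admins depend on), change state to 'enabled'. Keeping the break-glass accounts excluded permanently, rather than "yourself" temporarily, is the cleaner version of the post's advice to remove yourself from the exclude list afterwards.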

Author: Angelique Dawnbringer Published: 2019-08-30 19:42:09 Keywords:
  • Baseline
  • Security
  • MFA
  • Multi-Factor-Authentication
  • Office 365
  • Microsoft 365
  • Powershell
  • ADAL
Modified: 2020-08-31 22:41:45