With custom security attributes and conditional access, enforce MFA for web apps!


Dear Microsoft Azure Friends,

 

The use of multifactor authentication (MFA) has become indispensable in today's world. With the help of Conditional Access (CA) policies, we can require MFA in a very targeted manner. But what about when a new web app is set up and deployed? Does it need a new CA policy every time?

 

In this article I will show you custom security attributes with an example that addresses exactly this scenario. But what exactly are custom security attributes?

 

From the Microsoft documentation:
"Custom security attributes in Azure Active Directory (Azure AD) are business-specific attributes (key-value pairs) that you can define and assign to Azure AD objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources."

 

What are custom security attributes in Azure AD? (Preview)
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/custom-security-attributes-ove...

 

However, before you can create or work with custom security attributes, you need the necessary permissions. You can find all the required information in the above-mentioned article.

CA_RBAC.png

 

At this point it is worth mentioning that, by default, not even a Global Administrator has the right to create the attributes. The ingenious thing is that the roles are separated: one person (Attribute Definition Administrator) can create the attributes, and another person (Attribute Assignment Administrator) does the assignment.

 

Now we navigate in Azure Active Directory to "Custom security attributes".

CA_Custom_Attr.png

 

Here you can create an attribute set and define the attributes (keys) and their values.

CA_Custom_Attribute.png

 

Then, in Enterprise Applications, find your app and assign the custom security attribute (the key-value pair) to it.

CA_App_Attribute.png

 

Now we can create the Conditional Access policy. After you have chosen a name, select to whom the policy should apply. I have used a group named "Bitcoin" for this example.

CA_Settings_User.png

 

This group includes the user Tina Muff.

CA_Group_Member.png

 

Now comes the exciting part. In "Cloud apps or actions", we do not select a specific app under "Include" but use the filter function. This function is in preview; first set the switch to "Configured", then select your custom security attribute. At this point, use exactly the same key-value pair that you assigned to your enterprise app; the filter only matches apps carrying that exact attribute and value.

CA_Cloud_Apps.png

 

Next, under "Access controls", you define how access should be granted. I have selected that access is allowed, but only with multifactor authentication.

CA_Access_Control.png
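The portal steps above (attribute set, attribute definition, assignment to the enterprise app, and the Conditional Access policy with an application filter) can also be scripted with Microsoft Graph PowerShell. The following is an added example written for this article, not code from the original post or from Microsoft; the attribute set name "AppPolicy", the attribute "RequireMfa" with value "Yes", and the app display name "MyWebApp" are assumed placeholders (the group "Bitcoin" is the one used above). It assumes the Microsoft.Graph module and an account holding both the Attribute Definition Administrator and Attribute Assignment Administrator roles plus the right to manage Conditional Access; the filter rule format `CustomSecurityAttribute.<set>_<attribute> -eq "<value>"` is the documented Graph conditionalAccessFilter syntax.

```powershell
# Added example (not from the original post): the portal steps as Microsoft Graph PowerShell.
# Assumed names: attribute set "AppPolicy", attribute "RequireMfa", value "Yes", app "MyWebApp".
Connect-MgGraph -Scopes 'CustomSecAttributeDefinition.ReadWrite.All',
                        'CustomSecAttributeAssignment.ReadWrite.All',
                        'Application.Read.All',
                        'Group.Read.All',
                        'Policy.ReadWrite.ConditionalAccess'

$setName   = 'AppPolicy'    # assumed attribute set name
$attrName  = 'RequireMfa'   # assumed attribute name
$attrValue = 'Yes'          # assumed value; the CA filter matches on exactly this pair
$groupName = 'Bitcoin'      # group from the article
$appName   = 'MyWebApp'     # assumed enterprise app display name

# 1. Attribute set (needs Attribute Definition Administrator). Skip if it already exists.
if (-not (Get-MgDirectoryAttributeSet -AttributeSetId $setName -ErrorAction SilentlyContinue)) {
    New-MgDirectoryAttributeSet -Id $setName -MaxAttributesPerSet 25 `
        -Description 'Attributes that drive Conditional Access' | Out-Null
}

# 2. Attribute definition inside the set. The definition id has the form "<set>_<name>".
$defId = "${setName}_${attrName}"
if (-not (Get-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId $defId -ErrorAction SilentlyContinue)) {
    New-MgDirectoryCustomSecurityAttributeDefinition -AttributeSet $setName -Name $attrName `
        -Type 'String' -Status 'Available' -IsCollection:$false -IsSearchable:$true `
        -UsePreDefinedValuesOnly:$false -Description 'Set to Yes to require MFA via CA' | Out-Null
}

# 3. Assign the key-value pair to the enterprise app (service principal).
#    This is the only step you repeat for every new web app (needs Attribute Assignment Administrator).
function Set-AppMfaAttribute {
    param([Parameter(Mandatory)][string]$DisplayName)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" -ErrorAction Stop |
          Select-Object -First 1
    if (-not $sp) { throw "Service principal '$DisplayName' not found" }
    $body = @{
        customSecurityAttributes = @{
            $setName = @{
                '@odata.type' = '#Microsoft.DirectoryServices.CustomSecurityAttributeValue'
                $attrName     = $attrValue
            }
        }
    }
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter $body
}
Set-AppMfaAttribute -DisplayName $appName

# 4. Conditional Access policy: include apps by attribute filter, require MFA for the group.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -ErrorAction Stop | Select-Object -First 1
$policy = @{
    displayName = "Require MFA for apps tagged $setName.$attrName=$attrValue"
    # Start in report-only mode; switch to 'enabled' once the sign-in logs show the expected matches.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        clientAppTypes = @('all')
        applications   = @{
            includeApplications = @()
            applicationFilter   = @{
                mode = 'include'
                rule = "CustomSecurityAttribute.${setName}_${attrName} -eq `"$attrValue`""
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Steps 1, 2 and 4 are done once; onboarding another web app later is a single call to `Set-AppMfaAttribute -DisplayName '<new app>'`, and the existing policy picks it up without any change. The policy is created in report-only mode on purpose so you can confirm in the sign-in logs that exactly the tagged apps match before enforcing it.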

 

Now when Tina Muff opens the web app, she is prompted to set up MFA (this account is a test account, so the MFA setup has not been completed yet). Sorry it's in German ;-).

CA_MFA_Setup.png

 

So what's the point of all this effort? When you set up and provide further web apps in the future, you simply assign the custom security attribute with the corresponding key-value pair to the new web app, and MFA is required as soon as the app is called, because the CA policy is already in place.


I realize that this was not necessarily spectacular. It was simply important to me to share my experience with you. Nevertheless, I hope that this article was helpful. Thank you for taking the time to read it.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
