Aug 14 2023 01:10 PM
We are a managed IT company and AiTM phishes (the ones that reverse proxy the true sign-in page and steal session cookies) have been everywhere. We've started experimenting with User-Risk and Sign-In risk policies, and what I thought we had set up made sense to me, but I was doing some more in-depth testing and found that what I set up has been basically useless/harmful?
We have the basic conditional access environment:
MFA: MFA enforced for every sign in
Sign-In Risk: MFA Enforced for Risk Signing with Session Control "Every Time" for all levels of sign-in risk
User-Risk: Require password change for Medium/High Risk
My understanding was that the sign-in risk policy, in particular, would apply an "Every Time" control to the session cookie, so that when it was stolen via a reverse proxy and re-imported into their browser, it would request them to sign in again, because in my mind every time their session is reevaluated it should ask them to sign in. This document says to use this control when I want to reauthenticate every time, which is what I want to have happen when the session has risk.
Issue is it looks like it is doing this in my environment instead:
All I am trying to do is impose stringent session controls on these AiTM/reverse-proxy phishing and now I worry that I have been doing more harm than good because I basically set it to "remediate" the risk the very second it occurred.
Any help in pointing me in the right direction is greatly appreciated.
Aug 25 2023 04:31 AM
@AlexPettigrew Hi Alex,
Register one of these methods:
Windows Hello for Business or FIDO2 Security Key or Azure AD CBA Certificate-Based Authentication (Multi-Factor)
Then you should choose Require Authentication Strength, and choose Phishing-resistant MFA.
As an alternative option, you may Require Hybrid Azure AD Joined Device or Require device to be marked as compliant (this will require Intune, and Intune will use a certificate to authenticate the device).
Before creating a policy requiring phishing-resistant multifactor authentication, ensure your administrators have the appropriate methods registered. If you enable this policy without completing this step you risk locking yourself out of your tenant.
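As an added example (not code from this thread or from Microsoft), the following Python reviews conditional access policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape against the advice in the reply above: whether the grant actually requires a phishing-resistant or device-based control, and whether an enforced policy of that kind has no exclusion. The sample policies, the helper names, the `<break-glass-group-id>` placeholder and the use of an exclusion as the lockout safeguard are assumptions of the example.

```python
# Built-in "Phishing-resistant MFA" authentication strength ID in Microsoft Graph.
PHISHING_RESISTANT_ID = "00000000-0000-0000-0000-000000000004"
# Device-based grant controls named in the reply as the alternative option.
DEVICE_BOUND = {"compliantDevice", "domainJoinedDevice"}

def review_policy(policy):
    """Return findings for one conditionalAccessPolicy object (Graph JSON shape)."""
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    # Mark each requirement as resistant (True) or relayable by a proxy (False).
    checks = [c in DEVICE_BOUND for c in grant.get("builtInControls") or []]
    if strength:
        checks.append(strength == PHISHING_RESISTANT_ID)
    # AND: one resistant control is enough. OR: the weakest control decides.
    if grant.get("operator") == "OR":
        resistant = bool(checks) and all(checks)
    else:
        resistant = any(checks)
    findings = []
    if not resistant:
        findings.append("grant can be satisfied through a reverse proxy")
    users = policy.get("conditions", {}).get("users", {})
    excluded = users.get("excludeUsers") or users.get("excludeGroups")
    # Assumption of this example: an exclusion is the lockout safeguard.
    if resistant and policy.get("state") == "enabled" and not excluded:
        findings.append("enforced with no exclusion: lockout risk")
    return findings

def _policy(name, state, operator, controls, strength=None, exclude=()):
    """Build a constructed sample policy with only the fields reviewed here."""
    grant = {"operator": operator, "builtInControls": list(controls)}
    if strength:
        grant["authenticationStrength"] = {"id": strength}
    users = {"includeUsers": ["All"], "excludeGroups": list(exclude)}
    return {"displayName": name, "state": state,
            "conditions": {"users": users}, "grantControls": grant}

# Constructed samples; "<break-glass-group-id>" is a placeholder.
SAMPLES = [
    _policy("MFA every sign-in", "enabled", "OR", ["mfa"]),
    _policy("MFA or compliant device", "enabled", "OR", ["mfa", "compliantDevice"]),
    _policy("Phishing-resistant (report-only)", "enabledForReportingButNotEnforced",
            "OR", [], PHISHING_RESISTANT_ID, ["<break-glass-group-id>"]),
    _policy("Phishing-resistant (enforced)", "enabled", "OR", [], PHISHING_RESISTANT_ID),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["displayName"], "->", review_policy(p) or "ok")
```

The second sample shows why the grant operator matters: with "OR", plain MFA still satisfies the policy, so the device requirement adds nothing against a proxied sign-in.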
Aug 28 2023 08:52 AM