Kat-UK
Copper Contributor
Joined 2 years ago
Recent Discussions
Re: Azure AD Security Defaults MFA not working (as expected?)
After a bit more research I found this article which tested Security Defaults and is an interesting read: https://diligex.com/2021/01/are-microsoft-365-azure-security-defaults-sufficient/ Looks like if you want to protect users' email and data and you only have 365 Basic or Standard licenses, it's quite possibly a complete waste of time to use Security Defaults on its own. Given that a user will eventually be phished for a login, no matter how often I email them advice on avoiding it, then someone will get into your data. I'll be looking at going back to per-user MFA, which is a bit of a pain. The skeptic in me thinks maybe MS has made Security Defaults fairly useless to try and push for more revenue from Premium or AAD P1 licenses, but some SMBs really don't have the money at present to fully move to Premium 365 (or Azure AD P1 licenses).

Azure AD Security Defaults MFA not working (as expected?)
Hi, We use Microsoft 365 Standard and have enabled Security Defaults (https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) so thought that our accounts would be as secure as they could be without Conditional Access. One of our users was phished and emails were sent from their account. Checking the Interactive sign-in logs I can see the attacker attempted to login from Nigeria (we don't operate from Nigeria) using Chrome on Windows 10 and was denied login due to MFA (which is as expected - part log shown below):

Date (UTC): 2023-05-10T09:12:20Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Failure reason: Strong Authentication is required
Client app: Browser
Browser: Chrome 112.0.0
Operating System: Windows 10
Multifactor authentication result: User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others
Authentication requirement: Multifactor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD

2 minutes after that attempt the attacker then tried using Safari on iOS 14 and this only asked for single-factor authentication and let them in, which certainly wasn't expected! From there, they were able to monitor the email in this instance and send / modify emails until we detected them and locked them out. It could have been worse; we were lucky this time.

The successful (part) log is shown below:

Date (UTC): 2023-05-10T09:14:27Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Sign-in error code:
Failure reason: Other
Client app: Mobile Apps and Desktop clients
Browser: Mobile Safari 14.1
Operating System: iOS 14
Multifactor authentication result:
Authentication requirement: Single-factor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD

I have logged this with Microsoft but all they are concerned with is that the account is now secure and not the fact that, with Security Defaults on, a phished account was accessed without MFA (and from a country we don't operate from). I have since done some more testing with another account and, after revoking sessions and MFA, they could login to the same PC they normally use and access www.office.com without MFA prompts, only finally being asked when going into Security Settings in My Account. I can accept that, as the location this was from is the main office, it might be flagged as safe by MS. So then I used the same account to login from another client's office not associated with us (using a VM there) and again it was able to login to www.office.com without any MFA prompts, which again is quite concerning. I wondered if anyone had any insights into why this might have happened like this? As far as I can see Security Defaults isn't really doing a very good job. Thanks Rob
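The two log entries above are a useful detection pattern on their own: an "Interrupted" sign-in with error 50074 (strong authentication required) followed minutes later by a "Success" with "Authentication requirement: Single-factor authentication" for the same user from the same IP. The following is an added example, not code from the thread or from Microsoft, that runs that check over exported sign-in records plus a simple country allow-list. The records are constructed from the fields quoted in the post (a user@example.com account, a made-up 203.0.113.10 office address in GB, and the Lagos entries above); the column names mirror the post's log lines, and the GB allow-list and 10-minute window are assumptions to adjust for your tenant.

```python
"""Added example: pair an MFA-interrupted attempt (error 50074) with a later
single-factor success from the same user and IP, and list successes from
countries outside an allow-list. Records below are constructed, not a real
export; field names follow the sign-in log columns quoted in the post."""
from datetime import datetime, timedelta, timezone

# Constructed sample records (assumed example.com user, assumed 203.0.113.10 office IP).
SAMPLE_SIGNINS = [
    {   # benign: constructed office sign-in from the UK, no MFA prompt
        "Date (UTC)": "2023-05-10T08:02:11Z",
        "Username": "user@example.com",
        "IP address": "203.0.113.10",
        "Location": "London, England, GB",
        "Status": "Success",
        "Sign-in error code": "",
        "Client app": "Browser",
        "Authentication requirement": "Single-factor authentication",
    },
    {   # attacker, first attempt: stopped by MFA (values as quoted in the post)
        "Date (UTC)": "2023-05-10T09:12:20Z",
        "Username": "user@example.com",
        "IP address": "105.112.183.103",
        "Location": "Lagos, Lagos, NG",
        "Status": "Interrupted",
        "Sign-in error code": "50074",
        "Client app": "Browser",
        "Authentication requirement": "Multifactor authentication",
    },
    {   # attacker, second attempt two minutes later: single factor, success
        "Date (UTC)": "2023-05-10T09:14:27Z",
        "Username": "user@example.com",
        "IP address": "105.112.183.103",
        "Location": "Lagos, Lagos, NG",
        "Status": "Success",
        "Sign-in error code": "",
        "Client app": "Mobile Apps and Desktop clients",
        "Authentication requirement": "Single-factor authentication",
    },
]

MFA_REQUIRED_ERROR = "50074"  # "Strong Authentication is required" in the post


def parse_ts(value):
    """Parse the 'Date (UTC)' column (ISO 8601, trailing Z) to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def country_of(location):
    """Last comma-separated token of the Location column, e.g. 'NG'."""
    return location.rsplit(",", 1)[-1].strip()


def find_mfa_bypass_candidates(records, window_minutes=10):
    """Successful single-factor sign-ins preceded, within window_minutes, by an
    Interrupted sign-in with error 50074 for the same user from the same IP."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(records, key=lambda r: parse_ts(r["Date (UTC)"]))
    flagged = []
    for i, rec in enumerate(ordered):
        if rec["Status"] != "Success":
            continue
        if rec["Authentication requirement"] != "Single-factor authentication":
            continue
        t = parse_ts(rec["Date (UTC)"])
        for prior in ordered[:i]:
            if (prior["Status"] == "Interrupted"
                    and prior["Sign-in error code"] == MFA_REQUIRED_ERROR
                    and prior["Username"] == rec["Username"]
                    and prior["IP address"] == rec["IP address"]
                    and t - parse_ts(prior["Date (UTC)"]) <= window):
                flagged.append({
                    "username": rec["Username"],
                    "ip": rec["IP address"],
                    "mfa_blocked_at": prior["Date (UTC)"],
                    "single_factor_success_at": rec["Date (UTC)"],
                    "client_app": rec["Client app"],
                })
                break  # one hit per success is enough
    return flagged


def successes_outside_allowed_countries(records, allowed=frozenset({"GB"})):
    """Successful sign-ins whose Location country is not in the allow-list (assumed GB)."""
    return [r for r in records
            if r["Status"] == "Success" and country_of(r["Location"]) not in allowed]


if __name__ == "__main__":
    for hit in find_mfa_bypass_candidates(SAMPLE_SIGNINS):
        print("MFA step skipped:", hit)
    for rec in successes_outside_allowed_countries(SAMPLE_SIGNINS):
        print("success from unexpected country:", rec["Location"], rec["Date (UTC)"])
```

Run it against a CSV export of the interactive sign-in logs by loading the rows into dicts with the same column names; the first check surfaces exactly the pair of events in the post (the second entry is flagged, the benign office sign-in is not), and the second check catches the Lagos success even without the preceding interrupted attempt.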