Forum Discussion
Issues with setting up AiTM phish prevention using conditional access
AlexShxW1
Hi Alex,
Register one of these methods:
Windows Hello for Business or FIDO2 Security Key or Azure AD CBA Certificate-Based Authentication (Multi-Factor)
Then you should choose Require Authentication Strength, and choose Phishing-resistant MFA.
As an alternative option, you may Require Hybrid Azure AD Joined Device or Require device to be marked as compliant (this will require Intune, and Intune will use a certificate to authenticate the device).
Before creating a policy requiring phishing-resistant multifactor authentication, ensure your administrators have the appropriate methods registered. If you enable this policy without completing this step you risk locking yourself out of your tenant.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-strengths
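The warning above about locking yourself out is worth automating. As an added example (not code from this thread or from Microsoft), here is a pre-flight check that takes records shaped like the Microsoft Graph userRegistrationDetails report and lists the admins who would fail a "Phishing-resistant MFA" authentication strength; the method names and the `x509Certificate` value are assumed and should be confirmed against a real export, and the sample records are constructed.

```python
# Added example, not the thread's code. Records mimic Graph's
# userRegistrationDetails report (userPrincipalName, isAdmin,
# methodsRegistered); method names are assumed, confirm against an export.

# Methods the thread lists as satisfying phishing-resistant MFA.
PHISHING_RESISTANT = {
    "windowsHelloForBusiness",  # Windows Hello for Business
    "fido2SecurityKey",         # FIDO2 security key
    "x509Certificate",          # Entra certificate-based auth (assumed name)
}

def rec(upn, is_admin, *methods):
    return {"userPrincipalName": upn, "isAdmin": is_admin,
            "methodsRegistered": list(methods)}

# Constructed sample report: two admins ready, one admin with only push MFA,
# a break-glass account on SMS, and a regular user who is out of scope.
SAMPLE_REPORT = [
    rec("alice@contoso.example", True, "fido2SecurityKey", "microsoftAuthenticatorPush"),
    rec("bob@contoso.example", True, "windowsHelloForBusiness"),
    rec("carol@contoso.example", True, "microsoftAuthenticatorPush", "mobilePhone"),
    rec("breakglass@contoso.example", True, "mobilePhone"),
    rec("dave@contoso.example", False, "mobilePhone"),
]

def admins_at_lockout_risk(report, excluded):
    """Targeted admins (isAdmin and not excluded) with no qualifying method."""
    return sorted(
        r["userPrincipalName"] for r in report
        if r["isAdmin"]
        and r["userPrincipalName"] not in excluded
        and not PHISHING_RESISTANT.intersection(r.get("methodsRegistered", []))
    )

def preflight(report, excluded):
    """Decide whether the policy can be switched on without locking anyone out."""
    at_risk = admins_at_lockout_risk(report, excluded)
    return {
        "at_risk": at_risk,
        "has_break_glass_exclusion": bool(excluded),
        # Enable only when every targeted admin can meet the strength and
        # at least one emergency-access account is excluded from the policy.
        "safe_to_enable": not at_risk and bool(excluded),
    }

if __name__ == "__main__":
    print(preflight(SAMPLE_REPORT, {"breakglass@contoso.example"}))
```

Run it against your own report export before flipping the policy from report-only to On; anyone listed under `at_risk` needs a key, Windows Hello, or a certificate registered first.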
- Tom-irp, Aug 28, 2023, Brass Contributor: This is a good read
https://jeffreyappel.nl/aitm-mfa-phishing-attacks-in-combination-with-new-microsoft-protections-2023-edt/
Intune Compliance may be a way to go. Keep in mind that you can have different compliance policies and you determine what is compliant. Better to have the minimum than none. For example, you might want one for Windows AD Joined, but if you have AD registered devices that are not hybrid joined, you may copy the joined policy and remove the score piece; that way you can get compliant faster. (AD registered will fail scoring.) You also don't want end users or hackers enrolling devices either, so block that. For compliance, set "non compliant immediately."
Same thing for phones, only Intune enrolled devices. (F3 licensing for mobile only users, under 10.9 inch screen, or Business Premium for office people will get you there)
Also, you may consider reading https://argonsys.com/microsoft-cloud/library/cloud-app-security-block-tor-browser-anonymous-ip/. This really is not as intuitive as it seems. To implement this I created a VM and used a user with other conditional access rules removed and signed in via Brave Browser's Tor mode to provoke the app to appear in Cloud Defender. This took me a few hours to get working. Let whoever monitors your stuff know alerts will come in during this process.