Modern Workplace Blog
Published November 21, 2022, updated November 23, 2022

Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength

In the last couple of months, Microsoft released new functionality for Azure AD Conditional Access. All of this functionality is still in public preview, so please read the following article on what to expect from preview functionality: Preview Terms Of Use | Microsoft Azure

In this series of articles I will go through the following new functionality:

  • Part 1: Authentication Strength (this article)
  • Part 2: Conditional Access filters for Apps and Workload Identities
  • Part 3: Granular control for external user types

Authentication Strength

On October 19th, Alex Weinert, Director of Identity Security at Microsoft, announced the public preview of authentication strength. Authentication Strength is a new Grant access control option that is available when you create a new Conditional Access policy or modify an existing one.

Authentication Strength Grant control

With Authentication Strength you can distinguish between the Multi-Factor Authentication (MFA) methods that are allowed to satisfy the grant control, which eventually grants access to the target resource app you define in your Conditional Access policy.

The fact is that not all MFA methods can be considered equally secure. In my opinion, customers should start moving away from the less secure methods such as SMS and phone call, but also away from simply letting users approve or deny an MFA request they receive in the Authenticator app, which is being exploited nowadays as well. If you want to know more about this specific subject, I suggest you read this excellent article by Jeffrey Appel: How to mitigate MFA fatigue and learn from the Uber breach for additional protection (jeffreyappel.nl)

As you can see in the screenshots, you can choose between different Authentication Strength configurations. Three built-in configurations are provided by Microsoft, but you can also create your own. Let’s go through the built-in ones first, which are:

  • Multi-factor authentication
  • Passwordless MFA
  • Phishing-resistant MFA
Predefined authentication strength methods

Multi-factor authentication

Microsoft describes the “Multi-factor authentication” authentication strength as a medium assurance authentication strength that includes multi-factor combinations, for example password + SMS.

When used, the “Multi-factor authentication” authentication strength allows the following methods:

  • Windows Hello for Business
  • FIDO2 Security Key
  • Certificate Based Authentication (Multi-factor)
  • Microsoft Authenticator (Phone Sign-in)
  • Temporary Access Pass (One-time use)
  • Temporary Access Pass (Multi-use)
  • Password + Microsoft Authenticator (Push Notification)
  • Password + Software OATH token
  • Password + Hardware OATH token
  • Password + SMS
  • Password + Voice
  • Federated Multi-Factor
  • Federated Single Factor + Microsoft Authenticator (Push Notification)
  • Federated Single Factor + Software OATH token
  • Federated Single Factor + Hardware OATH token
  • Federated Single Factor + SMS
  • Federated Single Factor + Voice

Passwordless MFA

Microsoft describes the “Passwordless MFA” authentication strength as a high assurance authentication strength that includes methods based on cryptographic keys, for example a FIDO2 security key.

When used, the “Passwordless MFA” authentication strength allows the following methods:

  • Windows Hello for Business
  • FIDO2 Security Key
  • Certificate Based Authentication (Multi-Factor)
  • Microsoft Authenticator (Phone Sign-in)

Phishing-resistant MFA

Microsoft describes the “Phishing-resistant MFA” authentication strength as a strength that only includes phishing-resistant methods, such as FIDO2 and Windows Hello for Business.

When used, the “Phishing-resistant MFA” authentication strength allows the following methods:

  • Windows Hello for Business
  • FIDO2 Security Key
  • Certificate Based Authentication (Multi-Factor)

Creating your own Authentication Strength Method

You can also define your own Authentication Strength(s) by clicking “+ Authentication Strength”, which starts the New authentication strength wizard.

Create custom authentication strength

In the custom authentication strength wizard you can choose methods from the following categories:

  • Phishing-resistant multifactor authentication
    • Windows Hello for Business
    • FIDO2 Security Key
    • Certificate Based Authentication (Multi-factor)
  • Passwordless multifactor authentication
    • Microsoft Authenticator (Phone Sign-in)
  • Multifactor authentication
    • Temporary Access Pass (One-time use)
    • Temporary Access Pass (Multi-use)
    • Password + Microsoft Authenticator (Push Notification)
    • Password + Software OATH token
    • Password + Hardware OATH token
    • Password + SMS
    • Password + Voice
    • Federated Multi-Factor
    • Federated Single Factor + Microsoft Authenticator (Push Notification)
    • Federated Single Factor + Software OATH token
    • Federated Single Factor + Hardware OATH token
    • Federated Single Factor + SMS
    • Federated Single Factor + Voice
  • Single-factor authentication
    • Certificate Based Authentication (Single Factor)
    • SMS
    • Password
    • Federated Single-Factor
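To make the relationship between the three built-in strengths concrete, the following added example (not code from the article or from Microsoft) models each strength as a set of allowed method combinations, exactly as listed above, and checks whether a given sign-in satisfies it. The method mode names follow the Microsoft Graph authenticationMethodModes vocabulary (an assumed mapping on my side, not something the article states); the tenant settings passed to effective_combinations are constructed sample data.

```python
"""Model Azure AD authentication strengths as sets of allowed method
combinations and evaluate sign-ins against them.

Added example; the three built-in strengths are taken from the method
lists in this article. Mode names are assumed to match the Microsoft
Graph `authenticationMethodModes` values (e.g. "fido2", "password").
"""
from __future__ import annotations

# A combination is the set of method modes completed together in one sign-in,
# e.g. {"password", "sms"}. Order does not matter, so a frozenset fits.
Combination = frozenset[str]


def combo(*modes: str) -> Combination:
    return frozenset(modes)


# Phishing-resistant MFA: only methods bound to the origin via a cryptographic key.
PHISHING_RESISTANT: set[Combination] = {
    combo("windowsHelloForBusiness"),
    combo("fido2"),
    combo("x509CertificateMultiFactor"),
}

# Passwordless MFA adds Authenticator phone sign-in (device-based push).
PASSWORDLESS_MFA: set[Combination] = PHISHING_RESISTANT | {combo("deviceBasedPush")}

# Multi-factor authentication adds every password/federated + second-factor pairing,
# including the weaker SMS and voice factors the article recommends moving away from.
MULTI_FACTOR: set[Combination] = PASSWORDLESS_MFA | {
    combo("temporaryAccessPassOneTime"),
    combo("temporaryAccessPassMultiUse"),
    combo("password", "microsoftAuthenticatorPush"),
    combo("password", "softwareOath"),
    combo("password", "hardwareOath"),
    combo("password", "sms"),
    combo("password", "voice"),
    combo("federatedMultiFactor"),
    combo("federatedSingleFactor", "microsoftAuthenticatorPush"),
    combo("federatedSingleFactor", "softwareOath"),
    combo("federatedSingleFactor", "hardwareOath"),
    combo("federatedSingleFactor", "sms"),
    combo("federatedSingleFactor", "voice"),
}

BUILT_IN: dict[str, set[Combination]] = {
    "Multi-factor authentication": MULTI_FACTOR,
    "Passwordless MFA": PASSWORDLESS_MFA,
    "Phishing-resistant MFA": PHISHING_RESISTANT,
}


def satisfies(strength: set[Combination], methods_used) -> bool:
    """True when the methods completed in this sign-in form one allowed combination."""
    return frozenset(methods_used) in strength


def is_at_least_as_strict(a: set[Combination], b: set[Combination]) -> bool:
    """Strength a is at least as strict as b when it allows no combination b forbids."""
    return a <= b


def effective_combinations(tenant_enabled_modes, strength: set[Combination]) -> set[Combination]:
    """Combinations a user can actually complete. A mode disabled in the tenant's
    global authentication method settings drops every combination that needs it,
    even though the strength still lists that combination."""
    enabled = set(tenant_enabled_modes)
    return {c for c in strength if c <= enabled}


if __name__ == "__main__":
    # Constructed sample tenant: SMS and voice switched off globally.
    tenant = {"password", "fido2", "windowsHelloForBusiness", "microsoftAuthenticatorPush", "deviceBasedPush"}
    for name, strength in BUILT_IN.items():
        usable = effective_combinations(tenant, strength)
        print(f"{name}: {len(strength)} listed, {len(usable)} usable in this tenant")
    print("password+sms passes Phishing-resistant MFA?", satisfies(PHISHING_RESISTANT, ["password", "sms"]))
```

The nesting check makes the "medium versus high assurance" wording above precise: Phishing-resistant MFA is a subset of Passwordless MFA, which is a subset of Multi-factor authentication, so a sign-in that passes the strictest strength passes the other two as well.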

Configure specific allowed FIDO2 keys

For the FIDO2 Security Key you can even restrict which FIDO2 keys are allowed by specifying their Authenticator Attestation GUIDs (AAGUIDs). In the example below I’m configuring the Feitian AllinPass FIDO2 as the allowed FIDO2 key.

Provide specific allowed FIDO2 keys
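The portal does the AAGUID restriction for you, but it helps to see what is being stored. The added example below (mine, not the article's or Microsoft's code) builds the request bodies for a custom authentication strength that only accepts FIDO2 keys with listed AAGUIDs, validates the AAGUID format, and checks a presented key against the result. It assumes the Microsoft Graph authenticationStrengthPolicy shape (allowedCombinations, plus a fido2CombinationConfiguration with allowedAAGUIDs created as a second call under the policy's combinationConfigurations); the AAGUID value is a placeholder, not the real AAGUID of any key.

```python
"""Build the Microsoft Graph bodies for a custom authentication strength that
pins FIDO2 sign-in to specific key models (by AAGUID) and evaluate a key.

Added example, not from the article. Assumed Graph shape:
  POST /identity/conditionalAccess/authenticationStrength/policies      -> policy body
  POST .../policies/{id}/combinationConfigurations                      -> fido2 config body
The AAGUID below is a placeholder; take real values from your key vendor.
"""
import json
import uuid

PLACEHOLDER_AAGUID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real key


def normalize_aaguid(value: str) -> str:
    """Canonicalise an AAGUID to lowercase hyphenated RFC 4122 form.
    Accepts braces or missing hyphens; raises ValueError for anything else."""
    return str(uuid.UUID(value.strip()))


def build_custom_strength(display_name: str, description: str, allowed_aaguids, extra_combinations=()):
    """Return (policy_body, fido2_config_body) for the two Graph calls.

    extra_combinations lets you add other phishing-resistant combinations
    (e.g. "windowsHelloForBusiness") next to the pinned FIDO2 keys.
    """
    aaguids = sorted({normalize_aaguid(a) for a in allowed_aaguids})
    if not aaguids:
        raise ValueError("at least one AAGUID is required to restrict FIDO2 keys")
    policy_body = {
        "displayName": display_name,
        "description": description,
        "allowedCombinations": ["fido2", *extra_combinations],
    }
    fido2_config_body = {
        "@odata.type": "#microsoft.graph.fido2CombinationConfiguration",
        "appliesToCombinations": ["fido2"],
        "allowedAAGUIDs": aaguids,
    }
    return policy_body, fido2_config_body


def key_allowed(presented_aaguid: str, fido2_config_body) -> bool:
    """Would a key reporting this AAGUID satisfy the pinned configuration?
    Malformed input is rejected rather than treated as an unknown-but-allowed key."""
    try:
        aaguid = normalize_aaguid(presented_aaguid)
    except ValueError:
        return False
    return aaguid in fido2_config_body["allowedAAGUIDs"]


if __name__ == "__main__":
    policy, config = build_custom_strength(
        "Admins - approved FIDO2 keys only",
        "Only the security key models handed out to administrators",
        [PLACEHOLDER_AAGUID],
    )
    print(json.dumps(policy, indent=2))
    print(json.dumps(config, indent=2))
    print("placeholder key allowed:", key_allowed(PLACEHOLDER_AAGUID, config))
```

Because the allow-list is exact-match on the canonical form, a key from a model you never approved fails closed, and so does anything that is not a well-formed GUID; that is the behaviour you want when the list is the only thing standing between an unmanaged authenticator and an administrator role.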

Authentication Strength use cases

The Authentication Strength option enables all kinds of new scenarios that can be accomplished using Conditional Access.

Personally, I would start by making sure that administrative accounts can only sign in using passwordless MFA options, which removes legacy MFA factors like SMS and phone voice call if they are still in use and you are not able to turn them off at the global level. Another interesting option is to combine Authentication Strength with Authentication Context, so that you can require a specific MFA method when a SharePoint site with a specific sensitivity label is accessed, or when a certain session control policy is triggered in Microsoft Defender for Cloud Apps (MDCA).

A first look at Azure AD Conditional Access authentication context

We could also require an authentication strength when the user risk or sign-in risk, as determined by Azure AD Identity Protection, is High. Another option is to use Authentication Strength in combination with the cross-tenant access settings configured in Azure AD.

Authentication Strength in action

Before you start exploring Authentication Strength, make sure to read the known issues, which are documented here: Overview of Azure Active Directory authentication strength (preview) – Known issues.

In my case, I tried building the following scenario:

See what happens when a user who is eligible for an administrator role signs in with an authentication method that is no longer allowed once the user elevates to that role using Privileged Identity Management (PIM).

While building this solution I learned the following:

  • If, for example, SMS is turned off in the global settings, it’s not available for the user to use, even if it’s included in the Authentication Strength policy.
  • It’s not possible to combine Multi Factor Authentication and Authentication Strength as grant controls in the same Conditional Access policy; this is also noted when you create the policy.
You cannot combine MFA with Authentication Strength
  • You cannot use Authentication Strength as a grant access control while other applicable Conditional Access policies still use the “Multi Factor Authentication” access control. All applicable policies must use the Authentication Strength grant control; if one of them uses MFA, you will receive a message similar to the one below.
Error in Conditional Access
  • When multiple Conditional Access policies set an Authentication Strength, but with different strengths, the outcome can become unreliable. Say, for example, you have one CA policy with the “Multi-factor Authentication” authentication strength and another with the “Passwordless MFA” authentication strength, and both apply to the scenario: the applied authentication strength can differ on a per-scenario basis, making the use case unreliable.
  • I also had issues with the Authenticator App when making the default Passwordless MFA option available to the CA policy requiring MFA for the admin roles. In this case, after elevating my rights, I was prompted for MFA but couldn’t use the Phone sign-in I had configured on my admin account in the Microsoft Authenticator App, resulting in the “Let’s try something else” screen. Luckily, I could successfully use another method (my configured FIDO2 security key). The only way for me to make this scenario work was to create a new Authentication Strength policy and include the Password + Microsoft Authenticator (Push Notification) option as well.
Conditional Access logging from the Azure AD sign-in logs
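The second, third and fourth lessons above are all about how grant controls across several policies interact, which is easy to get wrong once policies are created or edited outside the portal. The added example below (my code, not the article's or Microsoft's) lints a set of Conditional Access policies for exactly those situations: MFA and an authentication strength in the same policy, MFA policies coexisting with authentication strength policies, and several enabled policies that reference different strengths. It assumes the Microsoft Graph conditionalAccessPolicy shape (grantControls.builtInControls containing "mfa", grantControls.authenticationStrength.id); the policies and ids are constructed sample data with placeholder ids.

```python
"""Lint Conditional Access policies for grant-control combinations that the
article found problematic in the authentication strength preview.

Added example, not from the article. Assumed Graph `conditionalAccessPolicy`
fields: state, grantControls.builtInControls, grantControls.authenticationStrength.
Policies below are constructed samples; ids are placeholders.
"""
from __future__ import annotations

SAMPLE_POLICIES = [
    {
        "displayName": "Admins - Passwordless MFA",
        "state": "enabled",
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": "STRENGTH-ID-PLACEHOLDER-PASSWORDLESS"},
        },
    },
    {
        "displayName": "All users - legacy Require MFA",
        "state": "enabled",
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
    },
    {
        "displayName": "Draft - both controls set",
        "state": "enabledForReportingButNotEnforced",
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa"],
            "authenticationStrength": {"id": "STRENGTH-ID-PLACEHOLDER-MFA"},
        },
    },
    {
        "displayName": "Guests - Multi-factor authentication strength",
        "state": "enabled",
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": "STRENGTH-ID-PLACEHOLDER-MFA"},
        },
    },
]


def uses_mfa_control(policy: dict) -> bool:
    """True when the legacy "Require multi-factor authentication" control is set."""
    return "mfa" in (policy.get("grantControls") or {}).get("builtInControls", [])


def strength_id(policy: dict):
    """The referenced authentication strength id, or None if the policy has none."""
    strength = (policy.get("grantControls") or {}).get("authenticationStrength")
    return strength.get("id") if strength else None


def lint_policies(policies) -> list[tuple[str, list[str]]]:
    """Return (finding_code, affected_policy_names) tuples.

    The coexistence and multiple-strength checks are deliberately conservative:
    they flag any enabled overlap, because whether two policies both apply to one
    sign-in depends on conditions this linter does not evaluate.
    """
    findings: list[tuple[str, list[str]]] = []
    enabled = [p for p in policies if p.get("state") == "enabled"]

    # 1. MFA control and authentication strength in one policy (the portal blocks this;
    #    API-created policies should be checked all the same). Report-only included.
    for p in policies:
        if uses_mfa_control(p) and strength_id(p):
            findings.append(("mixed-controls", [p["displayName"]]))

    # 2. Enabled legacy-MFA policies next to enabled authentication strength policies.
    mfa_names = [p["displayName"] for p in enabled if uses_mfa_control(p)]
    strength_names = [p["displayName"] for p in enabled if strength_id(p)]
    if mfa_names and strength_names:
        findings.append(("mfa-and-strength-coexist", mfa_names + strength_names))

    # 3. Enabled policies pointing at different strengths.
    if len({strength_id(p) for p in enabled if strength_id(p)}) > 1:
        findings.append(("multiple-strengths", strength_names))
    return findings


if __name__ == "__main__":
    for code, names in lint_policies(SAMPLE_POLICIES):
        print(f"{code}: {', '.join(names)}")
```

Run against an export of your tenant's policies before enabling an authentication strength policy, then again after the migration: the goal state is a single finding list that is empty, which matches the conclusion below that all MFA-requiring policies should end up on the same, strongest grant control.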

Authentication Strength Conclusion

Authentication Strength is a welcome addition to the Conditional Access Grant access control options already available and will eventually replace the current “Require MFA” option. Ideally you want to configure your Conditional Access policies in such a way that all policies requiring MFA enforce it in the most secure way. Authentication Strength can help to set up a phased approach to move your users to these new, more secure ways of accessing your company apps and data, and provides options to enforce stronger authentication methods in specific use cases.

Be careful, though, with the current caveats that cause authentication loops, and thoroughly test your modified or new Conditional Access policies before deploying this new grant control.


This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.