Day 12 #100DaysOfCloud
In my last post I talked about how we can use the Insights and Reporting Workbook in Conditional Access to check how a set of CA policies would be applied.
I highlighted that unless legacy auth is disabled or forcibly prevented, authentication attempts are permitted to fall back from Modern Auth to Legacy Auth. This could either be because the client app doesn’t support Modern Auth, or because an attacker has purposefully crafted their login attempt to use one of the legacy protocols.
Which legacy protocols are actually being used?
With the Log Analytics workspace created (a prerequisite for the Insights and Reporting post), we get a tonne of other pre-made workbooks that give additional insight into the authentication methods currently in place.
If you fancy crafting your own query to dig deeper, simply head over to Azure AD > Logs, and use the built-in editor to create a query. It uses Kusto Query Language (KQL), which is super simple to get to grips with.
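As a starting point, here is an added example query (not taken from the pre-made workbooks) that breaks down legacy auth sign-ins by protocol. It assumes your Azure AD sign-in logs are flowing into the workspace's `SigninLogs` table; the 30-day lookback is an arbitrary choice.

```kusto
// Added example: which legacy authentication protocols are in use, and by whom.
// Assumption: Azure AD sign-in logs are sent to this Log Analytics workspace (SigninLogs table).
let lookback = 30d;   // assumption: adjust to your workspace retention
SigninLogs
| where TimeGenerated > ago(lookback)
// Modern Auth clients are logged as one of the two values below;
// any other non-empty ClientAppUsed value is treated here as a legacy protocol.
| where isnotempty(ClientAppUsed)
| where ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
| summarize
    Attempts      = count(),
    Successes     = countif(ResultType == "0"),      // "0" means the sign-in succeeded
    Failures      = countif(ResultType != "0"),
    DistinctUsers = dcount(UserPrincipalName),
    SampleUsers   = make_set(UserPrincipalName, 10), // up to 10 accounts to follow up with
    SourceIPs     = dcount(IPAddress),
    LastSeen      = max(TimeGenerated)
    by ClientAppUsed
| order by Successes desc
```

Rows with successes point to the accounts and apps that will stop working once legacy auth is blocked, so those are the ones to migrate first. Rows that are almost all failures across many users are worth a closer look before you close the door on them.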
However you manage it, the key thing is to reduce your attack surface by blocking Legacy Authentication.