Day 11 #100DaysOfCloud

The benefit of Modern Auth

Modern Auth and MFA are often the goal for organisations looking to secure their users’ identities in the cloud.

Modern Auth does away with the traditional authentication protocols and moves to an approach covered by a combination of MFA, certificates and OAuth. This enables capabilities like Conditional Access and the ability to interrupt a user’s login after successful authentication has taken place.

Adoption

It seems like a simple thing (and it is, for some) but many organisations find themselves stuck – they know there will be some impact to their end users, but how much?

In some cases, it’s a case of preparing adequate end-user communications and socialising the concepts, inviting users to pre-register before registration is enforced. In others, targeted comms are required to ensure key users, such as VIPs, Partners and the C-suite aren’t negatively impacted.

Analysing the current state

Conditional Access Insights and Reporting (docs / portal) allows an organisation to visualise how their Conditional Access policies are (or would be) applied to users.
Sign In logs are shipped from AzureAD SignIns to a LogAnalytics workspace where the data can be viewed in handy pre-made dashboard-style tiles.

Digging into the data, an administrator can quickly identify trends and visualise the impact Conditional Access has (or will have).

Through the use of Conditional Access set to report only, the administrator can understand the current environment, and how enabling a particular policy would impact the users.

Taking the leap

There are a few steps to take before an organisation can be sure they’re enforcing Modern Auth within O365.

Modern Auth itself is enabled by default on all O365 environment since sometime in 2019, but unless it’s legacy counterpart is disabled, clients are permitted to fall back to legacy authentication and potentially bypass conditional access policies.

Not ready for the leap?

If it’s not possible to completely disable Modern Auth, it’s possible to configure Conditional Access policies to indirectly block it. By ensuring that CA policies are targeted at All Client Apps, legacy auth apps will be subject to the requirements within the policy and, when unable to comply, will fail the login.

Leave a Reply