Every organization should require MFA for all cloud apps (or, at minimum, for the Office 365 apps) to greatly improve its security posture. Requiring MFA makes it more difficult for attackers to gain access to your data. Even if an attacker is able to steal a user’s password, they will still need to provide a second factor of authentication, such as a temporary passcode from their phone, in order to log in.
In addition to improving security, requiring MFA for all cloud apps can also reduce the risk of data breaches and help organizations comply with industry regulations. For example, the financial services industry requires MFA for access to customer data. I recommend requiring passwordless MFA, as it is more convenient and one of the most secure second-factor authentication methods for users. Passwordless MFA methods, such as Microsoft Authenticator phone sign-in, do not require users to remember a password.
There are several reasons why you might want to require MFA when accessing any cloud app (the policy is created from the Intune portal):
- Improved security: MFA adds an extra layer of security to your cloud apps, making it more difficult for attackers to gain access to your data. Even if an attacker is able to steal a user’s password, they will still need to provide a second factor of authentication, such as a code from their phone, in order to log in.
- Reduced risk of data breaches: Data breaches are a major concern for businesses of all sizes. By requiring MFA for cloud apps, you can help to reduce the risk of a breach occurring, even if an attacker is able to obtain a user’s credentials.
- Compliance with industry regulations: Many industries have regulations that require businesses to implement MFA for certain types of data. For example, the financial services industry requires MFA for access to customer data. By requiring MFA for all cloud apps, you can help to ensure that you are complying with all relevant regulations.
Goal: Establish a conditional access policy to require MFA for users accessing cloud apps.
Require Passwordless MFA for all Cloud Apps
The policy has a grant control with a custom authentication strength called Passwordless+TAP MFA that only accepts passwordless methods and TAP (Temporary Access Pass). This policy triggers an MFA requirement whenever a user tries to access any cloud app with a company account on a mobile device. The user must reauthenticate every 20 days if they are still signed in, compared to the 90-day default value.
The policy excludes Microsoft Intune and Apple Business Manager in order to avoid issues with enrollment. It also excludes Microsoft Azure management since I have a separate policy that targets Microsoft Azure management for IT Administrator accounts.
To create the policy: Navigate to Intune portal > Devices > Conditional access > Policies > New policy.
Name: [iOS_Android_BYOD_COBO] Passwordless-MFA_All_Cloud_Apps
Assignments:
- Users:
  - Include: All Users
  - Exclude: Groups: Break glass group, Service Accounts; Directory Roles: Global Administrator group, Directory Synchronization Accounts; Guest or External Users (if any)
- Target resources:
  - Include: All Cloud apps
  - Exclude: Microsoft Intune, Apple Business Manager
- Conditions:
  - Device Platforms: iOS, Android
  - Location: Include any location, Exclude trusted locations
Access control:
- Grant: Require authentication strength [Passwordless MFA + TAP]
- Session: Sign-in frequency - 20 days
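The same policy expressed as a Microsoft Graph conditionalAccessPolicy body, with a review function that flags the mistakes this post warns about (missing break-glass exclusion, Intune or Apple Business Manager not excluded, no authentication strength, sign-in frequency above 20 days). This is an added example, not code from the original post; every value in IDS is a placeholder to be replaced with your tenant's object IDs, and the policy is built in report-only state so it can be tested with a pilot group first.

```python
import json

# Placeholder identifiers (constructed for this example, not from the post);
# replace with the object IDs from your own tenant before posting to Graph.
IDS = {
    "break_glass_group": "<break-glass-group-object-id>",
    "service_accounts_group": "<service-accounts-group-object-id>",
    "global_admin_role": "<global-administrator-role-template-id>",
    "dirsync_role": "<directory-synchronization-accounts-role-template-id>",
    "intune_app": "<microsoft-intune-app-id>",
    "abm_app": "<apple-business-manager-app-id>",
    "auth_strength": "<passwordless-plus-tap-authentication-strength-id>",
}

def build_policy(ids=IDS, report_only=True):
    """Return the post's policy as a Graph conditionalAccessPolicy request body."""
    return {
        "displayName": "[iOS_Android_BYOD_COBO] Passwordless-MFA_All_Cloud_Apps",
        # Report-only first: see who would be blocked before enforcing for everyone.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [ids["break_glass_group"], ids["service_accounts_group"]],
                      "excludeRoles": [ids["global_admin_role"], ids["dirsync_role"]]},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": [ids["intune_app"], ids["abm_app"]]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        # Authentication strength instead of plain "mfa": only passwordless methods and TAP satisfy it.
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": ids["auth_strength"]}},
        "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": 20,
                                                "frequencyInterval": "timeBased"}},
    }

def review_policy(policy, ids=IDS):
    """Return a list of guardrail violations for an All-cloud-apps policy (empty = passes)."""
    c, findings = policy["conditions"], []
    if c["applications"].get("includeApplications") == ["All"]:
        if ids["break_glass_group"] not in c["users"].get("excludeGroups", []):
            findings.append("break-glass group not excluded: risk of locking out the tenant")
        for app in (ids["intune_app"], ids["abm_app"]):
            if app not in c["applications"].get("excludeApplications", []):
                findings.append(f"{app} not excluded: device enrollment may break")
    sif = policy.get("sessionControls", {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("type") == "days" and sif.get("value", 91) <= 20):
        findings.append("sign-in frequency is not 20 days or less")
    if not policy.get("grantControls", {}).get("authenticationStrength"):
        findings.append("no authentication strength: any registered MFA method would satisfy the grant")
    return findings

if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", review_policy(policy))
```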
What does all Cloud Apps target?
When you select the All cloud apps target, your policy will apply to all of the following:
- Microsoft-owned cloud apps, such as Microsoft 365, Azure, and Dynamics 365
- Third-party cloud apps that are integrated with Azure AD, such as Salesforce, Google Workspace, and Dropbox
- Custom cloud apps that are developed by your organization and integrated with Azure AD
It is important to note that the All cloud apps target is a very broad target. The target is enforced for all tokens issued to web sites and services. This option includes applications that aren’t individually targetable in Conditional Access policy, such as Microsoft Entra ID.
If you are not careful, you could inadvertently block user access to essential apps or services. For this reason, it is important to carefully consider your requirements before using the All cloud apps target. Always test this policy out with a small group before enabling it for all users.
User experience
Users will encounter a passwordless MFA challenge when they attempt to sign into Microsoft apps or third-party cloud apps integrated with Entra.
Example:
1. User tries to sign into Microsoft Whiteboard (https://app.whiteboard.microsoft.com/).
2. Enters their password.
3. Must satisfy the second factor with number matching.