Account/Authentication - Azure Active Directory - Ensure Sign-in Frequency is Enabled and Browser Sessions are not Persistent for Administrative Users
Summary
Forcing a time-out for MFA ensures that administrative sessions are not kept alive for an indefinite period. Combined with a browser session that is never persistent, this narrows the window for drive-by attacks in web browsers and prevents long-lived session cookies from being created and saved, leaving little for an attacker to steal.
Administrative roles this should apply to include:
- Global Administrator
- Billing Administrator
- Exchange Administrator
- SharePoint Administrator
- Password Administrator
- Skype for Business Administrator
- Service Support Administrator
- User Administrator
- Dynamics 365 Service Administrator
- Power BI Administrator
NOTE- The frequency at which MFA is prompted will be determined by your organization's policy and need.
Reason
Making sure that these additional controls are present for administrative users adds an extra layer of defense against drive-by attacks, as well as against some ransomware attacks that rely on a live, privileged browser session.
What If?
Users holding the targeted administrative roles will be prompted to re-authenticate at the configured sign-in frequency, and their browser sessions will not survive closing the browser.
How to?
To set the multifactor time-out and persistent browser settings for administrators, use the Microsoft 365 Admin Center:
- Login to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers then choose Azure Active Directory.
- Now select Enterprise applications and then, under Security, select Conditional Access.
- Click New policy.
- Now go to Assignments > Users and groups > Include > Select users and groups > and check Directory roles.
- At a minimum, select the following roles: Billing admin, Conditional Access admin, Exchange admin, Global admin, Helpdesk admin, Security admin, SharePoint admin, and User admin.
- Targeting every role whose name contains "admin" ensures that any user with additional privileges is covered as well.
- Under Cloud apps or actions, select All cloud apps (the Persistent browser session control is only available when the policy targets all cloud apps).
- Under Access controls > Session, check Sign-in frequency and enter the value determined by your organization, then check Persistent browser session and select Never persistent.
- Set Enable policy to On (or Report-only if you want to review sign-in logs first) and click Create.
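The same policy can be created without the portal, using the Microsoft Graph PowerShell SDK. The script below is an added example and is not code from the original page or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the signed-in account can manage Conditional Access, a hypothetical policy display name, a 4-hour sign-in frequency (the actual value is your organization's choice), and an empty list of emergency-access ("break-glass") account IDs that you should fill in before running it.

```powershell
# Added example (not from the original page): create the Conditional Access policy
# described in the How to? section with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph (uses the Identity.SignIns and
# Identity.DirectoryManagement sub-modules).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory'

# Roles to target; these match the "at a minimum" list above.
$roleNames = @(
    'Billing Administrator', 'Conditional Access Administrator', 'Exchange Administrator',
    'Global Administrator', 'Helpdesk Administrator', 'Security Administrator',
    'SharePoint Administrator', 'User Administrator'
)

# Conditional Access references roles by role template ID, not by display name,
# so resolve the names against the tenant's directory role templates rather than
# hard-coding GUIDs.
$templates = Get-MgDirectoryRoleTemplate
$roleIds = @(foreach ($name in $roleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template '$name' not found in this tenant" }
    $t.Id
})

# Assumption: object IDs of emergency-access accounts to exclude so a misconfigured
# policy cannot lock every administrator out. Fill this in for your tenant.
$breakGlassIds = @()

# Assumption: 4-hour sign-in frequency; the page leaves the value to organizational policy.
$policy = @{
    displayName = 'CA - Admin sign-in frequency and non-persistent browser sessions'
    # Start in report-only mode and switch to 'enabled' after reviewing sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlassIds
        }
        # Persistent browser session control requires the policy to target all cloud apps.
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        signInFrequency   = @{
            isEnabled          = $true
            type               = 'hours'
            value              = 4
            frequencyInterval  = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
        persistentBrowser = @{
            isEnabled = $true
            mode      = 'never'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The policy is created in report-only mode on purpose: review the Conditional Access report-only results in the sign-in logs for a few days, confirm the break-glass exclusions are in place, then change `state` to `enabled` (or flip Enable policy to On in the portal).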
Monitor:
To verify the multifactor time-out and persistent browser settings are set for administrators, use the Microsoft 365 Admin Center:
- Login to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers then choose Azure Active Directory.
- Now select Enterprise applications and then, under Security, select Conditional Access.
- Review the list of policies and make sure that there is a policy that includes the administrative directory roles listed above, with Sign-in frequency set to the time determined by your organization and Persistent browser session set to Never persistent.
NOTE- After creation make sure that the policy state is On (enabled), not Report-only or Off.
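The same check can be scripted so it can run on a schedule instead of relying on a manual review of the policy list. The script below is an added example, not code from the original page or from Microsoft; it assumes the Microsoft.Graph modules are installed, a read-only account with the listed scopes, and the same minimum role list as the How to? section. It treats a policy that targets All users as covering administrators too, since that also satisfies the control.

```powershell
# Added example (not from the original page): audit Conditional Access for a policy
# that enforces sign-in frequency and non-persistent browser sessions on admin roles.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory'

$requiredRoleNames = @(
    'Billing Administrator', 'Conditional Access Administrator', 'Exchange Administrator',
    'Global Administrator', 'Helpdesk Administrator', 'Security Administrator',
    'SharePoint Administrator', 'User Administrator'
)

# Resolve display names to role template IDs; policies store IDs, not names.
$templates = Get-MgDirectoryRoleTemplate
$requiredRoleIds = @(($templates | Where-Object { $requiredRoleNames -contains $_.DisplayName }).Id)

$policies = Get-MgIdentityConditionalAccessPolicy -All

$compliant = @(foreach ($p in $policies) {
    $sif   = $p.SessionControls.SignInFrequency
    $pb    = $p.SessionControls.PersistentBrowser
    $users = $p.Conditions.Users
    $roles = @($users.IncludeRoles)

    # Admins are covered if every required role is included, or if the policy targets All users.
    $missingRoles = @($requiredRoleIds | Where-Object { $roles -notcontains $_ })
    $coversAdmins = ($missingRoles.Count -eq 0) -or (@($users.IncludeUsers) -contains 'All')

    $hasFrequency    = $sif -and $sif.IsEnabled -and $sif.Value -gt 0
    $neverPersistent = $pb -and $pb.IsEnabled -and $pb.Mode -eq 'never'

    # Report-only or disabled policies do not enforce anything, so require 'enabled'.
    if ($p.State -eq 'enabled' -and $coversAdmins -and $hasFrequency -and $neverPersistent) {
        [pscustomobject]@{
            DisplayName       = $p.DisplayName
            SignInFrequency   = "$($sif.Value) $($sif.Type)"
            PersistentBrowser = $pb.Mode
            ExcludedRoles     = @($users.ExcludeRoles).Count
            ExcludedUsers     = @($users.ExcludeUsers).Count
        }
    }
})

if ($compliant.Count -eq 0) {
    Write-Warning 'No enabled Conditional Access policy enforces sign-in frequency and never-persistent browser sessions for the required admin roles.'
} else {
    $compliant | Format-Table -AutoSize
}
```

The ExcludedRoles and ExcludedUsers columns are there because a policy can include every admin role and still carve out the accounts that matter through exclusions; anything other than the handful of break-glass accounts in those columns deserves a closer look.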