deploy365

Category: Entra ID

  • MFA: Exploring the Three Methods and How They’re Applied

    MFA: Exploring the Three Methods and How They’re Applied

    Introduction

    In this blog I’ll go through the three different methods of implementing MFA protection for sign-ins to your Microsoft 365 tenant. I’ll summarise how those methods differ and which you should consider implementing. Lastly, I’ll demonstrate how to generate a report on which of your accounts have registered for MFA and the check which methods they’re using.

    To enable MFA controls in, you essentially have three options:

    • Security Defaults
    • Per User MFA
    • Conditional Access

    (The focus of this blog is around the method of providing MFA protection using Entra ID and not via federated identity via ADFS or 3rd parties)

    Security defaults

    This is a global setting. It’s fundamentally an on/off switch for providing MFA protection for all account on in your tenant. It provides MFA protection across the board to all your accounts and with no exceptions.

    In practice, when signing into a new account, the user would have 14 days (from initial sign-in) to set up an MFA method. The user could choose to skip that if they wish, but after 14 days they would be forced to set up their MFA method. Subsequent logins would then be subject to an MFA claim to access the tenant.

    Security defaults was introduced in October 2019 and was primarily aimed at providing a baseline protection for all newly provisioned M365 tenants. Prior to this, tenants were created without any MFA protection by default.

    Key points to note about security defaults.

    • It is free with no additional subscription required for MFA protection
    • It’s enabled by default on newly provisioned tenants
    • There are no exceptions in MFA protection – this is important to note if you require an account login which cannot complete an MFA prompt.
    • You cannot use SMS as a verification method – although this is generally discouraged now
    • User are required to register for and use the Microsoft Authenticator app

    Per-User MFA

    As its name suggests, it’s enabled on a per account basis. In comparison to security default, this does give you the flexibility to make exceptions to accounts. However, it’s benefit is also it’s Achilles’ heel. You must proactively enable per-user MFA on an account, either via script or via the admin console. If you don’t enable per-user MFA on that account, it will not have MFA protection.

    Key points to note about per-user MFA defaults

    • It is free with no additional subscription required for MFA protection
    • You control which accounts have MFA protection
    • There are no exceptions in MFA protection – this is important to note if you require an account login which cannot complete an MFA prompt

    Conditional Access

    By using conditional access to implement MFA protection you have far greater flexibility in the scenarios where MFA is required. For example, you could require MFA for all users, but make exclusions for accounts connecting from a particular location.

    By using conditional access policies, you can also go much further in your ruleset around MFA controls. For example, conditional access policies can used to require that only managed organisational devices can access certain M365 resources. The level of access can also be controlled to those resources. For example, restricting the ability to sync or download attachments in Exchange Online and Sharepoint (in combination with EXO and SPO settings).

    Unlike security defaults and per-user MFA, conditional access requires an Entra ID premium P1 license. This comes bundled in with Microsoft 365 E3 plans and above (a plan commonly in use for medium sizes businesses). It also comes bundled with Microsoft 365 business premium plans too.

    Key points to note about per-user MFA defaults:

    • Requires an Entra ID Premium P1 or above license for each user logging into the service
    • Can provide MFA for all accounts by default and allow exceptions in specific conditions
    • Provides greater flexibility in your conditions required
    • Can provide much more than just controls around MFA verification

    Which Method Takes Precedence?

    You would only use 1 of these 3 methods of providing MFA protection. The way they’re implemented is basically in order of three, so be aware if you’ve enabled more than 1 way to provide MFA protection.

    1. The method which takes precedence (if enabled) is security defaults. This is a broad brush on/off settings; so, if you have that enabled, then per-user MFA or a conditional access policy will not function as expected for a user’s login.
    2. If you want to use per-user MFA, you will need to switch off security defaults. You will then be using MFA on a per account basis.
    3. If you want to use conditional access for providing MFA protection, then the users scoped to your conditional access policies shouldn’t be enabled with per -user MFA. Although possible, I wouldn’t recommend using a mixture of per-user MFA protection for some accounts and conditional access MFA protection for others. This can be confusing for troubleshooting and will likely results in security gaps.

    Which Type To Use?

    For a new tenant, you would initially use security defaults. It’s turned on by default and you would use that protection at the start before deciding.

    If you tenant will have a relatively small number of users, and you didn’t have a license plan which included Entra ID Premium P1 or above, then security defaults is good option.

    If you want to get more flexibility, or if you want to have exceptions, then per user MFA is a better fit. But obvious negative is that you need to make sure that users are enabled for MFA as soon as you provision them.

    If you have you users licensed for Entra ID premium P1, then looking to adopt conditional access policies would make sense. This way you can have a policy that affects all users by default requires no manual tasks. Users would be enabled by MFA by default, but also gives you the flexibility of implementing exceptions for those as well.

  • Assigning Enterprise Licences to Entra Hybrid Joined Devices

    Assigning Enterprise Licences to Entra Hybrid Joined Devices

    Introduction

    Let’s set the scene of this scenario…

    You have a Windows estate running Windows 10 or 11 Pro. You have M365 licences in your tenant plan which includes Windows 10/11 Enterprise licences and you want to apply those Enterprise licences to your devices.

    From with Windows 10 version 1703, a feature called ‘Subscription Activation’ was provided. This enabled users to ‘step-up’ from a Windows Pro licence to Windows Enterprise licence automatically, so long as the users is assigned a Windows Enterprise E3 or E5 licence option in their M365 tenant.

    The Subscription Activation feature eliminates the need to manually deploy Windows Enterprise or Education images on each target device, and then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.

    It’s important to note that the Windows Enterprise subscription activation is designed to ‘step-up’ a device from Windows Pro to Windows Enterprise. Therefore, your device is required to have a Windows Pro license activated as a foundation. For most device procured for business, the Windows Pro key is built-in to the firmware of the device – but it’s worth noting if you’re testing in a lab environment where your device isn’t initially assigned a Windows Pro licence.

    For Windows Enterprise Subscription Activation to function, there a several prerequisites which need to be in place. This blog is aimed at organisations which have Active Directory on premises and synchronise their AD objects to Entra ID (formerly Azure AD) via AAD Connect.

    Prerequisites

    The below provide a summary breakdown of the prerequisites required in the setup on AAD Connect:

    • AAD Connect | Setup Check/Update
    • AAD Connect | Entra Hybrid Join
    • AAD Connect | Review/Amend OU Sync Scope
    • Client Device | Internet Access to Entra ID via SYSTEM Account
    • Client Device | Internet Access to Entra ID via User Account
    • Client Device | SSO Local Intranet Settings
    • Client Device | Windows Pro Licensed and Activated
    • Entra ID | Valid Subscription Present
    • Entra ID | Applicable Users Licensed with Windows Enterprise

    AAD Connect | Setup Check/Update

    To facilitate Windows 10 Enterprise Subscription Activation, AAD Connect needs to be configured with the following:

    • Version of 1.1.819.0 or above (you need to be v2 now anyway)
    • Entra Hybrid Join enabled and configured
    • Sync scope to include the OU’s which contain the applicable computer objects

    AAD Connect | Hybrid Azure AD Join

    An Entra Hybrid Joined device is one that’s joined to Active Directory on premises and also sync and joined to Entra.

    Configuring Entra Hybrid Join via AAD Connect essentially creates a Service Connection Point in Active Directory on premises with details on your M365 tenant.  

    That SCP will be used by a client device as part of the Entra Hybrid Join process when enabled via AAD Connect.

    NOTE: Instead of configuring an SCP via AAD Connect, you can choose to control which devices attempt Entra Hybrid Join by using targeted deployment – This essentially lets you deploy two registry keys to the devices you wish to target for Hybrid Join. See the following for more details on that route – https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-control .

    To deploy the SCP via AAD Connect. Within the AAD Connect wizard navigate to Configure Device Options:

    Below is an example of the where the SCP shows in Active Directory:

    AAD Connect | Review/Amend OU Sync Scope

    For a device to become Hybrid Azure AD Joined, the sync scope of AAD Connect needs to include the organisational units which contain the user accounts which will have a Windows 10 Enterprise licenses assigned and computer objects which require a Windows 10 Enterprise Subscription to be assigned.

    If required, amend the scope using the AAD Connect wizard as shown below:

    Client Device

    To allow user to carry out Windows 10 Enterprise Subscription Activation on a Windows device, the following needs to be configured on the client side:

    • Internet Access to Azure AD via SYSTEM account
    • Internet Access to Azure AD via User Account
    • SSO IE Local Intranet Settings
    • Device licensed and activated with Windows 10 Pro

    Client Device | Internet Access to Azure AD via SYSTEM Account

    Before a user can successfully obtain a Windows 10 Enterprise Subscription Activation, the device in question must be Hybrid Azure AD Joined.

    For a device to become Hybrid Azure AD Joined, the built-in SYSTEM account requires internet access to Azure AD for the following addresses:

    There is a scheduled task in Windows 10 under \Microsoft\Windows\Workplace Join called Automatic-Device-Join.  The task is scheduled to run as the SYSTEM user and run with the highest privileges.  The task is triggered to run every time somebody logs onto the workstation and every hour for the duration of 1 day.

    The main point of the scheduled task is to obtain a unique certificate which is then written to the UserCertificate attribute.  Without the UserCertificate attribute populated, the computer object will not synchronise from AD on premises to Azure AD.

    If your device has direct access to the internet this should function without an issue. If a proxy server is used to filter web traffic, this can cause issues where the SYSTEM account is unable to access Azure AD over the internet.

    Where a proxy server is in place and you don’t have direct internet access via your default gateway, you typically have the following options:

    1. Make network/proxy changes to allow traffic to Azure AD via the default gateway

    2. Make exceptions and push out proxy settings for computer objects via SYSTEM account for example via WPAD (Web Proxy Auto-Discovery) – https://docs.microsoft.com/previous-versions/tn-archive/cc995261(v%3dtechnet.10) 

    Automatic Device Join Scheduled Task

    Details on the scheduled task which obtains and writes the UserCertificate back to AD on premises are below:

    userCertificate Attribute

    In the example below you can see the userCertificate attribute is populated after the Automatic-Device-Join task has run:

    Before:

    After:

    AAD Connect Device Sync Rule Filter

    The below show the AAD Connect Sync rule which qualifies whether a computer object has the userCertificate attribute populated to qualify it for sync to Azure AD: 

    Test Azure AD Connection for SYSTEM account

    To test the connectivity to the internet under the context of the SYSTEM account, you can download and run the Test Device Registration Connectivity Script from Microsoft.  This creates a temporary scheduled task which runs as the SYSTEM account to test for successful connection to Azure AD.

    https://gallery.technet.microsoft.com/scriptcenter/Test-Device-Registration-3dc944c0

    Example where it fails:

    Example where it’s successful:

    Manually setting proxy for SYSTEM account

    Below is an example of how to set the proxy server to be used under the context of the SYSTEM account.  This is helpful for testing and troubleshooting:

    Entra Hybrid Join status

    Below is an example of a device showing as Hybrid Azure AD Joined in Azure AD:

    Client Device | Internet Access to Entra ID via User Account

    For a user to successfully obtain a Windows Enterprise Subscription Activation from an Entra Hybrid Joined machine, the user must have internet access.  This can be via a proxy server or direct internet access via the default gateway of the machine.

    Client Device | SSO IE Local Intranet Settings

    In order to provide Seamless SSO for the license subscription to works silently, the following URL’s should be added into the users Local Intranet zone in Internet Explorer:

    You must also enable Allow updates to status bar via script in the user’s Local Intranet Zone.

    Push Out Settings via Group Policy

    You can push out the Local Intranet Settings to users via a Group Policy.  Below is an example of the settings which need to be configured under the user context:

    Client Device | Windows Pro Licensed and Activated

    For the step-up in license from Windows Pro to Enterprise to occur, you’re required to have your device licensed and activated with Windows Pro as a foundation.

    Note, starting from Windows 10, version 1803 pulls activation keys directly from firmware where the device support firmware-embedded keys.  It is no longer necessary to run a script to perform the activation step on Windows Pro prior to activating Enterprise.

    Windows Edition Check

    Below is an example of how the Windows 10 Pro license should display prior to step-up in license.  Disregard the partial product key as this may be different prior to the step-up in licensing:

    Azure AD

    To allow a user to carry out the step-up in licensing from Windows Pro to Windows Enterprise the following needs to be in place in Entra ID:

    • An applicable license plan in the M365 tenant
    • A license assigned to the applicable users for the step-up in licensing

    Azure AD | Valid Subscription Present

    A valid subscription will need to be procured and showing as present in the Azure AD/Office 365.  This typically shows under a Microsoft 365 E3 or Microsoft 365 E5 but can also show as a different license plan.

    Azure AD | Applicable Users Licensed with Windows 10 Enterprise

    The user account that will used to carry out the license step-up activation need to have a Windows Enterprise license.

    An example from the Entra ID portal is below:

    Enable Licence Subscription

    The enabling licence subscription tasks can be found under scheduled tasks:

    Windows Subscription Activation

    With the previously outlined prerequisites in place, after a user has logged into the Windows Pro workstation, you should find the license has been updated to Windows Enterprise.

    • Note, in some places the license will still appears as Windows Pro.
    • Note, that the partial product key should show with the value 3V66T.
    • Note, a user can license up to 5 devices with their user account. The activation is like a queue, the 1st activated device will drop off the list when a 6th one is activated etc.
    • At the present time, there’s no documented way to verify which and how many devices have been licensed by user account in Entra ID.
    • Upon revoking the license from the user in M365, the license will downgrade back to Windows 10 Pro.