Microsoft 365 E5 – Frustration-free Security

By Tom Bond, Managing Security Consultant at Orange Cyberdefense

Microsoft’s E5 security platform delivers all the building blocks needed so that an organisation can build authentication which is thorough, strong and ensures MFA throughout, whilst simultaneously removing MFA prompts from their users on both desktop and mobile devices.

 

---

 

When we think of multifactor authentication (MFA), we naturally think straight to a text code or authenticator app. The natural assumption is that “MFA”, means password + a code from somewhere.

Many enterprises build authentication and identity designs around this very tenet. We often see the notion that MFA must be enforced, and what this actually means for a user, is that they might be opening a computer in the morning and being asked for a password, and then MFA prompt, many times, as they authenticate to each application.

Leaving aside the security implications of “MFA fatigue”, where the user applies no consideration to the requests received, this is incredibly irritating! Every morning we cry inwardly (and if we didn’t have coffee yet, outwardly), “Just let me do my work!”

Meanwhile, the push for MFA from IT Security teams has become ever stronger. Quite rightly, they know that a password is easily compromised and offers utterly inadequate protection in the modern world, so they clamour to enhance that security to a level where it offers appropriate protection.

At first glance, this situation leaves users and IT Security fundamentally opposed in their needs. Thankfully, Microsoft offers a solution. Using the tools contained within the feature set of Microsoft 365 E5, or the E5 Security license, it is possible to have both a great user experience and be highly secure.

To understand how this is delivered, we must first free ourselves of the notion that MFA = password plus a code.

Multifactor Authentication means just that – Authentication delivered with more than one factor.

Authentication factors take many forms:

• Possession – Something you have (perhaps a physical token or authentication data stored on your computer)
• Knowledge – Something you know (a password or a PIN is a great example)
• Biometric – Something you are (for example fingerprint or face)

Of these, the weakest is the password which is why we have added the code-based MFA that is now so common.

Naturally, we can see that there are many other factors to replace that MFA code, but what about not having the password at all?

Microsoft can cater for all of these scenarios. The core is Entra ID (formerly Azure AD), which has conditional access. This is present in E3 and E5 license tiers of M365, but enhanced at E5.

Conditional access allows for policies requiring code-based MFA, but now also supports the concept of MFA strengths. These policies allow the admin to enforce a scenario where SMS is not permissible (because it can be attacked relatively easily), and instead move the user toward stronger methods such as Windows Hello for Business or a security key.

We can also enforce a Compliant Device, which brings Intune compliance into play, and we can configure options for how we handle a non-compliant device. Intune’s device compliance allows us to enforce antivirus, Defender for Endpoint risk, machine risk, encryption and others, meaning if we have a compliant device, we know that the device is up to the configured and enforced policies of the organisation.

Entra ID then brings its services to enable single sign-on (SSO). SSO permits the same user details to access multiple systems, but Entra ID takes this further with Seamless SSO. This does what you’d expect, and enhances SSO to remove the sign-in part, instead re-using the token granted centrally. The really great part is that it works on mobile devices and Mac endpoints, as well as Windows.

Using these tools, we can create a fantastic user experience – the user signs into their device using a PIN or biometrics, and then they can access the organisation’s application estate without further authentication. No password, no MFA code, no challenge. Happy users.

Now, this would be pretty meaningless if we’d compromised security, but let’s see what happens behind the scenes:

• When the user signs into their machine – We have multi factor authentication:
  • The Device – something the user has
  • The Biometric – Something the user IS
  • (OR) their PIN – Something the user knows

• When the user uses that token around the enterprise:
  • Compliant Device checks ensure that the device is, indeed, compliant
  • If not, we challenge – MFA strength can be enforced in Conditional Access with “Device OR MFA” rules

If we are handling sign-in from a non-compliant device, we can enforce Passwordless Sign-in, so the user is challenged on their device, with biometrics, again enforcing an MFA approach but very simply for the user. This is an awesome setup for Teams devices, for example, which can need a sign-in to access user resources. Passwordless is so much faster than tapping in a password on a touch screen!

Acting as a backstop to this is Entra Identity Protection. Taking data from the overall Microsoft cloud to assess risk, plus examinations of user accounts, sign-ins and other factors, Microsoft algorithms keep a close eye on user accounts, and can block or MFA challenge if risk is detected, thus again meaning we have no need for constant MFA challenges and short session times.

Microsoft’s E5 security platform is a fantastic way to modernise security, making users more efficient and also enhancing security. In a world of ever-more annoying security challenges, a setup with enhanced security, that a user never sees, is the nirvana. Microsoft’s platform can deliver it, and Orange Cyberdefense will help you build it, and then maintain it when it’s built.

Supersize the value of your Microsoft investment