
BA 09 – Entra Conditional Access Policy

Entra Conditional Access Policies are a set of rules and configurations that organizations can define to control and secure access to their Entra ID resources. These policies allow organizations to enforce specific conditions that must be met before users can access applications, data, or other resources. Conditional Access helps enhance security by providing adaptive controls based on various factors, such as user identity, device health, location, and more.

Some best practices for configuring Entra ID Conditional Access policies include:

Implementing Multi-Factor Authentication (MFA): Require users to authenticate using multiple factors, such as passwords, biometrics, or security tokens, before accessing sensitive resources.

Device Compliance Checks: Enforce policies that verify the compliance status of devices accessing Azure and/or Microsoft 365 resources, ensuring they meet security and configuration requirements specified by the organization. Devices that do not meet compliance standards can be blocked or restricted from accessing resources.

Location-Based Restrictions: Define policies that restrict access based on the geographical location of users or devices. This helps prevent unauthorized access from locations known for malicious activity or where the organization does not operate.

Risk-Based Policies: Leverage risk assessment capabilities to dynamically adjust access controls based on the perceived risk associated with user behavior, device health, or other contextual factors.

If Entra Conditional Access Policies are misconfigured or not configured at all, the security of an organization’s environment can be significantly weakened.

In the example below, we’ve configured a Conditional Access policy to block access to all cloud applications from all device platforms except MacOS.

As a result, users attempting to authenticate from Mobile, Windows, or Linux devices will be denied access.

However, attackers can potentially bypass this restriction by altering their device’s user-agent to mimic a MacOS device. By doing so, they can evade the Conditional Access policy and gain unauthorized access to Azure resources.

Below are some User-Agent examples that can be used to evaluate conditional access policies:

Linux - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

MacOS - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15

Android - Mozilla/5.0 (Linux; U; Android 4.0.2; en-us; Galaxy Nexus Build/ICL53F) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

iPhone - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1

Windows Phone - Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 950) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063

Windows - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19042
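Because the device platform condition is derived from the user-agent string, a platform-only policy like the one above cannot tell a real macOS device from a spoofed one. The added example below (not from the original page) shows two detections a defender can run over Entra sign-in log records: sign-ins that satisfied the policy on the allowed platform with no device trust signal at all (not compliant, no trust type, no device ID), and users whose reported platform flips within a short window. The field names follow the Microsoft Graph signIn resource (deviceDetail.operatingSystem, isCompliant, trustType, deviceId); the sample records, users and timestamps are constructed.

```python
# Added example (not from the original page): detections for platform-only
# Conditional Access bypass. Sample records are constructed in the shape of
# Entra sign-in log entries (Microsoft Graph signIn resource).
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample sign-ins; user names, times and device IDs are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"operatingSystem": "MacOs", "browser": "Safari 13.0",
                      "isCompliant": True, "trustType": "Azure AD joined", "deviceId": "dev-1"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T09:05:00Z",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Edge 18.19042",
                      "isCompliant": False, "trustType": "", "deviceId": ""}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T09:12:00Z",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"operatingSystem": "MacOs", "browser": "Safari 13.0",
                      "isCompliant": False, "trustType": "", "deviceId": ""}},
]

def is_untrusted_platform_pass(rec: dict) -> bool:
    """True when CA succeeded on the allowed platform (macOS) but the device
    carries no trust signal: not compliant, no trust type, no device ID."""
    d = rec["deviceDetail"]
    return (rec["conditionalAccessStatus"] == "success"
            and d["operatingSystem"].lower().startswith("mac")
            and not d["isCompliant"] and not d["trustType"] and not d["deviceId"])

def platform_flips(records: Iterable[dict], window_minutes: int = 30) -> list:
    """Return (user, from_os, to_os) tuples where one user's reported OS
    changes between consecutive sign-ins inside the given window."""
    by_user: dict = {}
    for r in records:
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        by_user.setdefault(r["userPrincipalName"], []).append((ts, r["deviceDetail"]["operatingSystem"]))
    flips = []
    for user, events in by_user.items():
        events.sort()
        for (t1, os1), (t2, os2) in zip(events, events[1:]):
            if os1 != os2 and t2 - t1 <= timedelta(minutes=window_minutes):
                flips.append((user, os1, os2))
    return flips

def findings(records: list) -> dict:
    """Run both detections and return the flagged users / platform flips."""
    return {"untrusted_platform_pass": [r["userPrincipalName"] for r in records
                                        if is_untrusted_platform_pass(r)],
            "platform_flips": platform_flips(records)}
```

The durable fix is the policy itself: pair the device platform condition with a grant control such as "Require device to be marked as compliant" or "Require Microsoft Entra hybrid joined device", so that a spoofed user-agent alone no longer satisfies the policy.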

Additional Reading: