Industry trends and changes in the way we work usually span years, with organizations evolving at their own pace. But we're living in unusual times.
Organizations asking employees to work from home to slow the spread of COVID-19 are making huge organizational and process changes in a matter of weeks, not years. For them, quickly enabling remote work while keeping company data safe presents new challenges and amplifies old ones.
To help, we’d like to share best practices and tips, aligned with the principles of Zero Trust, that we’ve assembled from working closely with customers in these trying times.
Question: What’s the best way for users working from home to set up MFA?
We recommend using a Conditional Access policy to enable MFA for all users.
You have a couple of options for ensuring that users only keep files on devices you trust, depending on your endpoint management strategy and which features you’re already using. You can restrict file access to managed devices and applications, or you can limit file downloads and file access from unmanaged devices while still allowing app access.
Pro tip. If you use AD FS, be sure to expose your username-mixed and certificate-mixed WS-Trust endpoints through your Web Application Proxy (a frequently missed step), even if your environment already has Hybrid Azure AD joined devices. The symptom may not show up until devices need to check in during their two-week sliding window, so check the endpoints now rather than waiting for failures.
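The check the pro tip calls for, as an added example that is not part of the original post: run on an AD FS server in an elevated session, it verifies that the four username-mixed and certificate-mixed endpoints (both the 2005 and 13 versions) are enabled and published to the proxy, and fixes any that are not. The AD FS cmdlets used here are the standard ADFS module; the list of endpoint paths is an assumption about what "username mixed and certificate mixed" covers.

```powershell
# Added example (not code from the original post). Ensures the WS-Trust username-mixed and
# certificate-mixed endpoints are enabled and published through the Web Application Proxy.
# Run on an AD FS server in an elevated PowerShell session.
$required = @(
    "/adfs/services/trust/2005/usernamemixed",
    "/adfs/services/trust/13/usernamemixed",
    "/adfs/services/trust/2005/certificatemixed",
    "/adfs/services/trust/13/certificatemixed"
)

$changed = $false
foreach ($path in $required) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    if (-not $ep.Enabled) {
        Enable-AdfsEndpoint -TargetAddressPath $path       # endpoint must be enabled on the farm
        $changed = $true
    }
    if (-not $ep.Proxy) {
        Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true   # and published to the proxy (external access)
        $changed = $true
    }
}

if ($changed) {
    # Endpoint changes are picked up by the AD FS service after a restart; the WAP servers
    # re-read the published endpoint list on their next configuration sync.
    Restart-Service adfssrv
}

# Show the final state of the four endpoints for the change record.
Get-AdfsEndpoint |
    Where-Object { $required -contains $_.AddressPath } |
    Format-Table AddressPath, Enabled, Proxy -AutoSize
```

Run it against every farm before relying on device-based Conditional Access from outside the network; a device whose check-in fails because the proxy never exposed these endpoints will silently fall out of compliance.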
To start, we recommend reviewing our best practices guidance. Here are some highlights:
Registry value: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity, value name DisableADALatopWAMOverride, set to 1 (this makes Office 2016 apps sign in through ADAL rather than the Windows 10 Web Account Manager).
Organizations that don’t have time for an in-depth analysis of which resources they should or shouldn’t block can implement Conditional Access in an ‘allow-list’ configuration, which blocks access to any Azure AD application or resource not on the list. Keep in mind, however, that your organization may have dependencies on hundreds of services and endpoints within Azure AD, and that apps calling blocked services may exhibit unexpected behavior. If you need to take a block-all approach to enable remote work quickly, follow the best practices guidance and test in report-only mode before enforcing.
Targeting the Office 365 suite will ensure that most Office 365 applications run as expected under a block-all policy. The policies listed in the table below enable access to Office 365 services from outside your corporate network while blocking external access to all other Azure AD services.
Policy Name | Users and Groups (Include) | Users and Groups (Exclude) | Cloud apps or actions (Include) | Cloud apps or actions (Exclude) | Conditions (Include) | Conditions (Exclude) | Grant
Block all apps excluding O365 | All users | Break glass accounts | All applications | Office 365 (preview) | Any location | All trusted locations | Block access
Access Office 365 externally from Hybrid joined or compliant device | All users | Break glass accounts | Office 365 | n/a | (Select appropriate controls) | | Allow access: Hybrid joined devices, Compliant devices; require one of the selected controls
We don’t recommend targeting all users and all applications in a single rule. Policies applied to ‘All users’ apply to users local to your tenant as well as any guest users invited to your tenant. If you take this approach, be sure to exclude your break-glass accounts from every blocking policy. But if your security requirements allow for it, target individual group(s) of users instead of using the ‘All users’ option when you roll out the policy.
To ensure that your policy doesn’t block traffic from inside your network, you can exclude trusted network locations, as the “block all apps excluding O365” rule above does. Actively managing network locations within Azure AD will help you cover all internal networks. If you want to make other apps available externally, you can add them to the exclusion list in the first policy, and then either add them to the second policy or create another policy to apply different conditions.
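The policies discussed above (the MFA-for-all-users recommendation, the two rows of the table, and the "limit downloads from unmanaged devices" alternative), as an added example that is not code from the original post. It uses the Microsoft Graph PowerShell SDK and creates every policy in report-only mode so you can review sign-in logs before enforcing. Assumptions: the Microsoft.Graph module is installed, you hold the Conditional Access Administrator role, `$BreakGlassIds` is replaced with your real emergency-access account object IDs, and for the last policy the SharePoint/Exchange "limit access" settings are configured on the service side.

```powershell
# Added example (not code from the original post). Creates the Conditional Access policies from the
# post in report-only mode via Microsoft Graph PowerShell. Placeholder IDs must be replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassIds = @("00000000-0000-0000-0000-000000000001")   # placeholder: your break-glass account object IDs

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [hashtable] $Grant,
        [hashtable] $Session
    )
    # Every policy targets All users and excludes the break-glass accounts, so a mistake cannot lock out the tenant.
    $Conditions.users = @{ includeUsers = @("All"); excludeUsers = $BreakGlassIds }
    if (-not $Conditions.ContainsKey("clientAppTypes")) { $Conditions.clientAppTypes = @("all") }
    $body = @{
        displayName = $DisplayName
        state       = "enabledForReportingButNotEnforced"   # switch to "enabled" only after reviewing report-only results
        conditions  = $Conditions
    }
    if ($Grant)   { $body.grantControls   = $Grant }
    if ($Session) { $body.sessionControls = $Session }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Baseline: require MFA for all users on all apps.
New-ReportOnlyCaPolicy -DisplayName "Require MFA for all users" `
    -Conditions @{ applications = @{ includeApplications = @("All") } } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# 2. Table row 1: block all apps except the Office 365 suite from anywhere but trusted named locations.
New-ReportOnlyCaPolicy -DisplayName "Block all apps excluding O365" `
    -Conditions @{
        applications = @{ includeApplications = @("All"); excludeApplications = @("Office365") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 3. Table row 2: allow Office 365 externally only from hybrid-joined or compliant devices.
New-ReportOnlyCaPolicy -DisplayName "Access Office 365 externally from Hybrid joined or compliant device" `
    -Conditions @{ applications = @{ includeApplications = @("Office365") } } `
    -Grant @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }

# 4. ALTERNATIVE to policy 3 (deploy one or the other): let unmanaged devices reach Office 365 but with
#    app-enforced restrictions (browser-only, downloads limited). The device filter excludes managed
#    devices so they keep full access; it assumes "ServerAD" trust type marks hybrid-joined devices.
New-ReportOnlyCaPolicy -DisplayName "Limit downloads from unmanaged devices" `
    -Conditions @{
        applications = @{ includeApplications = @("Office365") }
        devices      = @{ deviceFilter = @{ mode = "exclude"; rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"' } }
    } `
    -Session @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
```

Leave the policies in report-only mode for at least a full business cycle and review the "Report-only" tab of the sign-in logs for the block-all policy in particular: that is where the hundreds of Azure AD service dependencies mentioned above show up as unexpected blocks before they affect anyone.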
It’s good practice to enforce MFA on VPNs in addition to all your apps. So that you can use Conditional Access, we recommend using a VPN that supports federated authentication to Azure AD with SAML or OpenID Connect. You can look for VPNs that support SAML authentication in the Enterprise Applications App Gallery, or you can add a custom SAML app in the Azure AD portal. As with any other Conditional Access policy, you can protect a VPN federated with Azure AD by requiring MFA or trusted devices. You can learn more about Azure AD hybrid access options here.
If your VPN doesn’t support federated authentication you can protect RADIUS authentication with Azure MFA using the Azure MFA NPS extension.
If you use location-based Conditional Access policies for users outside the corporate network, be sure to update your trusted named location IP ranges to include your VPN egress addresses, so that users quickly jumping between VPN and home IP addresses don’t trigger impossible travel or unfamiliar location events.
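Keeping the trusted named location current, as an added example that is not code from the original post: it creates or updates a trusted IP named location holding the corporate and VPN egress ranges, which is what the "All trusted locations" exclusion in the block-all policy and the location-risk detections above key off. The IP ranges and the location name are placeholders (TEST-NET ranges); replace them with your own public egress addresses.

```powershell
# Added example (not code from the original post). Creates or updates a trusted IP named location
# for corporate and VPN egress ranges via Microsoft Graph PowerShell. Ranges below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$name   = "Corporate and VPN egress"                   # placeholder name
$ranges = @("203.0.113.0/24", "198.51.100.0/24")        # placeholder TEST-NET ranges; use your real egress CIDRs

function Set-TrustedEgressLocation {
    param([string]$DisplayName, [string[]]$CidrRanges)

    $body = @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = $DisplayName
        isTrusted     = $true    # trusted: matched by "AllTrusted" exclusions and treated as known by risk detections
        ipRanges      = @($CidrRanges | ForEach-Object {
            @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
        })
    }

    # Idempotent: update the existing location (so policies referencing it keep working) or create it.
    $existing = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq '$DisplayName'"
    if ($existing) {
        Update-MgIdentityConditionalAccessNamedLocation -NamedLocationId $existing.Id -BodyParameter $body
        return $existing.Id
    }
    return (New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body).Id
}

Set-TrustedEgressLocation -DisplayName $name -CidrRanges $ranges
```

Update rather than delete and recreate: Conditional Access policies reference named locations by ID, and a recreated location leaves every policy pointing at a dangling reference. If your VPN concentrator's public address changes, this is the one place that needs to change.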
Pro tip. If you see an increase in VPN traffic and want to decrease the load, here’s how Microsoft IT has addressed this challenge.
To remove dependencies on on-premises infrastructure, such as federation servers, to access 3rd party SaaS applications, consider integrating them into Azure AD.
Azure AD Application Proxy lets you publish an application or Remote Desktop, while integration with partners like Akamai, Citrix, F5 and ZScaler lets you leverage existing network and delivery controllers with Conditional Access.
Pro tips.
- Azure AD App Proxy only uses OUTBOUND connectivity, on ports 80 and 443, from the connector to Azure.
- You can provide single sign-on to Integrated Windows Authentication applications by configuring Kerberos Constrained Delegation (KCD).
- App Proxy can translate URLs in the header or body. URL translation also supports wildcard URLs.
- Don’t forget to check the full detailed deployment plan for Azure AD App Proxy and other features.
We hope you find these recommendations helpful as you enable secure remote work for your employees. Please let us know via Twitter (@AzureAD) if you have any other questions or ideas.