Integrate CISA review feedback into aad baseline #671

revised section 1 to match Word doc
tkol2022 committed Nov 12, 2023
commit a88ae9e501fcb6388cd8aa754d1d34c423614246
12 changes: 6 additions & 6 deletions baselines/aad.md
Expand Up @@ -57,13 +57,14 @@ This section provides policies that reduce security risks related to legacy auth
### Policies
#### MS.AAD.1.1v1
Legacy authentication SHALL be blocked.

<!--Policy: MS.AAD.1.1v1; Criticality: SHALL -->
- _Rationale:_ The security risk of allowing legacy authentication protocols is they do not support multi-factor authentication (MFA). By blocking legacy protocols the impact of user credential theft is minimized.
- _Rationale:_ The security risk of allowing legacy authentication protocols is they do not support MFA. Blocking legacy protocols reduces the impact of user credential theft.
- _Last modified:_ June 2023

### Resources

- [Conditional Access: Block Legacy Authentication](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy)
- [Common Conditional Access policy: Block legacy authentication](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy)

- [Five steps to securing your identity infrastructure](https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity)

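Review bot: the rewritten rationale line drops the expansion of the acronym that the replaced line carried ("multi-factor authentication (MFA)"); unless MFA is spelled out earlier in the baseline, keep the expansion on first use here, since this is the first policy in the document. The sentence also still reads "The security risk ... is they do not support MFA"; "is that they do not support MFA" is the grammatical form. The Resources change (Azure AD URL to the Entra URL for the same "block legacy authentication" Conditional Access article) looks correct.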
Expand All @@ -73,12 +74,11 @@ Legacy authentication SHALL be blocked.

### Implementation

#### MS.AAD.1.1v1 instructions:
#### MS.AAD.1.1v1 Instructions

1. Before blocking legacy authentication across the entire application
base, follow [these instructions](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#identify-legacy-authentication-use) to determine if any of the agency’s existing applications are presently using legacy authentication.
- [Determine if an agency’s existing applications use legacy authentication](https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication#identify-legacy-authentication-use) before blocking legacy authentication across the entire application base.

2. Follow [the instructions on this page](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy) to create a conditional access policy blocking legacy authentication.
- Create a [Conditional Access policy to block legacy authentication](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy).

## 2. Risk Based Policies

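Review bot: replacing the numbered steps with bullets loses the ordering that this procedure depends on. Identifying which applications still use legacy authentication has to happen before the Conditional Access policy is created, otherwise the block breaks those applications; the old "1." and "2." made that sequence explicit. The word "before" in the first bullet now carries it, but a reader skimming the bullets can miss it. Suggest keeping the ordered list, i.e. "1. Determine if an agency's existing applications use legacy authentication ..." and "2. Create a Conditional Access policy to block legacy authentication." The heading change from "instructions:" to "Instructions" is fine.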