Sign-In Frequency (SIF) is a commonly misunderstood control, one many orgs use to inflict unnecessary suffering on their employees 😩

It probably doesn't work the way you think it does and is often used in less than ideal ways...

So let's look at how it works and when to use it

https://twitter.com/Xenoulis1/status/1985286647840481374

To understand authorization controls (Conditional Access), we need to understand the authentication tokens it evaluates

When we log into a Hybrid or Entra joined device, we authenticate to Entra and get a Primary Refresh Token (PRT) with the time of the event in it

The "issue":

PRTs renew at login/unlock if older than 4 hours, but only the factor used has the time updated

If we use a password to log in, the time for password is updated but not MFA... 💡

If we use a strong auth methods to log in, like Hello or passkeys, time of both factors are updated

Hello for Business works great with AD integrated apps (Kerberos/NTLM), but it requires setting up a trust model

Very poorly generalized, Hello uses certificates that AD doesn't understand, so we need a way to request a Kerberos ticket with the certs

This is crazy easy now 🧵

https://twitter.com/magnus133/status/1883097307463483657

Before I share how easy it is now, I want to share why people still hate Hello because its history was way more complicated

Originally we had certificate trust which required full PKI deploying certificates to all of your devices and AD

Doing this properly was really hard...

So with Server 2016, Microsoft introduced a massive improvement - key trust

This meant we only needed to put certificates on domain controllers

This was so much easier, but it still required PKI and setting up the templates

And a hybrid model was added to support Azure AD...

I think the most common misunderstanding of Conditional Access is its relationship to authentication, and this results in not understanding how the rest of the controls actually work

Conditional Access performs authorization by evaluating tokens from the authentication service

This provides important insights 💡

CA policies cannot block anything until AFTER authentication occurs

This means CA cannot help with password spray/credential stuffing. This is why we have Password Protection and Smart Lockout.

learn.microsoft.com/en-us/entra/id…
learn.microsoft.com/en-us/entra/id…

This also means an attacker blocked by a CA policy either has a valid username/password or has a stolen token

When we don't understand this, we don't monitor and respond, and we give attackers more time with valid credentials

Identity Protection helps here, but it isn't perfect

You likely aren't collecting all available events to the Unified Audit Log

First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything).

Retention is based on license...

This policy only applies to users with the Microsoft 365 Advanced Audit SKU assigned, audit records are retained for 1 year. Audit records for users without this SKU are retained for 180 days (thanks CISA for the bump up from 90 days!)

Second, this still doesn't get everything..

Next we have to enable all the records for mailbox auditing

But wait, Microsoft totally pinky promises that you don't need to manage these records because they enable them for you



It would be nice if they actually enabled everything, but they don't :-/ learn.microsoft.com/en-us/purview/…

A common ask I get often is:

I want to require fresh strong authenticaton from a compliant device (or specific devices) when someone activates a role via PIM

So let's walk through that scenario really quick

If anything is unclear, just try harder!

I'm kidding, ask away 😜

https://twitter.com/NathanMcNulty/status/1831864788789686540

First, if the built-in phishing resistant auth strength works for you, use it

If not, we can customize exactly what we want (avoid requiring one not allowed in another poilcy)

We can even define AAGUIDs to specify exact models of keys that must be used

learn.microsoft.com/en-us/entra/id…

Second, we need to create an authentication context

This is like a label used to tie PIM activation to a specific Conditional Access policy. The name can be changed any time 😉


In our access token, this is the 'acr' value
learn.microsoft.com/en-us/entra/id…
learn.microsoft.com/en-us/entra/id…

In this thread, I will provide Graph PowerShell commands to find synced users with admin privileges

Microsoft has been very vocal about not granting privileges to synced accounts for about 4 years now

Read this post by @Alex_T_Weinert:


Then check below techcommunity.microsoft.com/t5/microsoft-e…

https://twitter.com/_wald0/status/1820951605333950947

@Alex_T_Weinert For those with PIM, these two scopes will help us get what we need (remove the /'s):

Connect-MgGraph -Scopes 'RoleAssignmentSchedule./Read.Directory','RoleEligibilitySchedule./Read.Directory'

If you don't use PIM, I believe you only need: RoleManagement./Read.Directory

First, we can get a list of all synced users who have an active assignment:

# Get active assignments
Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule -ExpandProperty RoleDefinition,Principal,DirectoryScope -All | ForEach-Object {
if ($_.Principal.AdditionalProperties."@odata.type" -match '.user' -and $_.Principal.AdditionalProperties.onPremisesSyncEnabled -eq $true) {
Write-Output "$($_.RoleDefinition.DisplayName),$($_.Principal.AdditionalProperties.userPrincipalName)"
}
if ($_.Principal.AdditionalProperties."@odata.type" -match '.group') {
$roleName = $_.RoleDefinition.DisplayName
$members = (Get-MgGroupMember -GroupId $_.PrincipalId).AdditionalProperties.userPrincipalName
if ($members.Count -ne 0) { $members | ForEach-Object { Write-Output "$roleName,$_" }}
}
#if ($_.Principal.AdditionalProperties."@odata.type" -match '.servicePrincipal') {
#    Write-Output "$($_.RoleDefinition.DisplayName),$($_.Principal.AdditionalProperties.appId)"
#}
}