lacework-global-517
1.2.2 Ensure that an exclusionary Geographic Access Policy is considered (Manual)
Profile Applicability
• Level 1
Description
CAUTION: If these policies are created without first auditing and testing the result, misconfiguration can potentially lock out administrators or create undesired access issues.
Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.
Rationale
Conditional Access, when used as a deny list for the tenant or subscription, is able to prevent ingress or egress of traffic to countries that are outside of the scope of interest (e.g.: customers, suppliers) or jurisdiction of an organization. This is an effective way to prevent unnecessary and long-lasting exposure to international threats such as APTs.
Impact
Azure AD Premium is required. Limiting access geographically will deny access to users that are traveling or working remotely in a different part of the world. A point-to-site or site to site tunnel such as a VPN is recommended to address exceptions to geographic access policies.
Audit
From Azure Portal
- From Azure Home open the Portal menu in the top left, and select
Azure Active Directory
. - Scroll down in the menu on the left, and select
Security
. - Select on the left side
Conditional Access
. - Select the policy you wish to audit, then:
- Under
Assignments
, Review theUsers and Groups
for the personnel the policy will apply to - Under
Assignments
, Review theCloud apps or actions
for the systems the policy will apply to - Under
Conditions
, Review theInclude
locations for those that should be blocked - Under
Conditions
, Review theExclude
locations for those that should be allowed (Note: locations set up in the previous recommendation for Trusted Location should be in theExclude
list.) - Under
Access Controls
>Grant
- Confirm thatBlock Access
is selected.
- Under
From Azure CLI
As of this writing there are no subcommands for Conditional Access Policies within the Azure CLI
From Azure PowerShell
$conditionalAccessPolicies = Get-AzureADMSConditionalAccessPolicy
foreach($policy in $conditionalAccessPolicies) {$policy | Select-Object @{N='Policy ID'; E={$policy.id}}, @{N="Included Locations"; E={$policy.Conditions.Locations.IncludeLocations}}, @{N="Excluded Locations"; E={$policy.Conditions.Locations.ExcludeLocations}}, @{N="BuiltIn GrantControls"; E={$policy.GrantControls.BuiltInControls}}}
Make sure there is at least 1 row in the output of the above PowerShell command that contains Block
under the BuiltIn GrantControls
column and location IDs under the Included Locations
and Excluded Locations
columns. If not, a policy containing these options has not been created and is considered a finding.
Remediation
From Azure Portal
Part 1 of 2 - Create the policy and enable it in Report-only
mode.
- From Azure Home open the portal menu in the top left, and select
Azure Active Directory
. - Scroll down in the menu on the left, and select
Security
. - Select on the left side
Conditional Access
. - Click the
+ New policy
button, then: - Under
Assignments
, selectUsers and Groups
then:- Under
Include
, selectAll users
- Under
Exclude
, only select emergency access accounts and service accounts (NOTE: Service accounts are excluded here because service accounts are non-interactive and cannot complete MFA)
- Under
- Under
Assignments
, selectCloud apps or actions
then:- Under
Include
, selectAll cloud apps
- Leave
Exclude
blank unless you have a well defined exception
- Under
- Under
Conditions
:- Select
Include
, then add entries for locations for those that should be blocked - Select
Exclude
, then add entries for those that should be allowed (IMPORTANT: Ensure that all Trusted Locations are in theExclude
list.)
- Select
- Under
Access Controls
, selectGrant
and Confirm thatBlock Access
is selected. - Set
Enable policy
toReport-only
and clickCreate
.
NOTE: The policy is not yet 'live,' since Report-only
is being used to audit the effect of the policy.
Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to On
.
- With your policy now in report-only mode, return to the Azure Active Directory blade and click on
Sign-ins
. - Review the recent sign-in events - click an event then review the event details (specifically the
Report-only
tab) to ensure:- The sign-in event you're reviewing occurred after turning on the policy in report-only mode
- The policy name from step 4 above is listed in the
Policy Name
column - The
Result
column for the new policy shows that the policy wasNot applied
(indicating the location origin was not blocked)
- If the above conditions are present, navigate back to the policy name in Conditional Access and open it.
- Toggle the policy from
Report-only
toOn
.
From Azure PowerShell
First, set up the conditions objects values before updating an existing conditional access policy or before creating a new one. You may need to use additional PowerShell cmdlets to retrieve specific IDs such as the Get-AzureADMSNamedLocationPolicy
which outputs the Location IDs
for use with conditional access policies.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = <"All" | "Office365" | "app ID" | @("app ID 1", "app ID 2", etc...>
$conditions.Applications.ExcludeApplications = <"Office365" | "app ID" | @("app ID 1", "app ID 2", etc...)>
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = <"All" | "None" | "GuestsOrExternalUsers" | "Specific User ID" | @("User ID 1", "User ID 2", etc.)>
$conditions.Users.ExcludeUsers = <"GuestsOrExternalUsers" | "Specific User ID" | @("User ID 1", "User ID 2", etc.)>
$conditions.Users.IncludeGroups = <"group ID" | "All" | @("Group ID 1", "Group ID 2", etc...)>
$conditions.Users.ExcludeGroups = <"group ID" | @("Group ID 1", "Group ID 2", etc...)>
$conditions.Users.IncludeRoles = <"Role ID" | "All" | @("Role ID 1", "Role ID 2", etc...)>
$conditions.Users.ExcludeRoles = <"Role ID" | @("Role ID 1", "Role ID 2", etc...)>
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = <"Location ID" | @("Location ID 1", "Location ID 2", etc...) >
$conditions.Locations.ExcludeLocations = <"AllTrusted" | "Location ID" | @("Location ID 1", "Location ID 2", etc...)>
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "block"
Next, update the existing conditional access policy with the condition set options configured with the previous commands.
Set-AzureADMSConditionalAccessPolicy -PolicyId <policy ID> -Conditions $conditions -GrantControls $controls
To create a new conditional access policy that complies with this best practice, run the following commands after creating the condition set above
New-AzureADMSConditionalAccessPolicy -Name "Policy Name" -State <enabled|disabled> -Conditions $conditions -GrantControls $controls
References
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-report-only
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-7-restrict-resource-access-based-on--conditions
Additional Information
These policies should be tested by using the What If tool in the References. Setting these can and will create issues with logging in for users until they use an MFA device linked to their accounts. Further testing can also be done via the insights and reporting resource in References which monitors Azure sign ins.