Cyber Anxiety

Conditional Access

April 18, 2023 Inbay

In this episode, we break down what Conditional Access is, country restrictions and ensuring that MSPs secure their MFA.

Simon has written a blog where he breaks down everything around Conditional Access which can be found below:
http://blog.sembee.co.uk/post/podcast-conditional-access

Luke Betteridge from Inbay hosts the Cyber Anxiety Podcast, with regular speakers including Daniel Welling from Welling MSP and Simon Butler from Sembee. We created this podcast to help support MSPs through the ever-evolving field of the digital world. The goal is to give tangible tips and strategies that MSPs and others in the tech industry can use while releasing the built-up anxiety around the sector. 

00:00:02:29 - 00:00:22:17
Luke B
Hi, everyone, and welcome back to another Inbay podcast. I'm joined again by the two regular guests, Daniel Welling and Simon Butler. Thank you again for joining us. This is another episode in our Cyber Anxiety series, and today we're going to be focusing on conditional access, which is basically a certain type of access allowed by Azure and Microsoft 365.

00:00:22:17 - 00:00:42:25
Luke B
So I have very basic knowledge of this. I sold it when I used to work for an MSP, and my understanding, in very simple terms, was that it allowed the customer to essentially have multi-factor authentication whenever they were outside the office, but the office was basically a secure hub that allowed people to log in without using multi-factor authentication.

00:00:43:09 - 00:00:54:00
Luke B
But there's obviously so much more that conditional access can offer. So what I'll do is I'll hand over to Simon to give us a bit of an overview of what conditional access is and how it can benefit MSPs.

00:00:55:20 - 00:01:25:17
Simon B
Thank you, Luke. Okay. So conditional access basically is exactly as the words say: it allows you to place conditions on how clients access your tenant, Office 365 and Azure. The conditions can be multiple. This can include things like location, and that could be IP address, or country location for mobile devices. It can also allow you to apply rules to what can access.

00:01:25:19 - 00:01:50:03
Simon B
So that can mean only allowing certain devices to access, or that all the devices need to be secure. And it is one of the best ways of securing both your tenant as an MSP and also your clients' tenants against malicious actors, because a lot of malicious actors will be located outside of the UK. Now, before we start talking about conditional access.

00:01:50:04 - 00:02:16:04
Simon B
The first thing you're going to need to do if you're going to start looking at conditional access is set up a break-glass account. This is effectively an account that allows you to get back into your tenant if you make a mistake with your conditional access rules and lock yourself out. There is a blog post to accompany this series, and I have put the link to how to create an emergency access account in that blog post, and that is the first thing you should do.

00:02:16:04 - 00:02:37:12
Simon B
Set that up. And then, when you start looking at the conditional access rules, when you're doing the rule you put that account in as an exception, so if you do lock yourself out, you can get back in again. So what are we going to do with conditional access? When you start with conditional access, the first thing you will do is put it on report-only.

00:02:38:02 - 00:03:02:02
Simon B
This is an excellent way to scare your clients with what is actually happening, without it actually causing a problem. So when I deploy conditional access, the first time I build a UK-only rule, put it on report-only, and then I go to the client and say, look at all these attempts that are coming from outside of the United Kingdom, and that can be a massive wake-up call for the client.

00:03:02:10 - 00:03:27:18
Simon B
So we haven't actually done anything, we've not changed anything; all we're now doing is showing the client: this is the value you can get from protecting your business. Once we're more happy with that, then we can start to look at potentially actually enabling the country control. But obviously that has a problem if you have staff who travel.

00:03:28:03 - 00:04:01:25
Simon B
So then you need to have a process for putting exceptions in to allow the staff to continue to access their email or SharePoint or whatever when overseas. And then also, you mentioned right at the beginning securing MFA. So another common thing we do with conditional access is we allow multi-factor authentication to be enforced when you're outside of the office, and when you're inside the office the enforcement is not so strict, but it also can help with the initial enrollment for multi-factor authentication.

00:04:02:13 - 00:04:32:13
Simon B
So something I have seen a lot of MSPs do is they don't enforce multi-factor authentication in the office, which is fine, but you then get staff members who are never outside of the office. They get phished for their credentials, and the first thing the bad actor does is add a personal device that the bad actor controls to the account, which then means that they can access your tenant from anywhere, and they're using multi-factor authentication to basically get past your block.

00:04:32:13 - 00:04:42:10
Simon B
So that's sort of the beginning of what we can do in conditional access. There's a lot more we can do with it, but, you know, at a basic level, that's how we would normally get started with it.

00:04:43:26 - 00:04:59:19
Luke B
I was gonna say, so from there, the key, like you said, is to actually do that reporting tool at the very beginning, because, like you said, you're not actually applying any of the rules. You're just showing them, right: if we limit it to the UK, here are all the people that are trying to access from outside, and then it's sort of a case of having that conversation, saying, do you now want to enforce this?

00:04:59:26 - 00:05:15:21
Luke B
You know, you can see everyone who's trying to log in from outside the UK; shall we enforce this rule where we, you know, lock it to the UK only? So is that what you're saying, that probably a key place to start for the MSP is to do that reporting tool and just show their clients what's happening?

00:05:16:01 - 00:05:35:09
Simon B
And the most common account that will be being attacked will be the boss's. Yeah, the CEO account. I remember the first time I ever did it, back when Conditional Access first came out, with one of my older clients, and I got the report and I just put it down in front of him and I said, look, this is the last 48 hours.

00:05:35:13 - 00:06:08:21
Simon B
And it was just constant hammering on his account from some of the really nice places in the world: Nigeria, Uruguay, Brazil, Mexico, China, Russia, Ukraine, the Philippines. I can't remember, it was a few other African countries. And I sort of said, this is, you know, these are all the bad actors who are just trying to get at your account because you're the boss, you know. And it then made it quite an easy sell, because he could actually physically say, you know, he's never been to any of these countries.

00:06:08:21 - 00:06:27:25
Simon B
You know, he goes skiing and, you know, goes to Japan or whatever. But, you know, he doesn't go to Nigeria or anything like that. He has no reason to. So why is it, you know, people are just trying to constantly hammer away at the account? And as with many things in IT, if you can get buy-in at the top level, it's easy to deploy it further down.

00:06:27:25 - 00:06:38:28
Luke B
Oh, definitely. Yeah. And I was going to say, how bespoke can these restrictions get? Obviously we talked about sort of country restrictions, but how much further down and how bespoke can we get when it comes to the restrictions on conditional access?

00:06:40:08 - 00:06:59:24
Simon B
Well, country is the most common one. And the problem we have in the UK is you can get the multi-factor authentication prompt to show you the country or the location it is coming from, but IP address locating in the UK is not very reliable. Yeah, so country is the most common one; you can put it on to IP address if you're really paranoid.

00:07:00:29 - 00:07:25:11
Simon B
So if you've got complete control over everywhere that your clients could connect from. You know, many, many years ago I worked for a customer who effectively had all of their customers, sorry, all of their staff, coming in to their network from IP addresses that they controlled. Static IP addresses. So we could have just listed all of those IP addresses.

00:07:25:11 - 00:07:46:17
Simon B
You can then sort of start to control devices, so you can say they have to be enrolled in Azure or they have to be secure, or, you know, if you're only using Android, you could say, right, you cannot access this from an iPhone, or vice versa. You know, you can then sort of start to really lock it down quite hard.

00:07:46:17 - 00:08:07:01
Simon B
Obviously, the harder it gets, the more complex the rules start to get. And then, unfortunately, you start having to put exceptions in, and that's where it can start to get a bit too complex. And that's when you then start having to look at logs and see what rule is being applied that's keeping a user out.

00:08:07:01 - 00:08:25:27
Simon B
So it's one of these things I try to sort of say: you make it complex, but not too complex, because otherwise it becomes over the top almost, if you like. It becomes difficult for the MSP to manage.

00:08:25:27 - 00:08:40:24
Luke B
I was gonna say, once it gets kind of messy, you're then going to start running into issues of people not being able to work, like we spoke about before, someone going on holiday and trying to log in when they're on the way, and things like that. Like you said, if you have too many exceptions you're just going to run into more issues, I imagine.

00:08:41:01 - 00:08:47:26
Simon B
And what happens is that people, the MSP, will put the exception in and then not remove it.

00:08:47:26 - 00:08:49:14
Luke B
Yeah, so you're opening yourself up again.

00:08:50:07 - 00:09:08:02
Simon B
Exactly. Yes. You know, particularly if you go and get some, you know, a heavy traveller or somebody, you know, who is away, unfortunately, like the CEO, you know, who goes on holiday quite a lot. And, you know, I've sat at MSPs' conditional access rules and they've got, you know, an exception in there, and it's got, you know, half the countries of the world in there, because they're never cleaning it up.

00:09:08:18 - 00:09:14:17
Luke B
In which case it defeats the point of having it in the first place, if you're going to have an exception for half the world anyway.

00:09:14:24 - 00:09:35:08
Simon B
Yes. So that's why having robust processes in place, again, this is the MSP having a robust process in place to say, right, we put a conditional access rule in for Spain for, you know, the sales director, he's away for two weeks; therefore we need to have a process to remove that exception after two weeks, for example.

00:09:35:08 - 00:09:54:28
Luke B
No, that makes complete sense. And a question I've got for both of you, really, is: if you're an MSP who hasn't really delved into looking at conditional access before and you want to approach your clients to discuss this, what do you believe is the best approach, or that initial approach, when speaking to your clients around conditional access?

00:09:54:28 - 00:10:51:04
Daniel W
Yeah, I'll field this one initially, Luke. Yeah, I think really this is one of a number of topics that should be, and more and more MSPs are today, covering off in regular structured communication with their customers. We're all now very familiar with the term QBR, or TBR if it's not a quarterly business review but a technology business review, or an MBR, a monthly business review, or whatever the frequency, but effectively having a process of educating the customer on all of the different attributes of their IT that they must become more familiar with, and for the MSP to educate them over time, starting with, you know, the

00:10:52:04 - 00:11:26:13
Daniel W
lowest cost, the biggest impacts, you know, whatever the prioritisation is that you establish with the customer based on what their appetite for risk is and what they can afford to put in the budget to support it. So as we were talking before about, you know, MFA cuts out so much risk and is effectively such a simple, low-cost activity; conditional access builds on that.

00:11:26:13 - 00:12:14:07
Daniel W
But there will always be more and more that you can do. And I think you didn't ask this question, but I'll mention it anyway. The elephant in the room here is not just knowledge of the MSP and the customer around this topic, but also the commercial impact, because all of this takes time. You know, it adds complexity, and the MSP now needs to be covering this off either via an additional charge or, if they're including this activity within their base pricing, their base pricing needs to allow for the time for this, and one feeds the other.

00:12:14:07 - 00:12:37:21
Daniel W
So you demonstrate the value of your price points to the customer by explaining all of the things that you're doing. And so, yes, the MSPs I feel for are those that are operating at a low price point and not doing this, and therefore having the concern themselves as to how they can tackle it.

00:12:37:21 - 00:12:57:02
Daniel W
And of course for their customers that aren't getting the advice that they need. But yeah, I think generally this is part of continued education of the customer, and that needs to be baked into how the MSP works with their customer.

00:12:57:02 - 00:13:17:16
Luke B
Oh, brilliant, that makes complete sense, and like I said, I think there are some key takeaways from this. Obviously the security side of conditional access is a key part, but it's also, like you said, there's a financial implication for the MSPs. And also, like we said, there's a lot of stuff around process. There's a lot of focus on process and making sure that, as MSPs, you've got these processes right with your clients.

00:13:17:22 - 00:13:23:22
Luke B
You're working alongside your clients, educating your clients around that process to make sure that this is going to be a solution that works for everyone.

00:13:24:20 - 00:13:51:08
Daniel W
I think you've got it in one, and any MSPs listening, I'd encourage them to check out Simon's blog post for some of the detail, and then set a target as to how to implement this within their customer base, and start the process.

00:13:51:08 - 00:14:21:20
Simon B
Well, I would say they need to start it on their own tenant to begin with. You know, as an MSP you really should be, to use Microsoft's phrase, "eating your own dog food", and you should have all of these restrictions on your own tenant to begin with. That should be a good learning curve for the MSP techs themselves, so they realise how it impacts their operations, which means it'll be easier for them to sell it, for want of

00:14:21:20 - 00:14:47:17
Simon B
a better word, from a technical point of view as well as a sales point of view, to the customer. They can say, look, we've had it running on our tenant for six months. It's had, you know, this amount of impact, which should be minimal if they've done it right. You know, but here's the report. As I said at the beginning, the reporting that Office 365 gives you is the best way of demonstrating the value to the customer, because it shows you the countries, it shows you the login attempts.

00:14:47:17 - 00:15:15:23
Simon B
It just shows you the constant attack that the tenant is almost certainly going to be under. And it's only the fact that, without it, without MFA, it does the same thing, the only thing that's stopping the bad actor from getting in is going to be a password. And if your password happens to be something pretty basic that's based on one of your kids' names that they can find out from your LinkedIn profile, it's only a matter of time before that account gets compromised.

00:15:17:03 - 00:15:33:09
Luke B
I don't want to think about how many passwords are that easy to hack into. But yeah, no, that's a very good point, actually, that the MSPs should be enabling this themselves first. Naturally, when we talk about the processes, a good way to nail those processes is to do it in terms of yourself. And then, you know, when you bring it to the client, it's going to be a smooth process.

00:15:33:16 - 00:15:53:01
Luke B
You know, it's going to be, hopefully, smooth sailing for that customer, and you're not going to run into any issues where people are being locked out or you're exposing them when you're promising them this is a secure solution. So that's a great piece of advice. So thank you very much, guys. I really appreciate you joining us today for a podcast on Conditional Access.

00:15:53:10 - 00:16:03:15
Luke B
And again, obviously, make sure you check out Simon's blog post on this, and please feel free to reach out to us if you have any questions around this or want to discuss it further. Thank you very much.

00:16:04:03 - 00:16:05:16
Daniel W
Thank you, Luke.