Enable Fraud alert in Azure as a counter measure against threats like MFA fatigue

-

With the recent spate of IT security breaches involving #okta #mfafatigue to name a few, the importance of implementing strong security measures has been put into question once again. Through this blog, I wanted to cover enabling Fraud alert as one of the counter measures, especially against MFA fatigue. 

So what is MFA fatigue?

In simple terms, MFA fatigue is tricking users into allowing device access due to overload of push notifications through Authenticator App. There are many ways one can about addressing this. Ideally organizations should consider going password-less by replacing push notifications with phone sign-in to thwart threats like MFA fatigue. In case this is not an option or the organization is not ready to implement it right away, then you can consider implementing fraud alert as a counter measure.

What is a Fraud Alert?

As the name suggests, the fraud alert feature lets users report fraudulent attempts being made to access corporate resources using their credentials. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using the Microsoft Authenticator app or through their phone.

There are currently 2 ways to report a fraud:

1. Automatically block users who report fraud - If a user reports fraud, the Azure AD Multi-Factor Authentication attempts for the user account are blocked for 90 days or until an administrator unblocks the account.

2. Code to report fraud during initial greeting - When users receive a phone call to perform multi-factor authentication, they can provide the configured code followed by # key. Default is 0# to report a Fraud and just pressing # allows normal sign-in.

Enable Fraud Alert

Enabling Fraud alert is simple task and can be done in a matter of a couple of steps:

1. Navigate to Azure Active Directory > Security > MFA > Fraud alert.
2. Set Allow users to submit fraud alerts to On.
3. Set Automatically block users who report fraud to On.
4. Set Code to report fraud during initial greeting to 0 or digit of your choice. Note: For this to work, Call phone will need to be enabled as one of the verification method against MFA. I have covered the steps in the blog below to enable it.

4. Select Save.

To enable Call phone as a verification method see below:

1. Navigate to Azure Active Directory > Security > MFA > Additional cloud-based MFA settings.
2. Under Verification options, selection Call to phone.
3. Hit Save.


Enable Fraud Alert Notifications

It is advisable to alert Fraud alert notifications for real time reporting. This way security administrators can swing into action immediately.

To configure fraud alert notifications:

1. Navigate to Azure Active Directory > Security > Multi-Factor Authentication > Notifications.
2. Enter the email address to send the notification to.
3. Hit Save.

End User Experience & validation

When users suspects fradulent activity, depending on the method of MFA authentication, they will be presented with the options to report a fraud.

Denying MFA Authenticator App push notification and then reporting a fraud.




With the 'call to phone' MFA authentication option, the user will receive a call with a greeting informing the user about the option of reporting a fraud if they suspect fraudalent activity using their credentials. At this stage, the user can press 0# and report a fraud. I cannot demonstrate it here, but the fraud alerts will be captured in both Azure sign-ins & audit logs.





At this stage, the administrators will revice the Fraud alert mail notification and can also directly take action against the reported account under Blocked accounts under Security -> MFA->Block/unblock users.



Conclusion

In my opinion, it just makes sense to enable and configure Fraud alert regardless of how your MFA is configured. There are other security measure that you can take like enabling password-less, but more on that later. Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more