We're a company of 290 users, all on Business Premium, and we've experienced multiple phishing attempts recently. Although our Barracuda Sentinel alerts us quickly, we still want to strengthen our security. Right now, we're using multi-factor authentication with varying methods, and we've hybrid joined every computer. We're also in the process of enrolling mobile devices in Intune. Our policies in Entra include blocking access for unsupported devices, allowing only certain countries, and requiring MFA for all users—though I wonder about redundancy for admins since they're counted in the all-users policy.
Now, I want to enable a template policy that requires a compliant or hybrid Azure AD joined device or MFA for all users. My question is, if we don't want users to log in from any device other than their company laptops or mobile devices, does that template allow access from any device as long as they pass MFA? Do I need to modify this policy to make sure only managed devices can access resources? Any tips on setting up these policies correctly to block session hijacking attacks would be greatly appreciated!
2 Answers
To really block phishing, you need to implement phishing-resistant MFA methods. Since you're all Windows, have you thought about using Windows Hello for Business? It’s super convenient and FIDO2 certified, which is a bonus. Also, make sure everyone moves away from SMS for MFA really fast—attackers can intercept those messages easily.
For your policies, blocking access based on location can be tricky since users can VPN anywhere. Ideally, you shouldn't relax MFA requirements for users in trusted locations. As for your concern with the template policy, you can customize it! Just focus on requiring that only compliant or hybrid Azure AD joined devices get access, and it’s cool to remove the MFA part if that’s what you want. Ultimately, you want to ensure all sign-ins are controlled by your policies to minimize risk.
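To make the customization concrete, here is an added example (my own Python, not Microsoft's code or anything from the thread) that builds the Graph API policy body for both the template's grant controls and the managed-device-only variant, then evaluates constructed sign-ins against each so you can see which ones the MFA fallback lets through. The break-glass group id is a placeholder, the sign-in records are constructed, and the evaluator is a simplified model of the grant-control OR/AND logic, not the full Conditional Access engine.

```python
"""Compare the CA template's grant controls with a managed-device-only variant."""
import json

# Grant controls of the "Require compliant or hybrid Azure AD joined device or MFA"
# template: with operator OR, satisfying ANY one of the three controls is enough,
# so an unmanaged device that completes MFA is still granted access.
TEMPLATE_GRANT = {"operator": "OR",
                  "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"]}

# Tightened variant: drop "mfa" so only an Intune-compliant or hybrid-joined
# device satisfies the grant. ("domainJoinedDevice" is the Graph name for hybrid joined.)
MANAGED_ONLY_GRANT = {"operator": "OR",
                      "builtInControls": ["compliantDevice", "domainJoinedDevice"]}


def policy_body(display_name, grant, break_glass_group_id="<break-glass-group-id>"):
    """POST body for /identity/conditionalAccess/policies; starts in report-only mode."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # flip to "enabled" after review
        "conditions": {
            # Placeholder group id: always exclude emergency-access accounts.
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": grant,
    }


# Which sign-in attribute satisfies each built-in control (simplified model).
_SATISFIES = {
    "mfa": lambda s: s["mfa"],
    "compliantDevice": lambda s: s["device"] == "compliant",
    "domainJoinedDevice": lambda s: s["device"] == "hybridJoined",
}


def grant_allows(grant, signin):
    """OR: any listed control met grants access; AND: every control must be met."""
    met = [_SATISFIES[c](signin) for c in grant["builtInControls"]]
    return any(met) if grant["operator"] == "OR" else all(met)


# Constructed sign-ins (not real telemetry).
SIGNINS = {
    "personal_laptop_mfa": {"device": "unmanaged", "mfa": True},
    "personal_laptop_no_mfa": {"device": "unmanaged", "mfa": False},
    "hybrid_laptop": {"device": "hybridJoined", "mfa": False},
    "intune_phone": {"device": "compliant", "mfa": False},
}

if __name__ == "__main__":
    print(json.dumps(policy_body("Require managed device for all users", MANAGED_ONLY_GRANT), indent=2))
    for name, s in SIGNINS.items():
        print(f"{name:24} template={grant_allows(TEMPLATE_GRANT, s)!s:5} "
              f"managed_only={grant_allows(MANAGED_ONLY_GRANT, s)}")
```

Running it shows the personal laptop with MFA allowed under the template but denied under the managed-only grant, while hybrid-joined and compliant devices pass both.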
Definitely look into customizing your policies for your specific needs. You're not limited to just the templates. For your specific use case, ensuring only the devices you manage can access your resources will help significantly.
I’d also recommend looking into token protection, as it offers an additional layer of security for your resources. Even though it's limited in support, it's available to P1 customers, like you. Just keep pushing toward having 100% of sign-ins covered with Conditional Access to close any gaps in security.
Great advice! I’ll definitely customize the policies as per our requirements. Token protection sounds like it could add more security for us, so I’ll look into that too.
Thanks for the tips! We’re already moving users away from SMS. Regarding the location-based requirements, I plan to tighten it once all devices are enrolled. I just want to make sure that if a hybrid device accesses resources, it’s considered compliant.