Hey everyone! We've been transitioning our team from using SSLVPN/IPSec remote access with OTP to Azure VPN via Entra Authentication, and so far it's been going great for enterprise access. Recently, I saw that Sophos introduced Entra SSO for VPN access, which got me thinking about the risk of token theft. If an attacker steals an MFA token like they do to get into Office 365, does that create a significant vulnerability for accessing our Azure VPN? I know we could explore conditional access, but it doesn't seem detailed enough to enforce MFA challenges per application. Plus, geoblocking might just be a temporary fix for IP issues. Would it be smarter to stick with OTP through the firewall vendor instead? What are your thoughts on this? Am I missing something important?
4 Answers
This is where Virtual Desktop Infrastructure (VDI) really shines; it keeps the data secure by not allowing it on non-company devices.
You can configure Conditional Access to require reauthentication every 15 minutes. I'd recommend using phishing-resistant MFA, like passkeys from an Authenticator App; these are much safer than regular MFA options. You can also set CAP to need compliant devices for VPN access, which is really tough for hackers to bypass.
There are many capabilities you can leverage with Conditional Access tailored to Azure VPN. Enforce phishing-resistant MFA methods like Windows Hello or YubiKey, adjust sign-in frequency to minimize token lifespan, and ensure your devices are compliant or hybrid-joined. If you haven't already, consider looking into Entra P2 licensing, as it unlocks the ability to implement these protective policies.
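As an added example that is not part of any answer in this thread, here is how the controls this answer lists (phishing-resistant authentication strength, compliant device, short sign-in frequency) look as one Conditional Access policy created with the Microsoft Graph PowerShell SDK. The group and application IDs are placeholders to replace with your tenant's values; the authentication strength ID is Microsoft's built-in "Phishing-resistant MFA" strength.

```powershell
# Added example: one Conditional Access policy for the Azure VPN app.
# Assumes Microsoft.Graph PowerShell SDK is installed and the signed-in admin
# can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$vpnUsersGroupId = "<object-id-of-VPN-users-group>"                 # placeholder
$azureVpnAppId   = "<application-id-of-Azure-VPN-enterprise-app>"   # placeholder
# Built-in "Phishing-resistant MFA" strength (FIDO2/passkey, Windows Hello, CBA).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
  displayName = "VPN - phishing-resistant MFA, compliant device, 1h sign-in"
  # Start in report-only mode and review sign-in logs before setting "enabled".
  state = "enabledForReportingButNotEnforced"
  conditions = @{
    users          = @{ includeGroups = @($vpnUsersGroupId) }
    applications   = @{ includeApplications = @($azureVpnAppId) }
    clientAppTypes = @("all")
  }
  grantControls = @{
    operator        = "AND"                    # every listed control must be met
    builtInControls = @("compliantDevice")     # Intune-compliant device required
    authenticationStrength = @{ id = $phishingResistantStrengthId }
  }
  sessionControls = @{
    signInFrequency = @{
      isEnabled          = $true
      type               = "hours"             # Graph accepts "hours" or "days"
      value              = 1                   # a stolen token is only good for 1h
      frequencyInterval  = "timeBased"
      authenticationType = "primaryAndSecondaryAuthentication"
    }
  }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Keep a break-glass account excluded from the policy before enabling it, and confirm in the sign-in logs that VPN sign-ins show the expected "Report-only" result first.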
Going the conditional access route could help you restrict the VPN to corporate-owned devices. Just be aware that if Microsoft doesn't flag the stolen token as suspicious, that's definitely a vulnerability to highlight.