The Zero Trust Betrayal: Why Your Trusted Office IP is Your Greatest Security Liability

Introduction:

Conditional Access policies in Microsoft Entra ID are the cornerstone of a modern Zero Trust security architecture. However, a pervasive and dangerous misconfiguration—bypassing Multi-Factor Authentication (MFA) for “Trusted Locations” like the corporate office IP—creates a critical vulnerability, effectively handing attackers the keys to your kingdom from inside your own network.

Learning Objectives:

  • Understand the critical security flaw of IP-based MFA bypass and its contradiction of Zero Trust principles.
  • Learn how to leverage modern authentication tokens like the Primary Refresh Token (PRT) for a seamless yet secure user experience.
  • Master the commands and configurations to audit, identify, and remediate this misconfiguration in your own Entra ID tenant.

You Should Know:

1. Auditing Your Conditional Access Policies for MFA Bypass

The first step to remediation is discovery. You must identify any policies that grant access based solely on network location.

Microsoft Graph PowerShell Module Command:

Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" -and $_.Conditions.Locations.ExcludeLocations -contains "AllTrusted" } | Format-List DisplayName, State, Id

Step-by-step guide:

This PowerShell snippet uses the Microsoft Graph PowerShell module to connect to your Entra ID tenant and list all Conditional Access policies. It filters the results to show only policies that:
– Require MFA as a grant control (BuiltInControls -contains "mfa")
– Exclude “All Trusted Locations” from their scope (ExcludeLocations -contains "AllTrusted"), which is how the trusted-location bypass is actually expressed in a policy
Running this displays the name, state (enabled/disabled), and unique ID of any non-compliant policies, allowing you to target them for immediate review and deactivation.

2. Enumerating All Defined “Trusted Locations”

Trusted Locations are the network perimeter definitions you must scrutinize. This command lists them all.

MSOnline PowerShell Module Command (Legacy but effective):

Connect-MsolService
Get-MsolTrustedIpAddress | Select-Object IpAddress, RangeStart, RangeEnd | Format-Table

Step-by-step guide:

This command connects to Azure AD using the older MSOnline module, which still provides a clear view of configured trusted IPs. It outputs each trusted IP range, showing the specific address or the start and end of a range. Review this list critically: is every single IP range still necessary and secure? Any range that encompasses general office subnets is a prime candidate for removal.
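As an added example that is not from the original article, the audit of sections 1 and 2 done entirely with the Microsoft Graph PowerShell SDK (the MSOnline module is legacy): it resolves every named location to its trusted flag and CIDR ranges, then flags MFA policies that exclude "AllTrusted" or a trusted named location, which is how the bypass appears in a real policy. It assumes the Microsoft.Graph.Identity.SignIns module and the Policy.Read.All scope.

```powershell
# Added example, not from the original post: Graph PowerShell SDK audit that replaces the
# legacy MSOnline step. Assumes Microsoft.Graph.Identity.SignIns and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Resolve every named location; IP-based ones carry an 'isTrusted' flag and CIDR ranges.
$locations = @{}
foreach ($loc in Get-MgIdentityConditionalAccessNamedLocation -All) {
    $locations[$loc.Id] = [pscustomobject]@{
        Name      = $loc.DisplayName
        IsTrusted = [bool]$loc.AdditionalProperties['isTrusted']
        IpRanges  = @($loc.AdditionalProperties['ipRanges'] | ForEach-Object { $_['cidrAddress'] })
    }
}

"Trusted IP named locations (every range here can carry an MFA bypass):"
$locations.Values | Where-Object IsTrusted |
    Select-Object Name, @{ n = 'IpRanges'; e = { $_.IpRanges -join ', ' } } | Format-Table -AutoSize

# The bypass is an *exclusion*: a policy that requires MFA (classic control or an
# authentication strength) but carves "AllTrusted" or a trusted named location out of scope.
$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    if (-not $requiresMfa) { continue }

    $trustedExcluded = @($p.Conditions.Locations.ExcludeLocations) | Where-Object {
        $_ -and ($_ -eq 'AllTrusted' -or ($locations.ContainsKey($_) -and $locations[$_].IsTrusted))
    }
    if ($trustedExcluded) {
        [pscustomobject]@{
            Policy   = $p.DisplayName
            State    = $p.State           # disabled policies still deserve cleanup
            Excluded = ($trustedExcluded | ForEach-Object {
                           if ($locations.ContainsKey($_)) { $locations[$_].Name } else { $_ }
                       }) -join ', '
            Id       = $p.Id
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No MFA policy excludes a trusted location." }
```

Policies in report-only state are reported too, since they are one click away from becoming an enforced bypass.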

3. Leveraging Device Compliance for Secure Access

Instead of trusting a network, trust the device’s security posture. This is a core Zero Trust principle.

Conditional Access Policy Configuration (Azure Portal):

Navigate to: Microsoft Entra Admin Center > Protection > Conditional Access > New policy
Under Conditions > Device platforms: Configure for applicable platforms (Windows, macOS, etc.).
Under Conditions > Client apps: Select modern authentication clients (Browser, Mobile apps, desktop clients).
Under Grant: Select “Require device to be marked as compliant”.

Step-by-step guide:

This GUI-based configuration creates a policy that grants access only if the device attempting to sign in is managed and compliant with your Intune security policies (e.g., encryption enabled, firewall on, OS version supported). This ensures access is granted based on the identity of the device, not the network it’s on, which is far more secure and aligns with Zero Trust.
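As an added example that is not part of the original article, the same compliant-device policy created with the Microsoft Graph PowerShell SDK in report-only mode, so its effect shows up in sign-in logs before anyone is locked out. It assumes the Policy.ReadWrite.ConditionalAccess and User.Read.All scopes and a break-glass account UPN (placeholder) to exclude.

```powershell
# Added example, not from the original post: create the policy from the GUI steps above
# via Graph, in report-only mode. Assumes Policy.ReadWrite.ConditionalAccess, User.Read.All
# and a break-glass account (placeholder UPN) that stays excluded from every CA policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

$breakGlass = (Get-MgUser -UserId "<breakglass@yourdomain.com>").Id   # placeholder UPN

$policy = @{
    displayName = "Require compliant device (replaces trusted-IP MFA bypass)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows", "macOS") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        # Deliberately no 'locations' block: trust the device posture, not the network.
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object DisplayName, State, Id
```

Review the report-only results in the sign-in logs for a few days before flipping the state to "enabled".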

4. Implementing Continuous Access Evaluation for Real-Time Session Security

Continuous Access Evaluation (CAE) automatically revokes access in real time based on critical events, making long-lived network-based trusts obsolete.

Check CAE Status via Microsoft Graph API Call:

curl -X GET "https://graph.microsoft.com/beta/policies/continuousAccessEvaluationPolicy" -H "Authorization: Bearer {ACCESS_TOKEN}"

Step-by-step guide:

This API call fetches the current CAE policy for your tenant. CAE can shorten token lifespans and react instantly to threats like password changes or user disablements. By enabling CAE (configurable in the Entra ID portal under Security > Continuous access evaluation), you reduce dependency on long-standing network-based sessions, mitigating the risk if an attacker does gain access to your internal network.

5. Configuring Windows Hello for Business for Seamless MFA

Windows Hello for Business (WHfB) is a strong, phishing-resistant credential that satisfies MFA requirements transparently for the user.

Verify WHfB Configuration via Intune (PowerShell):

Get-MgDeviceManagementDeviceConfiguration -All | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windowsIdentityProtectionConfiguration' } | Select-Object DisplayName, Id

Step-by-step guide:

While full WHfB deployment is configured in Intune profiles, this command (which needs the DeviceManagementConfiguration.Read.All scope) lists the Intune Identity Protection device configuration profiles that carry the WHfB settings. WHfB uses asymmetric key cryptography: the private key is secured by the device’s TPM (Trusted Platform Module), and the public key is registered with Entra ID. When a user signs in with WHfB (via PIN or biometrics), the device cryptographically proves possession of that key, and the resulting Primary Refresh Token (PRT) carries the MFA claim. This eliminates user MFA prompts on trusted devices without resorting to insecure network-based bypasses.

6. Utilizing Temporary Access Pass (TAP) for Secure Device Provisioning

For scenarios like Autopilot provisioning where a user needs to authenticate on a new device, use a time-limited TAP instead of permanently excluding service accounts.

Create a Temporary Access Pass in Entra ID (PowerShell):

New-MgUserAuthenticationTemporaryAccessPassMethod -UserId "<user@yourdomain.com>" -IsUsableOnce:$false -LifetimeInMinutes 60

Step-by-step guide:

This command generates a Temporary Access Pass for a specified user, valid for 60 minutes and usable multiple times within that window. During the Autopilot Out-of-Box Experience (OOBE), the user enters their username and this TAP instead of a password. They are then guided to set up Windows Hello for Business and complete MFA registration. This is infinitely more secure than creating permanent MFA exemptions for powerful IT service accounts, which are high-value targets for attackers.

7. Monitoring for Risky Sign-Ins with Entra ID Identity Protection

Proactive monitoring is essential. Identity Protection detects sign-ins from anonymized IPs, which attackers use even from within a corporate network.

Microsoft Sentinel KQL Query for Anonymous IP Sign-Ins:

SigninLogs
| where ResultType == "0"
| where RiskEventTypes_V2 has "anonymizedIPAddress"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location, RiskLevelDuringSignIn

Step-by-step guide:

This Kusto Query Language (KQL) query runs in Microsoft Sentinel against the SigninLogs table to hunt for successful sign-ins (ResultType == "0") that Identity Protection flagged as coming from an anonymizing proxy (RiskEventTypes_V2 has "anonymizedIPAddress"). An attacker who has breached your internal network may route traffic through such proxies to bypass IP-based controls. Finding this activity indicates a potential breach that your “trusted location” policy would have entirely missed.

What Undercode Say:

  • The Perimeter is Dead, Stop Defending It: The concept of a “trusted internal network” is a dangerous anachronism. Modern attacks, including sophisticated phishing and supply chain compromises, originate from inside this perimeter. By configuring policy based on this false sense of security, you are systematically weakening your entire defensive posture for the sake of minor user convenience.
  • User Experience is Not a Valid Excuse for Weak Security: The argument that “users don’t want to cope with MFA” is negated by technologies like the Primary Refresh Token (PRT) and Windows Hello for Business. These provide a frictionless and secure sign-in experience. Leveraging them correctly demonstrates that security and usability are not mutually exclusive but are instead complementary goals in a mature Zero Trust architecture.

Prediction:

The continued reliance on network-based trust models will be a primary attack vector in the coming years, leading to a significant rise in “inside-out” breaches. Threat actors, aware of this common misconfiguration, will increasingly pivot to targeting corporate networks directly through unpatched vulnerabilities, social engineering of remote employees, or compromised guest Wi-Fi. Once inside, they will operate with impunity, as the organization’s own Conditional Access policies will grant them trusted access to critical data and applications. The organizations that proactively eliminate these IP-based trusts and fully embrace device-based and user-based conditional access will be the ones to mitigate this looming wave of attacks successfully.

Reported By: Lewis Barry – Hackers Feeds