Office 365 & AAD baseline security one-sliders

Tips

  • The following one-sliders (kind of) also work together:
    • The authentication, authorization and session compartments line up with the triangle when you place the inverted triangle side by side with the bottom slide

External references

https://docs.microsoft.com/en-us/office365/enterprise/microsoft-cloud-it-architecture-resources

https://aka.ms/M365GoldenConfig

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2MHP5

https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c

https://cloudblogs.microsoft.com/microsoftsecure/2019/01/10/best-practices-for-securely-using-microsoft-365-the-cis-microsoft-365-foundations-benchmark-now-available/

Creating Custom Multi-Factor Authentication Client with Azure Functions

I used to do quite a bit of availability testing in the past, but never got to test how virtual login flows would work with transient (non-persistent) one-time passwords.

It wasn’t until recently that I got an assignment to do something that monitors an MFA system. During the assignment I stumbled on something called PyOTP, which pairs quite well with Azure Functions. After the assignment was over I decided to write this blog post to share some details:

This post covers the creation of an MFA client using Azure Functions and PyOTP. If you’re interested in how one-time passwords actually work, check the RFCs referenced below (RFC 4226 for counter-based HOTP, RFC 6238 for time-based TOTP) for in-depth information:

Disclaimer: The information in this weblog is provided “AS IS” with no warranties and confers no rights.

How does it work?

Prerequisites:

  1. Azure Subscription with possibility of creating Azure Functions
  2. Your MFA implementation is compatible with RFC4226 and RFC6238
    • Examples: Microsoft MFA, RCdevs OpenOTP and many others

Azure Functions

  • Create New Azure Function (consumption plan will suffice)
  • Locate platform features, and select Advanced Tools (Kudu)


  • Update the Python version to 3.5.2 using the guide Azure Functions Python
    • I opted to install ’python-3.5.2-embed-win32’
      • Slightly earlier or later versions should work just as well, I suppose
    • Drag & drop the correct package to d:\home\site\tools (it will unzip automatically)


PYOTP

This part covers the installation of PyOTP, a Python library for generating and verifying one-time passwords. Read more at https://github.com/pyotp/pyotp

  • Install PyOTP from the PowerShell or CMD console in Kudu (the --target puts the package next to the embedded interpreter installed above):

python -m pip install pyotp --target=d:\home\site\tools


Fetch the key from your MFA solution; in the example I use Microsoft MFA:

  •  Use the URL MFA Enroll
    • Select ’Configure app with notifications’ and take note of the ’Secret Key’


  • Create Python HTTP trigger
    • Remember to toggle ’Experimental Language Support = Enabled’


  • Test the function with the ”MFA key” fetched from MFA and inserted into the code.
    • In production code you might not want to have the secret key in plaintext; for this prototype I opted for the low-hanging fruit :)…
import os
import platform

# Goes to the function log; handy for confirming that the Kudu-installed interpreter is the one running
print("Python == ", platform.python_version())

import pyotp

# The ’Secret Key’ shown by the MFA enrolment page is a base32 string, which is the form pyotp.TOTP expects.
# Prototype only: a real deployment would read it from an application setting (os.environ) instead of hard-coding it.
totp = pyotp.TOTP('YourMFAKeyHere')
s = totp.now()  # already a zero-padded string of digits, e.g. '012345'

# Experimental (v1) Python model: the HTTP response body is whatever gets written to the file named by the 'res' variable
with open(os.environ['res'], 'w') as response:
    response.write(s)
  • Output should now display the OTP in the response
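To see what pyotp.TOTP(key).now() in the function above actually computes, and what the MFA side then has to do with the value it receives, here is an added example that is not part of the original post: RFC 4226 (HOTP) and RFC 6238 (TOTP) implemented with the Python standard library only and checked against the RFCs’ own test vectors. The grouped base32 key ’jbsw y3dp ehpk 3pxp’, the fixed timestamps and the TotpVerifier class (drift window plus replay protection) are constructed for the example; the secret ’12345678901234567890’ is the one the RFCs use.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_key(key):
    """Turn the 'Secret Key' as an enrolment page shows it (grouped, lower case,
    no '=' padding) into raw bytes. base64.b32decode insists on upper case and padding."""
    cleaned = "".join(key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian), dynamic truncation,
    then keep the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP whose counter is floor(unix_time / step). This is what
    pyotp.TOTP(key).now() returns for the base32 key from the enrolment page."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits, algorithm)


class TotpVerifier:
    """Constructed for the example: what a verifying side has to do with a submitted
    code. Tolerate a little clock drift (`window` steps either side) but never accept
    a step at or before the last accepted one, so a captured code cannot be replayed."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code, at=None):
        now = int(time.time()) if at is None else at
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay, or older than a code that was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


# Test vectors from RFC 4226 Appendix D and RFC 6238 Appendix B (SHA-1 column);
# secret is the ASCII string "12345678901234567890" in both RFCs.
RFC_SECRET = b"12345678901234567890"
RFC4226_HOTP = ["755224", "287082", "359152", "969429", "338314",
                "254676", "287922", "162583", "399871", "520489"]
RFC6238_TOTP = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}


def rfc_vectors_pass():
    """True when both implementations reproduce every published test vector."""
    hotp_ok = all(hotp(RFC_SECRET, c) == v for c, v in enumerate(RFC4226_HOTP))
    totp_ok = all(totp(RFC_SECRET, at=t, digits=8) == v for t, v in RFC6238_TOTP.items())
    return hotp_ok and totp_ok


if __name__ == "__main__":
    # Constructed example key, written the way an enrolment page would display it
    key = decode_base32_key("jbsw y3dp ehpk 3pxp")
    print("RFC vectors pass:", rfc_vectors_pass())
    print("current code for the example key:", totp(key))
```

The window of one step either side is what most verifiers use; widening it buys tolerance for badly synced clocks at the cost of more codes being valid at once, while the last-accepted-step check is what stops a monitor (or an attacker) that captured a code from using it a second time within the same step.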


Consuming OTP’s

  • Choose your coding/scripting language and just add a simple REST call to it:
    • Get the function URL (it includes the function key) from ’Get function URL’ in the portal, and call it from the part of your code where you fetch the OTP and hand it over for verification
    • If possible, restrict who can call the function, for example to a known range of source IPs. This is not required for the prototype to work, but the function URL carries the function key and anyone holding it can mint valid OTPs for the enrolled account, so the URL deserves the same care as the secret key itself

Below is the snippet of that part where the OTP is delivered to the login form:

  • PowerShell is just too easy, and keeps me from learning new languages :)… so I opted for it (once again) to create the prototype:
# SendKeys and AppActivate live in these assemblies, which are not loaded by default
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName Microsoft.VisualBasic

# $ieProc is the browser process hosting the login form, obtained earlier in the script (e.g. $ieProc = Get-Process iexplore)
$OTP = Invoke-RestMethod -UseBasicParsing -Uri "APIURIHERE" -Method Post   # function URL including its key
$keys = $OTP -split "" | Where-Object { $_ -ne "" }   # -split "" yields empty edge entries; drop them to get one digit per element
[Microsoft.VisualBasic.Interaction]::AppActivate($ieProc.Id); Start-Sleep -Seconds 1

foreach ($key in $keys)
{
    Start-Sleep -Milliseconds 20
    [System.Windows.Forms.SendKeys]::SendWait("{$key}")
}

 

Hope this helps somebody 🙂 – I for sure had a blast doing it!
Br,
Joosua