Setting up the Lab539 hosted Conditional Access service
This post details how to use the Lab539 Adversary in The Middle service to subscribe to the conditional access service and benefit from a named location feed that is updated in real time.
Description
The hosted conditional access feed service is a service operated by Lab539 which, in real time, updates a named location within your Microsoft Azure environment. This ensures that you always have the most up to date data for protecting your environment.
Whilst there are multiple named location feeds now available, this post will focus on the AiTM feed, but the information is directly transferable to other feeds.
The AiTM feed lists the backend AiTM infrastructure that performs the authentication component of an AiTM attack, i.e. the IP addresses you will see logging into your Microsoft environment if a user is successfully targeted. These will often not correspond to the IP address of the frontend infrastructure (e.g. the phishing website). Blocking access to this backend infrastructure will not prevent it from authenticating to your environment, but blocking access from it will. This is why conditional access policies are used to achieve this.
The Lab539 service does not configure any conditional access policies for you. But it provides access to named locations that you can use in your conditional access policies and it keeps those named locations up to date for you.
The curation of the named location data is important. Named locations can only hold a finite amount of data, which is much less than the amount of infrastructure that we track. We therefore perform some logic based upon a number of factors in order to fit within the constraints that Microsoft pose.
The named location data is available in a curated form from the API if you prefer to host and operate a named location update service yourself.
Video Overview
This short video shows the process for enrolling and enabling the conditional access/named location service:
Initial Enrolment
In order to utilise the service you must authorise the service. This can be done from within the “Conditional Access, Named Location Management” section of the portal (https://portal.lab539.io). If you have not yet logged into the portal you can do so using the email address you specified during registration.
Configuring a user is done by clicking the icon in the top right that looks like a user with a cog. This will direct you to the Microsoft authentication service where you can select, or enter, the user account which you would like to use to authorise this service:
You should select a user account that has the permission to grant admin consent, as the account will be presented with an admin consent screen which will need to be accepted. This does not need to be the user that you are logged into the portal as. The only requirement is that the user holds the Conditional Access Administrator permission. Due to the nature of this service there is also a requirement to grant admin consent the first time a user in your tenant is configured.
Application Permissions
The "Lab539 AiTM Conditional Access Service" application requires the following permissions in order to operate:
Policy.ReadWrite.ConditionalAccess
Policy.Read.All
CrossTenantInformation.ReadBasic.All
The first two permissions are essential. Whilst the service never reads or writes any conditional access policies, Microsoft does not currently provide permissions granular enough to read/write only named locations, and so we must request broader permissions than we actually need.
Consent
The consent screen will request that you grant the following consent:
Because the service operates in the background, updating named locations in real time, it requires the “offline_access” permission (Maintain access to the data you have given it access to).
Successful Registration
If all permissions are in order you will see the user's identity displayed with a green tick as below:
You are now able to enable and disable the named location feeds available within your subscription by simply toggling them on/off. Any feeds you enable will be immediately written to your named locations which can be found here: https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/NamedLocations
Don't forget that having named locations is only one part of the picture, you also need to include them in your conditional access policies for them to achieve anything.
Enabling / Disabling Feeds
If you no longer wish to receive updates for a particular named location then you can disable it by toggling it to off and we will stop providing you updates - but you can enable it again at any time.
When you disable feeds that were once active we maintain a reference to those named locations in case you should enable them again. To delete both the reference and the named location, click the trash can icon next to the feed:
If you delete a named location in this way it will be deleted within your Azure portal. If you re-enable the feed after deleting the named location it will create a new named location. Whilst this will have the same name it will have a different identifier within Microsoft Graph, and so this new named location will need to be added to your conditional access policies again.
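The two hygiene checks implied above (a named location that no conditional access policy references, and a policy that still points at the identifier of a named location that was deleted and recreated) can be run against the Graph API's JSON. The script below is an added example, not Lab539's or Microsoft's code; it assumes the response shapes of GET /identity/conditionalAccess/namedLocations and GET /identity/conditionalAccess/policies and uses constructed sample data in place of live API calls.

```python
"""Audit Microsoft Graph conditional access data for named locations that no
policy references, and for policy location IDs that no longer resolve."""
import json

# Constructed sample of GET /identity/conditionalAccess/namedLocations
# (shape assumed from the Graph ipNamedLocation resource; values are made up).
NAMED_LOCATIONS = {"value": [
    {"id": "11111111-1111-1111-1111-111111111111",
     "displayName": "Lab539 AiTM Feed",
     "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
]}

# Constructed sample of GET /identity/conditionalAccess/policies. The first
# policy still points at the identifier of a named location that was deleted
# and recreated, so the ID no longer matches any current named location.
POLICIES = {"value": [
    {"id": "p1", "displayName": "Block AiTM backend", "state": "enabled",
     "conditions": {"locations": {
         "includeLocations": ["22222222-2222-2222-2222-222222222222"],
         "excludeLocations": []}}},
    {"id": "p2", "displayName": "Require MFA", "state": "enabled",
     "conditions": {"locations": None}},
]}

BUILTIN = {"All", "AllTrusted"}  # Graph location keywords, not named location IDs

def referenced_location_ids(policies):
    """Return {location_id: [policy displayName, ...]} over include/exclude lists."""
    refs = {}
    for p in policies["value"]:
        loc = (p.get("conditions") or {}).get("locations") or {}
        for key in ("includeLocations", "excludeLocations"):
            for lid in loc.get(key) or []:
                if lid not in BUILTIN:
                    refs.setdefault(lid, []).append(p["displayName"])
    return refs

def audit(named_locations, policies):
    """Return (names of unreferenced named locations, {stale_id: [policy names]})."""
    refs = referenced_location_ids(policies)
    known = {n["id"]: n["displayName"] for n in named_locations["value"]}
    unreferenced = sorted(name for lid, name in known.items() if lid not in refs)
    stale = {lid: names for lid, names in refs.items() if lid not in known}
    return unreferenced, stale

if __name__ == "__main__":
    print(json.dumps(audit(NAMED_LOCATIONS, POLICIES), indent=2))
```

With real data, replace the two constants with the parsed bodies of the two Graph calls; a non-empty stale dictionary is the symptom of the delete-and-re-enable case described above.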
Revoking Permissions
If at any time you would like to revoke the access you have granted you can do this from your Microsoft Azure dashboard: https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview
The service is as follows:
Name: Lab539 AiTM Conditional Access Service
ApplicationID: a5279797-c740-4a7a-b758-3d9669723e5b
Under the “Manage” menu on the right, select “Properties” and then click the “Delete” button.
Obviously deleting the service will mean that we are no longer able to update the named locations you are subscribed to.
We recommend that you delete your named locations from within the AiTM Feed portal before deleting the app registration. This will ensure that our service does not attempt to update named locations that it no longer has permissions to update.