

In a previous blog series, I discussed how to use certificate authentication for PowerShell scripts running in a standard Windows environment. (See "Authentication Options for Automated Azure PowerShell Scripts, Part 1: Service Account vs. App Registration," as well as Part 2 and Part 3.) In this blog, I discuss remediating basic authentication in a different environment: an Azure Functions app. I also cover how to use certificate authentication with the Microsoft Exchange Online PowerShell V2 (EXO V2) module, which has its own quirks.

Basic authentication to Azure Active Directory (AAD) does not support modern security controls such as Conditional Access policies and multi-factor authentication (MFA). In addition, basic authentication exposes an organization to security vulnerabilities such as password spraying attacks and simple password leaks. Microsoft discourages the use of basic authentication; in fact, Microsoft will block basic authentication in Exchange Online in October 2022. Organizations are therefore highly encouraged to identify and remediate its use.

A common source of basic authentication is PowerShell scripts that authenticate to AAD (e.g., to perform operations in SharePoint or Exchange Online). Older versions of the PowerShell modules for these services did not support any other mechanism for authentication, so scripts using these legacy modules are configured for basic authentication. Even newer scripts can suffer from basic authentication if appropriate development guidelines have not been communicated to ensure that developers leverage the certificate-based authentication that most modules now support.

In a client environment in which I was working, audits of basic authentication to AAD had identified a service account that was using basic authentication. This account was tracked to an existing Azure Functions app that was pulling information from Azure using the Security & Compliance PowerShell endpoint. The code had been written when basic authentication was the only option for automated scripts, but it was at least storing the credentials in an Azure Key Vault, rather than in plain text in the function code.
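To make the remediation concrete, here is an added example (not code from the original post or from the client's Functions app) that shows the two patterns side by side: the legacy basic-authentication connection to the Security & Compliance endpoint, with the service-account password pulled from Key Vault, and the certificate-based replacement, with the app registration's certificate pulled from Key Vault instead. The vault name, secret names, tenant domain and application (client) ID are placeholders; the cmdlets (`Get-AzKeyVaultSecret`, `Connect-IPPSSession`, `Disconnect-ExchangeOnline`) are the real Az.KeyVault and EXO V2 cmdlets, and the certificate-based parameters require an EXO V2 module version that supports app-only authentication.

```powershell
# Placeholders (assumptions for this example, not values from the post)
$VaultName    = 'kv-placeholder'
$Organization = 'contoso.onmicrosoft.com'   # tenant's initial domain
$AppId        = '00000000-0000-0000-0000-000000000000'  # app registration client ID

# Helper: read a Key Vault secret into a plain string without leaving the
# decrypted value in an unmanaged buffer longer than necessary.
function Get-KeyVaultSecretText {
    param([string] $VaultName, [string] $SecretName)
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
    try {
        return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# --- BEFORE: basic authentication with a service-account password ---------
# This is the pattern the audit flags. The password lives in Key Vault rather
# than in the function code, but the sign-in itself is still username/password
# over legacy auth, so Conditional Access and MFA do not apply to it.
function Connect-SccBasicAuth {
    $user = 'svc-compliance@contoso.onmicrosoft.com'   # placeholder account
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'svc-compliance-password'
    $cred = New-Object System.Management.Automation.PSCredential($user, $secret.SecretValue)
    Connect-IPPSSession -Credential $cred
}

# --- AFTER: certificate-based (app-only) authentication --------------------
# The app registration holds the public key; the private key is stored as a
# Key Vault certificate, whose backing secret is the base64-encoded PFX.
# No password is involved, so password spraying and password leaks no longer
# apply, and the app's permissions are scoped by the roles assigned to it.
function Connect-SccCertificateAuth {
    $pfxBase64 = Get-KeyVaultSecretText -VaultName $VaultName -SecretName 'exo-app-cert'
    $pfxBytes  = [Convert]::FromBase64String($pfxBase64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes)

    Connect-IPPSSession -Certificate $cert -AppId $AppId -Organization $Organization
}

# Usage inside the function body: connect, do the work, always disconnect so
# the remote session is not left open between invocations.
Connect-SccCertificateAuth
try {
    # Example read-only query against the Security & Compliance endpoint
    Get-DlpCompliancePolicy | Select-Object Name, Mode
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

On a Windows-hosted Functions app the certificate can alternatively be installed into the app's certificate store (the `WEBSITE_LOAD_CERTIFICATES` app setting) and referenced with `-CertificateThumbprint` instead of `-Certificate`; loading it from Key Vault at run time, as above, keeps the private key out of the deployment package either way. The `Connect-SccBasicAuth` function is included only to show the shape of the code the audit should find and remove.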
