Entra ID Reduce the chance of successful password sprays - chadmcox/Azure_Active_Directory GitHub Wiki
1. Deploy password protection for on-premises accounts
This involves setting up password protection policies that prevent the use of weak or commonly used passwords, which are exactly the passwords tried during password spray attacks. link
2. Deploy Identity Protection risk based conditional access policies
Enable a sign-in risk based conditional access policy
This policy requires users to complete MFA when a sign-in attempt is deemed risky, such as sign-ins from new devices or locations. link
Enable a user risk based conditional access policy
Similar to sign-in risk policies, user risk policies require users to perform actions like password changes or MFA if their account exhibits behaviors indicative of being compromised. link
3. Common conditional access policy - require MFA for all users
A baseline policy that mandates MFA for all users to reduce the likelihood of unauthorized access. link
4. Configure conditional access in Microsoft Defender for Endpoint
Conditional Access with Defender for Endpoint allows for the evaluation of device risk during the sign-in process, ensuring that only secure devices can access corporate resources. link
5. Create a device-based conditional access policy
This policy restricts access to corporate resources to devices that meet your organization’s compliance standards, such as having up-to-date antivirus software or being managed by your organization. link
6. Block legacy authentication with Microsoft Entra conditional access
Legacy authentication protocols do not support MFA, making them vulnerable to password spray attacks. Blocking these protocols enhances security. link
7. Restrict access to known password spray PowerShell endpoints
Identifying and restricting access to PowerShell endpoints that are commonly targeted in password spray attacks can further protect against unauthorized access attempts. link
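The controls above reduce the chance a spray succeeds; the pattern they defend against is also easy to spot in the sign-in logs. The following is an added example (not code from this wiki or from Microsoft) that flags the spray signature, many distinct accounts failing from one source address with few attempts each, and notes whether a legacy (non-MFA-capable) protocol was used. It assumes records shaped like an Entra sign-in log export (field names, error-code meanings, the set of modern client types, the thresholds and the sample data are all assumptions for this example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in result codes treated as a wrong-password attempt (assumed meanings:
# 50126 = invalid username or password, 50053 = account locked).
SPRAY_ERROR_CODES = {50126, 50053}
# clientAppUsed values that can complete MFA; anything else is treated as a
# legacy protocol for this example.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(hours=1), min_users=5):
    """Return one finding per source IP whose failed sign-ins inside `window`
    hit at least `min_users` distinct accounts. Many accounts with one or two
    tries each is the spray pattern; many tries on one account is not."""
    by_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] in SPRAY_ERROR_CODES:
            by_ip[e["ipAddress"]].append(e)
    findings = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["createdDateTime"])  # ISO strings sort correctly
        for start in range(len(fails)):
            t0 = _ts(fails[start]["createdDateTime"])
            win = [f for f in fails[start:] if _ts(f["createdDateTime"]) - t0 <= window]
            users = {f["userPrincipalName"] for f in win}
            if len(users) >= min_users:
                findings.append({
                    "ipAddress": ip,
                    "distinctUsers": len(users),
                    "failures": len(win),
                    "legacyAuth": any(f["clientAppUsed"] not in MODERN_CLIENTS for f in win),
                })
                break  # one finding per IP is enough for triage
    return findings


def _ev(ts, user, ip, client, code):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "errorCode": code}


# Constructed sample log: a spray over six accounts via Exchange ActiveSync,
# four failures against one account from a browser, and one normal success.
SAMPLE_EVENTS = (
    [_ev(f"2024-05-01T08:0{i}:00Z", f"user{i}@contoso.test", "203.0.113.10", "Exchange ActiveSync", 50126) for i in range(6)]
    + [_ev(f"2024-05-01T09:1{i}:00Z", "alice@contoso.test", "198.51.100.7", "Browser", 50126) for i in range(4)]
    + [_ev("2024-05-01T09:30:00Z", "bob@contoso.test", "192.0.2.5", "Browser", 0)]
)

if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f)
```

The `legacyAuth` flag ties a finding back to item 6: a spray arriving over a legacy protocol is one that MFA could not have stopped.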
Useful resources:
- Password spray investigation
- Azure AD and ADFS best practices: Defending against password spray attacks
- Detect password spray in Azure Identity Protection
- Alert classification for password spray attacks
- Protect your business from password sprays with Microsoft DART recommendations
- Hunting for Low and Slow Password Sprays Using Machine Learning
- Your Pa$$word doesn't matter