Byte-Sized Video: Minimize the Impact of Basic Auth
It’s a pretty common situation: organizations spend their resources on maintaining legacy software and legacy protocols. Today, this is often supported by hybrid domain joined devices and Microsoft Azure AD. But did you know that this can actually lead to a lax security posture?
In this type of setup, any time your users log in to a Windows 10 device, it will request and receive a primary refresh token (PRT) without any prompt for multi-factor authentication (MFA). This is because Azure AD uses basic rather than modern authentication so as to support legacy protocols. This also applies to older protocols such as WS Trust. This means that traffic destined for your domain requires only a username and password to obtain access—and with the high volume of data breaches that occur today, that’s just not enough.
Fortunately, Okta understands this need. With our Custom User Agent String available in the O365 application, you can create specific, selective policies for different types of user agents from your various devices and applications. This way, if you have Windows 10 machines connected in a hybrid domain joined architecture, or your company is still dependent on WS Trust for a few trusted user agents, you can still allow basic authentications for them. And that’s without compromising the security of everything else. Check out the byte-sized video below to see it in action:
Since the default policy for the Okta Microsoft Office 365 app is to block basic authentications—and this affects all Azure AD authentications—adding a selective solution like Custom User Agent String is the the best way to make sure your favorite tools, such as Autopilot, Conditional Access, and Windows Hello for Business, are both secure and accessible. This can be accomplished without blocking logins from your legacy Windows machines and protocols. To learn more about securing your O365 environment, check out our Securing Office 365 with Okta whitepaper. Or if you’d like to learn more about the Hybrid Domain Joined environment and Okta, just click here. You can also talk to our team to learn even more about how Okta is the ideal IdP to support your Microsoft architecture.