Setting up the Lab539 hosted Conditional Access service
This post details how to use the Lab539 Adversary in the Middle (AiTM) service to subscribe to the conditional access service and benefit from a named location feed that is updated in real time.
Description
The hosted conditional access feed service is a service operated by Lab539 which, in real time, updates a named location within your Microsoft Azure environment. This ensures that you always have the most up to date data for protecting your environment.
Whilst there are multiple named location feeds now available, this post will focus on the AiTM feed, but the information is directly transferable to other feeds.
The AiTM feed lists the backend AiTM infrastructure that performs the authentication component of an AiTM attack, i.e. the IP addresses you will see logging into your Microsoft environment if a user is successfully targeted. These will often not correspond to the IP addresses of the frontend infrastructure (e.g. the phishing website). Blocking your users' access to this backend infrastructure will not prevent it from authenticating to your environment, but blocking access from it will. This is why conditional access policies are used to achieve this.
The Lab539 service does not configure any conditional access policies for you. But it provides access to named locations that you can use in your conditional access policies and it keeps those named locations up to date for you.
The curation of the named location data is important. Named locations can only hold a finite amount of data, which is much less than the amount of infrastructure that we track. We therefore apply logic based upon a number of factors in order to fit within the constraints that Microsoft poses.
The named location data is available in a curated form from the API if you prefer to host and operate a named location update service yourself.
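As an added illustration that is not Lab539's code, the following Python shows what a self-hosted update needs to produce from the curated feed: a Microsoft Graph ipNamedLocation body that stays within a per-location range cap, a Conditional Access policy body that blocks sign-ins from that location (report-only first, with break-glass accounts excluded), and a retrospective check of sign-in log records against the feed. The feed, the corporate egress ranges, the sign-in entries and the MAX_RANGES cap are constructed assumptions; the named location and break-glass object IDs are placeholders.

```python
"""Added example (not Lab539's code): curate an AiTM IP feed into a Microsoft
Graph ipNamedLocation body, build a Conditional Access policy that blocks
sign-ins from that location, and check sign-in log entries against the feed.
Assumptions: MAX_RANGES (verify the current limit Microsoft documents) and the
constructed FEED / CORPORATE_EGRESS / SIGN_INS sample data."""
import ipaddress
import json
from typing import Iterable

# ASSUMPTION: per-named-location cap on ipRanges. Check the current
# Microsoft documentation before relying on this number.
MAX_RANGES = 2000


def curate_ranges(feed: Iterable[str], never_block: Iterable[str] = (),
                  cap: int = MAX_RANGES) -> tuple[list[str], int]:
    """Normalise feed entries to CIDRs, drop unsafe or malformed ones,
    collapse overlapping/adjacent ranges and truncate to the cap.
    Returns (ranges, number_of_ranges_dropped_by_the_cap)."""
    safe = [ipaddress.ip_network(n, strict=False) for n in never_block]
    nets = []
    for raw in feed:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # one malformed line must not abort the whole update
        # A /0, or any range covering your own egress, would lock users out.
        if net.prefixlen == 0 or any(net.overlaps(s) for s in safe):
            continue
        nets.append(net)
    # collapse_addresses() merges adjacent ranges and removes subsumed ones,
    # which saves slots in the named location; it requires a single IP version.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    merged = [str(n) for n in v4] + [str(n) for n in v6]
    return merged[:cap], max(0, len(merged) - cap)


def named_location_body(display_name: str, ranges: list[str]) -> dict:
    """Body for PATCH /identity/conditionalAccess/namedLocations/{id}."""
    ip_ranges = [{
        "@odata.type": f"#microsoft.graph.iPv{ipaddress.ip_network(c).version}CidrRange",
        "cidrAddress": c,
    } for c in ranges]
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": False,  # never mark attacker infrastructure as trusted
        "ipRanges": ip_ranges,
    }


def block_policy_body(named_location_id: str, break_glass_ids: list[str],
                      enforce: bool = False) -> dict:
    """CA policy that blocks every sign-in originating from the named location.
    Defaults to report-only so the effect can be reviewed in sign-in logs."""
    return {
        "displayName": "Block sign-ins from AiTM backend infrastructure",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_ids)},
            "locations": {"includeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def sign_ins_from_feed(entries: Iterable[dict], ranges: list[str]) -> list[dict]:
    """Retro-hunt: return sign-in records whose ipAddress falls in the feed."""
    nets = [ipaddress.ip_network(c) for c in ranges]
    hits = []
    for entry in entries:
        try:
            ip = ipaddress.ip_address(entry["ipAddress"])
        except (KeyError, ValueError):
            continue
        if any(ip in n for n in nets):
            hits.append(entry)
    return hits


# Constructed sample feed (documentation ranges, not real attacker IPs).
FEED = ["203.0.113.0/25", "203.0.113.128/25", "203.0.113.10",
        "198.51.100.7", "0.0.0.0/0", "2001:db8:1::/48", "bogus"]
CORPORATE_EGRESS = ["198.51.100.0/24"]  # assumed: ranges you must never block
# Constructed sample sign-in log entries (not real users or addresses).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.77"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5"},
]

if __name__ == "__main__":
    ranges, dropped = curate_ranges(FEED, CORPORATE_EGRESS)
    print(json.dumps(named_location_body("AiTM backend (self-hosted)", ranges), indent=2))
    print(json.dumps(block_policy_body("<named-location-id>", ["<break-glass-object-id>"]), indent=2))
    print("ranges dropped by cap:", dropped)
    print("retro-hunt hits:", sign_ins_from_feed(SIGN_INS, ranges))
```

The two adjacent /25s and the single host collapse into one /24, the /0 and the entry inside the corporate egress range are discarded, and the bogus line is skipped rather than failing the update. The named location body is what you would PATCH to the Graph namedLocations endpoint on each feed change; the policy body would be POSTed to /identity/conditionalAccess/policies once, and then switched from report-only to enforced after reviewing the sign-in logs.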
Video Overview
This short video shows the process for enrolling and enabling the conditional access/named location service:
Initial Enrolment
In order to utilise the service you must authorise a user. This can be done from within the “Conditional Access, Named Location Users” section of the portal (https://portal.lab539.io).
Configuring a user is done by clicking the icon in the top right that looks like a user with a cog. This will direct you to the Microsoft authentication service where you can select, or enter, the user account which you would like to authorise this service to operate as:
User Permissions
The user you select for this service does not need to be the user you are logged into the portal as. It does not even need to be a user in the same tenant. The only requirement is that the user holds the Conditional Access Administrator role. Due to the nature of this service, admin consent must also be granted the first time a user in your tenant is configured. This needs to be performed by a user with the Application Administrator role, so granting those two roles to your user should suffice.
If you prefer to grant permissions individually, these are the permissions that are required:
Policy.ReadWrite.ConditionalAccess
Policy.Read.All
Consent
The consent screen will request that you grant the following consent:
Because the service operates in the background, updating named locations in real time, it requires the “offline_access” permission (Maintain access to the data you have given it access to).
Unfortunately, at the time of writing, Microsoft does not provide particularly granular permissions when it comes to conditional access policies. If these permissions present a problem then you should consider self hosting the service, pulling the curated data from our API.
Successful Registration
If all permissions are in order you will see the user's identity displayed with a green tick as below:
You are now able to enable and disable the named location feeds available within your subscription. Any feeds you enable will be immediately written to your named locations which can be found here: https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/NamedLocations
Error Codes
If your registration fails it may be for one of several reasons. These reasons are displayed in the URL. A successful registration will display this value:
https://portal.lab539.io/profile?error=success-nl-reg
Unsuccessful registrations may show one of the following errors instead:
error=failed-nl-reg&description=lacked-admin-consent - admin consent has not been granted (either grant this manually or grant the account "Application Administrator" rights, temporarily if preferred)
error=failed-nl-reg&description=user-declined-consent - you appear to have declined consent at the consent screen
error=csrf-failure - the Cross-Site Request Forgery checks that we carry out appear to have failed. Refreshing the page and trying again should rectify this.
Revoking Permissions
If at any time you would like to revoke the access you have granted you can do this from your Microsoft Azure dashboard: https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview
The service's details are as follows:
Name: Lab539 AiTM Conditional Access Service
ApplicationID: a5279797-c740-4a7a-b758-3d9669723e5b
Under the “Manage” menu on the right, select “Properties” and then click the “Delete” button.