Unlocking Identity Security with Windows Hello for Business and Terraform

Introduction

Windows Hello for Business (WHFB) is a robust, biometric-based authentication method offered by Microsoft. It replaces passwords with strong two-factor authentication on PCs and mobile devices. The credential is a new type of user credential tied to a device and unlocked with a biometric or a PIN. It provides enhanced security through phishing-resistant two-factor authentication and built-in brute-force protection. More details are available in the Microsoft docs here.

Advantages of WHFB

  • Phishing-resistant: Unlike passwords, these credentials can’t be used on other devices or intercepted over the network.
  • Two-factor authentication: It combines something you have (a registered device) with something you know (a PIN) or something you are (biometrics). This strengthens protection against credential theft: an attacker must have both the device and the biometric or PIN, making it much more difficult to gain access without the user's knowledge.
  • Convenience: Users authenticate with a simple gesture such as a fingerprint swipe or a face recognition. Users get a simple and convenient authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. The use of a PIN doesn't compromise security, since Windows Hello has built-in brute force protection, and the PIN never leaves the device.

Adding WHFB as an Authentication Strength in Entra ID

1. Navigate to the Entra ID admin center dashboard.

2. Go to the Protection -> Authentication Methods -> Authentication Strength section.

3. Click on 'New authentication strength'.

4. In the dropdown, select 'Windows Hello for Business'.

5. Click 'Save'.

Fetching the WHFB Authentication Strength ID with the Graph API

The Microsoft Graph API allows developers to access data from Microsoft cloud services including Azure, Windows 10, and Office 365. More details on the API endpoints are available here. To fetch the ID of the WHFB authentication strength, you can use the following API call:

https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies

Note that you need the Policy.Read.All permission to fetch the details of the authentication strength policies.

As you can see in the response below, the authentication strength policies are fetched with the details.
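To turn the API call above into the value the Terraform policy needs, here is an added example (not from the original article) that walks the paged Graph response and selects the strength whose allowedCombinations is exactly windowsHelloForBusiness, since a display name is admin-chosen and the built-in phishing-resistant strength also lists WHFB among other methods. The sample response, its placeholder ids and the GRAPH_TOKEN environment variable are constructed assumptions.

```python
# Added example (not from the article): pick the Entra ID authentication strength
# that allows only Windows Hello for Business. Standard library only; a real run
# needs a Policy.Read.All bearer token in GRAPH_TOKEN, otherwise the constructed
# SAMPLE_POLICIES below stand in for the Graph response.
import json
import os
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies"
WHFB_ONLY = frozenset({"windowsHelloForBusiness"})

def graph_get(url, token):
    """One GET against Graph; returns the decoded JSON page."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_all_pages(url, get_page):
    """Follow @odata.nextLink so a tenant with many strengths is read completely."""
    policies = []
    while url:
        page = get_page(url)
        policies.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return policies

def whfb_only_strengths(policies):
    """Match on allowedCombinations, not displayName: the built-in phishing-resistant
    strength also lists WHFB but permits FIDO2 and certificates, which is weaker."""
    return [p for p in policies if frozenset(p.get("allowedCombinations", [])) == WHFB_ONLY]

def select_policy_id(policies):
    """Return the one WHFB-only strength id, or fail loudly if it is ambiguous."""
    matches = whfb_only_strengths(policies)
    if len(matches) != 1:
        raise LookupError(f"expected one WHFB-only strength, found {len(matches)}")
    return matches[0]["id"]

SAMPLE_POLICIES = [  # constructed, shaped like a Graph page; ids are placeholders
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Phishing-resistant MFA",
     "allowedCombinations": ["windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor"]},
    {"id": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "Windows Hello for Business",
     "allowedCombinations": ["windowsHelloForBusiness"]},
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    policies = fetch_all_pages(GRAPH_URL, lambda u: graph_get(u, token)) if token else SAMPLE_POLICIES
    print(f'authentication_strength_policy_id = "{select_policy_id(policies)}"')
```

The printed line can be pasted straight into the grant_controls block of the Terraform policy.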

Deploying Conditional Access Policy with Terraform

Now it's time to deploy our conditional access policy using Terraform as IaC.

Considerations -

Before implementing our policy in full force, it’s prudent to consider certain factors. There may be instances where certain applications are incompatible with WHFB. In such cases, these applications should be identified and added to our policy’s exclusion list.

Furthermore, it’s not advisable to apply the policy universally across all users in the organization. Instead, it should be targeted towards those users whose client devices are compatible with WHFB. This approach ensures a smoother transition and minimizes potential disruptions.

Also, roll out the policy first in Report-Only (enabledForReportingButNotEnforced) mode and observe it in the Insights and Reporting section for at least 2 weeks to find potential disruptions. Below you can see there are 10 failures for this policy in my case, and it would be worth reviewing them.

The Terraform code for the policy would be as below -

resource "azuread_conditional_access_policy" "CA_1_Require_WHFB_and_Compliant_Device" {
  display_name = "Require Hello For Business & Compliant Device"
  state        = "enabledForReportingButNotEnforced" # report-only first; switch to "enabled" after review

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
      excluded_applications = [
        "App GUID 1", # App 1 (incompatible with WHFB)
        "App GUID 2", # App 2
      ]
    }

    users {
      included_users  = []
      excluded_users  = []
      included_groups = [
        "Group Guid 1", # Included Group 1 (users with WHFB-capable devices)
      ]
      excluded_groups = [
        "Excluded Group GUID 1", # Excluded Group 1
      ]
    }

    platforms {
      included_platforms = ["windows"]
    }
  }

  grant_controls {
    operator                          = "AND"
    authentication_strength_policy_id = "343e63-GUID-18301" # Windows Hello For Business strength ID fetched via Graph
    built_in_controls                 = ["compliantDevice"]
  }
}

Once deployed, you can see in Entra Portal that the conditional access policy now requires Windows Hello For Business as authentication strength in addition to the device being marked compliant.

More articles by Manish Periwal
