Authentication strength in Conditional Access Policies

[g-psantos]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This is a feature request for authentication strength to be supported by Terraform-managed Conditional Access Policies. From the Microsoft documentation:

Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.

As traditional authentication factors like SMS and push notifications become vulnerable to attack vectors such as SIM swapping and push notification fatigue, organizations must increasingly adopt phishing-resistant authenticators such as FIDO2 keys. The authentication strength grant control in Azure AD's Conditional Access Policies enables administrators to configure policies to that effect.

Note that the authentication strength API endpoints are still in public preview. However, given the value offered by this control, it would be great if the Terraform provider could offer it before it reaches GA.

New or Affected Resource(s)

• azuread_conditional_access_policy should be updated to include an authentication_strength_policy attribute under grant_controls
• azuread_authentication_strength_policy should be added as a resource
• data.azuread_authentication_strength_policy should be added as a data source

Potential Terraform Configuration

resource "azuread_conditional_access_policy" "this" {
  display_name = "Sensitive Apps: Require Phishing-Resistant MFA"
  state        = "enabled"

  conditions {
    # This is only a partial set of conditions to demonstrate the essential
    # aspects of this sample policy
    client_app_types = ["all"]
    applications {
      included_applications = var.sensitive_apps
    }
  }

  grant_controls {
    # Note that `built_in_controls`, which are currently required, should be
    # optional insofar as `authentication_strength_policy`, `terms_of_use`, or
    # `custom_authentication_factors` are defined

    # Using a built-in policy provided by Microsoft
    authentication_strength_policy = data.azuread_authentication_strength_policy.phishing_resistant.id

    # Using a custom policy
    authentication_strength_policy = azuread_authentication_strength_policy.custom.id
  }
}

data "azuread_authentication_strength_policy" "phishing_resistant" {
  # This is a built-in policy that allows authentication only through Windows
  # Hello for Business, FIDO2 security keys, and Azure AD Certificate-Based
  # Authentication
  name = "Phishing-resistant MFA strength"
}

resource "azuread_authentication_strength_policy" "custom" {
  display_name = "Weak policy"
  description  = "Allow authentication with password and second factor"
  allowed_combinations = [
    # The Graph API specifies that each allowed combination should be provided
    # as a comma-separated list of values, e.g. `password, hardwareOath`. I'm
    # suggesting that the corresponding Terraform resource would instead accept
    # a "set of sets" and perform the necessary conversions before submitting
    # the request to the Graph.
    ["password", "email"],
    ["password", "hardwareOath"],
    ["password", "softwareOath"],
  ]
}

References

• Microsoft Docs: Conditional Access authentication strength
• Microsoft Graph: conditionalAccessGrantControls
• Microsoft Graph: authenticationStrengthPolicy

[JonasBak]

I'd like to work on this if no one else is doing it 🙋

[manicminer]

Hi @g-psantos, thank you very much for the detailed feature request and the documentation links. We'd like to support this addition to conditional access policies in the provider, however this will unfortunately have to wait until the feature is made generally available.

Whilst we can often support preview/beta features in this provider, the main exception to this is with conditional access policies. If an existing policy is updated using the beta API, this unfortunately incurs a breaking change and that policy can no longer be managed with the stable API until it is deleted and replaced. As such, we are precluded from using the beta API for CA policies as this will break a lot of existing users.

Accordingly, I have marked this feature as blocked for now, but once this becomes generally available in the v1.0 API, we should be able to add support for it.

[catorar]

Just a heads up that MS has announced GA for this feature today

[catorar]

@manicminer This has been out of preview for almost a month. Can you provide an update?

[bubbletroubles]

@catorar It still isn't supported by the v1.0 API - its only accessible via the /beta API. I believe this is blocked until Microsoft make it available via the v1.0 API.

[n3662]

@bubbletroubles this is available in V1.0 https://learn.microsoft.com/en-us/graph/api/resources/authenticationstrengths-overview?view=graph-rest-1.0

[bubbletroubles]

@eda364 my bad - I was looking at the Conditional Access authentication strength page which still uses the beta API paths. You're correct, the v1.0 API is now supported.

[zach-griffin]

@manicminer Thank you for helping with this, but do we have an eta of when this would be ready? This would be super useful to us!