Phishing-Resistant MFA for Privileged Accounts (M365)

💼 Management Summary

Phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based authentication) for privileged M365 accounts prevents the AiTM phishing attacks that can bypass traditional MFA (push notifications, SMS).

Recommendation: IMPLEMENT
Risk without control: Critical
Risk Score: 10/10
Implementation effort: 14h (technical: 8h)
Applies to: M365, Azure AD

Traditional MFA (push notifications, SMS) can be bypassed: AiTM phishing proxies intercept MFA codes in real time, MFA fatigue attacks spam push notifications until one is approved, and SIM swapping steals SMS codes. Privileged accounts are the prime targets for these sophisticated attacks. Recent high-profile breaches (Uber, Twilio, Cloudflare) used AiTM phishing against MFA-protected administrator accounts. Phishing-resistant MFA (FIDO2 security keys) cannot be phished: it uses a cryptographic challenge-response, so there are no codes to steal.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.SignIns

Implementation

Implement phishing-resistant MFA for M365 admin roles: (1) enable FIDO2 security keys in Azure AD, (2) purchase keys for admins (YubiKey 5, €50/key, 2 keys per admin), (3) users register their keys, (4) CA policy: admin roles → require authentication strength "Phishing-resistant MFA", (5) block non-phishing-resistant methods for admins. Phishing-resistant methods: FIDO2 keys, Windows Hello for Business, certificate-based authentication.

Prerequisites

  1. Azure AD Premium P1
  2. FIDO2 security keys (YubiKey, Titan, etc.)
  3. Admins identified
  4. Key distribution plan
  5. Break-glass alternative auth

Implementation steps

  1. Enable FIDO2: Azure AD → Security → Authentication methods → FIDO2 security key: Enabled
  2. Purchase keys: 2 per admin (primary + backup)
  3. Distribute keys to admins with registration instructions
  4. Users register: myaccount.microsoft.com → Security info → Add FIDO2 key
  5. CA policy: Admin roles → Authentication strength: Phishing-resistant MFA
  6. Test: admin login with FIDO2 key
  7. Monitor: phishing-resistant MFA usage for admin sign-ins (target 100%)
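One way to carry out steps 4 and 5 through Microsoft Graph, as an added example that is not part of the baseline's own phishing-resistant-mfa.ps1: it creates the Conditional Access policy in report-only mode, resolves the admin role template ids and the built-in "Phishing-resistant MFA" authentication strength by display name instead of hard-coding GUIDs, and excludes a break-glass group. The role list, the policy name and the $BreakGlassGroupId parameter are assumptions to adapt to your tenant.

```powershell
<#
Added example (not the baseline's script): create a report-only Conditional Access
policy that requires the built-in "Phishing-resistant MFA" authentication strength
for admin directory roles. Review sign-in log impact, then set state to 'enabled'.
#>
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding()]
param(
    # Object id of the emergency-access (break-glass) group. Placeholder: supply your own.
    [Parameter(Mandatory = $true)][string]$BreakGlassGroupId,
    # Assumed role set; extend with the roles your tenant treats as privileged.
    [string[]]$AdminRoleNames = @(
        'Global Administrator', 'Privileged Role Administrator',
        'Security Administrator', 'Exchange Administrator',
        'SharePoint Administrator', 'Conditional Access Administrator'
    ),
    [string]$PolicyName = 'BASELINE - Require phishing-resistant MFA for admin roles'
)
$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', `
    'RoleManagement.Read.Directory' -NoWelcome

# Resolve role template ids by display name; fail loudly on a typo rather than
# silently creating a policy that covers fewer roles than intended.
$templates = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/directoryRoleTemplates').value
$roleIds = foreach ($name in $AdminRoleNames) {
    $t = $templates | Where-Object { $_.displayName -eq $name }
    if (-not $t) { throw "Role template '$name' not found" }
    $t.id
}

# Look up the built-in authentication strength rather than assuming its id.
$strength = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationStrength/policies').value |
    Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw "Built-in authentication strength 'Phishing-resistant MFA' not found" }

$policy = @{
    displayName   = $PolicyName
    # Report-only first so a missing key or unregistered admin shows up in the
    # sign-in log instead of locking someone out.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        users          = @{
            includeRoles  = @($roleIds)
            # The break-glass group keeps a separately protected path if keys are lost.
            excludeGroups = @($BreakGlassGroupId)
        }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.id }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created policy '$($created.displayName)' (id $($created.id)) in report-only mode"
```

Once every admin has registered a key and the report-only results show no unexpected failures, change state to 'enabled' via a PATCH on the same policy id.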

Compliance and Auditing

  1. CIS M365 - control 1.1.7 (Phishing-resistant MFA for admins)
  2. BIO 09.04
  3. ISO 27001:2022 A.9.4.3
  4. NIS2 Article 21
  5. NIST 800-63B - AAL3
  6. Executive Order 14028 - Zero Trust (phishing-resistant requirement)

Monitoring

Use the PowerShell script phishing-resistant-mfa.ps1 (function Invoke-Monitoring) to check the configuration.

Remediation

Use the PowerShell script phishing-resistant-mfa.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation); -Revert and -WhatIf are also accepted.

PowerShell

<#
.SYNOPSIS
    Phishing-Resistant MFA
.DESCRIPTION
    Ensures phishing-resistant MFA methods are enabled (FIDO2, Windows Hello, Certificate-based).
    SMS and voice call are NOT phishing-resistant.
.NOTES
    Filename: phishing-resistant-mfa.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\phishing-resistant-mfa.ps1 -Monitoring
    Check if phishing-resistant MFA is configured
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Phishing-Resistant MFA" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome

        Write-Host "Checking authentication methods policy..." -ForegroundColor Gray
        $authMethods = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"

        $result = @{
            isCompliant          = $false
            fido2Enabled         = $false
            authenticatorEnabled = $false
            certificateEnabled   = $false
        }
        $configs = $authMethods.authenticationMethodConfigurations

        # FIDO2 security keys (phishing-resistant)
        $fido2 = $configs | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        }
        if ($fido2 -and $fido2.state -eq 'enabled') {
            Write-Host "  [OK] FIDO2 Security Keys: ENABLED" -ForegroundColor Green
            $result.fido2Enabled = $true
            $result.isCompliant = $true
        } else {
            Write-Host "  [FAIL] FIDO2 Security Keys: DISABLED" -ForegroundColor Red
        }

        # Certificate-based authentication (phishing-resistant)
        $cba = $configs | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.x509CertificateAuthenticationMethodConfiguration'
        }
        if ($cba -and $cba.state -eq 'enabled') {
            Write-Host "  [OK] Certificate-based authentication: ENABLED" -ForegroundColor Green
            $result.certificateEnabled = $true
            $result.isCompliant = $true
        } else {
            Write-Host "  ⚠️ Certificate-based authentication: DISABLED" -ForegroundColor Yellow
        }

        # Microsoft Authenticator: informational only. Push / number matching is NOT
        # phishing-resistant. Windows Hello for Business is configured through Intune or
        # Group Policy, not through this policy, so it cannot be verified here.
        $authenticator = $configs | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        }
        if ($authenticator -and $authenticator.state -eq 'enabled') {
            Write-Host "  [INFO] Microsoft Authenticator: ENABLED (not phishing-resistant by itself)" -ForegroundColor Gray
            $result.authenticatorEnabled = $true
        } else {
            Write-Host "  [INFO] Microsoft Authenticator: DISABLED" -ForegroundColor Gray
        }

        Write-Host "`nPhishing-resistant methods:" -ForegroundColor Cyan
        Write-Host "  • FIDO2 Security Keys (YubiKey, etc.)" -ForegroundColor Gray
        Write-Host "  • Windows Hello for Business" -ForegroundColor Gray
        Write-Host "  • Certificate-based authentication" -ForegroundColor Gray
        Write-Host "`n⚠️ NOT phishing-resistant:" -ForegroundColor Yellow
        Write-Host "  • SMS / Text message" -ForegroundColor Red
        Write-Host "  • Voice call" -ForegroundColor Red
        Write-Host "  • Email OTP" -ForegroundColor Red

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Phishing-resistant MFA available" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Enable phishing-resistant methods" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -ErrorAction Stop -NoWelcome

        if ($WhatIf) {
            Write-Host "  [WhatIf] Would enable FIDO2 security keys for all users" -ForegroundColor Yellow
            exit 0
        }

        Write-Host "Enabling FIDO2 security keys..." -ForegroundColor Gray
        $fido2Config = @{
            "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
            state                            = "enabled"
            includeTargets                   = @(
                @{
                    targetType             = "group"
                    id                     = "all_users"
                    isRegistrationRequired = $false
                }
            )
            isAttestationEnforced            = $true
            isSelfServiceRegistrationAllowed = $true
            keyRestrictions                  = @{
                isEnforced      = $false
                enforcementType = "allow"
                aaGuids         = @()
            }
        }
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2" `
            -Body ($fido2Config | ConvertTo-Json -Depth 10)

        Write-Host "`n[OK] FIDO2 security keys enabled" -ForegroundColor Green
        Write-Host "`nNext steps:" -ForegroundColor Cyan
        Write-Host "  1. Users can register FIDO2 keys at https://aka.ms/mysecurityinfo" -ForegroundColor Gray
        Write-Host "  2. Consider enabling Windows Hello for Business" -ForegroundColor Gray
        Write-Host "  3. Create CA policy requiring phishing-resistant MFA for admins" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host "  Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    } catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        Write-Host "Use: -Monitoring, -Remediation or -Revert" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Critical: AiTM phishing bypasses traditional MFA: admins with push-notification MFA are compromised via proxy attacks. Recent high-profile breaches used AiTM against MFA-protected admins. Phishing-resistant MFA (FIDO2) cannot be bypassed: cryptographic proof, no codes to steal.

Management Summary

FIDO2 security keys for M365 admins. Phishing-resistant (cannot be bypassed). Hardware keys ~€100 per admin (2 keys). A CA policy enforces this for admin roles. Complies with CIS 1.1.7 L2, BIO 9.04, NIST AAL3, Executive Order 14028. Setup: 8h.