Microsoft Accounts Optional (Azure AD Preferred)

💼 Management Summary

Microsoft Accounts must be optional (not required) so that Azure AD accounts are the preferred identity for enterprise authentication and governance.

Recommendation
IMPLEMENT
Risk without
Medium
Risk Score
4/10
Implementation
1.5h (tech: 0.5h)
Applies to:
✓ Windows 10
✓ Windows 11

ACCOUNT TYPE PREFERENCE: personal Microsoft accounts (@outlook.com, @hotmail.com) vs Azure AD accounts (@company.com). ENTERPRISE NEEDS AZURE AD: centralized identity management, Conditional Access policies, MFA enforcement, audit logging, device compliance. PERSONAL MSA RISKS: no corporate control, no MFA enforcement, data sync to consumer cloud, account mix-ups. POLICY: make MSA optional (not required) → forces Azure AD usage in enterprise scenarios.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules:

Implementation

Set MSAOptional to 1: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional = 1. EFFECT: apps can request an Azure AD account (preferred); an MSA remains possible but is not forced; enterprise apps use Azure AD.

Requirements

  1. Windows 10/11
  2. Azure AD tenant

Implementation

Use the PowerShell script allow-microsoft-accounts-to-be-optional-is-set-to-enabled.ps1 (function Invoke-Remediation) – sets MSA optional.

Intune: System → MSAOptional = 1 (enabled)
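For environments that deploy this control through Group Policy rather than Intune, the following added example (not the baseline's own script) writes the same registry-based policy into a domain GPO with the RSAT GroupPolicy module and reads it back for verification. The GPO name, the OU distinguished name and the comment text are placeholders chosen for this example; the registry key and value are the ones the control requires.

```powershell
# Added example: deploy MSAOptional=1 via a domain GPO and verify the GPO setting.
# Requires the RSAT GroupPolicy module on a domain-joined admin workstation.
#Requires -Modules GroupPolicy

$GpoName  = 'SEC-Workstations-MSAOptional'          # placeholder GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'      # placeholder OU to link the GPO to
# Same key as the control, in the HKLM\... form the GroupPolicy cmdlets expect (no colon).
$RegKey   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RegName  = 'MSAOptional'
$Expected = 1

function Set-MsaOptionalGpo {
    param([string]$Name = $GpoName, [string]$Ou = $TargetOu)
    # Reuse the GPO if it already exists, otherwise create it.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Allow Microsoft accounts to be optional (prefer Azure AD)'
    }
    # Registry-based policy under Computer Configuration: MSAOptional = 1 (DWORD).
    Set-GPRegistryValue -Name $Name -Key $RegKey -ValueName $RegName -Type DWord -Value $Expected | Out-Null
    # Link to the target OU; an existing link makes New-GPLink fail, which is fine here.
    if ($Ou) {
        New-GPLink -Name $Name -Target $Ou -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    }
    return $gpo
}

function Test-MsaOptionalGpo {
    param([string]$Name = $GpoName)
    # Read the value back from the GPO itself; $null means the GPO does not set it.
    $v = Get-GPRegistryValue -Name $Name -Key $RegKey -ValueName $RegName -ErrorAction SilentlyContinue
    return [PSCustomObject]@{
        Gpo       = $Name
        Value     = $v.Value
        Compliant = ($null -ne $v -and $v.Value -eq $Expected)
    }
}

Set-MsaOptionalGpo | Out-Null
Test-MsaOptionalGpo | Format-List
```

After clients refresh policy (gpupdate /force or the next refresh cycle), the value appears locally under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional, which is what the monitoring script below reads; checking the GPO and checking the endpoint are two separate steps, and a compliant GPO with a non-compliant endpoint usually points at a link or inheritance problem.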

Monitoring

Use the PowerShell script allow-microsoft-accounts-to-be-optional-is-set-to-enabled.ps1 (function Invoke-Monitoring) – verifies that MSAOptional is 1.

Compliance and Auditing

  1. CIS - identity management
  2. BIO 09.01

Remediation

Use the PowerShell script allow-microsoft-accounts-to-be-optional-is-set-to-enabled.ps1 (function Invoke-Remediation) – restores the setting.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

```powershell
<#
.SYNOPSIS
    Intune Security Options: Microsoft Accounts Optional
.DESCRIPTION
    CIS - Microsoft accounts must be optional (prefer Azure AD).
.NOTES
    Filename: msa-optional.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional
    Expected: 1
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
$RegPath       = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$RegName       = "MSAOptional"
$ExpectedValue = 1

# The policy key lives under HKLM, so confirm the script runs elevated.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the current value and reports compliance. An absent value is reported as
# non-compliant: without the policy the setting defaults to 0 (MSA not optional).
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "msa-optional.ps1"
        PolicyName    = "MSA Optional"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = $ExpectedValue
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
        }
        if ($null -ne $r.CurrentValue -and $r.CurrentValue -eq $ExpectedValue) {
            $r.IsCompliant = $true
            $r.Details += "MSA optional ($RegName=$($r.CurrentValue))"
        } elseif ($null -eq $r.CurrentValue) {
            $r.Details += "$RegName not configured (defaults to 0, MSA not optional)"
        } else {
            $r.Details += "$RegName is $($r.CurrentValue), expected $ExpectedValue"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Creates the policy key if needed and sets MSAOptional = 1 (DWORD).
function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Microsoft accounts optional" -ForegroundColor Green
}

# Prints the compliance state and returns the result object for further processing.
function Invoke-Monitoring {
    $r = Test-Compliance
    $state = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $state" -ForegroundColor $color
    return $r
}

# Removes the value so the setting falls back to its default.
function Invoke-Revert {
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: would set $RegPath\$RegName = $ExpectedValue"
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    # Continue past the error so the exit code is set explicitly.
    Write-Error $_ -ErrorAction Continue
    exit 1
}
```

Risk without implementation

Medium: if MSA is required, users are forced onto personal accounts instead of corporate Azure AD.

Management Summary

Set MSA optional (MSAOptional=1). Enables Azure AD preference. Implementation: 30-90 min.