We get a lot of alerts about unauth VPN usage, and by and large it’s free VPN services or the occasional Norton/Express/Nord VPN. The default process we have now is when someone signs in successfully to their 365 account and they’ve previously never used a VPN, it blocks sign-in and resets all sessions. Since every idiot on Facebook is selling a VPN, we’re seeing a steady uptick in VPN usage and subsequent account lockouts until we review the issue and ask them if they are using a VPN: “oh, yes, I just installed it because I was told it would make me more secure…” Any thoughts on this subject from the r/msp braintrust? My main problem is blanket allow means we just lessened controls around unauth access attempts from those now-allowed VPN services. Maybe a plan to only allow paid ones, but then there is the whole free trial they all have (just like RAT tool trials being abused.)
Additional info based on comments. Customers in question are small businesses with no compliance obligations save maybe PCI and state privacy laws.
The VPN software is being installed only on personal devices.
a. Yes, we do talk about limiting access to company owned devices, but small biz likes to not buy laptops and phones for staff.
MS 365 licenses in use where this problem is occurring are using standard/basic. No CA options. Yes, I’d love to move all to premium or higher. I’d also like a pony, not happening right now.
Seems the best option for now is communicate that personal vpn access to 365 will be blocked by 365 monitoring services we already have in place.
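An added example, not from the original post, that models the process described above: per-user first-time VPN sign-ins are blocked and sessions revoked, an approved-provider allowlist is exempt, and hosting-provider egress (the public Wi-Fi case) is flagged for review rather than blocked. Sign-in records, provider names and categories are constructed placeholders; in practice the category would come from an IP-intelligence lookup.

```python
from dataclasses import dataclass

# Constructed sample sign-in events (placeholder users, IPs and providers).
# "category" stands in for an IP-intelligence verdict on the source address.
SIGNINS = [
    {"user": "alice@example.com", "ip": "198.51.100.7", "category": "residential", "provider": "HomeISP"},
    {"user": "alice@example.com", "ip": "203.0.113.9", "category": "vpn", "provider": "FreeVPN-X"},
    {"user": "bob@example.com", "ip": "203.0.113.20", "category": "vpn", "provider": "ApprovedVPN"},
    {"user": "carol@example.com", "ip": "192.0.2.44", "category": "hosting", "provider": "SomeCloud"},
    {"user": "alice@example.com", "ip": "203.0.113.10", "category": "vpn", "provider": "FreeVPN-X"},
]

# Assumption: an org-maintained allowlist of sanctioned VPN providers.
APPROVED_VPN_PROVIDERS = {"ApprovedVPN"}


@dataclass
class Verdict:
    user: str
    action: str   # "allow", "review" or "block"
    reason: str


def evaluate(events, approved=APPROVED_VPN_PROVIDERS):
    """Apply the first-time-VPN rule to an ordered list of successful sign-ins."""
    seen_vpn = {}   # user -> set of VPN providers already observed for that user
    verdicts = []
    for ev in events:
        user, cat, prov = ev["user"], ev["category"], ev["provider"]
        if cat == "residential":
            verdicts.append(Verdict(user, "allow", "residential ISP"))
        elif cat == "vpn" and prov in approved:
            verdicts.append(Verdict(user, "allow", f"approved VPN provider {prov}"))
        elif cat == "vpn":
            known = seen_vpn.setdefault(user, set())
            if prov in known:
                # The rule only fires on a never-before-seen VPN for this user.
                verdicts.append(Verdict(user, "allow", f"VPN {prov} previously reviewed"))
            else:
                known.add(prov)
                verdicts.append(Verdict(user, "block",
                                        f"first sign-in via unapproved VPN {prov}; revoke sessions"))
        else:
            # Hosting-provider egress often means public Wi-Fi, so confirm before blocking.
            verdicts.append(Verdict(user, "review",
                                    f"hosting provider {prov}; confirm with user"))
    return verdicts
```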
Block VPNs, and roll out your own solution. An unmanaged VPN is basically a potential MITM attack, so it’s important to communicate that risk to your client VIPs.
This is something that “App Governance in Defender for Cloud Apps” can control, but it does require a “5-Series” license that adds ~$32/user/month to Bus Premium
VERY powerful. Tens of thousands of apps that can be approved/denied for a tenant, and most of the common consumer VPNs can be blocked from here.
But, I’m assuming there’s “no room in the IT budget” based on your other notes.
Option 4 is your best bet. If their accounts keep getting blocked, eventually users will get the hint and uninstall those VPNs.
EDIT: Also, public WiFi can add unknown hosting providers, which can also be triggered to block an account. Most common scenario here is a user driving by a with their Outlook signed in, then all of a sudden their account is seeing a hosting provider sign into their account from across the country.
Are the alerts coming from Microsoft itself or from a different service? I’d presume it’s not Microsoft since you mentioned most of your clients don’t have P1/P2.
I think the first question that needs to be answered is why users have privileges on managed computers to install VPN clients or network adapters? This seems to me to be a greater risk than the VPN itself. Or are you talking about users connecting through unmanaged VPN from their BYOD mobile devices?
My philosophy is the client should have the decision. My role is to educate and advise them in the right direction, but ensure I have the appropriate protection in place if they fail to take my advice.
So my first step would be to communicate with the client(s) about the risks associated with allowing unmanaged VPN access, the myths and legitimate use cases about VPNs, and what options can be provided to mitigate this risk. Explain that allowing unmanaged VPN weakens the effectiveness of other controls intended to restrict access to geolocations a legitimate user might connect from, and makes identifying and blocking malicious activity nearly impossible. Options could be configuring VPN or ZTNA access using an existing or upgraded perimeter firewall, adding a ZTNA service provider or private VPN server, or adding Entra Suite to utilize Microsoft Global Secure Access/Secure Service Edge.
When the client decides on a strategy and a deadline for compliance, then work on the configuration, client software, config and certificate roll-out, and testing, while communicating to the client’s users about the risks and upcoming access changes, and training on how to use the new secure access. Then monitor compliance and send email reminders with links to repeat the training to users that don’t comply. And finally use conditional access policies to block access if not using the approved secure access technology, and remove unapproved VPN client software from user devices.
If the client decides to not take any action, I’d require them to sign a simple waiver of liability.
What are your Intune compliance policies for BYOD phones like? We had issues where a device would show non-compliant, but we couldn’t effectively troubleshoot it or even determine if it was a true or false positive.