
Microsoft Azure Active Directory Security Defaults


Security has become an increasingly important and widely discussed topic, even within the small business community where in-house cybersecurity expertise is often minimal. That is especially true for the primary communication and productivity platform of most businesses: email and suites such as Microsoft 365.

Over the years, Microsoft has developed a set of pre-configured security settings which it updates regularly. A while back, Microsoft made these settings, now called "Security Defaults", available to every Azure AD tenant at no extra cost. Enabling them, and thereby raising the security posture of your Microsoft 365 environment, is as simple as logging into Azure AD and turning them on.

Security Defaults replace the Baseline Conditional Access Policies, which were previously the go-to way to enforce multi-factor authentication (MFA) and related security settings. Those baseline policies, however, did not cover the Microsoft Authenticator app and offered no straightforward way to deploy them.

There are a few downsides to Security Defaults that you should know about, the main one being that they cannot coexist with Conditional Access policies. With Security Defaults it is all or nothing: once enabled, every account in the tenant is held to the same standard, with no per-user, per-group, per-location or per-application exceptions. If your organization needs Conditional Access (for the reasons discussed later in this article), Security Defaults are not for you.

What are Azure AD Security Defaults?

Security Defaults are a good fit for small organizations and for any tenant that does not need Conditional Access policies. They let Microsoft's routinely adjusted security baseline be applied to every Microsoft 365 user in your organization with a single toggle in Azure AD.

The policies currently enforced by Security Defaults are:

  • Multi-factor authentication (MFA) for administrators and end users. Every user must register for Azure AD MFA within 14 days of their first interactive sign-in after enablement; users holding privileged administrator roles (Global Administrator, Exchange Administrator, Security Administrator and similar) are prompted for MFA at every sign-in.
  • Legacy authentication is blocked, which cuts off older clients that do not support Modern Authentication: Office 2010, IMAP, POP3, SMTP and ActiveSync clients using basic authentication, and the traditional Remote PowerShell method of managing Exchange Online. Inventory these before enabling, because anything still relying on them will stop working.
  • MFA is required immediately for "privileged" actions against the Azure Resource Manager API, which covers the Azure portal, Azure PowerShell and the Azure CLI.

Security Defaults and Conditional Access policies are mutually exclusive. You can enable Security Defaults now as a "quick security fix" and move to Conditional Access later, but when you create your first Conditional Access policy the portal will prompt you to disable Security Defaults first. From that point the protections above are only in force if your own policies replicate them.
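Before flipping the legacy authentication block, it helps to know who in the tenant is still signing in with basic-auth protocols. The following is an added example in Microsoft Graph PowerShell, not code from the original article: it summarises successful legacy-protocol sign-ins per user from the Azure AD sign-in log. The cmdlet and property names are those of the Microsoft.Graph.Reports module; the list of legacy client-app names, the constructed sample records, the function name and the 30-day window are assumptions made for this example. Reading sign-in logs through Graph requires an Azure AD Premium P1 or P2 licence, which a tenant relying on Security Defaults may not have, so the function is written to run against constructed records as well.

```powershell
# Added example, not the article's own code. Summarise successful legacy-auth
# sign-ins so the impact of "block legacy authentication" is known up front.
# Requires: Install-Module Microsoft.Graph.Reports (for the live query only).

# clientAppUsed values that Azure AD sign-in logs report for legacy (basic)
# authentication. Assumption: mirrors the portal's "Legacy Authentication
# Clients" filter; review it against your own logs.
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services',
    'Universal Outlook'
)

function Get-LegacyAuthSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # Get-MgAuditLogSignIn output, or objects shaped like it
        [string[]] $LegacyApps = $LegacyClientApps
    )
    # Only successful sign-ins (Status.ErrorCode 0) matter here: those are the
    # sessions that work today and will stop working once legacy auth is blocked.
    $SignIns |
        Where-Object { $LegacyApps -contains $_.ClientAppUsed -and $_.Status.ErrorCode -eq 0 } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                User      = $latest.UserPrincipalName
                ClientApp = $latest.ClientAppUsed
                SignIns   = $_.Count
                LastSeen  = $latest.CreatedDateTime
            }
        } |
        Sort-Object SignIns -Descending
}

# Constructed sample records (not real tenant data) in the shape Get-MgAuditLogSignIn
# returns, so the summary can be exercised without a tenant. bob uses modern auth and
# mallory's POP3 attempt failed (error 50126), so neither should appear in the output.
$sampleSignIns = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';   ClientAppUsed = 'IMAP4';              CreatedDateTime = [datetime]'2020-12-01T08:00:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';   ClientAppUsed = 'IMAP4';              CreatedDateTime = [datetime]'2020-12-03T08:05:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; ClientAppUsed = 'Authenticated SMTP'; CreatedDateTime = [datetime]'2020-12-02T17:30:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';     ClientAppUsed = 'Browser';            CreatedDateTime = [datetime]'2020-12-02T09:00:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'mallory@contoso.example'; ClientAppUsed = 'POP3';               CreatedDateTime = [datetime]'2020-12-02T03:12:00Z'; Status = @{ ErrorCode = 50126 } }
)

Get-LegacyAuthSummary -SignIns $sampleSignIns | Format-Table -AutoSize

# Live query against the tenant for the last 30 days. Needs an Azure AD Premium P1+
# licence and the AuditLog.Read.All and Directory.Read.All delegated permissions.
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-LegacyAuthSummary -SignIns (Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since") |
#     Export-Csv legacy-auth-before-security-defaults.csv -NoTypeInformation
```

Anything the live query lists is a user, device or application (a multifunction printer's SMTP relay, an old phone's ActiveSync profile, a script using Remote PowerShell) that has to be migrated to Modern Authentication, or accepted as broken, before Security Defaults go on.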

Enabling and Disabling Security Defaults

To enable or disable Security Defaults, sign in to the Azure AD portal as a Global Administrator and navigate to Azure Active Directory > Properties > Manage Security defaults. Set "Enable Security defaults" to Yes (or No to disable) and save.

You'll then see a prompt confirming that Security Defaults are being enabled.

Security Defaults Enabled by Default

On many recently created (as of January 2020) Microsoft 365 tenants, Security Defaults are already enabled. Still, verify it rather than assume it. We expect Microsoft to keep Security Defaults aligned with its recommended default security baseline; anything beyond that baseline, such as Conditional Access, requires paid licensing (Azure AD Premium P1 or higher). For now, and for many small businesses, Security Defaults are a much-needed improvement.
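To carry out the enable/disable procedure described above from a script, and to verify the state across tenants instead of clicking through the portal, here is an added example using the Microsoft Graph PowerShell SDK. It is not the article's own code. The cmdlets, property names and permission scopes are the Graph SDK's own; the wrapper function names, the warning text and the decision to treat report-only Conditional Access policies as blocking are assumptions made for this example. It also enforces the point that Security Defaults cannot be turned on while Conditional Access policies are active, which is the check most worth automating.

```powershell
# Added example, not the article's own code. Check, enable or disable Security
# Defaults through Microsoft Graph PowerShell rather than the portal, so the
# state can be verified (and enforced) across tenants from a script.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Sign in as a Global Administrator; Policy.Read.All covers the reads and
# Policy.ReadWrite.ConditionalAccess the update of the enforcement policy.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

function Get-SecurityDefaultsState {
    # $true when Security Defaults are enforced for the tenant.
    [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

function Set-SecurityDefaults {
    param([Parameter(Mandatory)] [bool] $Enabled)

    if ((Get-SecurityDefaultsState) -eq $Enabled) {
        Write-Host "Security Defaults already $(if ($Enabled) { 'enabled' } else { 'disabled' })."
        return $true
    }

    if ($Enabled) {
        # Security Defaults and Conditional Access are mutually exclusive. Any policy
        # that is not disabled is flagged; treating report-only policies as blocking
        # too is a conservative assumption so an admin reviews them before proceeding.
        $activeCA = Get-MgIdentityConditionalAccessPolicy -All |
            Where-Object { $_.State -ne 'disabled' }
        if ($activeCA) {
            Write-Warning ('Not enabling Security Defaults: active Conditional Access policies exist: ' +
                ($activeCA.DisplayName -join ', ') + '. Disable them first, or keep using Conditional Access.')
            return $false
        }
    }
    else {
        Write-Warning 'Disabling Security Defaults removes MFA enforcement and the legacy-auth block unless Conditional Access policies replace them.'
    }

    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$Enabled

    # Read the state back rather than trusting that the update call returned silently.
    return ((Get-SecurityDefaultsState) -eq $Enabled)
}

# Usage: report the current state, then enable. Set-SecurityDefaults returns $true on success.
Get-SecurityDefaultsState
Set-SecurityDefaults -Enabled $true
```

Reading the policy back after the update is deliberate: a routine check that only trusts the return value of the update call will not catch a tenant where someone later toggled the setting off in the portal, which is exactly what the verification step above is meant to find.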

Our customers & Azure AD Security Defaults

As of December 2020, all of our managed services customers (for whom we also manage the Microsoft 365 tenant) have Security Defaults enabled. As part of our onboarding process and routine security checks, we verify that Security Defaults are enabled and configured properly.

Where Conditional Access is needed, we take the time to identify the rules, conditions and users affected and deploy the correct configuration, while making sure every mailbox is protected to the greatest extent possible.

For non-managed customers, or those who would like us to audit their Microsoft 365 tenant, we offer consulting and engineering services. We can quickly identify areas where your security configuration is lacking and recommend (and implement) the changes needed to further protect your productivity tools and critical business information and communications. Contact us for more information or to receive a quote.