Does your organisation want to improve its security posture, but you’re unsure how or where to start? Is your organisation using the free tier of Azure Active Directory licensing? If so, then this blog about Microsoft Security Defaults is for you.
What are Microsoft Security Defaults?
Microsoft Azure AD Security Defaults are a set of baseline security settings, designed to introduce a basic security posture at no extra cost.
Recent changes
For the past decade, Microsoft has been working towards a security minimum standard for all user accounts, and most of those technologies became available to the Azure AD in 2014.
These improvements have been successful: according to Microsoft more than 99.9% of organisation account compromises can now be prevented by using multi-factor authentication (MFA).
Sadly, the adoption of the technology hasn’t been as successful as Microsoft would have hoped. Only 9% of users ever see an MFA prompt. To counter these challenges, Microsoft decided to raise the bar for best-practice security posture by providing increased organisational security on user accounts by default.
Microsoft’s ambition is to make security defaults available to everyone because as we know, managing security can be difficult and it’s often not the highest priority. By means of these Security Defaults, Microsoft wants to ensure that every organisation has at least a basic level of security enabled at no extra cost.
These default policies include:
- Requiring all users and admins to register for multi-factor authentication using the Microsoft Authenticator app or any third-party application using OATH TOTP, which is a time-limited one time password.
- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy mail protocols (IMAP, POP3, and SMTP) that can’t handle MFA.
- Protecting admins by requiring extra authentication every time they sign in.
This focus on user authentication continues to extend with biometrics and updates to MFA to make sure only authorised users have access to sensitive data. It’s important to note that the risk of fatigue through MFA requests has become a very real threat. If you are interested to know how you can defend your users from MFA fatigue attacks, click here.
Microsoft Security Default benefits
- Help protect your company’s user accounts from identity-related attacks like password spray, replay, and phishing, which are common in today’s environment. More than 99.9% of these attacks are prevented by using MFA and blocking legacy authentication.
- Make it easier to enable MFA and other security features without needing to configure complex Conditional Access policies or pay for additional licences.
- Provide a default level of security for all organisations, especially those who don’t have the resources or expertise to manage their own security settings.
- Simplify the management and administration of your IT services, as you can access your resources securely from the Azure portal without needing an additional client, agent, or software.
Microsoft Security defaults vs Conditional Access
The main difference is that Microsoft Security Defaults is free to use for all users and Conditional Access require Azure AD Premium for all users.
Microsoft Security Defaults and Conditional Access are two options to help you secure your identity and access management in Azure AD. Security Defaults are a simple and free way to enable basic security settings, such as MFA and modern authentication protocols, for all users and admins.
Conditional Access offers more advanced and flexible policies that allow you to customise your security settings based on various conditions and scenarios. You can only use one of these options at a time, so you need to decide which one suits your needs and requirements better. If you have a premium licence and want to have more control and granularity over your security settings, you should use Conditional Access. If you have a free licence or want to have a quick and easy way to enable security settings, you should use Security Defaults. Either way, you should always keep your security settings up to date and monitor your identity and access activities regularly.
How to enable Microsoft Azure AD Security Defaults?
Microsoft announced that security defaults will be enabled at creation for all tenants created after October 2019. If your tenant was created before this point, you may need to enable it manually. Here is how you can enable Microsoft Azure AD Security Defaults:
- Sign into the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
- Go to Azure Active Directory > Properties.
- Select Manage security defaults.
- And finally set Security defaults to **Enabled ** and click ‘Save’.
!Note: If you’re already using conditional access policies or other settings that conflict, you will get a warning.
How to disable Microsoft Azure AD Security Defaults?
If you have the option to use Conditional Access policies instead of the Security Defaults, you must disable them. Here is how.
- Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
- Go to Azure Active Directory > Properties.
- Then select ‘Manage security defaults’.
- Set Security defaults to Disabled (not recommended) and click ‘Save’.
Intelogy are dedicated to providing its customers with the best digital security. From encryption to network security and everything in between, we cover all the bases to keep your data safe and secure. Interested to find out more about our Microsoft 365 Security Services? Click here >
