Microsoft is starting to roll out Security Defaults for Azure AD for those who haven’t turned them on yet. Here’s what you need to know about it to prepare your team.
Microsoft announced recently that they are starting to roll out Security Defaults for tenants who haven’t already turned them on or are using Conditional Access. Alex Weinert, Director of Identity Security at Microsoft, wrote up a really good summary of the change that you should read first.
Security Defaults primarily focuses on leveling up your basic security hygiene, turning on identity and access controls like Multi-Factor Authentication (MFA) for everyone and enforcing greater protection for privileged activities like admin actions or accessing Azure. For smaller IT teams, those without IT teams, or those that simply didn’t know where to start securing Azure AD, this is an incredibly powerful move toward improving their overall security.
Admins of eligible tenants will receive an email giving them a heads-up about the change. According to Microsoft’s post, they will then get prompts to enable Security Defaults later this month, which they can defer for up to 14 days. So let the Azure admins and users in your company know ASAP: share this post with them and make sure they understand what to expect. Once enabled, users get a further 14 days to register for MFA.
For those of you who have already turned on these defaults or are using Conditional Access, nothing should change. If you’ve previously explicitly opted out of MFA and the other controls included in the defaults, Microsoft says you also won’t be affected. That said, you may also choose to opt out of this rollout – but please don’t! Microsoft has reported 99.9% of hacked accounts don’t have MFA so this change will prevent a lot of attacks.
What’s included in Security Defaults?
Microsoft has a detailed writeup on what Security Defaults means here. Primarily, it means all users have to register for MFA and they’ll be prompted to use it when necessary (“based on factors such as location, device, role and task”). Admins, or anyone accessing the Azure portal, have to use MFA on every login.
Security Defaults also blocks legacy authentication protocols. Microsoft adds, “even if you have a Multi-Factor Authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass Multi-Factor Authentication.” Essentially, if you’re using legacy authentication, MFA really isn’t being enforced and is easily bypassed.
There are a few additional measures included in Security Defaults, so take a look at Microsoft’s full list to know what to expect.
Do I need to do anything to prepare for the rollout?
We previously wrote some key points to consider when turning on Security Defaults and those are all still valid, so take a look at that post.
There are a few challenges to consider before enabling Security Defaults that we wanted to mention:
Everyone needs to use the Microsoft Authenticator app, which means everyone needs access to a smartphone they are willing to install the app on.
MFA will be enforced for all accounts - no exceptions.
Legacy authentication is blocked. This is a very good thing, but it may cause some disruption if you aren’t prepared for it. Microsoft has said that it will initially target organizations that aren’t actively using legacy authentication, but you should still be prepared for the change if you are using it. If you aren’t sure, you can follow this guide to see if legacy authentication is still in use for your tenant.
If any of those challenges are showstoppers for you, you’ll have to look at other MFA options for 365. Unfortunately, that means you need to make sure everyone has an Azure AD Premium P1 license so you can use Conditional Access. Or, you could opt out of Security Defaults so that nothing changes, but we wouldn’t recommend it: all the changes are being made with good reason.
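One way to do that legacy-authentication check over an exported sign-in log, as an added example that is not code from the original post or from Microsoft: it assumes the `clientAppUsed` field of Azure AD sign-in records, treats the two modern-auth values as the only non-legacy ones, and runs on a constructed sample export.

```python
import json
from collections import defaultdict

# clientAppUsed values that Azure AD sign-in logs report for modern authentication
# (assumption: anything else, e.g. IMAP4, POP3, Authenticated SMTP, Exchange
# ActiveSync or "Other clients", is a legacy protocol that Security Defaults block).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

def is_legacy_auth(client_app_used: str) -> bool:
    """True when a sign-in used a legacy (basic) protocol rather than modern auth."""
    return client_app_used not in MODERN_CLIENT_APPS

def summarise_legacy_auth(sign_ins):
    """Group legacy-auth sign-ins by user and protocol.

    Returns {upn: {clientAppUsed: {"count", "succeeded", "last_seen"}}}.
    Failed sign-ins are counted too: a client still trying basic auth will break
    once Security Defaults block it, even if its stored password is already wrong.
    """
    report = defaultdict(dict)
    for entry in sign_ins:
        app = entry.get("clientAppUsed", "")
        if not is_legacy_auth(app):
            continue
        bucket = report[entry["userPrincipalName"]].setdefault(
            app, {"count": 0, "succeeded": 0, "last_seen": ""})
        bucket["count"] += 1
        if entry.get("status", {}).get("errorCode", 1) == 0:
            bucket["succeeded"] += 1
        # ISO-8601 UTC timestamps in one format compare correctly as strings
        bucket["last_seen"] = max(bucket["last_seen"], entry.get("createdDateTime", ""))
    return dict(report)

# Constructed sample in the shape of a Microsoft Graph /auditLogs/signIns export
# (not real tenant data; users, dates and apps are made up for this example).
SAMPLE_SIGN_INS = json.loads("""[
 {"createdDateTime": "2020-06-01T08:00:00Z", "userPrincipalName": "alice@example.com",
  "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-06-01T08:05:00Z", "userPrincipalName": "bob@example.com",
  "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-06-02T09:10:00Z", "userPrincipalName": "bob@example.com",
  "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
 {"createdDateTime": "2020-06-02T10:00:00Z", "userPrincipalName": "scanner@example.com",
  "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
 {"createdDateTime": "2020-06-03T07:30:00Z", "userPrincipalName": "carol@example.com",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
]""")

if __name__ == "__main__":
    for upn, protocols in summarise_legacy_auth(SAMPLE_SIGN_INS).items():
        for app, stats in protocols.items():
            print(f"{upn}: {app} x{stats['count']} ({stats['succeeded']} succeeded, "
                  f"last seen {stats['last_seen']})")
```

Every user and protocol the report lists is something that will stop working once legacy authentication is blocked, so each needs a modern-auth client or a different approach before the rollout.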
This is a good thing for security
Overall, this is a very powerful move for security and will level up the security hygiene for all those organizations who don’t have the resources to think hard about security - Microsoft estimates it will enhance the protection of around 60 million accounts! The only downside in our opinion is that to use granular controls (e.g. break glass accounts, enhanced protection for VIPs etc.) around MFA and access, you need to pay for the higher tier Azure AD Premium P1 license and use Conditional Access.
Microsoft’s rationale is that if you have those sorts of “complex requirements”, you should already be on the higher tier since Security Defaults are intended for organizations who don’t have the resources to consider security.
Should tech leaders require that users pay more to get the strongest access controls to their product? I bet you can guess our answer to that question… Hit us up on Twitter to discuss.