Switch on “Security Defaults” to secure your Azure AD tenant
Switch on Security Defaults
One switch to enable the recommended security settings that will protect your tenant from common attacks.
Baseline Policies
Microsoft have for a few years intended to protect your Azure AD tenant out of the box, and have let administrators enable any or all of the four baseline policies that are created automatically in Conditional Access in Azure AD.
In 2014, we started making these technologies available to our Azure Active Directory (AD) organizational customers, and we’ve learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/bc-p/1099586#M1865
These four policies are due to be deprecated on the 29th February 2020 and replaced by something called “Security Defaults”.
The four baseline policies were:
- Require MFA for admins (preview)
- End user protection (preview)
- Block legacy authentication (preview)
- Require MFA for service management (preview)
Security Defaults
Security defaults contain all the settings pre-configured to protect organisations from common attacks such as:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA – mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients, which can’t do MFA.
Microsoft will be adding more over time, but since MFA prevents 99.9% of account compromise, they feel this is a good start.
Switch security defaults on
To switch security defaults on, you first have to know where to find it. In Azure Active Directory, under the “Manage” section on the left, click “Properties”, then look for the “Manage Security defaults” hyperlink at the bottom of the page.
When you click on it, a fly-out on the right gives you that “one switch to rule them all”.
Don’t forget to click save.
That’s it, unless…
Unless
There are instances where you can’t switch Security Defaults on, or where you are first warned about changes you are about to make.
- If you have already enabled any of the four baseline policies, you will be warned that enabling security defaults will remove all Baseline policies from your tenant. (This is a one-way switch: you can’t go back to baseline policies once you do this, because they are removed from the tenant.)
- You can’t enable Security defaults if you have custom Conditional Access policies enabled (in other words, you have Azure AD P1 or P2).
- You can’t enable security defaults if you have “Classic policies” enabled. Classic policies are Conditional Access policies you created in:
- The Azure classic portal
- The Intune classic portal
- The Intune App Protection portal
- If you have Identity Protection (an Azure AD P2 feature), you also can’t enable Security defaults.
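The same switch is exposed through Microsoft Graph as the identitySecurityDefaultsEnforcementPolicy resource, which lets you script the check before you flip it. The following is an added example, not code from the original post or from Microsoft: it reads the current state and the Conditional Access policy list, applies the Conditional Access-related “Unless” cases above (custom policies block the switch; baseline policies are removed by it), and only then PATCHes isEnabled. It assumes you already hold a Graph access token with Policy.ReadWrite.ConditionalAccess, that baseline policies appear in the Conditional Access list with display names starting “Baseline policy:”, and it reads only the first page of results.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
SECURITY_DEFAULTS_URL = f"{GRAPH}/policies/identitySecurityDefaultsEnforcementPolicy"
CA_POLICIES_URL = f"{GRAPH}/identity/conditionalAccess/policies"


def graph_call(token, method, url, body=None):
    """Minimal Graph request helper; returns the decoded JSON body ({} on 204)."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def assess(security_defaults, ca_policies):
    """Pure decision logic mirroring the portal's warnings, so it can run offline.

    Returns (verdict, policy_names). Assumption: the legacy baseline policies are
    listed among Conditional Access policies with names starting 'Baseline policy:'.
    """
    if security_defaults.get("isEnabled"):
        return "already_on", []
    names = [p.get("displayName", "") for p in ca_policies]
    baseline = [n for n in names if n.lower().startswith("baseline policy")]
    custom_enabled = [p.get("displayName", "") for p in ca_policies
                      if p.get("displayName", "") not in baseline and p.get("state") == "enabled"]
    if custom_enabled:  # custom Conditional Access policies block the switch entirely
        return "blocked_by_conditional_access", custom_enabled
    if baseline:        # switch is allowed, but these policies are removed for good
        return "warn_baseline_removed", baseline
    return "ready", []


def enable_security_defaults(token, accept_baseline_removal=False):
    """Switch Security Defaults on only when the tenant state allows it (first page only)."""
    sd = graph_call(token, "GET", SECURITY_DEFAULTS_URL)
    cas = graph_call(token, "GET", CA_POLICIES_URL).get("value", [])
    verdict, names = assess(sd, cas)
    if verdict == "ready" or (verdict == "warn_baseline_removed" and accept_baseline_removal):
        graph_call(token, "PATCH", SECURITY_DEFAULTS_URL, {"isEnabled": True})
        return "enabled", names
    return verdict, names


# Constructed sample Graph responses (not real tenant data) for offline checks.
SAMPLE_SD_OFF = {"isEnabled": False}
SAMPLE_CA_BASELINE_ONLY = [
    {"displayName": "Baseline policy: Require MFA for admins (Preview)", "state": "enabled"}]
SAMPLE_CA_CUSTOM = SAMPLE_CA_BASELINE_ONLY + [
    {"displayName": "Require compliant device for Exchange", "state": "enabled"}]
```

Report-only custom policies (state enabledForReportingButNotEnforced) are not counted as enabled, matching the portal's wording that only enabled custom policies block the switch.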
Who should enable Security defaults?
While Microsoft are providing and managing these security defaults on behalf of organizations, they are not for every organisation.
If you have Azure AD Free or Azure AD Office 365 Apps (included with O365), your organisation will benefit from Security Defaults. Read more about Security defaults in the official documentation, especially the deployment considerations.
If you have sophisticated security policies such as break-glass accounts, device-compliance-based MFA or other custom conditional access policies, you will want the rich granularity of conditional access policies, which you only get with Azure AD P1 or P2 (also part of Microsoft 365 E3 or E5 and EM+S E3 or E5). Be sure to implement the same security settings in your custom policies by following this handy guide.