Azure AD Security Defaults is a protection that is enabled in all new tenants. This is created to raise the security in Microsoft 365 to a better level. When security defaults is enabled you are not able to use Conditional Access. If to want better control and choose the rule by your self, the Conditional Access is the right solution. Microsoft has is today deprecated the 4 standard rules in Conditional Access and replaced is with security defaults.
Before an organization can enabled security defaults you need to consider what will be changed and if you have any solution that is depend on this change. It is not possible to made any change of settings, then you need to use Conditional Access. All organization that not have correct license and are in Small And Midsize Business should consider to enable security defaults.
What licenses do we need?
- Security Defaults is free to use for all users
- Conditional Access require Azure AD Premium 1 for all users
Whats is included in security defaults?
- Unified Multi-Factor Authentication registration
- Protecting administrators
- Protecting all users
- Blocking legacy authentication
- Protecting privileged actions
Unified Multi-Factor Authentication registration
All users in your tenant must register for multi-factor authentication (MFA). They have 14 days until the cannot sign-in anymore without registration for MFA. You only have the option to choose “Notification through mobile app”. If you need more authentication methods then enable Conditional Access.
Users with below administrator roles will be required to perform additional authentication every time they sign in.
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional Access administrator
- Security administrator
- Helpdesk administrator or password administrator
- Billing administrator
- User administrator
- Authentication administrator
Protecting all users
After users complete Multi-Factor Authentication registration, they’ll be prompted for additional authentication whenever necessary.
Blocking legacy authentication
To disabled bypass for MFA we need to disabled basic authentication based on MFA is not supported for that protocol. Before you enabled this block you need to get rid of all legacy application/protocol.
- Older Office clients that don’t use modern authentication (for example, an Office 2010 client)
- Any client that uses older mail protocols such as IMAP, SMTP, or POP3.
Protecting privileged actions
After you enable security defaults in your tenant, any user who’s accessing the Azure portal, Azure PowerShell, or the Azure CLI will need to complete additional authentication. This policy applies to all users who are accessing Azure Resource Manager, whether they’re an administrator or a user.
- Azure portal
- Azure PowerShell
- Azure CLI
Enabling security defaults
1, Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
2, Browse to Azure Active Directory > Properties.
3, Select Manage security defaults.
4, Set the Enable security defaults toggle to Yes.
5, Select Save.