Back in July 2018, Microsoft started work on baseline security policies for Azure AD. These included core policies for:
- Require MFA for Service Management
- Require MFA for admins
- Block Legacy authentication
- Require MFA for users
Security Defaults only enable a basic, core level of protection; additional or advanced configuration can be achieved with Conditional Access, which is part of Azure AD Premium.
Security Defaults is the generally available version of Azure Active Directory Baseline Protection policies and is available today to all tenants. Microsoft will be gradually replacing Baseline Protection policies with Security Defaults starting February 29th, 2020.
This message is associated with Microsoft 365 Roadmap ID 55688.
How does this affect me?
If you’ve enabled or are using Azure Active Directory Baseline Protection policies, these policies will stop being enforced from February 29th, 2020. You will need to either move to Security Defaults or configure equivalent Conditional Access policies.
If you are interested in protecting your organisation from identity-related attacks, tenant admins will be able to implement a basic level of identity security in their tenant with just one click. Enabling Security Defaults will do the following:
- Require all users and admins to register for Multi-Factor Authentication (MFA)
- Challenge users whenever our systems indicate it’s necessary – mostly when users show up on a new device or app, but more often for critical roles and tasks
- Prevent users from using legacy authentication clients, which can’t do multi-factor authentication. Security Defaults will soon block authentication requests made from Exchange Active Sync basic authentication.
To learn more about Security Defaults, review: What are security defaults?
What do I need to do to prepare for this change?
Migrating off Baseline Protection
Baseline protection policies will stop being enforced from February 29th, 2020. If you are using one or more Azure Active Directory Baseline Protection policies, you will need to move off baseline protection before then. If you are looking to enable similar identity security protection in your tenant, you can enable Security Defaults or configure equivalent Conditional Access policies.
Enabling Security Defaults
Administrators can enable or disable Security Defaults. This feature is usually switched off by default, but you might have it on if your tenant was created on or after October 22nd, 2019. Security Defaults can be enabled/disabled by going to Azure Portal -> Properties -> Manage Security Defaults.
Security Defaults prevents users from using legacy authentication clients, which can’t do multi-factor authentication. These are normally authentication requests that are made using IMAP, SMTP, and POP3. In the coming month, Security Defaults will begin to block Exchange Active Sync basic authentication as well. Before enabling Security Defaults, be sure to go through the legacy authentication guide to understand how to prepare for this block and move over to modern authentication.
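As an added example (not from Microsoft or the original article), one way to prepare for the block is to inventory which accounts still sign in over the legacy protocols named above. The script assumes a JSON export of sign-in records with `userPrincipalName` and `clientAppUsed` fields; the sample records and the client label strings are constructed and should be matched to your own export.

```python
import json
from collections import defaultdict

# Protocols the article lists as legacy authentication. The label strings are
# assumptions; match them to the values your own sign-in export contains.
LEGACY_CLIENTS = {"imap4", "pop3", "authenticated smtp", "exchange activesync"}

# Constructed sample export (illustrative records, not real tenant data).
SAMPLE_EXPORT = """[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4"},
 {"userPrincipalName": "Bob@example.com", "clientAppUsed": "IMAP4"},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP"},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync"},
 {"userPrincipalName": "scanner@example.com", "clientAppUsed": "POP3"},
 {"userPrincipalName": "dave@example.com", "clientAppUsed": null}
]"""

def load_sample():
    """Parse the constructed sample export into a list of records."""
    return json.loads(SAMPLE_EXPORT)

def legacy_auth_inventory(records):
    """Return ({user: {client: count}}, unclassified) for legacy sign-ins.

    Records without a client label are counted as unclassified rather than
    silently treated as modern authentication.
    """
    inventory = defaultdict(lambda: defaultdict(int))
    unclassified = 0
    for rec in records:
        client = (rec.get("clientAppUsed") or "").strip()
        user = (rec.get("userPrincipalName") or "<unknown>").lower()
        if not client:
            unclassified += 1
        elif client.lower() in LEGACY_CLIENTS:
            inventory[user][client] += 1
    return {u: dict(c) for u, c in inventory.items()}, unclassified

def report(inventory):
    """Flatten the inventory into sorted 'user<TAB>client<TAB>count' lines."""
    return [f"{user}\t{client}\t{n}"
            for user in sorted(inventory)
            for client, n in sorted(inventory[user].items())]

if __name__ == "__main__":
    inv, unknown = legacy_auth_inventory(load_sample())
    print("\n".join(report(inv)))
    print(f"records with no client label: {unknown}")
```

Accounts that appear in the report need to move to modern authentication before Security Defaults is switched on; a non-zero unclassified count means the export should be checked before treating the tenant as clean.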
To learn more about Security Defaults and these changes, please see the Additional Information.
If you need any help or assistance, please contact your Ultima Account Manager, or call us on: 0333 015 8000.
Written by Michael Skitt, Solutions Architect