Security Defaults: Microsoft changes baseline security requirements
Microsoft looks to secure 60 million vulnerable accounts by making Security Defaults like multi-factor authentication standard. Learn what it means for you.
Microsoft have announced that they are changing the security defaults for existing customers who have not yet updated security defaults or Azure AD Conditional Access.
It’s inevitable that despite the identity protocols and safeguards people put in place to block attacks, there’s always a risk that some will get through. Every one of these breaches has the potential to cause significant business harm. Many of these could be stopped with improved identity security hygiene. Requiring multi-factor authentication (known as MFA) is one of the most effective methods in stopping attacks.
In fact, when Microsoft look at compromised accounts, over 99.9% of them did not have MFA, meaning these accounts are vulnerable to popular hacking methods like password reuse, phishing, and password spray.
Having a dedicated team of security experts is not a luxury most companies can afford. Often, smaller companies may have no in-house IT team at all. Even if they know MFA is important, a company may not have the means or expertise to implement it. This makes these organisations the most vulnerable and means they experience the most compromises.
Microsoft decided to do something about this issue. In 2019, they enabled Security Defaults for new tenants, meaning that all new customers are provided with basic security measures automatically.
Security Defaults allow you to protect your organisation more easily against identity-related attacks, with pre-configured security settings that:
- Require all users to register for Azure AD MFA
- Require administrators to perform MFA
- Require users to perform multiple authentication when needed
- Block outdated authentication protocols
- Secure protected activities, such as access to the Azure Portal.
Most of these organisations just leave Security Defaults on, while others add even more security with Conditional Access, when they’re ready.
Fast forward to 2022 and more than 30 million organisations enjoy this level of protection. The companies are subject to 80% fewer compromises than Microsoft’s overall tenant population.
Now Microsoft is tackling the Azure tenants created before the introduction of Security Defaults, who may not have these features turned on since they need to manually enable them.
Historically, these customers would have to explicitly turn on features such as Identity Protection, Conditional Access, and MFA. But many companies were completely unaware that these options existed, all while the external environment for attacks became increasingly dangerous.
Microsoft is targeting around 60 million accounts created before 2019 that have not changed any of their security settings since the initial implementation. That’s a lot of accounts that will become much more secure.
What happens next?
Security Defaults prompts users for MFA when necessary, based on factors such as location, device, role and task. Because of the rights administrators have to make changes to your environment, they are required to perform MFA every time they log on.
Other users may not be prompted for MFA if, for example, their location and device are unchanged. This means that if you regularly log in on Monday mornings using your MacBook in the office or at home, you won’t have to log in with MFA each time you continue with this pattern of activity.
As mentioned above, Microsoft will not be rolling out this change centrally on a set date. Instead, they will roll it out incrementally, initially targeting organisations that are a ‘good fit’ for Security Defaults. What does a ‘good fit’ mean? In this case, Microsoft is referring to organisations that have not used Security Defaults before, that have not enabled Conditional Access and that are not using outdated authentication clients.
Notifications about these changes will be sent via e-mail to the Global Admins of the Microsoft environments. This might already be happening. By the end of June, Microsoft will start with the notification and Global Admins will see prompts when logging in, asking them to enable Security Defaults. This notification also warns that the Security Defaults will be automatically enabled within 14 days from then on.
Once the administrator has enabled the Security Defaults, all users will be prompted to register for MFA using the Microsoft Authenticator.
I don’t want to activate Security Defaults, what can I do?
There may be cases where an organisation doesn’t want to enable Security Defaults. If this applies to you, and you understand the risks associated with removing this basic level of security, it is possible to do so. An administrator can disable Security Defaults in the Azure AD properties or through the M365 administration centre.
Conditional Access instead of Security Defaults
If Security Defaults doesn’t give you enough flexibility, you can choose to disable it and use Conditional Access instead. Please note that you can’t use both.
Who should use Conditional Access?
If your organisation has complex security requirements, you should consider Conditional Access.
The modern security perimeter now extends beyond an organisation’s network to include the identity of users and devices. Organisations can use identity-driven signals as part of their access control decisions.
Conditional Access brings signals together to make decisions and enforce organisational policies. Azure AD Conditional Access is the heart of the new identity-driven control plane.
At their simplest, Conditional Access policies are if-then statements. If a user wants to access a resource, they must perform an action.
Example: A member of the Accounts team wants to access your payroll application. MFA is required before they gain access.
Administrators are faced with two primary objectives:
- Enable users to be productive anywhere, anytime
- Protect the organisation’s assets.
Use Conditional Access policies to apply the appropriate access controls, when needed, to keep your organisation safe.
IF signals that Conditional Access may use to make a policy decision include:
- User or group membership
- IP location information
- Real-time and calculated risk detection: Signal integration with Azure AD Identity Protection enables Conditional Access Policies to identify risky login behaviour. Policies can force users to change their password, carry out MFA, or block access until an admin reviews and takes manual action.
- Microsoft Defender for Cloud Apps: Enables real-time monitoring and management of user application access and sessions, increasing visibility and control over activity in your cloud environment.
Common THEN decisions that Conditional Access will consider include:
- Block access
- Grant access
Granted access may still require one or more of the following options:
- Require MFA
- Require device to be marked as compatible
- Require Hybrid Azure AD connected device
- Require approved client apps
- Require app security policy (preview).
Conditional Access policies can also help with common access issues such as:
- Require MFA for users with administrator roles
- Require MFA for Azure administration tasks
- Blocking logins for users trying to use legacy authentication protocols
- Requiring trusted locations for Azure AD MFA registration
- Block or grant access from specific locations
- Block risky login behaviour
- Require organisation-managed devices for specific applications.
To learn more about Security Defaults or Conditional Access, please contact us today. We’re happy to ask any questions you may have, and we can even implement Conditional Access for you.
Our specialists have the answer