In my last post I covered how to enable security defaults in Microsoft 365 (or Azure Active Directory, to be specific). It is really simple to do and you can view that article here. What wasn’t covered then is how you, as your company’s M365 administrator, can plan the rollout of security defaults in your organisation.
Why use Security Defaults?
Security defaults is a group of pre-configured settings that help protect your organisation. It covers controls such as requiring users to register for multi-factor authentication, requiring modern authentication (legacy authentication is blocked) and protecting privileged roles such as administrators.
It is especially useful if you are unable to use premium features such as Conditional Access due to licensing constraints, as it allows you to protect your environment at no additional cost.
Need to knows!
- If your users have not registered for multi-factor authentication, they will be asked to register on their first sign-in after you have enabled security defaults.
- Users will be required to use the Microsoft Authenticator app on their mobile device to register.
- Users will be challenged for multi-factor authentication occasionally, based on factors such as location, device and the task being performed.
- All Microsoft 365 administrators will have multi-factor authentication enforced every time they sign in.
- Legacy (basic) authentication is blocked, which affects clients that use it over protocols such as IMAP, POP3 and SMTP AUTH. That means older mobile devices, mail clients and devices such as scanners or printers that send mail may stop working.
- The per-user multi-factor authentication status you see in Microsoft 365 may still show as “Disabled”, even with security defaults enabled. This is normal: security defaults enforce MFA independently of the per-user MFA settings, so that page is not the place to check whether security defaults are on.
Before you enable security defaults
There are some steps you should consider before enabling security defaults and plenty of preparation that can be done. It can be broken down quite simply:
- You should communicate the intended changes to staff, with valid reasoning and from the right person. This will hopefully prevent a lot of “why?” and “what for?” and get people on board.
- You should set staff’s expectations: they will most likely need to install the Microsoft Authenticator app on their personal mobile phone, and not all staff may want to use their personal device.
- Guide staff on registering for multi-factor authentication. You can give staff directions to register in their own time in the build-up to enabling security defaults. A useful short link is: https://aka.ms/MFASetup
- Review legacy platforms that are connected to your environment (older mail clients, scanners and printers that send mail, line-of-business applications). Migrate to modern authentication, or remove, anything that connects to Exchange Online using basic authentication over IMAP, POP or SMTP.
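The last two preparation steps (who still needs to register for MFA, and what is still using legacy authentication) can be checked up front rather than discovered on the day. The script below is an added example for this post, not something from the original article or from Microsoft, and it uses the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed, that you sign in as an administrator who can consent to the read-only scopes listed, and that the output file names are just illustrative. It also reports the authoritative security defaults state, which is the check to use instead of the per-user MFA page.

```powershell
# Added example (not from the original post): pre-flight checks before enabling
# security defaults, using the Microsoft Graph PowerShell SDK.
# Assumption: Install-Module Microsoft.Graph has already been run.

# Read-only scopes only: policy state, MFA registration report and sign-in logs.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Authoritative security defaults state. The per-user MFA page can show
#    "Disabled" even when security defaults are on, so check the policy itself.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults currently enabled: $($policy.IsEnabled)"

# 2. Users who have not yet registered for MFA. These are the people who will be
#    prompted to register on their first sign-in once security defaults is enabled,
#    so this is the list to target with the https://aka.ms/MFASetup guidance.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
"Users not registered for MFA: $(@($notRegistered).Count)"
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path .\mfa-not-registered.csv -NoTypeInformation   # illustrative file name

# 3. Sign-ins that used legacy (basic) authentication. These client app names are
#    the values Entra ID reports in the sign-in logs for legacy clients; anything
#    listed here will stop working when security defaults block legacy auth.
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services',
    'Universal Outlook'
)

# Look back 30 days (the maximum retained with a P1/P2 licence; 7 days otherwise).
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $legacyClients -contains $_.ClientAppUsed -and
        $_.Status.ErrorCode -eq 0      # successful only: failed attempts are usually
    }                                  # password spray, not a real dependency

# One row per account and protocol, so each row is a migration/removal task.
$legacyReport = $legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User       = $first.UserPrincipalName
            ClientApp  = $first.ClientAppUsed
            App        = $first.AppDisplayName
            SignIns    = $_.Count
            LastSeen   = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            LastIp     = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].IpAddress
        }
    } | Sort-Object SignIns -Descending

"Accounts still using legacy authentication: $(@($legacyReport).Count)"
$legacyReport | Format-Table -AutoSize
$legacyReport | Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation   # illustrative file name
```

Two caveats. Reading sign-in logs through Microsoft Graph needs an Azure AD Premium (P1 or P2) licence in the tenant; without one, step 3 will fail and you will have to review the sign-in logs in the portal instead, where only the last seven days are kept. And a mailbox that is only polled by a device (a scanner, say) will appear under that device’s mailbox account rather than a person, so the `User` column is the mailbox, not necessarily who to talk to.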
I have Azure AD Premium, should I use conditional access instead?
Simply from a control perspective, I think you should. Security defaults is great, but you have far less control over how the protection is applied: it is all or nothing. Conditional Access gives you templated baseline policies to deploy, and lets you build in exceptions where they are genuinely needed (an emergency access account, or a named service account that still needs a legacy protocol while it is migrated). Note that the two are mutually exclusive: security defaults must be turned off before Conditional Access policies can be enabled, so plan the swap rather than expecting them to layer. You can take a look at the Microsoft Learn document on common Conditional Access policies.