Make your organisation more secure with a single click thanks to Azure AD Security Defaults

Make your organisation more secure with a single click thanks to Azure AD Security  Defaults

Azure AD Security Defaults

Security standards in Azure Active Directory (Azure AD) make it easier to protect your organisation.

In this article you can read about the technical details of this standard implementation. A better alternative to the Azure AD Baseline Policy!

A perfect start in a migration to Office 365!

1. Registration Multi-Factor Authentication

All users in your Tenant will need to register for multi-factor authentication(MFA)

Users have 14 days to register for Multi-Factor Authentication using the Microsoft Authenticator app.

After these 14 days, the user must log on with MFA only after the registration has been completed.

2. Enforcing Multi-Factor Authentication

Securing administrators

After the above registration with Multi-Factor Authentication is complete , the following 9 Azure AD administrators will need to perform additional authentication each time they log on. (default behaviour)

  • Global administrator
  • SharePoint-manager
  • Exchange-manager
  • Conditional access manager
  • Security administrator
  • Helpdesk administrator or password administrator
  • Billing Manager
  • User Administrator
  • Administrator authentication

3. Secure all users

We tend to think that administrator accounts are the only accounts that need extra layers of security. Administrators have enormous access to sensitive information and can make changes to settings for the entire organisation. But attackers/hackers often target end-users.

When these hackers gain access, they can claim access to the organisation on behalf of the holder of the original account. They can download the entire directory to carry out a phishing attack on your entire organisation. (phishing mail)

A common method for improving the security of all users is to require a stronger form of account verification. MFA.

4. Blocking legacy authentication!

Older Office clients that cannot use modern authentication (e.g. an Office 2010 client).

Any client using older e-mail protocols, such as IMAP, SMTP or POP3.

What is pop3? POP3(Post Office Protocol) is a protocol for retrieving mail using an e-mail programme such as Microsoft Outlook. With POP3 you always have your mailbox on your own PC. All incoming e-mail messages are deleted when retrieving them.

What is IMAP? IMAP can be configured on any computer without mails being 'pulled' into the e-mail client. IMAP is a protocol that is often used in applications. Ordinary Office 365 users do not need POP3 or IMAP.

Most attempts to log on with outdated authentication. Legacy authentication does not support Multi-Factor Authentication.

After the default security settings are enabled in your Tenant, all authentication requests performed by an older protocol will be blocked. Default security settings do not block ExchangeActiveSync. But maybe you also use the Outlook application.

5. Conditional access

You can also start conditional access on groups and user roles yourself. In that case, it is best not to choose this configuration.

If you want to do it yourself, you cannot use the defaults and you have to disable it.

Conditional access = Granting access to a service on conditions. IF="Unmanaged device"
THEN="Require MFA"


6. How can you enable this default?

Enable default security settings in your Directory:

Sign in to theAzure Portal as a security administrator, conditional access administrator, or global administrator. -> Enable Security defaults - Microsoft Azure

Navigate to -> Azure Active Directory -> properties.

Select Manage default security settings.

Set the Enable default settings option to Yes.

Select Save.

Warning message that you may have default settings or conditional access

Every organisation should start with this implementation at the start of a Office 365 project.



Welcome to On this website you can read articles and experiences about Office 365 with focus on Microsoft Teams. Feel free to ask me a question and I will answer it in a blog post. Help others by giving feedback at the bottom of the articles. This blog is made in Dutch. The multilingual website is offered with best-effort machine translation.
0 0 votes
Product review
Please let us know if there are
0 Reactions
Inline feedbacks
See all comments
Would love to know your thoughts, please leave a comment.x