🛡️ How to enable Azure AD Security Defaults in Microsoft 365?
What is Azure AD Security Defaults
Azure AD Security Defaults is a security feature in Azure Active Directory (Azure AD) that automatically enables recommended security settings for new tenants in Azure AD. These settings are designed to improve the security of the tenant and to protect users from known security threats.
Azure AD Security Defaults include:
- Mandatory password policy: A policy that requires passwords to be complex, unique, and regularly changed.
- Multi-factor authentication (MFA): A layer of security that requires users to confirm their identity using multiple methods, such as a code sent via SMS or a fingerprint reader.
- Brute force attack protection: A security measure that causes a temporary block to be placed on the account after a certain number of failed login attempts.
Azure AD Security Defaults is enabled by default for new tenants and can't be disabled. As an administrator, if you want to adjust the settings or enable additional security features, you can manage them through the security features in Azure AD.
At the bottom of this article, you can read how to enable Azure AD Security Defaults.
1. Registration of Multi-Factor Authentication
All users in your tenant will need to register for Multi-Factor Authentication (MFA).
Users have 14 days to register for Multi-Factor Authentication using the Microsoft Authenticator app.
After these 14 days, the user can only sign in with MFA once the registration is complete.
2. Enforce Multi-Factor Authentication for all users
After the above Multi-Factor Authentication registration is complete, the following 9 Azure AD administrator roles will need to perform additional authentication each time they sign in (default behavior):
- Global Administrator
- Conditional Access Admin
- Security Administrator
- Helpdesk Administrator or Password Administrator
- Billing Admin
- User Administrator
- Authentication Administrator
3. Secure all users with MFA
We usually think that admin accounts are the only accounts that need extra layers of security. Administrators have tremendous access to sensitive information and can make changes to settings for the entire organization.
When attackers gain access to such an account, they can act within the organization on behalf of the original account holder. They can download the entire directory to launch a phishing attack on your entire organization (phishing mail).
A common method for improving the security of all users is to require a stronger form of account verification: MFA.
4. Blocking legacy authentication
- Older Office clients that can't use modern authentication (for example, an Office 2010 client).
- Any client that uses older email protocols, such as IMAP, SMTP, or POP3.
What is POP3? POP3 (Post Office Protocol) is a protocol for retrieving mail with an email program such as Microsoft Outlook. With POP3 you always have your mailbox on your own PC. Upon retrieval, all incoming email messages are deleted from the server.
What is IMAP? IMAP can be configured on any computer without any mail being 'pulled' into the email client. IMAP is a protocol that is often used by applications. Ordinary Office 365 users don't need POP3 or IMAP.
Most sign-in attempts use legacy authentication. Legacy authentication doesn't support Multi-Factor Authentication.
After the security defaults are enabled in your tenant, all authentication requests made by a legacy protocol are blocked. Security defaults do not block Exchange ActiveSync. But maybe you also use the Outlook application: https://365tips.be/?p=289
5. Conditional Access
If you want to use Conditional Access based on groups and user roles, it's best not to choose this configuration.
If you want to configure it yourself, you can't use the defaults; you have to disable them.
Conditional Access = conditional access to a service, for example IF = "Unmanaged device".
6. How to enable Azure AD Security Defaults?
To enable security defaults in your directory:
Navigate to Azure Active Directory -> Properties.
Select Manage security defaults.
Set the Enable Default Settings option to Yes.
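The same check and change from PowerShell, as an added example that is not part of the original article: before enabling Security Defaults (section 6), it lists which users still sign in with legacy protocols that will be blocked (section 4), then reads and enables the policy. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the listed scopes; the 7-day window is a constructed value.

```powershell
# Added example (not from the original article): audit legacy-authentication
# sign-ins before turning on Security Defaults, then read and enable the policy.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin can consent to the scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All",
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who still signs in with legacy protocols (IMAP, POP3, SMTP, older Office)?
#    Security Defaults will block these sign-ins, so find them before enabling.
#    Sign-in logs are kept for a limited time; 7 days is a constructed window.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modernClients }

# One row per user and protocol, most frequent first, so the affected
# mailboxes (and any service accounts on IMAP/POP3/SMTP) are easy to spot.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Current state of Security Defaults in this tenant.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($policy.IsEnabled)"

# 3. Enable Security Defaults, equivalent to Azure Active Directory ->
#    Properties -> Manage security defaults -> Yes. Security Defaults cannot
#    be enabled while Conditional Access policies are in use (section 5).
if (-not $policy.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    "Now enabled: " + (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}
```

Run step 1 on its own first and clear or migrate the listed legacy clients (Exchange ActiveSync excepted, since Security Defaults does not block it) before running step 3.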