The Need for Azure AD Security Defaults

Security Defaults is an Azure Active Directory feature that has been around since 2019. Microsoft enables Security Defaults by default for new tenants created after October 2019 and recently announced that they will enable Azure AD security defaults to existing tenants. This article explores what Security Defaults deliver in terms of functionality and if it is the right fit for your organization.

In the early days of Office 365, multifactor authentication was not enabled by default as the need for it was much lower. The number of phishing attacks and brute force attempts directed specifically to Office 365 was low as the platform was not as popular, thus lowering the need for multifactor authentication. Now, more organizations have moved to the cloud, which makes Office 365 a much more interesting attack surface for hackers.

As somebody who works in Microsoft 365 security daily, I am often surprised by the sheer amount of phishing and login attempts attackers make against my customers. Security (and especially multifactor authentication, or MFA) is not an afterthought anymore; it should be baked into every organization by default.

A plethora of tools are available to secure tenants, such as Conditional Access and Identity Protection. Unfortunately, these tools require Azure Active Directory (AAD) Premium licenses that not every organization can afford. With the introduction of security defaults, Microsoft hopes to make security available to every organization.

Introducing Azure AD Security Defaults

Security Defaults in Azure Active Directory is Microsoft’s way to ensure the security of identities within tenants (independent of their licensing status). Security Defaults is a single configuration that enables several preconfigured controls for a tenant. At the time of writing, five settings are used:

  1. Require the registration of multifactor authentication for every user
  2. Require an end-user to do MFA when deemed necessary
  3. Require Azure AD administrators to do multifactor authentication
  4. Require multifactor authentication for privileged tasks in the Azure portal
  5. Block legacy authentication

Microsoft deems these settings to be the absolute minimum set of controls to which every tenant should adhere. Before turning on Azure AD security defaults, let us investigate what the impact will be for your end-users and administrators.

The last control in the list “blocking legacy authentication,” is a no-brainer and is something every organization should already have on its roadmap. Microsoft will begin the process of removing basic authentication for seven email connection protocols starting October 1, 2022, which is a good indication of how important they believe it is that users should stop using basic authentication. If people use up to date Outlook clients (both on mobile and desktop platforms), there should not be much impact for this control. It is important to assess the impact on service accounts, for which you can use this blog from Steve Goodman to identify potential blockers.

Controls 3 and 4 (require MFA for Azure AD and Azure administrators) are extremely important controls because administrators are often a target for attackers. If an attacker compromises an administrator account, they can take control over a tenant and impact multiple users. Each time an account assigned a specific Azure AD role logs in or somebody logs into an Azure management tool, they must use multifactor authentication. Most administrators already use multifactor authentication on other platforms, so having them approve sign-in requests should not have a significant impact.

The main impact is on end-users: after enabling security defaults, users will be required to register authentication methods within fourteen days. This registration only allows the use of the Microsoft Authenticator app and does not support text (SMS) messages or calls. After registration, users are prompted ‘when necessary’. The wording ‘when necessary’ can be confusing as you have no way of predicting the impact. In the backend, Azure AD evaluates each sign-in for risk. When a sign-in is deemed risky, multifactor authentication will be required.

Check out the Top 10 Security Events to Monitor in Azure Active Directory and Office 365 in this eBook.

Is Azure AD Security Defaults Right for You?

The answer to the question ‘Is Security Defaults right for you?’ depends on your organization and how much control you want. The main downside is that there is no way to provide exclusions for security defaults. It is either turned on for the entire tenant or not. This can make the implementation difficult when you have certain applications or services which are incompatible with multifactor authentication.

Another downside of security defaults is the permitted authentication methods. A regular Conditional Access multifactor authentication roll-out supports the following methods:

  • App notification through the Microsoft Authenticator
  • App code through Microsoft Authenticator or a third-party application
  • Call to phone
  • Text message

After enabling Azure AD security defaults, users only have access to the first two authentication methods, which can be problematic during a roll-out. This is because:

  • People cannot create a backup method. If they lose access to their phone, the IT department must reset their authentication method and allow them to register again.
  • Some people do not want to install a company app (like Authenticator) on their personal phone. This means the company needs to provide an alternative to support these users.

One thing is for sure, when you have the option to use Conditional Access, it should always be your first choice. Conditional Access allows you to mimic every security control Security Defaults has through a custom policy and allows you to have much more granularity and control. It is why Security Defaults is incompatible with Conditional Access. If you currently use Conditional Access, you cannot enable security defaults.

So, when is Azure AD Security Defaults right for you? It is a perfect tool for smaller organizations who might not have the in-house knowledge to create a security policy, but still want to remain secure. For this type of organization, Security Defaults is an amazing feature that delivers a lot of value.

The Curse of Licensing

For some organizations, security defaults might be a solution for 99% of their users, but some applications or services might not be compatible with these rules. I have seen organizations that planned to purchase AAD Premium licensing for the accounts incompatible with Azure AD Security Defaults, to secure them and use security defaults for all other user accounts. Unfortunately, this is impossible as you cannot turn on Security Defaults if Conditional Access is in place.

Pushing organizations into an all-or-nothing scenario is an infuriating decision by Microsoft. Using Conditional Access for a few outliers but securing the rest of the organization with Security Defaults is a valid scenario, as it incurs minimal cost. But Microsoft blocks this implementation method, much to the chagrin of some customers.

Microsoft’s Latest Announcement

Before closing, I briefly want to touch upon the impact of Microsoft’s announcement where they inform customers that they will be enabling security defaults for existing tenants if they do not use Conditional Access.

Such a change can have a major impact if imposed on an organization without proper planning. If you fall into this category, I strongly recommend looking into Conditional Access and disabling Azure AD Security Defaults.

I applaud Microsoft’s effort in helping organizations secure their tenants better. Having a tenant without multifactor authentication is not an option anymore. This change will help many smaller organizations that probably don’t realize the benefits Security Defaults will bring. With this change, Microsoft will protect tenants where security is an after-thought.

Closing Off

The answer to the question ‘Is Security Defaults right for you?’ is a difficult one. Security Defaults delivers a lot of value with a few downsides. There is no customization available which makes it difficult to implement. I would love to see some exclusions possibility for Azure AD Security Defaults, but I fear Microsoft will not allow that because they want to push customers to buy Azure Active Directory Premium licenses. I do recommend looking into Azure AD P1 licensing as it offers a lot of benefits (not only related to multifactor authentication), but if you don’t have these licenses, Security Defaults is a valid alternative to secure your tenant.

Check out the Top 10 Security Events to Monitor in Azure Active Directory and Office 365 in this eBook.

About the Author

Thijs Lecomte

Thijs is a security consultant out of Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists out of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.

Leave a Reply