How to improve your Office 365 tenant security by configuring Security Defaults. This is a guide for Office 365 administrators.
Update: Microsoft are now enabling Security Defaults for new tenants.
All Office 365 customers can now significantly improve the security of their tenant regardless of which licenses they hold. Previously this kind of configuration required an Azure AD Premium P1 license, or a bundle containing it such as EMS, so this is great news for smaller customers with only Office 365 Business or E3 licenses and no Azure AD Premium. All of these types of customers should enable this as soon as possible, as we are doing for our clients.
Before you enable Security Defaults, which you absolutely should unless you are already implementing something similar yourself with Conditional Access, you need to be aware of the impact on users:
- All users must register for multifactor authentication (MFA) within 14 days, counted from the next time each user logs in. MFA can only use push notifications to the Microsoft Authenticator app; other MFA types such as SMS or phone call are not supported.
- Accounts holding administrator roles will be required to use MFA every time they log in.
- Normal users will be prompted for MFA occasionally, when Microsoft detect a ‘risky’ sign-in.
- Legacy (basic) authentication is blocked. This blocks clients that cannot use modern authentication, such as Outlook 2010, and the IMAP, POP3 and authenticated SMTP (client submission, not mail flow) protocols. This does not affect ActiveSync clients.
- Users accessing the Azure portal, Azure PowerShell, or the Azure CLI will require MFA.
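Because the legacy authentication block above is the change most likely to break something (shared mailboxes polled over IMAP, multifunction printers sending via authenticated SMTP), it is worth checking the Azure AD sign-in logs for legacy protocol use before you flip the switch. The following PowerShell is an added example and not part of the original post: it takes a CSV export of the sign-in logs and lists which users still sign in with anything other than a modern-auth client. The column names ("Username", "Status", "Client app") follow the portal's CSV export but are an assumption, and the sample rows are constructed for this example; point `ConvertFrom-Csv` at your own export to use it for real.

```powershell
# Added example (not from the original post): find users still using legacy/basic
# authentication, which Security Defaults will block once enabled.
# Assumes a CSV export of the Azure AD sign-in logs with the columns below
# (an assumption about the export format); the rows here are constructed sample data.
$sampleCsv = @'
Date (UTC),Username,Application,Status,Client app
2020-01-06T08:12:31Z,alice@contoso.example,Office 365 Exchange Online,Success,IMAP4
2020-01-06T08:15:02Z,bob@contoso.example,Office 365 Exchange Online,Success,Browser
2020-01-06T08:20:45Z,scanner@contoso.example,Office 365 Exchange Online,Success,Authenticated SMTP
2020-01-06T09:01:10Z,alice@contoso.example,Office 365 Exchange Online,Success,Mobile Apps and Desktop clients
2020-01-06T09:05:55Z,carol@contoso.example,Office 365 Exchange Online,Success,Exchange ActiveSync
2020-01-06T09:30:00Z,dave@contoso.example,Office 365 Exchange Online,Failure,POP3
2020-01-06T10:11:12Z,dave@contoso.example,Office 365 Exchange Online,Success,Other clients
'@

# Only these two "Client app" values represent modern authentication in the sign-in
# logs; everything else is a legacy protocol. Exchange ActiveSync is flagged separately
# because the post notes that Security Defaults leave ActiveSync clients alone.
$modernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthUsers {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns
    )
    # Successful sign-ins only: a failed legacy sign-in is noise for this purpose.
    $SignIns |
        Where-Object { $_.Status -eq 'Success' -and $modernClientApps -notcontains $_.'Client app' } |
        Group-Object Username |
        ForEach-Object {
            $protocols = @($_.Group.'Client app' | Sort-Object -Unique)
            [pscustomobject]@{
                Username                 = $_.Name
                LegacySignIns            = $_.Count
                Protocols                = $protocols -join ', '
                # Anything other than ActiveSync will stop working under Security Defaults.
                BlockedBySecurityDefaults = @($protocols | Where-Object { $_ -ne 'Exchange ActiveSync' }).Count -gt 0
            }
        } |
        Sort-Object LegacySignIns -Descending
}

$signIns = $sampleCsv | ConvertFrom-Csv
Get-LegacyAuthUsers -SignIns $signIns | Format-Table -AutoSize
```

On the sample data this reports alice (IMAP4), scanner (Authenticated SMTP) and dave (Other clients) as blocked, and carol (Exchange ActiveSync) as legacy but not blocked; dave's failed POP3 attempt is ignored. Each blocked user or service account needs either a modern-auth client or, for devices that cannot do modern auth, a different sending path before Security Defaults go on.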
See https://aka.ms/securitydefaults for more info.
This is simple to enable:
- Log in to the Azure AD portal using a global admin account at https://aad.portal.azure.com
- Click on Properties on the left
- Click on Manage Security Defaults link at the bottom
- Click Yes to enable
- Click Save:
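The same change can be made from PowerShell, which is handy when you look after several tenants. The script below is an added example, not something from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK (assumed to be installed with `Install-Module Microsoft.Graph`) to read the current state, refuse to proceed if the tenant already has enabled Conditional Access policies (the situation the portal warns about), and otherwise enable Security Defaults. The function name `Enable-SecurityDefaults` is ours; the `Get-`/`Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy` and `Get-MgIdentityConditionalAccessPolicy` cmdlets are the SDK's own.

```powershell
# Added example (not from the original post): enable Security Defaults via Microsoft Graph.
# Assumes the Microsoft.Graph modules are installed and the account used for
# Connect-MgGraph holds a Global Administrator role in the tenant.
Import-Module Microsoft.Graph.Identity.SignIns

function Enable-SecurityDefaults {
    param([switch] $WhatIf)

    # Policy.Read.All lets us list Conditional Access policies;
    # Policy.ReadWrite.ConditionalAccess covers the security defaults enforcement policy.
    Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

    $current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($current.IsEnabled) {
        Write-Host 'Security Defaults are already enabled; nothing to do.'
        return $current
    }

    # The portal warns that Baseline and Conditional Access policies conflict with
    # Security Defaults. If enabled CA policies exist, keep those instead and stop here.
    $activeCa = @(Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' })
    if ($activeCa.Count -gt 0) {
        Write-Warning ("Tenant has {0} enabled Conditional Access policies; review these instead of enabling Security Defaults:" -f $activeCa.Count)
        $activeCa | Select-Object DisplayName, State | Format-Table -AutoSize | Out-String | Write-Warning
        return $current
    }

    if ($WhatIf) {
        Write-Host 'WhatIf: would enable Security Defaults now.'
        return $current
    }

    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

    # Read the policy back rather than trusting the update call alone.
    $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host ("Security Defaults enabled: {0}" -f $after.IsEnabled)
    return $after
}

# Dry run first; drop -WhatIf to apply the change.
Enable-SecurityDefaults -WhatIf
```

Run it once with `-WhatIf` to confirm the tenant has no enabled Conditional Access policies, then without it to enable. The 14-day MFA registration window for users starts from their next sign-in after this, exactly as with the portal route.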
Note that if you have Baseline policies enabled, you will receive a warning that they will be removed:
If you have created your own Conditional Access policies, you will receive a similar warning. If you are licensed for Conditional Access then you should stick with your custom policies, just make sure you have some sensible policies configured. They can get complicated; see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common for a good place to start.
Also see https://cloudrun.co.uk/office365/increasing-your-account-security-with-office-365-security-defaults-for-users/ for the user impact of enabling security defaults.