Increase your Office 365 security for free with Security Defaults (for admins)


How to improve your Office 365 tenant security by configuring Security Defaults. This is a guide for Office 365 administrators.

Update: Microsoft are now enabling Security Defaults for new tenants.

All Office 365 customers can now significantly improve the security of their tenant regardless of which licenses they have. Previously this kind of configuration required an Azure AD Premium P1 license, or a bundle containing it such as EMS, so this is great news for smaller customers with only Office 365 Business or E3 licenses and no Azure AD Premium. All such customers should enable this as soon as possible, as we are doing for our clients.

Before you enable Security Defaults, which you absolutely should if you aren’t implementing something similar yourself with Conditional Access, you need to be aware of the impact on users:

  • All users must register for multifactor authentication (MFA) within 14 days, starting from the next time they log in. MFA must be set up using push notifications to the Microsoft Authenticator app, although other methods can be added as well (SMS, phone call, etc.).
  • Administrator roles will be required to use MFA every time they log in.
  • Normal users will require MFA occasionally, when Microsoft detect a ‘risky’ sign-in.
  • Legacy (basic) authentication is blocked – this blocks Outlook 2010, IMAP, SMTP and POP3. This does not affect ActiveSync clients. I have, however, seen some users get quarantined in Exchange Online, so watch out for that.
  • Users accessing the Azure portal, Azure PowerShell, or the Azure CLI will require MFA.

See https://aka.ms/securitydefaults for more info.

Check if you have Modern Authentication enabled

Before enabling Security Defaults, and if this is not a brand new tenant, make sure to check whether you have modern authentication enabled. Connect to Exchange Online using PowerShell (see https://docs.microsoft.com/en-us/powershell/exchange/mfa-connect-to-exchange-online-powershell?view=exchange-ps).

Check if it is enabled:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

If OAuth2ClientProfileEnabled is False, you need to enable it:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
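The two commands above can be combined into a single idempotent check that only changes the tenant when it has to and verifies the result afterwards, which matters because Security Defaults will block basic authentication regardless of whether modern auth is ready. This is an added example written for this post, not a script from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the account used holds the Exchange administrator role.

```powershell
# Added example: check Modern Authentication (OAuth2) in Exchange Online and
# enable it only if it is currently off. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account is an Exchange administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$config = Get-OrganizationConfig
if ($config.OAuth2ClientProfileEnabled) {
    Write-Host "Modern Authentication is already enabled for $($config.Name). Nothing to do."
} else {
    Write-Host "Modern Authentication is DISABLED for $($config.Name); enabling it now."
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

    # Re-read the setting instead of trusting that the call silently succeeded.
    $after = Get-OrganizationConfig
    if (-not $after.OAuth2ClientProfileEnabled) {
        throw "OAuth2ClientProfileEnabled is still False; check that the account has the Exchange administrator role."
    }
    Write-Host "Modern Authentication is now enabled."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once before enabling Security Defaults and once afterwards; the second run should report nothing to do. The re-read after Set-OrganizationConfig is deliberate: the cmdlet returns no output on success, so checking the value again is the only way to be sure the change took effect before you go on to block legacy authentication.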

Check for users with MFA enforced

Now, login to the portal at https://admin.microsoft.com/

Click Users > Active Users > Multi-Factor authentication

This window is the old way of enabling MFA; since you will be using Security Defaults, you need to turn this off. You should also do that if you are using Conditional Access based MFA.

So filter to Enforced and click Disable for any users who have MFA enforced (otherwise they will still be prompted every single time, rather than only occasionally).

Enable Security Defaults

  • Log in to the Azure AD portal using a global admin account at https://aad.portal.azure.com
  • Click on Properties on the left
  • Click on Manage Security Defaults link at the bottom
  • Click Yes to enable
  • Click Save.

Note that if you have Baseline policies enabled, you will receive a warning that they will be removed.

If you have created your own Conditional Access policies, you will receive a similar warning. If you are licensed for Conditional Access then you should stick with your custom policies; just make sure you have some sensible policies configured. They can get complicated, so see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common for a good place to start.

Also see https://cloudrun.co.uk/office365/increasing-your-account-security-with-office-365-security-defaults-for-users/ for the user impact of enabling Security Defaults.

Note that once MFA is enabled, users can modify their phone numbers etc. by visiting http://aka.ms/mfasetup. Also note that if you look at users’ MFA settings (e.g. via portal.office.com / Users / Multi-Factor Authentication), the users will not show as having MFA enabled. This is because Security Defaults uses Conditional Access based MFA rather than per-user enforced MFA. You can see whether users are enrolled using PowerShell (the MSOnline module):

See who has not enrolled yet:

Get-MsolUser -all | Where{!$_.StrongAuthenticationMethods} | select UserPrincipalName

Or list all users with their status:

Get-MsolUser -All | Sort-Object UserPrincipalName | ft UserPrincipalName,StrongAuthenticationMethods
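The two one-liners above tell you who is and is not registered, but during the 14-day window an admin usually wants a little more: which method each user registered, which is their default, whether any leftover per-user enforcement from the old MFA page is still in place, and a list of unregistered users to chase. The following report does that with the same MSOnline cmdlets. It is an added example written for this post, not code from the original article or from Microsoft; the output file name is a placeholder of mine, and the script assumes the MSOnline module is installed and that Connect-MsolService is run with an account that can read all users.

```powershell
# Added example: MFA registration report for every user in the tenant, built on
# the same Get-MsolUser / StrongAuthenticationMethods properties used above.
# Assumes the MSOnline module is installed; Connect-MsolService prompts for credentials.
Import-Module MSOnline
Connect-MsolService

$report = Get-MsolUser -All | Sort-Object UserPrincipalName | ForEach-Object {
    $methods = $_.StrongAuthenticationMethods
    # The default method is the one flagged IsDefault; $null when nothing is registered.
    $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        DisplayName       = $_.DisplayName
        # Security Defaults enrols users through registration, not through the
        # per-user "Enforced" state, so StrongAuthenticationMethods is the field that matters.
        Registered        = [bool]$methods
        DefaultMethod     = $default
        AllMethods        = ($methods | ForEach-Object { $_.MethodType }) -join ';'
        # Per-user state from the old Multi-Factor Authentication page (Enabled/Enforced).
        # This should be empty once legacy per-user MFA has been turned off as described above.
        LegacyMfaState    = ($_.StrongAuthenticationRequirements | ForEach-Object { $_.State }) -join ';'
        BlockCredential   = $_.BlockCredential
    }
}

# Summary on screen
$report | Format-Table UserPrincipalName, Registered, DefaultMethod, LegacyMfaState -AutoSize

# Users who have not registered yet are the ones to chase before the 14-day window closes.
# Path is a placeholder; change it to wherever you keep admin reports.
$report | Where-Object { -not $_.Registered -and -not $_.BlockCredential } |
    Export-Csv -Path '.\mfa-not-registered.csv' -NoTypeInformation
```

Two details are worth noting. The CSV excludes accounts with BlockCredential set, since sign-in-blocked accounts cannot register and would only pad the list. And a non-empty LegacyMfaState column is a sign that the Enforced/Enabled cleanup from the "Check for users with MFA enforced" section was missed for that user, which is exactly the case where they will be prompted on every sign-in instead of only on risky ones.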


3 Comments

  1. Pingback:Office 365 - Enable Azure MFA for global admins and all users - Cloudrun

  2. Rob Ellis

    FYI, your last line needs a ‘S’ at the end.

    Currently:

    Get-MsolUser | Sort-Object Userprincipalname |ft Userprincipalname,DisplayName,StrongAuthenticationMethod

    Should be:

    Get-MsolUser | Sort-Object Userprincipalname |ft Userprincipalname,DisplayName,StrongAuthenticationMethods
