How to improve your Office 365 tenant security by configuring Security Defaults.
All Office 365 customers can now significantly improve the security of their tenant regardless of which licenses they have. Previously this kind of configuration required an Azure AD Premium P1 license or a bundle containing it, such as EMS, so this is great news for smaller customers with only Office 365 Business or E3 licenses and no Azure AD Premium. All customers of this type should enable this as soon as possible, as we are doing for our clients.
Before you enable Security Defaults, which you absolutely should if you aren’t implementing something similar yourself with Conditional Access, you need to be aware of the impact on users:
- All users in the tenant must register for multifactor authentication (MFA) within 14 days, starting from the next time they log in. Typically this will require SMS verification or a mobile authenticator app.
- Administrator roles will be required to use MFA every time they log in.
- Normal users will require MFA occasionally, when Microsoft detects a ‘risky’ sign-in.
- Legacy (basic) authentication is blocked – this blocks Outlook 2010, IMAP, SMTP and POP3. This does not affect ActiveSync clients.
- Users accessing the Azure portal, Azure PowerShell, or the Azure CLI will require MFA.
See https://aka.ms/securitydefaults for more info.
Security Defaults is simple to enable:
- Log in to the Azure AD portal using a global admin account at https://aad.portal.azure.com
- Click on Properties on the left
- Click on the Manage Security Defaults link at the bottom
- Click Yes to enable
- Click Save
Note that if you have Baseline policies or Conditional Access policies enabled, you will receive a warning that they will be removed.
If you are licensed for Conditional Access (CA) then you should stick with your custom policies; just make sure you have some sensible policies configured. They can get complicated; see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common for a good place to start.
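The same change can be scripted against Microsoft Graph. The following is an added example, not part of the original post: it reads the current Security Defaults state and stops if any Conditional Access policy is not disabled, so existing policies get reviewed before anything changes. It assumes the Microsoft.Graph.Authentication module is installed, a global admin signs in interactively, and the scopes shown are consented in your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: pre-check and enable Security Defaults via Microsoft Graph.
# Assumptions: interactive sign-in as a global admin; the scopes below are
# accepted by your tenant's consent settings.

$graph     = 'https://graph.microsoft.com/v1.0'
$policyUri = "$graph/policies/identitySecurityDefaultsEnforcementPolicy"

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# 1. Current state of Security Defaults (response is returned as a hashtable).
$defaults = Invoke-MgGraphRequest -Method GET -Uri $policyUri
if ($defaults.isEnabled) {
    Write-Output 'Security Defaults is already enabled. Nothing to do.'
    return
}

# 2. Collect all Conditional Access policies, following paging links.
$policies = @()
$uri = "$graph/identity/conditionalAccess/policies"
while ($uri) {
    $page      = Invoke-MgGraphRequest -Method GET -Uri $uri
    $policies += $page.value
    $uri       = $page.'@odata.nextLink'
}

# 3. Anything enabled or in report-only mode needs a decision first:
#    keep Conditional Access, or retire it in favour of Security Defaults.
$active = @($policies | Where-Object { $_.state -ne 'disabled' })
if ($active.Count -gt 0) {
    Write-Warning "$($active.Count) Conditional Access policy(ies) are not disabled. Review them before enabling Security Defaults:"
    $active | ForEach-Object { '  {0} [{1}]' -f $_.displayName, $_.state }
    return
}

# 4. No active Conditional Access policies: turn Security Defaults on.
$body = @{ isEnabled = $true } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body -ContentType 'application/json'

# 5. Read the policy back to confirm the change took effect.
$after = Invoke-MgGraphRequest -Method GET -Uri $policyUri
Write-Output ("Security Defaults enabled: {0}" -f $after.isEnabled)
```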