Azure AD Security Defaults – What You Need to Know

Scenario 1: You are part of the IT team that is responsible for moving to the cloud. Your company/organization has chosen Microsoft’s cloud services as the provider of choice, for your new virtual datacenter. During the planning phase to migrate your current solutions to Azure and Microsoft 365, your risk department requests information about security and compliance, and how the shift from your current “private” datacenter to a public center will impact security. You end up Googling and stumble upon a Microsoft post that talks to Security defaults and what it is.

Scenario 2: You manage your companies cloud infrastructure and have been tasked with improving the security posture of your tenant. You stumble across the “Manage Security defaults” link in Azure Active Directory and wonder what it all does should you hit the “Enable” slider.

Naturally, since it's Microsoft, you trust the information, but does it really address all your needs as an organization? Let’s have a look at what “Security defaults” are and what they do.

Important note: Security Defaults apply to all users in your organization. ALL USERS.

Multifactor Authentication (MFA)

Probably the biggest component of Security defaults is multi-factor authentication. Its is the single most impactful security enhancement you can add to your public cloud datacenter. Adding another layer of authentication over that of the traditional username and password mechanism. A 2019 survey conducted by Microsoft reported that two factor authentication can reduce the risk of identity compromises by as much as 99.9 percent, over passwords alone.

Blocking Legacy Authentication

This goes hand in hand with MFA. Legacy or “Basic” Authentication is a term Microsoft uses to describe older authentication methods, in this case being the username and password method. Typically, it is used by an application that requires a logon token on behalf of the user. Think IMAP, POP3, SMTP. Phishing attacks are all the rage right now, and once an attacker has the users credentials, they can still bypass MFA if legacy authentication is enabled because 2FA (two-factor authentication) is not supported with legacy auth. Disabling/Blocking is slightly trickier due to organizations still using applications that use “Basic” authentication.

Protecting privileged activities

This feature forces the usage of MFA when accessing the Azure portal, PowerShell or CLI, including MFA on all administrative accounts. Security defaults will also only allow access to these actions/roles using the Microsoft Authenticator app.

There are a few caveats to all of this:

• Pre-2017 tenants have security defaults disabled by default.
• You will need to Turn on Modern Authentication for mail, as security defaults will disable basic authentication, which in turn will stop Outlook clients from logging in. Same goes if you are still running Skype for Business Online
• Its either Security Defaults or Conditional Access (Conditional Access features are only available with an Azure Active Directory Premium plan). They do not work together.

I would strongly encourage customers to make sure that security defaults are “enabled” when looking to bolster their security posture if they do not have an Azure Active Directory Premium Plan. It’s a huge step in the right direction. Right? But organizations are not that simple though.

What then, is the impact of switching it on?

Legacy Authentication is disabled

The figure below represents the settings of a tenant without security defaults enabled. Item 3 is available for administrators to configure should the organization still have applications that require it. You can enable Modern Authentication for Outlook clients but then decide what Legacy Authentication protocols you would still want to run for applications that require those services.

Ergo, applications that use those services will stop working if you switch on Security defaults. The option to granularly configure those settings are removed as well.

Conditional Access policies are disabled (License Dependent)

My favorite security feature from Microsoft; Conditional Access and its configurable policies allow organizations the granularity to decide who has access to what, from where and from what device. It’s based on the principles of Zero Trust and provides organizations with the freedom to extend security features to users far beyond that of the simple allow/deny rule of yesteryear.

With Conditional Access policies, organizations can not only enforce rules based on risk profiling but also identify and remediate any identity and access management flaws in their tenant. You might want to only allow legacy authentication from applications that you define as safe, or you may decide to not enforce MFA from your offices. All this can be done with Conditional Access.

Enabling Security Defaults

There are a few things you would want to check before you flip the switch:

• Which users are using legacy authentication – This can be done by heading to Azure Active Directory, selecting “Sign-in logs” and adding the “Client App” filter and selecting which legacy authentication methods/clients you want to check:
  
  
• Exchange on-prem - If you are using Exchange on-prem, you would need to configure your server to use Hybrid Modern Authentication
• SharePoint on-prem – Since SharePoint Online is configured (After August 1, 2017) to use Modern Authentication, most organizations will not be impacted but you would need to change any legacy basic authentication sites to modern if you did use basic authentication in the past
• PowerShell – Any administrators using PowerShell would need to update their PowerShell modules with the supported versions and also change the connection string when connecting

Microsoft makes it real easy to enable Security defaults. It's just a slider in the Azure Portal. The ramifications of flipping that switch could very well bring your organization to a grinding halt. Make sure that you are meticulous about identifying the items listed above, and make sure that you have a mitigation plan implemented before you flip that switch.

In closing, the impact of switching on Security defaults should not be taken lightly. My tips to rolling out Security defaults, are as follows:

• MFA - Make sure you have an effective communication plan with instructions on how to enroll in MFA for all users, and that you circulate at least 6 weeks before you hit the switch. Ensure that users have a guide that helps them through what is required.
• Administrators – Make sure that they are not locked out when you enable Security Defaults
• Check your apps – There’s nothing like having your helpdesk inundated with support calls for applications that stopped functioning, and nobody knows why
• Helpdesk – Make sure that your helpdesk is aware of the roll out and that they are equipped with guides on how to help users, specifically with MFA and what is required.

By understanding the benefits of Security defaults, organizations will be better equipped with making sound decisions pertaining to their security posture. Make sure you know, before you go.

Do you need Active Directory Monitoring and Reporting?

Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.

Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.