A while back, Microsoft announced Azure AD Security Defaults. Security Defaults are positioned as a baseline to harden the security of your Azure AD tenant.
Conditional Access Baselines
You might be thinking: wait, weren’t the Conditional Access baseline policies introduced for this exact reason? Baseline policies were actually never fully released and remained in preview for a few months.
There were four policies:
- Require MFA for admins
- End User Protection
- Block Legacy Authentication
- Require MFA for Service Management
These policies were intended for organizations without Azure AD P1 licenses that would still like to benefit from the features of Conditional Access.
During the first release it was possible to add exclusions to these baseline policies. This option was taken away after a while, which meant you had to enable these policies for all the users in your tenant. Now Microsoft has announced their deprecation. The following text can be seen when navigating to the Conditional Access portal:
Baseline Protection policies are a legacy experience which is being deprecated. It looks like you haven’t enabled any Baseline Protection policies, so they will be removed from your tenant. This will not impact your existing workflows. If you’re looking to enable a security policy for your organization, we recommend enabling Security defaults or configuring Conditional Access policies.
Introducing Security Defaults
Security Defaults are the official replacement for the Conditional Access baselines. Simply put: they combine all four separate baselines into one policy and they enable the unified Multi-Factor Authentication registration experience. The latter combines the MFA and SSPR registration experience, so users don’t have to enter their information twice.
The impact of this policy is pretty big:
- Administrators will have to perform multifactor authentication at every sign-in
- Users will be required to provide a stronger form of authentication when the sign-in risk is high
- All protocols using legacy authentication will be blocked
- Users who interact with Azure (whether they are admin or not) will be presented with an MFA prompt every time they try to use Azure ARM.
Should you do it?
Enabling Security Defaults can be done with one very easy flip of a switch. It brings a lot of the security (that should be present in every tenant IMO) at no extra cost. This is perfect for smaller customers (1-50 users) who don’t want to go out and buy Azure AD Premium 1 licenses but still worry about security. These small customers don’t have a complex environment (most of the time 🙂 ) with a lot of service accounts and legacy applications.
The awesome thing is that the security defaults contain some sort of Identity Protection policy which only requires MFA when users are doing risky sign-ins (new location, device). This limits the amount of MFA prompts a user will receive.
This is a huge benefit compared to the other free version of MFA, ‘Office 365 MFA’ (which can be configured through the following link). That option lets you enable MFA on a per-user basis, but it prompts the user for MFA at every sign-in and still allows legacy authentication by default.
Larger customers should really go for the AAD P1 license for a few reasons:
- They will have a need for exclusions because of service accounts/legacy applications
- They require extra logging for troubleshooting (sign-in logs are only included in an AAD P1 license)
- They have the requirement to have more granular controls (provide more exclusions).
Microsoft doesn’t even allow you to enable Security Defaults when you have one or more Conditional Access policies active. Conditional Access policies offer much more granular control, which allows you to exclude compliant devices or require stronger authentication for a subset of your users.
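Because Security Defaults and enforced Conditional Access policies are mutually exclusive, it helps to see which of the two a tenant is actually running before flipping the switch. The script below is an added example (not from the original post) that reads both settings through the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the read-only Policy.Read.All scope.

```powershell
# Added example: audit whether a tenant relies on Security Defaults or on
# Conditional Access, using the Microsoft Graph PowerShell SDK (assumed installed).

# Read-only scope is enough to inspect both policy types.
Connect-MgGraph -Scopes 'Policy.Read.All'

# 1. Current Security Defaults state; the policy object exposes an isEnabled flag.
$defaults = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'

# 2. All Conditional Access policies. Security Defaults cannot be switched on
#    while any of these is in the 'enabled' (enforced) state.
$caPolicies = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value

$enabledCa    = @($caPolicies | Where-Object { $_.state -eq 'enabled' })
$reportOnlyCa = @($caPolicies | Where-Object { $_.state -eq 'enabledForReportingButNotEnforced' })

"Security Defaults enabled : $($defaults.isEnabled)"
"CA policies (enforced)    : $($enabledCa.Count)"
"CA policies (report-only) : $($reportOnlyCa.Count)"

# Summarise which protection model the tenant is running and flag a gap.
if ($defaults.isEnabled) {
    'Tenant relies on Security Defaults (MFA for admins, risk-based MFA for users, legacy auth blocked).'
}
elseif ($enabledCa.Count -gt 0) {
    'Tenant relies on Conditional Access; Security Defaults stay unavailable while these are enforced:'
    $enabledCa | ForEach-Object { "  - $($_.displayName)" }
}
else {
    'WARNING: neither Security Defaults nor any enforced Conditional Access policy is active.'
}

Disconnect-MgGraph | Out-Null
```

Report-only policies are listed separately because they do not enforce anything yet, so a tenant with only report-only policies and Security Defaults off has no MFA or legacy-auth protection in place.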
This is why I wholeheartedly recommend you look into Conditional Access. The granularity and extra logging will save your butt!