Lots of questions here, going to try to catch them all up at once.
Matthew Levy, the article is intended to exactly replicate the policies. As to your second point, there is a spectrum of customers at all license levels. We want to make sure everyone starts with safe defaults (MFA always). Some customers may choose to change those defaults, and many organizations will choose to turn off security defaults and take the reins themselves with Conditional Access. Glad you like the direction!
Jonas Back we are spec’ing the comms plan and rollout plan now – we’ll broadcast here before we start engagement.
Olav Rønnestad Birkeland see prior response on comms. The cases you are describing wouldn’t happen per plan – if a tenant has *any* conditional access policies, creds policies, or other overlapping settings, we wouldn’t apply security defaults.
jakemarston I think we have threaded on Twitter on this – break glass is about continuity. The phone app in passwordless mode doesn’t use the MFA infrastructure, nor does FIDO. Regardless, security defaults is really about ensuring that *before* tenants are thinking about break glass or other more complex policies, they are safe.
RBdeltA I think you are hitting an endpoint that can’t do MFA, thus getting blocked. We should have no need to hit such endpoints in our first party apps. Will dig in and get back to you if we have questions.
@TomPhillips we will add the setting to graph for powershell management
Kent Gerhart at this time, we are prompting when our ML system determines that the risk justifies the challenge. The rules factor in many aspects of the login, including behavioral familiarity, threat intelligence, and many many other factors.
Gavin Meerwald it isn’t appropriate for all tenants. Most large tenants or security enthusiast smaller tenants shouldn’t use it, but set up Conditional Access instead.
Lassaad glad you enjoyed it.
CarlosKYO no, you are looking at Conditional Access. See the link in the blog for how to set these policies up.
ericng99 this is universal, we are removing the baseline policies for all tenants.
brandon nesbitt no, if you want that control use Conditional Access.
Luitzen_Boot no, if you want exceptions use Conditional Access. Security defaults is a “starter” setting for orgs that aren’t yet dialing in their own security settings.
RBdeltA if you want per-app exceptions, per user exceptions, etc. that’s Conditional Access.
Jonas Back yep I am here. Security defaults is not a replacement for Conditional Access. Yes, we expect that as orgs become more sophisticated in their rollouts they will transition from Security Defaults to Conditional Access, and we don’t think anyone using Conditional Access should go from that to Security Defaults.
Luitzen_Boot that’s not accurate – partners must protect their users and all delegated admin access with MFA. Security defaults is *not* the only way to do that – use Conditional Access. We do not recommend use of old clients that can’t handle MFA claims.
Jimburris006 for all connected apps.
Gus_Tejada please DM me at Alex_t_weinert on Twitter and let me know the specifics of the app you are using.
JeremyTBradshaw fair feedback. Will definitely take it to heart.
ablanken yes, that is correct, if you want risk-based MFA you need P2/E5.