Forum Discussion
All users receive "Your organization needs more information to keep your account secure" when logon
All users receive "Your organization needs more information to keep your account secure" when logging on to the O365 web portal.
Users can select "skip for now (XX days until this is required)", but eventually it will require all users to provide it.
I have some user accounts used by applications or devices that must log on without multi-factor authentication and whose password should never change.
I have checked that the "MULTI-FACTOR AUTH STATUS" on the multi-factor authentication page is disabled for all users. I also checked that "Self service password reset enabled" is set to "none".
I have no idea why all users still receive this message.
How can I disable this message and requirement for all user accounts?
Thank you.
- SimBur2365 (Brass Contributor)
Just pointing out that MS put those defaults there for a reason. You are disabling many security features instead of finding a solution to your specific issue. Hackers are now able to password spray your Exchange Online using IMAP / POP3 etc, among other things. Here's how to do it without undermining the security of the tenant:
1. Add any external IPs of the locations they will send from to Trusted IPs under MFA settings. In most cases you would do this for all company owned office locations. https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2. Set Password Reset Registration to No so that new users are not prompted to register.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/Registration
3. If you need to send SMTP email through Exchange Online (e.g. from a printer), create an account with exchange license to use for sending.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
4. Load Cloud Shell from top of the Azure Portal. Connect to Exchange:
Connect-EXOPSSession
5. Create an Authentication Policy:
New-AuthenticationPolicy -Name "Allow Basic Auth SMTP" -AllowBasicAuthSmtp
6. Assign the policy to the user:
Get-User user@domain.com | Set-User -AuthenticationPolicy "Allow Basic Auth SMTP"
7. Force policy to apply within 30 minutes:
Set-User user@domain.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
Reference:
https://www.howdoiuseacomputer.com/index.php/2021/09/16/do-not-disable-security-defaults/
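The steps above, as an added example (not SimBur2365's own script), collected into one idempotent run with the current Exchange Online module (Connect-ExchangeOnline rather than the Cloud Shell Connect-EXOPSSession) and with two checks a tenant admin would want: that the policy permits nothing beyond SMTP AUTH, and a final listing of every account that carries an authentication policy so the exception stays visible. The policy name and the service account UPN are placeholders. Note that Microsoft has been retiring basic authentication in Exchange Online protocol by protocol, so confirm SMTP AUTH is still available to your tenant before relying on this.

```powershell
# Added example, not from the original post. Placeholders: $PolicyName, $SmtpUser.
$PolicyName = 'Allow Basic Auth SMTP'
$SmtpUser   = 'printer-relay@contoso.example'   # placeholder service account (e.g. a printer)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Create the policy only if it does not already exist.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $PolicyName -AllowBasicAuthSmtp
}

# 2. Confirm SMTP AUTH is the only legacy protocol this policy opens up.
#    Every other AllowBasicAuth* flag must stay False so the account cannot be
#    used for basic-auth IMAP, POP, EWS and so on.
$open = $policy.PSObject.Properties |
    Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Name -ne 'AllowBasicAuthSmtp' -and $_.Value }
if ($open) {
    throw "Policy '$PolicyName' also allows: $($open.Name -join ', '). Refusing to assign it."
}

# 3. Assign the policy to the single service account and make it take effect
#    now instead of waiting for cached refresh tokens to expire.
Set-User -Identity $SmtpUser -AuthenticationPolicy $PolicyName
Set-User -Identity $SmtpUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 4. Report every account that has any authentication policy assigned, so the
#    list of exceptions is easy to review later.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

The script refuses to assign the policy if someone has widened it since it was created, which is the failure mode that turns a narrow SMTP exception into a password-spray target over IMAP or POP3.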
- GeekKatieMcK (Copper Contributor)
Thanks, SimBur! I had the issue today, because I thought I'd do my client a favor and enable self password reset, but this seemed to be a side-effect. Really didn't want to disable security defaults, so your post was perfect (I used the link under your #2). It is odd how, by default, they REQUIRE all users to set up authentication methods on first sign-in if self-password reset is enabled, rather than just leave it optional. And then they let that page be buggy. 😕
- msssltduk (Copper Contributor)
I agree with you SimBur that SSPR, MFA and Security Defaults are useful features for the vast majority of users in the tenancy. However, in even a modest tenancy there are often 'edge cases' that must be accommodated. The problem sysadmins are trying to resolve is how to exclude a selected group from the security defaults. Unfortunately the choice provided by the admin portal is to include everyone or only a selected group, the opposite of what is required.
- d_logaan (Copper Contributor)
SimBur2365
None of your suggestions make any sense for my scenario. I can't log in to Teams with MY account even though I'm the org admin. We don't use Exchange Online, we have Exchange on prem. I already have 2FA enabled for my account. After approving in the MS Authenticator app I get the message "Your organization needs more information to keep your account secure."
Well, what f***** information does it want?
- SimBur999 (Copper Contributor)
d_logaan, you just told me the problem... you are using an admin account for your day to day use. Create yourself a cloud-only account (email address removed for privacy reasons). This doesn't need to be licensed. Give it a 32+ character password. Assign only the admin roles you need (not Global Admin). Create a browser profile in Edge or Chrome so you can easily switch to that account when required for admin tasks. Now create an emergency admin account (two even better)... with 64+ character passwords, and save them in a password vault or similarly secure location. Only use those when you must have Global Admin rights to perform a task (this will not be very often).
Now remove any admin roles from your day to day account so that if you get compromised they can't hijack your entire tenant.
If you don't want to do that then go to https://myaccount.microsoft.com and register another couple of methods like SMS and Email.
Cheers 😃
PS - IMO it's becoming a no-brainer to go for Business Premium for up to 300 users, or an AD Premium add-on for more than 300. Having the granular control over these settings is worth it, and you get full Defender Antivirus, phishing and DLP protection etc. Appreciate that may not fit your scenario for some reason.
- SinfulDust (Copper Contributor)
It's almost certainly a Conditional Access Policy.
Is the "End user protection (Preview)" baseline enabled?
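Before changing any tenant setting, it is worth reading the three things this thread keeps circling back to in one place. The following is an added, read-only check written for this page (not SinfulDust's or Microsoft's code) using the Microsoft Graph PowerShell SDK: whether security defaults are on, which Conditional Access policies are active and require MFA or an authentication strength, and which authentication methods the affected user has actually registered. The UPN is a placeholder; the cmdlet and property names are the SDK's as I know them and should be treated as assumptions if your module version differs.

```powershell
# Added example, not from the original thread. Placeholder: $User.
$User = 'someone@contoso.example'   # the account that is stuck in the registration loop

Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Security defaults. When enabled, every user must register an MFA method
#    (14-day grace period), which is exactly the "needs more information" prompt.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access. Only policies that are on or in report-only mode matter;
#    show the grant controls so an MFA / authentication-strength requirement is obvious.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne 'disabled' } |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.DisplayName
            State        = $_.State
            Controls     = ($_.GrantControls.BuiltInControls -join ',')
            AuthStrength = $_.GrantControls.AuthenticationStrength.DisplayName
        }
    } | Format-Table -AutoSize

# 3. What the user has registered. A user whose only method is a password will be
#    sent to registration by either of the mechanisms above.
Get-MgUserAuthenticationMethod -UserId $User |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }

Disconnect-MgGraph | Out-Null
```

If step 1 reports True, the prompt is expected behaviour and the fix is to register a method (or, as later replies describe, to scope SSPR and its registration prompt) rather than to switch defaults off for the whole tenant. If step 2 shows a policy with an mfa control or an authentication strength and step 3 shows only passwordAuthenticationMethod, the loop is the user being unable to satisfy the policy with what they have registered.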
- microc1 (Copper Contributor)
Thank you for the hint.
Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No
- Stefani_st (Copper Contributor)
CHECK THE SCREENSHOT BELOW MAKE SURE YOU SEARCH FOR THE PROPERTIES.
IF YOU DIDN'T CREATE AN AZURE ACCOUNT, MAKE SURE YOU SIGN IN WITH THE ACCOUNT THAT IS FACING THE ISSUE.
THE SOLUTION IS TOTALLY FREE DO NOT SIGN UP FOR ANY AZURE PLANS PROVIDED
- Lewis-H (Iron Contributor)
Instructions for setting up Self-Service Password Reset for companies using Azure Active Directory
Step 1 - Create a Security group in Office 365. To do this, go to https://portal.office.com and sign-in with your office 365 Global Administrator account > Select Admin Center.
Step 2 - On the left navigation pane, select Groups > Groups.
Step 3 - Click on Add a Group. > Choose Security Group from the type drop-down > Give the group a name. Click Add.
Step 4 - Once the security group is created, navigate to the group and click Edit, next to members to add the user as the member of this security group.
Step 5 - Once you add the user as a member of the security group, then from the left navigation pane, expand Admin Centers and click on Azure Active Directory.
Step 6 - From Azure Active Directory Admin Center, choose Azure Active directory from the left menu.
Step 7 - From the Dashboard and option menu in the middle, click on Password Reset.
Step 8 - In the Password Reset properties page, choose Properties and select Selected to select a security group. You can also choose All if you want to enable SSPR for everyone.
Step 9 - Click on the group, then under Select a Group find the desired security group in the list, click Select, and finally click Save. Once saved, Self-Service Password Reset has been enabled for the users in the selected security group in your Office 365/Azure AD tenant, and you're done!
- Thomo_aus (Copper Contributor)
The issue for me was having enabled self-service password reset. Once I reverted that setting, I was able to function with that account again as normal, microc1.
I believe the problem was that there were not sufficient email/phone numbers listed for the account to enable self-service.
- nick242 (Copper Contributor)
The issue persists for me. I have self-serve password reset on, the security defaults are off, and there is no conditional access policy. I have cleared out all cache on the browser along with site info. The loop is still there. I can do it to my heart's content. I have reviewed the user's logs and it keeps saying it will send the user the info to check upon next login. It continues to loop and the user cannot log in. Please assist on a resolution.
Thank you!
- qbees_Rainer (Copper Contributor)
We had a similar problem for technical users, which were prompted to set up mail or phone verification.
Our solution was to set "self service password resets" only for human accounts, which we handled by creating a specific group.
Thanks Thomo
- Carlos_Cub (Copper Contributor)
Hello people. I got the same problem when I try to log in to my Azure account. I already changed the password, but nothing changed; I still cannot get access.
I have read the advice, but for most of it you are required to log in in order to make the changes. I have no clue what to do.
- HoLengZai (Copper Contributor)
I think the best response marked is not the right solution.
I guess I won't be the only one to have that scenario:
With a Microsoft 365 plan, you get
- Microsoft Entra (previously named Azure Active Directory)
- SharePoint
And you just want to simply share documents from your SharePoint with users external to your organization, using a one-time passcode (OTP) sent by e-mail.
You do not want your external users to be asked to create a Microsoft Account, to be linked to Microsoft services, to install Microsoft Authenticator, or to be in your Microsoft Entra directory. You also do not want to set your SharePoint Sharing Settings to "Anyone" (very bad to enable that option).
A lot of websites and people say, just add a Conditional Access Policies to exclude external users from MFA
BUT you also do not want to use Conditional Access Policies, because you need Azure AD Premium (Entra Premium?).
Then some people suggest removing the Security Defaults, but it's not the answer to the issue, it's just a workaround. Then I finally found / understood how this mess works:
https://identity-man.eu/2022/01/11/securing-sharepoint-online-guest-users-with-the-azure-ad-b2b-experience/
I really recommend reading that blog page. It will clarify the situation about how to have a simple file sharing system with an OTP code without having Conditional Access Policies, and using the default "Security Defaults" setting, which enables MFA for all users in your Entra directory (Azure AD). Just in case the blog is down, I will sum up the situation here:
The answer is, do not use Azure B2B Integration with SharePoint. It seems to be enabled by default on any new Microsoft 365 plan.
Hence all the policies set in your Microsoft Entra (I really do not like that name, AAD was so much better I do not understand why they changed it but anyway), are set by "Security Defaults"
It is really badly documented or at least really confusing on the Microsoft learn/docs. They barely mentioned it (to push you to use Conditional Access Policies?)
You need to disable the following setting: EnableAzureADB2BIntegration
Set-SPOTenant -EnableAzureADB2BIntegration $false
By using this command, external user sharing will use SharePoint B2B instead of Azure B2B for SharePoint
You will see that every time someone from your organization (based on how you set up your SharePoint policies of course) shares a doc from SharePoint with an external user, but you will not see the e-mail of that external user in your Microsoft Entra.
If you want to see the SharePoint B2B directory (all SharePoint users, internal and external), it's very weird; I do not get why Microsoft does not improve the UI/UX.
To access it, you need to go to this link (manually, as I cannot find a menu to access it; it is still a SharePoint Classic page (facepalm)):
https://YOUR_SHAREPOINT_NAME.sharepoint.com/sites/Shared/_layouts/15/people.aspx?MembershipGroupId=0
Very important to put 0 for the MembershipGroupId
Then you will be able to see (clean up, update, ...) all internal/external users who are in your SharePoint B2B
Hope it will help anyone who is facing that issue
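The Set-SPOTenant change above, as an added example written for this page (not HoLengZai's script), run with the SharePoint Online Management Shell and wrapped in the two checks an admin would want: that the tenant does not already allow anonymous "Anyone" links (the post's own warning), and that the setting actually applied. The tenant name is a placeholder; Get-SPOTenant, Set-SPOTenant and the SharingCapability property are standard cmdlets and fields of that module.

```powershell
# Added example, not from the original post. Placeholder: $Tenant.
$Tenant = 'contoso'   # your tenant name, i.e. the part before -admin.sharepoint.com
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

$before = Get-SPOTenant
"EnableAzureADB2BIntegration before: $($before.EnableAzureADB2BIntegration)"
"Tenant SharingCapability: $($before.SharingCapability)"

# The point of the change is to keep external sharing authenticated (OTP by e-mail),
# so stop if the tenant still allows anonymous 'Anyone' links.
if ($before.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    throw "Tenant permits 'Anyone' links (SharingCapability=$($before.SharingCapability)); tighten sharing first."
}

# Switch external sharing from Entra B2B invitations to the SharePoint-native
# external user flow. Guests are then no longer created in the Entra directory
# and so are no longer pushed into security-defaults MFA registration.
if ($before.EnableAzureADB2BIntegration) {
    Set-SPOTenant -EnableAzureADB2BIntegration $false
}

$after = Get-SPOTenant
if ($after.EnableAzureADB2BIntegration) {
    throw 'EnableAzureADB2BIntegration is still True; check that the account is a SharePoint administrator.'
}
"EnableAzureADB2BIntegration after: $($after.EnableAzureADB2BIntegration)"

Disconnect-SPOService
```

The trade-off the post describes still applies after running this: external users no longer appear in Entra, so the classic people.aspx page linked above becomes the only place to review and remove them, and Conditional Access cannot see them at all.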
- SimBur999 (Copper Contributor)
That is some good information! Considering this question was all about Security Defaults i.e. NOT have Entra P1 or 2 licensing, with Security Defaults you are essentially forced to require MFA for all users without exception. This includes Guest users. Your suggestion is great as it will work with Security Defaults in place, by disconnecting SharePoint from the equation. For those with P1 or P2, you would not do this as you can control who is or is not prompted using CA policies.
There are two things I find people miss when it comes to MFA / SSPR:
1. As in the screenshot, the number of methods required to reset a password is important because the registration for MFA is tied to this (combined registration is a forced setting). If this is set to '2', your users in scope for SSPR will be prompted continually for a second method, because it is required for password reset. This is where you can register an Email, which is not supported for MFA, but is supported as a method for password reset - again slightly confusing, easily misunderstood until you read the docs. Generally you want SSPR set to all, in which case I recommend keeping the number of methods set to '1', otherwise it gets confusing for users.
2. It's okay to have SSPR enabled for all with security defaults, as long as you disable 'Registration', which is two down on the menu from where you enable it. Set it to 'No'. Users will not be prompted for SSPR, but will be prompted for MFA registration.
NOTE: This has all changed recently for Entra Premium, with the move to the Security => Authentication Methods blade. You need to migrate from the current configurations to the new methods, then you benefit from some new methods like 'Temporary Access Pass'. The new methods include a 'Registration Campaign' where you can control the prompts that occur during login, and the number of days it can be skipped.
Here's a step by step walk-through for the migration:
How to migrate to the Authentication methods policy | Microsoft Learn
Good luck!
- techlogik7 (Brass Contributor)
We have this same issue. We use CA, no defaults are configurable. Out of nowhere users are getting hit with
"Your organization requires you to set up the following methods of proving who you are. Additional authentication is required to complete this sign-in."
Then you go to a redirect/Azure and around in circles it goes and finally back to this message, just a loop over and over and you can't do anything. MFA is supposed to be the first line of things Azure checked if enabled. We do have CAs for hybrid joined/Intune compliant devices... but how do you set up MFA if you can't even get the page to show to download the MS app or enter a phone number? Which is another issue I have a support ticket open on. We can't modify the default authentication methods or disable the MS Auth app, it just gives an error, and 3 days later no support response, just "send us info"... dead in the water. Cluster and mess as usual with MS and this entire CAs, Auth apps, Intune dumpster fire... Rant over. Any ideas, let us know. Only way to get a user in is turn off MFA, they sign in, then set up MFA methods, then put them in the groups to enforce CA/Intune policies. Giant mess. And let's not get into the 18 hrs it takes for a CA rule change to go into effect. Literally spending weeks on end making single changes to troubleshoot issues and getting nowhere fast. MS support is useless.
- Indo24 (Copper Contributor)
Steps:
1. https://entra.microsoft.com/
2. (left menu) Identity -> Overview
3. There are sub menus (Overview, Monitoring, Properties, Recommendations, and Tutorials); choose Properties.
4. At the bottom of the page click "Manage security defaults".
5. Then choose "disable" and save.
Thanks, you are welcome