Forum Discussion
All users receive "Your organization needs more information to keep your account secure" when logon
- Feb 11, 2020
Thank you for the hint.
Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No
Just pointing out that MS put those defaults there for a reason. You are disabling many security features instead of finding a solution to your specific issue. Hackers are now able to password spray your Exchange Online using IMAP / POP3 etc, among other things. Here's how to do it without undermining the security of the tenant:
1. Add any external IPs of the locations they will send from to Trusted IPs under MFA settings. In most cases you would do this for all company owned office locations. https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2. Set Password Reset Registration to No so that new users are not prompted to register.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/Registration
3. If you need to send SMTP email through Exchange Online (e.g. from a printer), create an account with exchange license to use for sending.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
4. Load Cloud Shell from top of the Azure Portal. Connect to Exchange:
Connect-EXOPSSession
5. Create an Authentication Policy:
New-AuthenticationPolicy -Name "Allow Basic Auth SMTP" -AllowBasicAuthSmtp
6. Assign the policy to the user:
Get-User user@domain.com | Set-User -AuthenticationPolicy "Allow Basic Auth SMTP"
7. Force policy to apply within 30 minutes:
Set-User user@domain.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
Reference:
https://www.howdoiuseacomputer.com/index.php/2021/09/16/do-not-disable-security-defaults/
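An added audit script, not from SimBur's post or any Microsoft sample, that checks the result of steps 5-7 from the tenant-hardening side: that the "Allow Basic Auth SMTP" policy opens Basic Auth for SMTP only, that only the intended sending account carries a per-user policy, and what the tenant-wide default policy is. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session (the modern replacement for Connect-EXOPSSession); the sending account address is a constructed placeholder.

```powershell
# Assumption: Connect-ExchangeOnline has already been run in this session.
$allowedPolicy = "Allow Basic Auth SMTP"               # policy name used in the thread
$expectedUsers = @("printer-relay@contoso.example")    # constructed placeholder account(s)

# Protocol suffixes of the AllowBasicAuth* switches on an Exchange Online authentication policy
$protocols = "ActiveSync","Autodiscover","Imap","Mapi","OfflineAddressBook",
             "OutlookService","Pop","Powershell","ReportingWebServices","Rpc","Smtp","WebServices"

# 1. For every policy, list which protocols it opens to Basic Auth.
#    The SMTP policy from the thread should open Smtp and nothing else.
foreach ($p in Get-AuthenticationPolicy) {
    $open = $protocols | Where-Object { $p."AllowBasicAuth$_" -eq $true }
    $list = if ($open) { $open -join ", " } else { "nothing" }
    "{0,-30} allows Basic Auth for: {1}" -f $p.Name, $list
    if ($p.Name -eq $allowedPolicy -and ($open | Where-Object { $_ -ne "Smtp" })) {
        Write-Warning "'$($p.Name)' opens more than SMTP; tighten it with Set-AuthenticationPolicy."
    }
}

# 2. Which users carry a per-user policy at all; anything outside the expected
#    sending account(s) is flagged so it can be reviewed and removed.
$assigned = Get-User -ResultSize Unlimited | Where-Object { $_.AuthenticationPolicy }
foreach ($u in $assigned) {
    $flag = if ($u.UserPrincipalName -in $expectedUsers) { "" } else { "  <-- unexpected" }
    "{0,-40} {1}{2}" -f $u.UserPrincipalName, $u.AuthenticationPolicy, $flag
}

# 3. Tenant default: the org-wide policy is what applies to everyone without a
#    per-user assignment, so confirm it is set and is not the permissive SMTP policy.
$default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
$shown   = if ($default) { $default } else { "(none set)" }
"Tenant default authentication policy: $shown"
if ($default -and "$default" -like "*$allowedPolicy*") {
    Write-Warning "The permissive SMTP policy is the tenant default; scope it to the sending account instead."
}
```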
- GeekKatieMcK, Nov 09, 2021, Copper Contributor
Thanks, SimBur! I had the issue today, because I thought I'd do my client a favor and enable self password reset, but this seemed to be a side-effect. Really didn't want to disable security defaults, so your post was perfect (I used the link under your #2). It is odd how, by default, they REQUIRE all users to set up authentication methods on first sign-in if self-password reset is enabled, rather than just leave it optional. And then they let that page be buggy. 😕
- msssltduk, Dec 14, 2022, Copper Contributor
I agree with you SimBur that SSPR, MFA, Security Defaults are useful features for the vast majority of users in the tenancy. However in even a modest tenancy there are often 'edge cases' that must be accommodated. The problem sysadmins are trying to resolve is how to exclude a selected group from the security defaults. Unfortunately the choice provided by the admin portal is to include everyone or only a selected group - the opposite of what is required.
- d_logaan, Jan 09, 2023, Copper Contributor
SimBur2365
None of your suggestions make any sense for my scenario. I can't login to Teams with MY account even though I'm the org admin. We don't use Exchange online, we have Exchange on prem. I already have 2FA enabled for my account. After approving in the MS authenticator app I get the message "Your organization needs more information to keep your account secure."
Well, what f***** information does it want?
- SimBur999, Jan 09, 2023, Copper Contributor
d_logaan, you just told me the problem... you are using an admin account for your day to day use. Create yourself a cloud-only account (email address removed for privacy reasons). This doesn't need to be licensed. Give it a 32+ character password. Assign only the admin roles you need (not Global Admin). Create a browser profile in Edge or Chrome so you can easily switch to that account when required for admin tasks. Now create an emergency admin account (two even better)... with 64+ character passwords and save them in a password vault or similarly secure location. Only use those when you must have Global Admin rights to perform a task (this will not be very often).
Now remove any admin roles from your day to day account so that if you get compromised they can't hijack your entire tenant.
If you don't want to do that then go to https://myaccount.microsoft.com and register another couple of methods like SMS and Email.
Cheers 😃
PS - IMO it's becoming a no-brainer to go for Business Premium for up to 300 users, or an AD Premium add-on for more than 300. Having the granular control over these settings is worth it, and you get full Defender Antivirus, phishing and DLP protection etc. Appreciate that may not fit your scenario for some reason.