Forum Discussion
Kat-UK
Jul 05, 2023
Copper Contributor
Azure AD Security Defaults MFA not working (as expected?)
Hi, We use Microsoft 365 Standard and have enabled Security Defaults ( https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-w...
Kat-UK
Jul 06, 2023
Copper Contributor
After a bit more research I found this article which tested Security Defaults and is an interesting read:
https://diligex.com/2021/01/are-microsoft-365-azure-security-defaults-sufficient/
Looks like if you want to protect users' email and data and you only have 365 Basic or Standard licenses it's quite possibly a complete waste of time to use Security Defaults on its own. Given that a user will eventually be phished for a login, no matter how often I email them advice on avoiding, then someone will get into your data. I'll be looking at going back to per-user MFA, which is a bit of a pain.
The skeptic in me thinks maybe MS has made Security Defaults fairly useless to try and push for more revenue from Premium or AAD P1 licenses, but some SMBs really don't have the money at present to fully move to Premium 365 (or Azure AD P1 licenses).
Random_Tech
Jan 30, 2024
Copper Contributor
I really don't understand this. If the point is to push people to upgrade to Conditional Access, surely it needs to be obvious there's a benefit to doing so? If it's not obvious that it doesn't work properly until someone gets compromised then why would anyone feel the need to upgrade? If I wanted to make people want to upgrade, I'd set it so you have to authenticate pretty much every time and annoy the users into it, not leave them thinking they're protected when they're not.