Apr 19 2020 03:02 PM - last edited on Jan 14 2022 04:32 PM by TechCommunityAP
I manage a Basic Azure AD tenant for a small business.
I just turned on Security Defaults under Properties > Manage Security Defaults but it seems to have had no effect at all. According to this document, https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d... , this should have made a number of changes including but not limited to:
After enabling security defaults I checked the Security Identity Score and it is unchanged and recommending enabling policies that security defaults should have fixed.
I can't enable these policies manually as we have Azure AD Basic. This situation of documented Azure AD functionality requiring a Premium upgrade is getting ridiculous. At the very least Basic should have applied Security Defaults as documented.
Apr 19 2020 07:39 PM - edited Apr 19 2020 07:41 PM
Hi @madcat,
If you were able to save the changes, then Security Defaults applied.
I think the best way to test Security Defaults and see if they applied is to sign in with an admin account and see if you get prompted for MFA; it should prompt every time you log in.
I have found that users don't get prompted for MFA, unless they are doing something like accessing sensitive information or logging on from another country.
The security score will change after some time, but not instantly.
Thanks!
Moe
Apr 23 2020 01:56 AM
@Moe_Kinani you were right, my security score is bumped up considerably now and the policies are definitely enabled, as my new users are getting grilled by AD when choosing passwords.
Obviously it takes a few days for changes to be reflected here.
Nov 06 2023 12:11 AM - edited Nov 06 2023 12:18 AM
Hi all,
Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.
If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.
It is recommended to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens
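The token-revocation step described above, as an added example (not from the thread or from Microsoft's docs): a Microsoft Graph PowerShell script that lists users who have not yet registered MFA and revokes their sign-in sessions so they must re-authenticate interactively, where Security Defaults prompts for registration. It assumes the Microsoft.Graph SDK is installed, that the signed-in admin has consented to the AuditLog.Read.All and User.ReadWrite.All scopes (our assumption about the minimum needed), and the break-glass UPN is a constructed placeholder.

```powershell
# Added example, not code from the original thread.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users.Actions

function Get-UnregisteredMfaUsers {
    # Registration report: one row per user; IsMfaRegistered tells us whether
    # the user has completed MFA registration (postponed = not registered).
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object Id, UserPrincipalName, IsMfaRegistered, IsMfaCapable
}

function Invoke-MfaRegistrationEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accounts to leave untouched, e.g. emergency-access accounts
        # (constructed placeholder value).
        [string[]] $ExcludeUpn = @('breakglass@example.com')
    )
    $targets = Get-UnregisteredMfaUsers |
        Where-Object { $ExcludeUpn -notcontains $_.UserPrincipalName }
    foreach ($u in $targets) {
        $action = 'Revoke sign-in sessions (forces re-auth and MFA registration)'
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, $action)) {
            # Invalidates the user's refresh tokens; the next access requires an
            # interactive sign-in, where Security Defaults asks for MFA registration.
            Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
            [pscustomobject]@{ User = $u.UserPrincipalName; Revoked = $true }
        }
    }
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.ReadWrite.All'
# Dry run first: shows who would be affected without revoking anything.
Invoke-MfaRegistrationEnforcement -WhatIf
# Then enforce for real:
# Invoke-MfaRegistrationEnforcement
```

Run the -WhatIf pass and check the list against your emergency-access accounts before enforcing, since revoked admins lose their sessions too.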