Enabling Security Defaults seemed to have no effect; MFA policies not applied etc. (Azure AD Basic)


I manage a Basic Azure AD tenant for a small business.

I just turned on Security Defaults under Properties > Manage Security Defaults but it seems to have had no effect at all. According to this document, https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d... , this should have made a number of changes including but not limited to:

  • Unified Multi-Factor Authentication registration
  • Multi-Factor Authentication enforcement for the following roles: Global administrator, SharePoint administrator, Exchange administrator, Conditional Access administrator, Security administrator, Helpdesk administrator or password administrator, Billing administrator, User administrator, Authentication administrator

After enabling security defaults I checked the Security Identity Score and it is unchanged and recommending enabling policies that security defaults should have fixed.

I can't enable these policies manually as we have Azure AD Basic. This situation of documented Azure AD functionality requiring a Premium upgrade is getting ridiculous. At the very least Basic should have applied Security Defaults as documented.

4 Replies

Hi @madcat,

If you were able to save the changes and Security Defaults applied:

I think the best way to test Security Defaults and see if they applied is to sign in with an admin account and see if you get prompted for MFA; it should prompt every time you log in.

I have found that users don't get prompted for MFA unless they are doing something like accessing sensitive information or logging on from another country.

The security score will change after some time, but not instantly.

Thanks!

Moe

@Moe_Kinani you were right, my security score has bumped up considerably now and the policies are definitely enabled, as my new users are getting grilled by AD when choosing passwords.

Obviously it takes a few days for changes to be reflected here.

Hi all,

Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.

If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.

It is recommended to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens
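As an added example (not posted by anyone in this thread), here is a Microsoft Graph PowerShell SDK script that does the two checks discussed above: it confirms the Security Defaults policy really saved as enabled and lists who holds the roles that Security Defaults forces MFA on, and, only when run with -Revoke, performs the token revocation from the last reply so users must re-authenticate and register MFA. The cmdlet names are the SDK's; the permission scopes and the -Revoke switch are assumptions.

```powershell
# Added example, not from this thread. Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). The scopes listed are an assumption about what
# is sufficient; adjust to what your tenant's admin consent allows.
param(
    [switch]$Revoke   # revoke sign-in sessions only when explicitly requested
)

Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "Directory.Read.All", "User.RevokeSessions.All"

# 1. Confirm the tenant-wide Security Defaults policy is actually enabled.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $policy.IsEnabled) {
    Write-Warning "Security Defaults is NOT enabled; enable it under Properties > Manage Security Defaults first."
    return
}
Write-Host "Security Defaults is enabled."

# 2. List members of the admin roles that Security Defaults requires MFA for,
#    so you know which accounts should get an MFA prompt on every sign-in.
$adminRoles = @(
    "Global Administrator", "SharePoint Administrator", "Exchange Administrator",
    "Conditional Access Administrator", "Security Administrator", "Helpdesk Administrator",
    "Password Administrator", "Billing Administrator", "User Administrator",
    "Authentication Administrator"
)
# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
foreach ($role in Get-MgDirectoryRole | Where-Object { $adminRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        "{0,-35} {1}" -f $role.DisplayName, $member.AdditionalProperties.userPrincipalName
    }
}

# 3. Optional: revoke refresh tokens for every enabled user so they must sign in
#    again interactively, which is when the MFA registration prompt appears,
#    rather than waiting out the 14-day grace period.
if ($Revoke) {
    Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName |
        ForEach-Object {
            $result = Revoke-MgUserSignInSession -UserId $_.Id
            "{0}: revoked={1}" -f $_.UserPrincipalName, $result.Value
        }
}
```

Run it without -Revoke first to confirm the policy state and the admin membership; revocation signs every user out of every session, so schedule it with the business.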