Enabling Security Defaults seemed to have no effect; MFA policies not applied etc. (Azure AD Basic)

%3CLINGO-SUB%20id%3D%22lingo-sub-1320160%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Security%20Defaults%20seemed%20to%20have%20no%20effect%3B%20MFA%20policies%20not%20applied%20etc.%20(Azure%20AD%20Bas%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1320160%22%20slang%3D%22en-US%22%3E%3CP%3EHI%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F627270%22%20target%3D%22_blank%22%3E%40madcat%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20were%20able%20to%20save%20the%20changes%20and%20Security%20Default%20applied-%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20think%20the%20best%20way%20to%20test%20the%20Security%20Defaults%20and%20see%20if%20applied-%20%26nbsp%3Bsign%20in%20with%20Admin%26nbsp%3BAccount%20and%20see%20if%20you%20get%20prompted%20for%20MFA%2C%20it%20should%20prompt%20every%20time%20you%20login.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20have%20found%20that%20users%20don't%20get%20prompted%20for%20MFA%2C%20unless%20they%20are%20doing%20something%20like%20accessing%20sensitive%20information%20or%20logging%20on%20from%20another%20country.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESecurity%20score%20will%20change%20after%20sometime%20but%20not%20instantly.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMoe%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1331523%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Security%20Defaults%20seemed%20to%20have%20no%20effect%3B%20MFA%20policies%20not%20applied%20etc.%20(Azure%20AD%20Bas%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1331523%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3Byou%20were%20right%20my%20security%20score%20is%20bumped%20up%20considerably%20now%20and%20the%20policies%20are%20definitely%20enable%20as%20my%20new%20users%20are%20getting%20grilled%20by%20AD%20when%20choosing%20passwords.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EObviously%20takes%20few%20days%20for%20changes%20to%20be%20reflected%20here.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1331903%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20Security%20Defaults%20seemed%20to%20have%20no%20effect%3B%20MFA%20policies%20not%20applied%20etc.%20(Azure%20AD%20Bas%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1331903%22%20slang%3D%22en-US%22%3EGlad%20it%20worked!%3CBR%20%2F%3E%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1319949%22%20slang%3D%22en-US%22%3EEnabling%20Security%20Defaults%20seemed%20to%20have%20no%20effect%3B%20MFA%20policies%20not%20applied%20etc.%20(Azure%20AD%20Basic)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1319949%22%20slang%3D%22en-US%22%3E%3CP%3EI%20manage%20a%20Basic%20Azure%20AD%20tenant%20for%20a%20small%20business.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20turned%20on%20Security%20Defaults%20under%20Properties%20%26gt%3B%20Manage%20Security%20Defaults%20but%20it%20seems%20to%20have%20had%20no%20effect%20at%20all.%20According%20to%20this%20document%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%3C%2FA%3E%26nbsp%3B%2C%20this%20should%20have%20made%20a%20number%20of%20changes%20including%20but%20not%20limited%20to%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EUnified%20Multi-Factor%20Authentication%20registration%3C%2FLI%3E%3CLI%3EMulti-Factor%20Authentication%20enforcement%20for%20the%20following%20roles%3A%26nbsp%3BGlobal%20administrator%2C%26nbsp%3BSharePoint%20administrator%2C%26nbsp%3BExchange%20administrator%2C%26nbsp%3BConditional%20Access%20administrator%2C%26nbsp%3BSecurity%20administrator%2C%26nbsp%3BHelpdesk%20administrator%20or%20password%20administrator%2C%26nbsp%3BBilling%20administrator%2C%26nbsp%3BUser%20administrator%2C%26nbsp%3BAuthentication%20administrator%3C%2FLI%3E%3C%2FUL%3E%3CP%3EAfter%20enabling%20security%20defaults%20I%20checked%20the%20Security%20Identity%20Score%20and%20it%20is%20unchanged%20and%20recommending%20enabling%20policies%20that%20security%20defaults%20should%20have%20fixed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20enable%20these%20policies%20manually%20as%20we%20have%20Azure%20AD%26nbsp%3B%3CSTRONG%3EBasic%3C%2FSTRONG%3E.%20This%20situation%20of%20documented%20Azure%20AD%20functionality%20requiring%20a%20Premium%20upgrade%20is%20getting%20ridiculous.%20At%20the%20very%20least%20Basic%20should%20have%20applied%20Security%20Defaults%20as%20documented.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22Screen%20Shot%202020-04-20%20at%2007.31.21.png%22%20style%3D%22width%3A%20591px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F185253iF8E4F165854C7FB2%2Fimage-dimensions%2F591x412%3Fv%3D1.0%22%20width%3D%22591%22%20height%3D%22412%22%20role%3D%22button%22%20title%3D%22Screen%20Shot%202020-04-20%20at%2007.31.21.png%22%20alt%3D%22Screen%20Shot%202020-04-20%20at%2007.31.21.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20image-alt%3D%22Screen%20Shot%202020-04-20%20at%2007.29.35.png%22%20style%3D%22width%3A%20482px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F185254iCFBA0217503EA4AB%2Fimage-dimensions%2F482x317%3Fv%3D1.0%22%20width%3D%22482%22%20height%3D%22317%22%20role%3D%22button%22%20title%3D%22Screen%20Shot%202020-04-20%20at%2007.29.35.png%22%20alt%3D%22Screen%20Shot%202020-04-20%20at%2007.29.35.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1319949%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

I manage a Basic Azure AD tenant for a small business.

 

I just turned on Security Defaults under Properties > Manage Security Defaults but it seems to have had no effect at all. According to this document, https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d... , this should have made a number of changes including but not limited to:

 

  • Unified Multi-Factor Authentication registration
  • Multi-Factor Authentication enforcement for the following roles: Global administrator, SharePoint administrator, Exchange administrator, Conditional Access administrator, Security administrator, Helpdesk administrator or password administrator, Billing administrator, User administrator, Authentication administrator

After enabling security defaults I checked the Security Identity Score and it is unchanged and recommending enabling policies that security defaults should have fixed.

 

I can't enable these policies manually as we have Azure AD Basic. This situation of documented Azure AD functionality requiring a Premium upgrade is getting ridiculous. At the very least Basic should have applied Security Defaults as documented.

 

Screen Shot 2020-04-20 at 07.31.21.png

Screen Shot 2020-04-20 at 07.29.35.png

3 Replies

HI @madcat,

 

If you were able to save the changes and Security Default applied- 

 

I think the best way to test the Security Defaults and see if applied-  sign in with Admin Account and see if you get prompted for MFA, it should prompt every time you login.

 

I have found that users don't get prompted for MFA, unless they are doing something like accessing sensitive information or logging on from another country. 

 

Security score will change after sometime but not instantly.

 

 

Thanks!

Moe

 

 

@Moe_Kinani you were right my security score is bumped up considerably now and the policies are definitely enable as my new users are getting grilled by AD when choosing passwords.

 

Obviously takes few days for changes to be reflected here.