Microsoft

Hey folks,


In 2012, we started the Identity security and protection team for our consumer accounts (Microsoft accounts used for signing in to OneDrive, Skype, Xbox and such). We started out by doing two things – putting metrics in place for everything (so we could be confident we’d know what works) and establishing a security minimum standard for our consumer accounts. This includes measures like registering a second factor, challenging accounts when we see risk on the login, and forcing folks to change their passwords when we found them in the hands of criminals. The results have been very good; while there was some angst involved in requiring multi-factor authentication (MFA) registration to play Xbox or on that Hotmail account that’s “worked fine for 16 years!”, the net impact was massively positive – e.g., measuring from 2014 to 2019:

  • Unaided password recovery jumped from less than 20% to more than 90%
  • Account retention increased by more than 10%
  • Our ability to challenge users when we see risk led to a 6x decrease in compromise rate. This means that even as we’ve had a substantial increase in users, we have fewer compromised Microsoft accounts than ever before.

In 2014, we started making these technologies available to our Azure Active Directory (AD) organizational customers, and we’ve learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).


Unfortunately, we’ve been less successful than we’d like at raising awareness and getting folks to adopt the technologies. While the tools are in place for customers to stop these attacks, adoption remains very low. Despite marketing, tweeting, and shouting from the rooftops, the most optimistic measurement of MFA usage shows that only about 9% of organizational users ever see an MFA claim.


If you’re reading this blog, you’re probably a security or identity enthusiast. You’re aware of the importance of securing identities and taking advantage of key capabilities in the platform. But for most people, especially individual developers, small businesses, or folks just experimenting with our Azure, Office, or Dynamics services, security isn’t the first thing on their minds. The goal is just to find the shortest path to setting up email and document sharing, or building that first Azure application – they won’t configure security settings until they’ve been hacked.


With millions of organizational accounts vulnerable to preventable compromise each year, we felt we needed to take a different tack – to protect organizational accounts just like we do the consumer accounts. We experimented with a few different approaches (including “Baseline protection”), listened to partners and customers, and learned a ton along the way. The result of all this learning is Security Defaults.

Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security story. For customers like this, we’ll manage their security settings like we do for our Xbox, OneDrive, Skype and Outlook users.

For starters, we’re doing the following:


  1. Requiring all users and admins to register for MFA.
  2. Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
  3. Disabling authentication from legacy authentication clients, which can’t do MFA.
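As an added example (not part of the original post), here is a Python pre-flight check an admin can run over exported sign-in log records before enabling the three defaults above: it flags accounts still signing in through legacy-authentication clients (which default 3 blocks), accounts with no registered MFA method (default 1), and accounts in privileged roles that will always be challenged (default 2). The sign-in records, MFA-registration set and role mapping are constructed sample data; field names follow the Azure AD sign-in log (Graph signIn) schema, the legacy client list mirrors the sign-in log's client-app filter, and the privileged role set is an assumption.

```python
import json

# clientAppUsed values that the Azure AD sign-in log classifies as legacy
# authentication (the sign-in log's client-app filter). None of these clients
# can complete an MFA challenge, so Security Defaults block them outright.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}

# Roles that are always challenged with MFA. Illustrative assumption: the post
# only says "critical roles and tasks"; adjust to your tenant's role list.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}

# Constructed sample sign-in records (not real tenant data), shaped like the
# Graph `signIn` resource that the sign-in log exports.
SAMPLE_SIGNINS = json.loads("""[
  {"userPrincipalName": "svc-mailer@contoso.example", "clientAppUsed": "Authenticated SMTP",
   "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
  {"userPrincipalName": "svc-mailer@contoso.example", "clientAppUsed": "Authenticated SMTP",
   "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
  {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
   "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
  {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
   "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
   "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
  {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser",
   "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
]""")
# Constructed: who already has an MFA method registered, and who holds which role.
SAMPLE_MFA_REGISTERED = {"alice@contoso.example"}
SAMPLE_ROLES = {"alice@contoso.example": {"Global Administrator"}}


def is_legacy(record):
    """True if the sign-in came from a client that cannot do MFA."""
    return record.get("clientAppUsed", "") in LEGACY_CLIENT_APPS


def assess(signins, mfa_registered, roles):
    """Per-account view of what changes once Security Defaults are enforced.

    signins        : list of sign-in log records (dicts)
    mfa_registered : set of UPNs that already have an MFA method registered
    roles          : mapping UPN -> set of directory role names
    """
    report = {}
    for rec in signins:
        upn = rec["userPrincipalName"]
        entry = report.setdefault(upn, {
            "legacy_clients": set(),          # default 3: these sign-ins get blocked
            "legacy_signins": 0,
            "needs_mfa_registration": upn not in mfa_registered,            # default 1
            "always_mfa": bool(roles.get(upn, set()) & PRIVILEGED_ROLES),  # default 2
        })
        if is_legacy(rec):
            entry["legacy_clients"].add(rec["clientAppUsed"])
            entry["legacy_signins"] += 1
    return report


def summarize(report):
    """Tenant-level counts for a rollout plan."""
    entries = report.values()
    return {
        "accounts": len(report),
        "accounts_using_legacy_auth": sum(1 for e in entries if e["legacy_clients"]),
        "signins_that_will_be_blocked": sum(e["legacy_signins"] for e in entries),
        "accounts_needing_mfa_registration": sum(1 for e in entries if e["needs_mfa_registration"]),
        "accounts_always_challenged": sum(1 for e in entries if e["always_mfa"]),
    }


if __name__ == "__main__":
    rep = assess(SAMPLE_SIGNINS, SAMPLE_MFA_REGISTERED, SAMPLE_ROLES)
    for upn, e in sorted(rep.items()):
        print(upn, "legacy:", sorted(e["legacy_clients"]) or "-",
              "needs MFA reg:", e["needs_mfa_registration"], "always MFA:", e["always_mfa"])
    print(summarize(rep))
```

Service accounts that show up with a legacy client (like the SMTP sender above) are the ones to migrate to modern authentication or move under a Conditional Access exception before the defaults go on, since Security Defaults offers no per-account exclusion.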


We will judiciously expand these security defaults to maximize protection for our users, but as MFA prevents >99.9% of account compromise, that’s where we’re starting. We are applying security defaults for all license levels, even trial tenants, ensuring every account can be protected by MFA.


None of this replaces the rich security capabilities in Azure Active Directory. If you are a person who uses Conditional Access to manage your break-glass accounts with terms-of-use controls, chooses MFA based on device compliance, or integrates Identity Protection reports into your SIEM, you’re far more sophisticated than our target user for Security Defaults. If you’re thinking of break-glass accounts or exception scenarios, Security Defaults isn’t for you – you want Azure AD Conditional Access.


Since introducing the feature, we’ve enabled Security Defaults for more than 60k newly created tenants. More than 5k other tenants have opted into Security Defaults. All of these organizations have significantly reduced their compromise rates; only a few hundred have opted out, mostly to use Conditional Access. We’ll take the learnings from these tenants and continuously tune as we eventually roll this out to all new tenants, then to tenants who have never looked at security settings. We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves. We’re experimenting, listening and adapting as we go.


If you have an existing tenant where you’d like to enable security defaults, or are ready to turn it off and move up to using Conditional Access to manage your access policies, you’ll find the settings in your Azure AD tenant configuration in Azure Active Directory, Manage, Properties – look for “Manage Security Defaults” at the bottom of the page:

[Screenshot: Security defaults.PNG]

Click there and you’ll see the blade that allows you to enable security defaults. But again, as a security and identity enthusiast, you probably want the advanced controls that Azure Active Directory Conditional Access gives you.

[Screenshot: Security defaults2.PNG]

You can’t enable Security Defaults if you’re already using conditional access policies or other settings which conflict. If you do, you’ll see this warning:

[Screenshot: Security defaults 3.PNG]

Some of you may have tried out baseline protection policies – security defaults replaces all those settings, and we will stop enforcing them on Feb 29th. If you’re reading this, you probably want the granular control Conditional Access gives you, so in place of baseline, set up the equivalent Conditional Access policies as outlined here.
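Whether you are enabling security defaults or turning them off to move up to Conditional Access, the portal toggle described above is backed by a Microsoft Graph policy object, and the same conflict rule the portal warns about can be applied from PowerShell. This is an added example, not code from the post or from Microsoft; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account holds the Policy.Read.All and Policy.ReadWrite.ConditionalAccess permissions (the permission names are an assumption to verify against current Graph documentation).

```powershell
# Added example, not from the original post. Manages the security defaults toggle
# through Microsoft Graph instead of the portal blade.
# Assumptions: Microsoft.Graph module installed; caller granted Policy.Read.All and
# Policy.ReadWrite.ConditionalAccess (verify against current Graph documentation).
$graph = 'https://graph.microsoft.com/v1.0'

function Get-SecurityDefaultsState {
    # The tenant-wide policy object behind "Manage Security Defaults", plus the
    # count of Conditional Access policies, which the portal treats as a conflict.
    $sd = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy"
    $ca = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies"
    [pscustomobject]@{
        SecurityDefaultsEnabled   = [bool]$sd.isEnabled
        ConditionalAccessPolicies = @($ca.value).Count
    }
}

function Set-SecurityDefaults {
    param([Parameter(Mandatory)] [bool] $Enabled)
    $state = Get-SecurityDefaultsState
    if ($state.SecurityDefaultsEnabled -eq $Enabled) {
        Write-Host "Security defaults already set to $Enabled; nothing to do."
        return
    }
    # Same rule as the portal warning: security defaults cannot be enabled while
    # Conditional Access policies exist, so refuse instead of leaving a mixed state.
    if ($Enabled -and $state.ConditionalAccessPolicies -gt 0) {
        throw "Tenant has $($state.ConditionalAccessPolicies) Conditional Access policies; keep using Conditional Access instead of security defaults."
    }
    $body = @{ isEnabled = $Enabled } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy" -Body $body -ContentType 'application/json'
    Write-Host "Security defaults now set to $Enabled."
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
Get-SecurityDefaultsState | Format-List
# Set-SecurityDefaults -Enabled $true    # enable
# Set-SecurityDefaults -Enabled $false   # turn off before moving to Conditional Access
```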


The Identity Security team is super-focused on preventing account compromise, and ensuring there is no barrier to secure, multi-factor authentication using secure protocols is a critical step forward. As always, we’d love your feedback. Reach out to me at @alex_t_weinert on Twitter!

Stay safe out there,

Alex

9 Comments
Senior Member

@Alex Weinert I have always wondered what the settings look like for the Baseline conditional access policies - such as the Block legacy auth, so that I could replicate in a custom CA policy with exceptions for other customers with AAD P1. Does the article at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces... replicate the baseline policies exactly or are there things you are doing in the baseline policies that differ?


If I understand correctly, there are 2 types of customers: those that manage their own security and have sophisticated CA policies in place, and those that don't know or care to do so. Will the end goal be to have Security Defaults enabled by default (this would explain the over-simplified UI experience) for new tenants or customers without AAD P1 in the future?


I love the direction of travel btw.

Frequent Contributor

@Matthew Levy Love this! We have hundreds of old customers with no Conditional Access policies created and no Baseline Policies enabled. I understand you are slowly rolling out Security Defaults to existing tenants. How do you inform the customers you will enforce Security Defaults? Message Center? Email to admins? Message in portal.azure.com?


Just figuring out how to prepare for unplanned move to Security Defaults.

Occasional Contributor
"We’ll take the learnings from these tenants and continuously tune as we eventually roll this out to all new tenants, then to tenants who have never looked at security settings. We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves."

* Will you enable for tenants that have looked at Conditional Access but not enabled or created any rules? I find the way you put this automated process of enabling Security Defaults on existing tenants confusing.
* Will said tenant get any alert/notification ahead of time, or will you just go all in and break integrations, break glass accounts etc. in the process?

I like Security Defaults, don't get me wrong. I'm just afraid that we'll get a lot of frustrated and confused CSP customers in the near future.
Visitor
Microsoft has done a great job by releasing security defaults; however, it lacks the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-acces... one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA. This is similar to the built-in Administrator account in traditional Active Directory. Without the ability to exclude a single account, most organizations without AAD P1 licensing will simply leave security defaults turned off. If we want fine-grained exclusions or multiple emergency access accounts, it would then make sense to purchase AAD P1 licenses and configure Conditional Access. I've created a feedback suggestion here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39425896-exclude-emergen...
Frequent Visitor

Hello everyone,


I spent the last month looking at the security options offered by Azure and I must say that Microsoft did a great job!


3 days ago we enabled security defaults as explained by @Alex Weinert. Since then we have one issue with Dynamics 365 Business Central, which is now blocked by these settings.


Here is the error message we can see in the sign-in log (account used by Business Central to send emails):

Status: Failure
Sign-in error code: 53003
Failure reason: Access has been blocked due to conditional access policies.
Application: Office 365 Exchange Online
Location: Toronto, Ontario, CA
IP address: 52.138.16.175
Authentication method: CloudOnlyPassword

Requirement: Primary Authentication
Policy Name: Security defaults
Grant Controls: block

How can we prevent this kind of false positive?
I added the IP range of the Microsoft data center used by Business Central as a trusted Named location, but it still doesn't work.

Thank you for your help.
Frequent Visitor

Thanks for the info Alex.

How would you manage this setting using PowerShell?


-Tom

Visitor

I implemented Security Defaults for one of my tenants, and configured MFA for an end user account. I then tested logging into office.com from several different computers, in geographically different locations, and found that it does not always prompt for secondary authentication. For example, I logged into my customer's office.com account from my home PC and it did not prompt. We are in the same physical town, a few miles away from each other. I then tried the same thing from a computer about 10 miles away in a different town and it did not prompt for MFA. I then attempted to login from a computer in a different state and it DID prompt for MFA. When I inspect the Azure login logs, every login says it is using the "Security Defaults" policy, but it is NOT prompting for 2FA authentication in many circumstances. Is there a document available that explains, in detail, under what circumstances Security Defaults will prompt the end user for MFA authentication?

Established Member

This is a great idea but I only stumbled across this setting when browsing around the Azure Portal. It really should be a banner at the top of the Security blade.

New Contributor
Thank you, great article. Enabling Security Defaults is equivalent to enabling all default CA policies.