Re: Introducing security defaults

@Alex Weinert I have always wondered what the settings look like for the Baseline conditional access policies - such as the Block legacy auth, so that I could replicate in a custom CA policy with exceptions for other customers with AAD P1. Does the article at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common replicate the baseline policies exactly or are there things you are doing in the baseline policies that differ?

If I understand correctly, there are 2 types of customers > Those that manage their own security and have sophisticated CA policies in place, and those that don't know or care to do so. Will the end goal be to have Security Defaults enabled by default (this would explain the over simplified UI experience) for new tenants or customers without AAD P1 in the future?

I love the direction of travel btw.

Re: Introducing security defaults

@Matthew Levy Love this! We have hundreds of old customers with no Conditional Access policies created nor enabled Baseline Policies. I understand you are slowly rolling out Security Defaults to existing tenants. How do you inform the customers you will enforce Security Defaults? Message Center? Email to admins? Message in portal.azure.com?

Just figuring out how to prepare for unplanned move to Security Defaults.

Re: Introducing security defaults

"We’ll take the learnings from these tenants and continuously tune as we eventually roll this out to all new tenants, then to tenants who have never looked at security settings. We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves."

* Will you enable for tenants that have looked at Conditional Access but not enabled or created any rules? I find the way you put this automated process of enabling Security Defaults on existing tenants confusing.
* Will said tenant get any alert/notification ahead of time, or will you just go all in and break integrations, break glass accounts etc. in the process?

I like Security Defaults, don't get me wrong. I'm just afraid that we'll get a lot of frustrated and confused CSP customers in near future.

Re: Introducing security defaults

Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA. This is similar to the built-in Administrator account in traditional Active Directory. Without the ability to exclude a single account most organizations without AAD P1 licensing will simply leave security defaults turned off. If we want fine grained exclusions or multiple emergency access accounts it would then make sense to purchase AAD P1 licenses and configure Conditional Access. I've created a feedback suggestion here - https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39425896-exclude-emergency-access-account-from-security-def

Re: Introducing security defaults

Hello everyone,

I spent the last month looking at the security options offered by Azure and I must say that Microsoft did a great job!

3 days ago we enabled the security defaults same as explained by @Alex Weinert. Since then we have one issue with Dynamics 365 Business Central that is now blocked by these settings.

Here is the error message we can see on the sign-in log (account used by Business Central to send emails):

Status: Failure
Sign-in error code: 53003
Failure reason: Access has been blocked due to conditional access policies.
Application: Office 365 Exchange Online
Location: Toronto, Ontario, CA
IP address: 52.138.16.175
Authentication method: CloudOnlyPassword
Requirement: Primary Authentication
Policy Name: Security defaults
Grant Controls: block

How can we prevent this kind of false positives?

As I added the IP range of the Microsoft data center used by Business Central as a trusted Named location but it still doesn't work.

Thank you for your help.

Re: Introducing security defaults

Thanks for the info Alex.

How would you manage this setting using PowerShell?

-Tom

Re: Introducing security defaults

I implemented Security Defaults for one of my tenants, and configured MFA for an end user account. I then tested logging into office.com from several different computers, in geographically different locations and found that it does not always prompt for secondary authentication. For example, I logged into my customer's office.com account from my home PC and it did not prompt. We are in the same physical town, a few miles away from each other. I then tried the same thing from a computer about 10 miles away in a different town and it did not prompt for MFA. I then attempted to login from a computer in a different state and it DID prompt for MFA. When I inspect the Azure login logs, every login says it is using the "Security Defaults" policy, but it is NOT prompting for 2FA authentication in many circumstances. Is there a document available that explains, in detail, under what circumstances Security Defaults will prompt the end user for MFA authentication?

Re: Introducing security defaults

This is a great idea but I only stumbled across this setting when browsing around the Azure Portal. It really should be a banner at the top of the Security blade.

Re: Introducing security defaults

Thank you, Great Article. Enabling Security Defaults equivalent to Enable all Default CA Policies.

Re: Introducing security defaults

Hi.

Is there a way to Enable Security defaults just for a few ‘test’ users instead of enabling for the entire tenant?

We would like to prepare/test (see the entire process, see the prompt to register for multi-factor authentication, etc.) internally (IT department) before we turn it on for all end-users.

This way we can communicate in advance what they can expect.

Thanks.

Re: Introducing security defaults

.

Re: Introducing security defaults

Hi,

When you're saying -- "Some of you may have tried out baseline protection policies – security defaults replaces all those settings, and we will stop enforcing them on Feb 29th."

Were you referring that with effective Feb 29th, "baseline policies" will be replaced by "security default" and these settings WILL BE ENFORCED for all applicable tenants?

If that's the case, does this apply to all kinds of Office 365 licensed organizations, or only those service providers managing Office 365 tenants participated in CSP?

Thanks,

Eric

Re: Introducing security defaults

Our organization has same questions. Do we have the ability to control when this setting will be enforced?

Re: Introducing security defaults

How to make exceptions to the security default? Is this still possible? If not then;

I'm all for increasing security, however for now 95% of organizations cannot enable the security defaults as it will break many mail enabled applications. We will still use conditional access policies, because with security defaults we cannot make exceptions.

The Microsoft documentation is unclear about this.

Re: Introducing security defaults

I agree with @Luitzen_Boot post.

This is the same issue I posted a message about almost a month ago here in this thread.

Can anyone from Microsoft step in and let us know what can be done?

Re: Introducing security defaults

I'm not from Microsoft but my thinking is that if you enable Security Defaults you accept these defaults. Most of my customers will not be able to accept these since almost everyone need some kind of exception, mainly:

- users that can't run the Authenticator app but need text message instead
- Some few accounts which can't have MFA at all
- Some few accounts still using legacy authentication

In that case, Microsoft seem to point us to not using Security Defaults but create our own Conditional Access instead.

But to be honest, I think Microsoft themselves are slowly rolling this out and learning and listening. I've reached out to Alex on Twitter and hope he can join the conversation here.

Re: Introducing security defaults

@Jonas Back sounds reasonable, however MS requires its partners to be compliant. If we do not enable security defaults we're not compliant. So we can choose non compliant or break e-mail enabled third party applications. It seems this has not been thought through carefully.

Re: Introducing security defaults

Are the security defaults going to force MFA for Outlook/email when implemented or is this just for Azure AD at this time?

While I agree MFA needs to be implemented for all customers/clients, we need time for a full Office 365 MFA rollout.

Re: Introducing security defaults

We recently applied the change on our domain, and it has broken the connection to Outlook. Our users can still access Outlook using the browser, but trying to get the Outlook client isn't working.

A couple things I've already attempted.

1. Reset PW
2. Clear out app pw's
3. Clear out windows credential manager
4. create new App PW
5. Create new Outlook profile
6. Reboot
7. Install

Nothing that I have done has resolved the issue. What should I be trying next?

Re: Introducing security defaults

I think Microsoft should be prohibited from calling anything that didn't make it out of Preview status, and only existed for a short time - "Legacy". In the AAD Portal, if you select a Baseline policy it says:

"Baseline Protection policies are a legacy experience which is being deprecated. All Baseline Protection policies will be removed on February 29th, 2020. If you're looking to enable a security policy for your organization, we recommend enabling Security defaults or configuring Conditional Access policies."

Just my two cents. Something like "Bad idea" or "boycotted feature" would be better.

Re: Introducing security defaults

We currently have all Baseline policies enabled, as well as use a number of our own Conditional Access Policies that further secure access to various services.

In order to achieve the same functionality going forward, it looks like we would have to purchase AAD P2 licenses to re-create what the baseline End-User Policy achieved. The risk-based CA condition is not available with the AAD P1 licenses that we already have.

Can you please confirm that my understanding is correct? It would be better if we could use custom CA policies in conjunction with the Security Defaults as we have been able to with the End User Policies...

Re: Introducing security defaults

Lots of questions here, going to try to catch them all up at once.

@Matthew Levy, the article is intended to exactly replicate the policies. As to your second point, there are a spectrum of customers at all license levels. We want to make sure everyone starts with safe defaults (MFA always). Some customers may choose to change those defaults, and many organizations will choose to turn off security defaults and take the reins themselves with Conditional Access. Glad you like the direction!

@Jonas Back we are spec’ing the comms plan and rollout plan now – we’ll broadcast here before we start engagement.

@Olav Rønnestad Birkeland see prior response on comms. The cases you are describing wouldn’t happen per plan – if a tenant has *any* conditional access policies, creds policies, or other overlapping settings, we wouldn’t apply security defaults.

@jakemarston I think we have threaded on Twitter on this – break glass is about continuity. The phone app in passwordless mode doesn’t use the MFA infrastructure, nor does FIDO. Regardless, security defaults is really about ensuring that *before* tenants are thinking about break glass or other more complex policies, they are safe.

@RBdeltA I think you are hitting an endpoint that can’t do MFA, thus getting blocked. We should have no need to hit such endpoints in our first party apps. Will dig in and get back to you if we have questions.

@TomPhillips we will add the setting to graph for powershell management

@Kent Gerhart at this time, we are prompting when our ML system determines that the risk justifies the challenge. The rules factor in many
0aspects%20of%20the%20login%2C%20including%20behavioral%20familiarity%2C%20threat%20intelligence%2C%20and%20many%20many%20other%20factors.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F62212%22%20target%3D%22_blank%22%3E%40Gavin%20Meerwald%3C%2FA%3E%20it%20isn%E2%80%99t%20appropriate%20for%20all%20tenants.%20Most%20large%20tenants%20or%20security%20enthusiast%20smaller%20tenants%20shouldn%E2%80%99t%20use%20it%2C%20but%20set%20up%20Conditional%20Access%20instead.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F419565%22%20target%3D%22_blank%22%3E%40Lassaad_TOUKABRI%3C%2FA%3E%20glad%20you%20enjoyed%20it.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F532008%22%20target%3D%22_blank%22%3E%40CarlosKYO%3C%2FA%3E%20no%2C%20you%20are%20looking%20at%20Conditional%20Access.%20See%20the%20link%20in%20the%20blog%20for%20how%20to%20set%20these%20policies%20up.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F494541%22%20target%3D%22_blank%22%3E%40ericng99%3C%2FA%3E%20this%20is%20universal%2C%20we%20are%20removing%20the%20baseline%20policies%20for%20all%20tenants.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F131852%22%20target%3D%22_blank%22%3E%40brandon%20nesbitt%3C%2FA%3E%20no%2C%20if%20you%20want%20that%20control%20use%20Conditional%20Access.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F545749%22%20target%3D%22_blank%22%3E%40Luitzen_Boot%3C%2FA%3E%20no%2C%20if%20you%20want%20exceptions%20use%20Conditional%20Access.%20Security%20defaults%20is%20a%20%E2%80%9Cstarter%E2%80%9D%20setting%20for%20orgs%20aren%E2%80%99t%20yet%20dialing%20in%20their%20ow
n%20security%20settings.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F521233%22%20target%3D%22_blank%22%3E%40RBdeltA%3C%2FA%3E%20if%20you%20want%20per-app%20exceptions%2C%20per%20user%20exceptions%2C%20etc.%20that%E2%80%99s%20Conditional%20Access.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F6201%22%20target%3D%22_blank%22%3E%40Jonas%20Back%3C%2FA%3E%20%26nbsp%3Byep%20I%20am%20here.%20Security%20defaults%20is%20not%20a%20replacement%20for%20Conditional%20Access.%20Yes%2C%20we%20expect%20that%20as%20orgs%20become%20more%20sophisticated%20in%20their%20rollouts%20they%20will%20transition%20from%20Security%20Defaults%20to%20Conditional%20Access%2C%20and%20we%20don%E2%80%99t%20think%20anyone%20using%20Conditional%20Access%20should%20go%20from%20that%20to%20Security%20Defaults.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F545749%22%20target%3D%22_blank%22%3E%40Luitzen_Boot%3C%2FA%3E%20that%E2%80%99s%20not%20accurate%20%E2%80%93%20partners%20must%20protect%20their%20users%20and%20all%20delegated%20admin%20access%20with%20MFA.%20Security%20defaults%20is%20*not*%20the%20only%20way%20to%20do%20that%20%E2%80%93%20use%20Conditional%20Access.%20We%20do%20not%20recommend%20of%20old%20clients%20that%20can%E2%80%99t%20handle%20MFA%20claims.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F548561%22%20target%3D%22_blank%22%3E%40Jimburris006%3C%2FA%3E%20for%20all%20connected%20apps.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F552251%22%20target%3D%22_blank%22%3E%40Gus_Tejada%3C%2FA%3E%20please%20dm%20me%20at%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15847%22%
20target%3D%22_blank%22%3E%40Alex%3C%2FA%3E_t_weinert%20on%20twitter%20and%20let%20me%20know%20the%20specifics%20of%20the%20app%20you%20are%20using%3F%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%20fair%20feedback.%20Will%20definitely%20take%20it%20to%20heart.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F417831%22%20target%3D%22_blank%22%3E%40ablanken%3C%2FA%3E%20yes%2C%20that%20is%20correct%2C%20if%20you%20want%20risk-based%20MFA%20you%20need%20P2%2FE5.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1182601%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1182601%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EWe%20recently%20applied%20the%20change%20on%20our%20domain%2C%20and%20it%20has%20broken%20the%20connection%20to%20Outlook.%20Our%20users%20can%20still%20access%20outlook%20using%20the%20browser%2C%20but%20trying%20to%20get%20the%20outlook%20client%20isn't%20working.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EA%20couple%20things%20I've%20already%20attempted.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3E1.%20Reset%20PW%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E2.%20Clear%20out%20app%20pw's%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E3.%20Clear%20out%20windows%20credential%20manager%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E4.%20create%20new%20App%20PW%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E5.%20Create%20new%20Outlook%20profile%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E6.%20Reboot%3C%2FEM%3E%3C%2FP%3E%3CP%3E%3CEM%3E7.%20Install%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3ENothing%20that%20I%20have%20done%20has%20resolved%20the%20issue.%20What%20should%20i%20be%20trying%20next%3F%26nbs
p%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20replying%20back%20to%20my%20own%20thread%20made%20back%20on%202-10-2020.%20I%20was%20able%20to%20resolve%20the%20issue%20by%20enabling%20Modern%20Authentication%20using%20powershell.%20Here%20is%20a%20good%20link%20I%20found%20in%20case%20someone%20has%20the%20same%20issue%20my%20company%20had.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fenable-or-disable-modern-authentication-in-exchange-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%
3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fenable-or-disable-modern-authentication-in-exchange-online%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1182660%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1182660%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F552251%22%20target%3D%22_blank%22%3E%40Gus_Tejada%3C%2FA%3E%26nbsp%3BThat%20is%20exactly%20what%20I%20sent%20you%20in%20a%20private%20message%20shortly%20after%20you%20made%20that%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221690%22%20target%3D%22_blank%22%3E%40Alex%20Weinert%3C%2FA%3E%26nbsp%3Bin%20pretty%20sure%20the%20original%20post%20has%20been%20modified%20after%20my%20reply.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1182668%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1182668%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221690%22%20target%3D%22_blank%22%3E%40Alex%20Weinert%3C%2FA%3E%26nbsp%3B%20Thanks%20for%20the%20very%20detailed%20explanation%20and%20individually%20answering%20posts%20by%20admins.%20Glad%20to%20hear%20the%20Security%20Defaults%20will%20not%20enable%20if%20Tenant%20already%20has%20Conditional%20Access%20policies%20applied.%20I%20will%20be%20verifying%20that%20is%20the%20case%20very%20soon.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1182669%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%2
0id%3D%22lingo-body-1182669%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F545749%22%20target%3D%22_blank%22%3E%40Luitzen_Boot%3C%2FA%3E%26nbsp%3Byou%20did%2C%20and%20I%20much%20appreciate%20it!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1183252%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1183252%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221690%22%20target%3D%22_blank%22%3E%40Alex%20Weinert%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20curious%20about%20the%20details%20around%20what%20will%20happen%20on%20February%2029th%202020%20with%20regards%20to%20existing%20configured%20Baseline%20policies%20and%20Security%20Defaults.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%E2%80%99m%20wondering%20about%20the%20Baseline%20policies%20that%20are%20already%20configured%20for%20tenants%2C%20in%20some%20cases%20only%201%20or%202%20of%20the%204%20are%20configured%20(end%20user%20protection%20for%20e.g.)%2C%20so%20will%20they%20be%20off%20by%20default%20and%20disappear%20on%2029%20Feb%3F%20Will%20Security%20Defaults%20be%20off%20by%20default%2C%20therefore%20leaving%20a%20tenant%20which%20was%20previously%20protected%20in%20a%20worse%20state%20than%20before.%20If%20Security%20defaults%20will%20be%20ON%20by%20default%2C%20what%20will%20happen%20with%20legacy%20auth%20exceptions%20etc%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20else%20have%20other%20concerns%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1184893%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1184893%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221690%22%20target%3
D%22_blank%22%3E%40Alex%20Weinert%3C%2FA%3E%20Having%20an%20Emergency%20Access%20or%20Break%20Glass%20Account%20is%20not%20complex%20and%20is%20thoroughly%20recommended%20by%20Microsoft%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-emergency-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-emergency-access%3C%2FA%3E.%20It's%20unbelievable%20that%20this%20account%20isn't%20created%20automatically%20and%20excluded%20from%20security%20defaults%2C%20like%20AWS%20has%20accomplished%20by%20making%20the%20first%20account%20the%20root%20account.%20I%20understand%20that%20if%20we%
20want%20fine%20grained%20exclusions%20conditional%20access%20is%20required%2C%20but%20for%20small%20customers%2Fenvironments%20that%20only%20have%20a%20few%20administrators%20having%20a%20EA%2FBreak%20Glass%20account%20is%20absolutely%20crucial.%20Since%20Microsoft%20is%20turning%20on%20Security%20Defaults%20for%20new%20tenants%20you%20are%20going%20against%20your%20own%20best%20practices%20and%20making%20Security%20Defaults%20impractical.%20I%20seriously%20hope%20that%20Microsoft%20reconsiders%20having%20a%20%22single%22%20exclusion%20for%20Security%20Defaults.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1190248%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1190248%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221690%22%20target%3D%22_blank%22%3E%40Alex%20Weinert%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInteresting%2C%20activating%20Security%20Defaults%20means%20we%20can't%20use%20any%20other%20Conditional%20Access%20policies.%20For%20instance%2C%20device%20compliance%20policies%20to%20ensure%20all%20devices%20with%20company%20data%20are%20encrypted.%20So%2C%20to%20maintain%20proper%20security%20we're%20forced%20to%20use%20Conditional%20Access%2C%20but%20using%20our%20own%20Conditional%20Access%20instead%20of%20Security%20Defaults.%20Are%20we%20forced%20to%20license%20all%20guest%20users%20with%20AAD%20Premium%20in%20our%20tenant%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1190465%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1190465%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F566457%22%20target%3D%22_blank%22%3E%40cloud_compadre%3C%2FA%3E%3C%2FP%3E%3CP%3EB2B%20guest%20users%20must%20be%20licensed%201%20(license)%20to%
205%20(guest%20users)%2C%20or%20greater%20license%20to%20guest%20users%20ratio%20(X%26gt%3B%3D1%3A5).%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Flicensing-guidance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Flicensing-guidance%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1190685%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1190685%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20B2B%20licensing%20stuff%20that%20runs%20on%20the%20honor%20system%2C%20and%20we%20all%20know%20that%20means%20customers%20will%20get%20weird%20deals%20thrown%20at%20them%20later%20on%20to%20avoid%20
backdated%20bills%20-%20is%20just%20as%20stupid%20as%20it%20gets.%26nbsp%3B%20This%20kind%20of%20billing%20mindset%20is%2C%20stupid.%26nbsp%3B%20I%20can't%20think%20of%20a%20better%20word%20for%20it.%26nbsp%3B%20Maybe%20I'm%20stupid%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1198017%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1198017%22%20slang%3D%22en-US%22%3EHow%20is%20this%20related%20to%20the%20end%20of%20support%20for%20Basic%20Authentication%20for%20the%20mail%20protocols%20announced%20for%20the%2013th%20of%20Ocober%3F%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-block-legacy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2
Fazure%2Factive-directory%2Fconditional-access%2Fhowto-conditional-access-policy-block-legacy%3C%2FA%3E)%20Will%20applications%20using%20Basic%20Authentication%20for%20IMAP%20and%20POP%20to%20EWS%20stop%20working%20the%20end%20of%20February%20when%20legacy%20authentication%20will%20be%20blocked%20by%20default%3F%20Or%20am%20I%20mixing%20up%20things%20now%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1198022%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1198022%22%20slang%3D%22en-US%22%3EI%20added%20the%20wrong%20link%20in%20my%20previous%20comment.%20I%20mean%20this%20one%3A%20%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Foffice%2Fblogs%2Fend-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3
A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Foffice%2Fblogs%2Fend-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1210246%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1210246%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20response%20Alex.%20Will%20you%20be%20posting%20the%20PowerShell%20cmdlet%20that%20will%20be%20used%20to%20manage%20this%20setting%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259142%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259142%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20hoping%20to%20find%20a%20PowerShell%20cmdlet%20to%20display%20this%20setting%20too%20but%20so%20far%20I%20have%20not%20been%20able%20to%20find%20anything.%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20it%20be%20available%20through%20Graph%20for%20example%20%3F%20If%20so%2C%20what%20endpoint%3F%3C%2FP%3E%3CP%3EI%20feel%20the%20customers%20for%20Microsoft%20who%20administers%20more%20than%20one%20customer%20in%20their%20CSP%20tenants%2C%20are%20forgotten%20when%20it%20comes%20to%20functionality%20like%20this%2C%20its%20easy%20to%20administer%20if%20you%20have%20just%20your%20one%20tenant%20to%20work%20with...%20Having%20an%20overall%20control%20of%20all%20customers%20this%20setting%20should%20be%20visible%20through%20either%20Graph%20or%20a%20cmdlet.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1281409%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1281409%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Alex%20or%20anybody%20who%20can%20help%20me%2C%3C%2FP%3E%3CP%3EWe%20have%26nbsp%3B%20Azure%20AD%20(no%20Premium%20license)%20with%20600%20users%20of%20O365.%20We%20have%20%22Modern%20Authentication%22%26nbsp%3B%20already%
20enabled.%20We%20want%20to%20enable%20MFA%20for%20set%20of%20users%20who%20considered%20to%20be%20high%20risk.%20I%20am%20hesitant%20to%20enable%20%22Security%20Default%22%20as%20there%20is%20no%20way%20to%20exclude%20users%2Fgroup.%20Is%20it%20advisable%20to%20enable%20MFA%20individually%20at%20each%20users%20level%3F%20Will%20it%20affect%20anyway%20later%20enabling%20Security%20default%20or%20any%20other%20security%20measures%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3ECharles%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1283834%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1283834%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F609170%22%20target%3D%22_blank%22%3E%40charlesntoroaluminum%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThese%20are%20your%20options%3A%3C%2FP%3E%3CP%3E%22You%20can%20use%20security%20defaults%20to%20enable%20multi-factor%20authentication%20for%20all%20users%2C%20every%20time%20an%20authentication%20request%20is%20made.%20You%20don't%20have%20granular%20control%20of%20enabled%20users%20or%20scenarios%2C%20but%20it%20does%20provide%20that%20additional%20security%20step.%3CBR%20%2F%3EEven%20when%20security%20defaults%20aren't%20used%20to%20enable%20multi-factor%20authentication%20for%20everyone%2C%20users%20assigned%20the%20Azure%20AD%20Global%20Administrator%20role%20can%20be%20configured%20to%20use%20multi-factor%20authentication.%20This%20feature%20of%20the%20free%20tier%20makes%20sure%20the%20critical%20administrator%20accounts%20are%20protected%20by%20multi-factor%20authentication.%22%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ESource%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-licensing%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopene
r%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-licensing%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ESo%20to%20answer%20your%20question%2C%20you%20can't%20enable%20MFA%20individually%20with%20a%20free%20license%20to%20a%20specific%20set%20of%20users%20(except%20for%20global%20administrators).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1283847%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1283847%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F166721%22%20target%3D%22_blank%22%3E%40Jan%20van%20Veldhuizen%3C%2FA%3EIt's%20not%20related.%20You're%20confusing%20basic%20authentication%20with%20legacy%20authentication.%20Security%20defaults%20block%20legacy%20authentication.%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1284549%22%20slang%3D%22en-
US%22%3E

Re: Introducing security defaults

@Luitzen_Boot, is there any other authentication type than basic, which "legacy" is meant to be covering? I don't think so, not in Azure AD. There's just basic and then Modern (inferring all that modern entails).

Re: Introducing security defaults

@Jeremy Bradshaw

Fair enough. Basic authentication falls under the broader category legacy authentication. There's a list here:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps

Re: Introducing security defaults

@Luitzen_Boot Thanks for your response. But I cannot enable Security default as legacy apps like Outlook 2010 and 2013 are still in use for a few users. I don't see a place to enable MFA only for Admins as Baseline Policies are no longer available.

Why do you say "you can't enable MFA individually with a free license to a specific set of users"? I can go into individual users' settings and enable MFA. I already did it for a few users. I am not sure whether I am using free licenses. I have 80 licenses of Office 365 Business Premium, and 350 Exchange Online (Plan 1) which I know does not include Azure AD Premium Licenses.

Re: Introducing security defaults

@charlesntoroaluminum

I meant to say you can't control access (in your case exclude certain users for use of legacy apps) with a free license; instead you need a premium license to do that (E3, E5, AAD premium P1, AAD premium P2 etc. Contact your account manager/reseller).

What you want is to exclude certain users by using conditional access policies. With security defaults you have no way of making exclusions.

Re: Introducing security defaults

@Luitzen_Boot

Thanks for your reply, I understand I need Azure Premium level licenses for granular management of MFA. But my original question is "will it create problems if I enable MFA at individual users level", which I was able to do?

Re: Introducing security defaults

@charlesntoroaluminum Yes, it will create problems. Enabling security defaults will block legacy authentication.

Re: Introducing security defaults

@Luitzen_Boot Which will create a problem? Enabling MFA per user or enabling Security defaults?

Re: Introducing security defaults

@Tom Phillips @Alex Weinert

It appears there is a Graph API beta for at least checking the status. I found this last night. Haven't had a chance to try it yet.

https://docs.microsoft.com/en-us/graph/api/resources/identitysecuritydefaultsenforcementpolicy?view=graph-rest-beta

Matthew

Re: Introducing security defaults

I would like to support @charlesntoroaluminum's question - Are we eligible to configure and use the per-user MFA *without* enabling Security defaults and having P1/P2 licenses per each MFA-enabled user? Currently, we can do it and it works. But does it meet Microsoft licensing requirements? Thank you!

Re: Introducing security defaults

I have enabled Security Defaults for a tenant. Security info is managed via Combined Security Information Registration. My understanding is that MFA will be enforced for all user identities (except AD Connect user) simply by enabling Security Defaults. However, users are still able to log in to login.microsoftonline.com without completing an MFA challenge (the user has at this point completed their security info registration). Microsoft Support have advised that to enable MFA for each user identity after enabling Security Defaults, MFA must be enabled on the user account in the Microsoft 365 admin center under Users --> Active users --> Multi-factor authentication. Is this behavior by design?

Re: Introducing security defaults

@malcolmd_cnx is there any chance that you're just not seeing MFA prompts on *every* sign-in because of how refresh tokens work? If you want MFA every single time, I believe the options are:

- If Conditional Access policies are available to you: use "Session" settings (i.e. 'Sign-in frequency' and 'Persistent browser session').
- Otherwise, use per-user MFA settings and MFA service settings' "Remember multifactor authentication" setting (configurable in # of days).

Hope I'm understanding your concern correctly.

Re: Introducing security defaults

@Jeremy Bradshaw. I don't believe this is related to refresh token behavior because in my testing I had the credentials for a user who had completed Security Info Registration after I had enabled Security Defaults. And I used those credentials to access login.microsoftonline.com without an MFA challenge from a computer which had never authenticated the user in the past and was in a different network and behind a different firewall\public IP. However, when I attempted to sign into mysignins.microsoft.com using the same session, an MFA challenge was initiated. Assuming this is a bug? Conditional access is not an option and per-user MFA via O365 is an option but the point is that I didn't think per-user MFA was required with Security Defaults enabled. Thanks.

Re: Introducing security defaults

I'm having the same experience as @malcolmd_cnx. I mean, I did enable the Security Default feature for the Office 365 tenant, then everyone completed the 2FA registration. However, the users haven't been challenged for the 2FA authentication after 13 days.

I can see through the Sign-in events logs that the users can successfully have access to the apps, using the Security Default policy, but the 'Grant Control' field is empty, which means the users haven't been challenged for the 2FA at all. Through my Admin account, it's required the 2FA every time that I sign into the portal, then you can see the status 'required multi-factor authentication' in the Sign-ins logs.

@Jeremy_Bradshaw, I reckon if I must enable/enforce 2FA to the users through the per-user MFA settings and MFA service settings even after enabling the Security Default.

Thanks.

Re: Introducing security defaults

@Leonardo Pellegrino @malcolmd_cnx

I have to admit I think it's an issue, as Malcolm stated even on new systems with no tokens cached there was no MFA. While you may get away with configuring the per-user service settings to not remember longer than X days, it sounds to me like an issue or something with Security defaults.

I don't have a tenant ATM where I can enable security defaults so the refresh token thing was just a hunch, but it didn't end up being that.

Re: Introducing security defaults

Jeremy Bradshaw, I did raise a ticket with Microsoft's support and was told that if you require the users being challenged accordingly, you should also enable 2FA through the per-user MFA settings. Hence, I enabled that and the users got prompted. Anyway, will follow up if they will be challenged in 7 days now, as I have set up the policy.

About the Conditional Access, I do agree with you. However, this is a tiny customer and they don't have the P1 license for that.

Thanks.

Re: Introducing security defaults

I am a bit confused by @malcolm_cnx's comments. We have various Business Essentials and Premium accounts in a tenant that we purchased through GoDaddy (a mistake), and we have enabled Security Defaults through the Azure Portal. I do not see that under Users there is even a choice *Active Users*, much less a further menu choice *Multi-Factor Authentication*. Rather, after choosing a user, there is an option called *Authentication contact info*, and then a link *Authentication Methods*. Clicking this allows me as admin to enter users' MFA phone numbers and email addresses.

This in itself is confusing, because Security Defaults is supposed to require the Authenticator app, and not allow MFA through phone texts and emails.

Could someone please tell me what is going on here? Does Security Defaults actually work? Does it require MFA for all users? Do I have to take an additional step to enable MFA for all users after turning on Security defaults? How would I do that? Why do the options I see differ from the ones malcolm_cnx is reporting?

Just trying to avoid more compromised users. Thanks.

Re: Introducing security defaults

...but wouldn't it have been nice if they just made Conditional Access a non-premium thing and Security Defaults never even came into existence? I think that would have been best.

Introducing security defaults

Hey folks,

In 2012, we started the Identity security and protection team for our consumer accounts (Microsoft accounts used for signing in to OneDrive, Skype, Xbox and such). We started out by doing two things – putting metrics in place for everything (so we could be confident we’d know what works) and establishing a security minimum standard for our consumer accounts. This includes measures like registering a second factor, challenging accounts when we see risk on the login, and forcing folks to change their passwords when we found them in the hands of criminals. The results have been very good; while there was some angst involved in requiring multi-factor authentication (MFA) registration to play Xbox or on that Hotmail account that’s “worked fine for 16 years!”, the net impact was massively positive – e.g., measuring from 2014 to 2019:

- Unaided password recovery jumped from less than 20% to more than 90%
- Account retention increased by more than 10%
- Our ability to challenge users when we see risk led to a 6x decrease in compromise rate. This means that even as we’ve had a substantial increase in users, we have fewer compromised Microsoft accounts than ever before.

In 2014, we started making these technologies available to our Azure Active Directory (AD) organizational customers, and we’ve learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).

Unfortunately, we’ve been less successful than we’d like at raising awareness and getting folks to adopt the technologies. While the tools are in place for customers to stop these attacks, adoption is significantly low. Despite marketing, tweeting, and shouting from the rooftops, the most optimistic measurement of MFA usage shows that only about 9% of organizational users ever see an MFA claim.

If you’re reading this blog, you’re probably a security or identity enthusiast. You’re aware of the importance of securing identities and taking advantage of key capabilities in the platform. But for most people, especially individual developers, small businesses, or folks just experimenting with our Azure, Office, or Dynamics services, security isn’t the first thing on their minds. The goal is just to find the shortest path to setting up email and document sharing, or building that first Azure application – they won’t configure security settings until they’ve been hacked.

With millions of organizational accounts vulnerable to preventable compromise each year, we felt we needed to take a different tack – to protect organizational accounts just like we do the consumer accounts. We experimented with a few different approaches (including “Baseline protection”), listened to partners and customers, and learned a ton along the way. The result of all this learning is Security Defaults.

Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security story. For customers like this, we’ll manage their security settings like we do for our Xbox, OneDrive, Skype and Outlook users.

For starters, we’re doing the following:

- Requiring all users and admins to register for MFA.
- Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients, which can’t do MFA.

We will judiciously expand these security defaults to maximize protection for our users, but as MFA prevents >99.9% of account compromise, that’s where we’re starting. We are applying security defaults for all license levels, even trial tenants, ensuring every account can be protected by MFA.

None of this replaces the rich security capabilities in Azure Active Directory. If you are a person who uses Conditional Access to manage your break glass accounts with terms of use controls, chooses MFA based on device compliance, or integrates Identity protection reports into your SIEM, you’re far more sophisticated than our target user for Security Defaults. If you’re thinking of break glass accounts or exception scenarios, Security Defaults isn’t for you – you want Azure AD Conditional Access.

Since introducing the feature, we’ve enabled Security Defaults for more than 60k newly created tenants. More than 5k other tenants have opted into Security Defaults. All of these organizations have significantly reduced their compromise rates; only a few hundred have opted out, mostly to use Conditional Access. We’ll take the learnings from these tenants and continuously tune as we eventually roll this out to all new tenants, then to tenants who have never looked at security settings. We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves. We’re experimenting, listening and adapting as we go.

If you have an existing tenant where you’d like to enable security defaults, or are ready to turn it off and move up to using Conditional Access to manage your access policies, you’ll find the settings in your Azure AD tenant configuration in Azure Active Directory, Manage, Properties – look for “Manage Security Defaults” at the bottom of the page:

Click there and you’ll see the blade that allows you to enable security defaults. But again, security and identity enthusiast – you probably want the advanced controls that Azure Active Directory Conditional Access gives you.

You can’t enable Security Defaults if you’re already using conditional access policies or other settings which conflict. If you do, you’ll see this warning:

Some of you may have tried out baseline protection policies – security defaults replaces all those settings, and we will stop enforcing them on Feb 29th. If you’re reading this, you probably want the granular control Conditional Access gives you, so in place of baseline, set up the equivalent Conditional Access policies as outlined here (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common).

The Identity Security team is super-focused on preventing account compromise, and ensuring there is no barrier to secure, multi-factor authentication using secure protocols is a critical step forward. As always, we’d love your feedback. Reach out to me at @alex_t_weinert on twitter!

Stay safe out there,
Alex

Labels: Best Practices, Security

Re: Introducing security defaults

@Andrey Kulnev I am stuck on this question as well. Did you ever discover which licenses include per-user MFA?

Re: Introducing security defaults

@Andrey Kulnev & @cmessina85, you can roll out / enable MFA to any licensed user, doesn't matter the license. ;)

Re: Introducing security defaults

Echoing @Leonardo Pellegrino and @malcolmd_cnx.

Brand new AAD - free tier security defaults on by default. Created a new user, when they login:

Sign-Ins audit log for Conditional Access just shows not applied:

Security defaults (https://aka.ms/securitydefaults) | MfaRegistration | | Not Applied

Re: Introducing security defaults

@chadbentz I had the same scenario. So, as I posted here on 15 May, I did raise a ticket with Microsoft's support, then I was told that if you require the users being challenged accordingly / Sign-Ins audit log showing 'Grant Controls: require MFA', you should also enable 2FA through the per-user MFA settings.

Hence, I enabled that for my end-users, and they got prompted immediately. Likewise, the audit logs are now correct.

%3CLINGO-SUB%20id%3D%22lingo-sub-1457295%22%20slang%3D%22en-US%22%3ERe%3A%20Introducing%20
security%20defaults%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1457295%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F337274%22%20target%3D%22_blank%22%3E%40cmessina85%3C%2FA%3E%26nbsp%3BUnfortunately%2C%20there%20is%20no%20clear%20answer%20so%20far.%20I%20had%26nbsp%3Braised%20a%20ticket%20to%20Microsoft%20support%20and%20they%20provided%20an%20interesting%20answer%3A%20%22%3CEM%3EYou%20can%20use%20per-user%20MFA%20only%20if%20you%20do%20not%20have%20%3CSTRONG%3Eany%3C%2FSTRONG%3E%20premium%20license%20in%20the%20tenant.%20Otherwise%2C%20if%20you%20have%20at%20least%20one%20premium%20license%20you%20need%20to%20use%20MFA%20with%20CA%3C%2FEM%3E%22.%20I%20asked%20them%20to%20provide%20a%20link%20to%20an%20article%20or%20a%20licensing%20guide%20that%20can%20prove%20their%20statement.%20But%2C%20the%20only%20proof%20they%20managed%20to%20provide%20is%20a%20well-known%20article%26nbsp%3Bthat%20does%20not%20answer%20this%20question%2C%20from%20my%20perspective%20-%20%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-licensing%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-licensing%3C%2FA%3E.%20Thus%2C%20the%20question%20is%20still%20open.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hey folks,

 

In 2012, we started the Identity security and protection team for our consumer accounts (Microsoft accounts used for signing in to OneDrive, Skype, Xbox and such). We started out by doing two things – putting metrics in place for everything (so we could be confident we’d know what works) and establishing a security minimum standard for our consumer accounts. This includes measures like registering a second factor, challenging accounts when we see risk on the login, and forcing folks to change their passwords when we found them in the hands of criminals. The results have been very good; while there was some angst involved in requiring multi-factor authentication (MFA) registration to play Xbox or on that Hotmail account that’s “worked fine for 16 years!”, the net impact was massively positive – e.g., measuring from 2014 to 2019:

  • Unaided password recovery jumped from less than 20% to more than 90%
  • Account retention increased by more than 10%
  • Our ability to challenge users when we see risk led to a 6x decrease in compromise rate. This means that even as we’ve had a substantial increase in users, we have fewer compromised Microsoft accounts than ever before.

In 2014, we started making these technologies available to our Azure Active Directory (AD) organizational customers, and we’ve learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).

 

Unfortunately, we’ve been less successful than we’d like at raising awareness and getting folks to adopt the technologies. While the tools are in place for customers to stop these attacks, adoption remains very low. Despite marketing, tweeting, and shouting from the rooftops, the most optimistic measurement of MFA usage shows that only about 9% of organizational users ever see an MFA claim.

 

If you’re reading this blog, you’re probably a security or identity enthusiast. You’re aware of the importance of securing identities and taking advantage of key capabilities in the platform. But for most people, especially individual developers, small businesses, or folks just experimenting with our Azure, Office, or Dynamics services, security isn’t the first thing on their minds. The goal is just to find the shortest path to setting up email and document sharing, or building that first Azure application – they won’t configure security settings until they’ve been hacked.

 

With millions of organizational accounts vulnerable to preventable compromise each year, we felt we needed to take a different tack – to protect organizational accounts just like we do the consumer accounts. We experimented with a few different approaches (including “Baseline protection”), listened to partners and customers, and learned a ton along the way. The result of all this learning is Security Defaults.

Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security story. For customers like this, we’ll manage their security settings like we do for our Xbox, OneDrive, Skype and Outlook users.

For starters, we’re doing the following:

 

  1. Requiring all users and admins to register for MFA.
  2. Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
  3. Disabling authentication from legacy authentication clients, which can’t do MFA.

 

We will judiciously expand these security defaults to maximize protection for our users, but as MFA prevents >99.9% of account compromise, that’s where we’re starting. We are applying security defaults for all license levels, even trial tenants, ensuring every account can be protected by MFA.

 

None of this replaces the rich security capabilities in Azure Active Directory. If you are a person who uses Conditional Access to manage your break glass accounts with terms of use controls, chooses MFA based on device compliance, or integrates Identity protection reports into your SIEM, you’re far more sophisticated than our target user for Security Defaults. If you’re thinking of break glass accounts or exception scenarios, Security Defaults isn’t for you – you want Azure AD Conditional Access.

 

Since introducing the feature, we’ve enabled Security Defaults for more than 60k newly created tenants. More than 5k other tenants have opted into Security Defaults. All of these organizations have significantly reduced their compromise rates; only a few hundred have opted out, mostly to use Conditional Access. We’ll take the learnings from these tenants and continuously tune as we eventually roll this out to all new tenants, then to tenants who have never looked at security settings. We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves. We’re experimenting, listening and adapting as we go.

 

If you have an existing tenant where you’d like to enable security defaults, or are ready to turn it off and move up to using Conditional Access to manage your access policies, you’ll find the settings in your Azure AD tenant configuration in Azure Active Directory, Manage, Properties – look for “Manage Security Defaults” at the bottom of the page:

 

 

Security defaults.PNG

 

Click there and you’ll see the blade that allows you to enable security defaults. But again, security and identity enthusiast – you probably want the advanced controls that Azure Active Directory Conditional Access gives you. 

 

Security defaults2.PNG

 

You can’t enable Security Defaults if you’re already using conditional access policies or other settings which conflict. If you do, you’ll see this warning:

 

Security defaults 3.PNG

 

Some of you may have tried out baseline protection policies – security defaults replaces all those settings, and we will stop enforcing them on Feb 29th. If you’re reading this, you probably want the granular control Conditional Access gives you, so in place of baseline, set up the equivalent Conditional Access policies as outlined here.

 

The Identity Security team is super-focused on preventing account compromise, and ensuring there is no barrier to secure, multi-factor authentication using secure protocols is a critical step forward. As always, we’d love your feedback. Reach out to me at @alex_t_weinert on twitter!

 

Stay safe out there,

Alex

 

 

60 Comments
Senior Member

I'm having the same experience as @malcolmd_cnx. I mean, I did enable the Security Default feature for the Office 365 tenant, then everyone completed the 2FA registration. However, the users haven't been challenged for the 2FA authentication after 13 days. 

I can see through the Sign-in events logs that the users can successfully have access to the apps, using the Security Default policy but the 'Grant Control' field is empty which means, the users haven't been challenged for the 2FA at all. Through my Admin account, it's required the 2FA every time that I sign into the portal then you can see the status 'required multi-factor authentication' in the Sign-ins logs.

@Jeremy_Bradshaw, I reckon if I must enable/ enforce 2FA to the users through the per-user MFA settings and MFA service settings even after enabling the Security Default. 

Thanks.

Contributor

@Leonardo Pellegrino @malcolmd_cnx 

I have to admit I think it's an issue, as Malcolm stated even on new systems with no tokens cached there was no MFA.  While you may get away with configuring the per-user service settings to not remember longer than X days, it sounds to me like an issue or something with Security defaults.

 

I don't have a tenant ATM where I can enable security defaults so the refresh token thing was just a hunch, but it didn't end up being that.

Contributor

...but wouldn't it have been nice if they just made Conditional Access a non-premium thing and Security Defaults never even came into existence?  I think that would have been best.

Senior Member

Jeremy Bradshaw I did raise a ticket with Microsoft's support and was told that if you require the users being challenged accordingly, you should also enable 2FA through the per-user MFA settings. Hence, I enabled that and the users got prompted. Anyway, will follow up if they will be challenged in 7 days now, as I have set up the policy.

About the Conditional Access, I do agree with you. However, this is a tiny customer and they don't have the P1 license for that.

Thanks.

Frequent Visitor

I am a bit confused by @malcolm_cnx 's comments.  We have various Business Essentials and Premium accounts in a tenant that we purchased through GoDaddy (a mistake), and we have enabled Security Defaults through the Azure Portal.  I do not see that under Users there is even a choice Active Users, much less a further menu choice Multi-Factor Authentication.   Rather, after choosing a user, there is an option called Authentication contact info, and then a link Authentication Methods.  Clicking this allows me as admin to enter user's MFA phone numbers and email addresses.

 

This in itself is confusing, because Security Defaults is supposed to require the Authenticator app, and not allow MFA through phone texts and emails.

 

Could someone please tell me what is going on here?  Does Security Defaults actually work?  Does it require MFA for all users?  Do I have to take an additional step to enable MFA for all users after turning on Security defaults?   How would I do that?  Why do the options I see differ from the ones malcolm_cnx is reporting?

 

Just trying to avoid more compromised users.  Thanks.

New Contributor

@Andrey Kulnev  I am stuck on this question as well. Did you ever discover which licenses include per-user MFA?

Senior Member

@cmessina85 Unfortunately, there is no clear answer so far. I had raised a ticket to Microsoft support and they provided an interesting answer: "You can use per-user MFA only if you do not have any premium license in the tenant. Otherwise, if you have at least one premium license you need to use MFA with CA". I asked them to provide a link to an article or a licensing guide that can prove their statement. But, the only proof they managed to provide is a well-known article that does not answer this question, from my perspective -  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing. Thus, the question is still open.

Senior Member

@Andrey Kulnev & @cmessina85, you can roll out / enable MFA to any licensed user, doesn't matter the license. ;)

Occasional Visitor

Echoing @Leonardo Pellegrino and  @malcolmd_cnx. 


Brand new AAD - free tier security defaults on by default. Created a new user, when they login:

 

Sign-Ins audit log for Conditional Access just shows not applied:

Security defaults | MfaRegistration | Not Applied

 

Senior Member

@chadbentz I had the same scenario. So, as I posted here on 15 May, I did raise a ticket with Microsoft's support, then I was told that if you require the users being challenged accordingly / Sign-Ins audit log showing 'Grant Controls: require MFA', you should also enable 2FA through the per-user MFA settings.

Hence, I enabled that for my end-users, and they got prompted immediately. Likewise, the audit logs are now correct.
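
An added example, not part of the original post or any comment above: one way to check from exported sign-in records whether the defaults described in the post are taking effect, by listing legacy-protocol sign-ins that still succeed and users whose sign-ins were never held to an MFA requirement. The records are constructed, and the field names assume the Microsoft Graph signIn export shape; treating every client type other than the two listed as legacy is also an assumption.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real tenant data). Field names assume
# the Microsoft Graph signIn export shape; a non-zero errorCode means the
# sign-in did not succeed.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "admin@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "user1@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "User1@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scan@contoso.example",
     "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "user2@contoso.example", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "user2@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
]

# Assumption: every client type other than these two is a legacy protocol.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

def audit_signins(records):
    """Return (successful legacy sign-ins, users never held to an MFA requirement)."""
    legacy, requirements = [], defaultdict(set)
    for rec in records:
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # failed or blocked attempts are not counted as exposure
        upn = rec["userPrincipalName"].lower()  # normalise case before grouping
        client = rec.get("clientAppUsed")
        if client and client not in MODERN_CLIENTS:
            legacy.append((upn, client))
        requirements[upn].add(rec.get("authenticationRequirement"))
    never_mfa = sorted(u for u, seen in requirements.items()
                       if "multiFactorAuthentication" not in seen)
    return legacy, never_mfa

if __name__ == "__main__":
    legacy, never_mfa = audit_signins(SAMPLE_SIGNINS)
    print("Legacy-protocol sign-ins that succeeded:", legacy)
    print("Users with no MFA-required sign-in:", never_mfa)
```

A user in the second list has only been observed signing in under a single-factor requirement during the exported window, so a longer export window gives a more reliable answer.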