Azure AD Security Defaults MFA not working (as expected?)


Hi,


We use Microsoft 365 Standard and have enabled Security Defaults ( https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-au... ) so thought that our accounts would be as secure as they could be without Conditional Access.


One of our users was phished and emails were sent from their account. Checking the interactive sign-in logs I can see the attacker attempted to log in from Nigeria (we don't operate from Nigeria) using Chrome on Windows 10 and was denied login due to MFA (which is as expected; part of the log is shown below):


Date (UTC): 2023-05-10T09:12:20Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Failure reason: Strong Authentication is required
Client app: Browser
Browser: Chrome 112.0.0
Operating System: Windows 10
Multifactor authentication result: User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others
Authentication requirement: Multifactor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD


2 minutes after that attempt the attacker then tried using Safari on iOS 14 and this only asked for single-factor authentication and let them in, which certainly wasn't expected! From there, they were able to monitor the email in this instance and send / modify emails until we detected them and locked them out. It could have been worse; we were lucky this time. The successful (part) log is shown below:


Date (UTC): 2023-05-10T09:14:27Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Sign-in error code:
Failure reason: Other
Client app: Mobile Apps and Desktop clients
Browser: Mobile Safari 14.1
Operating System: iOS 14
Multifactor authentication result:
Authentication requirement: Single-factor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD


I have logged this with Microsoft but all they are concerned with is that the account is now secure, not the fact that with Security Defaults on, a phished account was accessed without MFA (and from a country we don't operate from).


I have since done some more testing with another account and, after revoking sessions and MFA, they could log in to the same PC they normally use and access www.office.com without MFA prompts, only finally being asked when going into Security Settings in My Account. I can accept that, as the location this was from is the main office, it might be flagged as safe by MS.
So then I used the same account to log in from another client's office not associated with us (using a VM there) and again it was able to log in to www.office.com without any MFA prompts, which again is quite concerning.


I wondered if anyone had any insights into why this might have happened like this? As far as I can see Security Defaults isn't really doing a very good job.


Thanks


Rob
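As an added illustration (not part of Rob's post or anything from Microsoft), here is a small Python script that reads sign-in records in the "Field: value" layout pasted above and flags the exact pattern described: a successful single-factor sign-in from a country the business doesn't operate in, arriving shortly after an MFA-interrupted attempt (error 50074) from the same IP address. The expected-countries set and the 10-minute correlation window are assumptions; the sample records are constructed from the values in the post.

```python
from datetime import datetime, timedelta

# Constructed sample using the values from the post above, in the "Field: value" layout of the sign-in log details pane.
SAMPLE_LOG = """\
Date (UTC): 2023-05-10T09:12:20Z
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Authentication requirement: Multifactor authentication

Date (UTC): 2023-05-10T09:14:27Z
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Authentication requirement: Single-factor authentication
"""
EXPECTED_COUNTRIES = {"GB"}  # assumption: countries the tenant's users normally sign in from
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_records(text):
    records = []
    for block in text.strip().split("\n\n"):  # one blank-line-separated record per dict
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; timestamps keep theirs
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def find_suspicious(records, window=timedelta(minutes=10)):
    """Flag successful single-factor sign-ins from an unexpected country or preceded by an MFA-blocked attempt (50074) from the same IP."""
    hits = []
    for rec in records:
        if rec.get("Status") != "Success" or rec.get("Authentication requirement") != "Single-factor authentication":
            continue
        ts = datetime.strptime(rec["Date (UTC)"], FMT)
        country = rec.get("Location", "").rsplit(",", 1)[-1].strip()  # "City, State, CC"
        reasons = []
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected country {country}")
        for other in records:
            if other.get("Sign-in error code") == "50074" and other.get("IP address") == rec.get("IP address"):
                gap = ts - datetime.strptime(other["Date (UTC)"], FMT)
                if timedelta(0) <= gap <= window:
                    reasons.append(f"MFA-blocked attempt from same IP {int(gap.total_seconds())}s earlier")
        if reasons:
            hits.append((rec["Date (UTC)"], "; ".join(reasons)))
    return hits
```

Run over a full export, the second reason is the stronger signal: a client that fails an MFA challenge and then succeeds with single-factor auth two minutes later is exactly what the two records above show.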

5 Replies
After a bit more research I found this article which tested Security Defaults and is an interesting read:
https://diligex.com/2021/01/are-microsoft-365-azure-security-defaults-sufficient/

Looks like if you want to protect users' email and data and you only have 365 Basic or Standard licenses it's quite possibly a complete waste of time to use Security Defaults on its own. Given that a user will eventually be phished for a login, no matter how often I email them advice on avoiding it, someone will get into your data. I'll be looking at going back to per-user MFA, which is a bit of a pain.
The skeptic in me thinks maybe MS has made Security Defaults fairly useless to try and push for more revenue from Premium or AAD P1 licenses, but some SMBs really don't have the money at present to fully move to Premium 365 (or Azure AD P1 licenses).

@Kat-UK 

For MFA, there is still a chance of bypass, such as SMB; please be aware.

Hi all,

Please note:

Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.

If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.

It is recommended to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens

I really don't understand this. If the point is to push people to upgrade to Conditional Access, surely it needs to be obvious there's a benefit to doing so? If it's not obvious that it doesn't work properly until someone gets compromised, then why would anyone feel the need to upgrade? If I wanted to make people want to upgrade, I'd set it so you have to authenticate pretty much every time and annoy the users into it, not leave them thinking they're protected when they're not.

@Kat-UK I'm jumping in here too because I have been fighting this myself. I "thought" enabling security defaults would force all users to use MFA for all logins. That appears to not be the case. I help manage several small businesses that have Microsoft 365 Business Standard subscriptions. Over the past few months the admins of those accounts have been notified they needed to turn on Security defaults to protect their users because 99.9% of all compromises could have been prevented with MFA, or something like that wording.


They all have enabled security defaults and yes, the admins are all forced through MFA. And yes, all users were forced to enroll in MFA. But in reviewing the login logs (7 day report in Entra) not a single 'normal' user has been forced through the MFA authentication. They all still get the single-authentication path.


Now none of them have the Premium or AAD P1 licenses so using conditional access isn't an option, so I am assuming they are going to have to use per-user MFA? Seriously, the whole Security Defaults documentation/recommendation stuff is misleading at best and downright confusing in reality.


So I guess at this point the question comes down to "If a customer is only using MS365 Business Standard, to ensure all users must use MFA, is per-user MFA the option they should use?"


Dan