Multi-factor Authentication (MFA) via Security Defaults enforced on tenants by Microsoft (status)

Hi all,

 

- Security Defaults is enabled by default on all newly created Microsoft 365 tenants.

Microsoft has started enforcing Multi-factor Authentication (MFA) on all tenants.

- MFA will not be enforced on tenants using Conditional Access policies (at least one Azure AD Premium P1 license is required to be able to use Conditional Access policies).

- Self-service password reset (SSPR) will enforce Multi-factor Authentication on all accounts (and the breakglass account) but SSPR can be disabled.

Please check admin.microsoft.com > Health > Message center regarding the notification.

- Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.

- If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.

 

It is recommended:

- to use MFA company-wide because this security feature prevents 99.9% of attacks on your accounts.

- to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.

 

https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa

https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/let-users-reset-passwords

https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens 


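An added example, not part of the original post: one way to act on the token-revocation recommendation with the Microsoft Graph PowerShell SDK. It narrows the revocation to member accounts that have no MFA method registered, which is the gap described above. The excluded UPN is a placeholder, and the script assumes the SDK modules named in the `#Requires` line are installed and that the signed-in admin can consent to the two scopes.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports, Microsoft.Graph.Users.Actions

# Assumption: placeholder UPN. List the accounts you deliberately leave alone,
# for example the break-glass account.
$ExcludedUpns = @('breakglass@contoso.example')

# Start in report-only mode; set to $false to actually revoke sessions.
$DryRun = $true

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.RevokeSessions.All'

# Member accounts with no MFA method registered. These are the accounts where
# someone who learns the password could register their own phone or app first.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All `
        -Filter "isMfaRegistered eq false" |
    Where-Object {
        $_.UserType -eq 'member' -and
        $_.UserPrincipalName -notin $ExcludedUpns
    }

$results = foreach ($u in $unregistered) {
    $status = 'DryRun (not revoked)'
    if (-not $DryRun) {
        try {
            # Invalidates refresh tokens and session cookies, so the next
            # sign-in is interactive and MFA registration is prompted.
            Revoke-MgUserSignInSession -UserId $u.Id -ErrorAction Stop | Out-Null
            $status = 'Revoked'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        IsAdmin           = $u.IsAdmin
        Status            = $status
    }
}

# Admin accounts first: they matter most if left unregistered.
$results | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

Run it once with `$DryRun = $true` to review the list, then rerun the report after a few days to confirm the same accounts now show a registered method.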