May 12 2023 12:35 AM - edited Nov 06 2023 12:17 AM
Hi all,
- Security Defaults is enabled by default on all newly created Microsoft 365 tenants.
- Microsoft has started enforcing Multi-factor Authentication (MFA) on all tenants.
- MFA will not be enforced on tenants using Conditional Access policies (at least one Azure AD Premium P1 license is required to be able to use Conditional Access policies).
- Self-service password reset (SSPR) will enforce Multi-factor Authentication on all accounts (including the break-glass account), but SSPR can be disabled.
- Please check admin.microsoft.com > Health > Message center regarding the notification.
- Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.
- If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.
It is recommended:
- to use MFA company-wide, because this security feature prevents 99.9% of attacks on your accounts.
- to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa
https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/let-users-reset-passwords
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens
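One way to act on the recommendations above (check whether Security Defaults is on, find users who have not registered MFA, and revoke their tokens so the next interactive sign-in forces registration) with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; it assumes the Microsoft.Graph module is installed, the listed permission scopes are granted, and the break-glass UPN is a placeholder you replace.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','User.ReadWrite.All'

# 1. Is Security Defaults enabled on this tenant?
#    Tenants that rely on Conditional Access policies will report $false here.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Which users have not registered an MFA method yet?
#    These are the accounts the post warns about: someone who knows the password
#    could complete the registration themselves, so they need attention first.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }

$unregistered |
    Select-Object UserPrincipalName, IsMfaRegistered, DefaultMfaMethod |
    Format-Table -AutoSize

# 3. Revoke sign-in sessions for those users. Their refresh tokens become invalid,
#    so the next interactive sign-in walks them through MFA registration.
#    The break-glass account is excluded; its UPN below is a placeholder.
$breakGlass = 'breakglass@contoso.example'   # placeholder: replace with your own

foreach ($u in $unregistered | Where-Object { $_.UserPrincipalName -ne $breakGlass }) {
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    "Revoked sessions for $($u.UserPrincipalName)"
}
```

Run step 2 on its own first to review the list before revoking anything.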
May 14 2023 05:28 PM
Thank you for sharing. I would like to supplement this with how to disable it in case it is needed:
Providing a default level of security in Azure Active Directory - Microsoft Entra | Microsoft Learn