Security Defaults Allows Setting Up SMS

%3CLINGO-SUB%20id%3D%22lingo-sub-1318191%22%20slang%3D%22en-US%22%3ESecurity%20Defaults%20Allows%20Setting%20Up%20SMS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1318191%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20web%20page%20below%20states%20that%20if%20your%20tenant%20space%20is%20using%20Security%20Defaults%2C%20which%20ours%20is%2C%20then%20everyone%20must%20setup%20MFA%20in%2014%20days%20and%20the%20ONLY%20method%20to%20use%20is%20the%20Microsoft%20Authenticator%20App.%26nbsp%3B%20Problem%20is%20that%20Azuare%20AD%20ALLOWS%20you%20to%20setup%20SMS%20for%20MFA.%26nbsp%3B%20Since%20I%20have%20a%20LONG%20time%20until%2014%20days%2C%20can%20anyone%20confirm%20that%20at%20day%2014%20anyone%20who%20used%20SMS%20will%20be%20forced%20to%20setup%20the%20app%3F%26nbsp%3B%20I%20would%20think%20so%2C%20but%20I%20don't%20want%20to%20assume%20there%20is%20not%20something%20wrong%20with%20our%20tenant%20given%20the%20fact%20we%20had%20problems%20getting%20it%20provisioned.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1318191%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1318334%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20Defaults%20Allows%20Setting%20Up%20SMS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1318334%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F626952%22%20target%3D%22_blank%22%3E%40Eddie78723%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20sure%20what%20the%20experience%20will%20be%2C%20as%20i've%20not%20been%20in%20the%20position%20you%20are%20in.%20%26nbsp%3BHowever%2C%20I%20would%20imagine%20that%20what%20you%20suspect%20will%20be%20what%20occurs%20after%2014%20days.%20%26nbsp%3BCan't%20be%20sure%20though.%20You%20just%20never%20can%20tell%20for%20sure%20sometimes%20with%20Microsoft.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20would%20say%20is%20that%20it's%20far%20more%20preferable%20in%20my%20opinion%20to%20control%20these%20settings%20yourself%20if%20you%20can.%20%26nbsp%3BIE%2C%20turn%20off%20the%20security%20defaults%20in%20favour%20of%20deploying%20your%20own%20Conditional%20Access%20Policies%20and%20doing%20things%20like%20blocking%20legacy%20authentication.%20%26nbsp%3BThis%20will%20allow%20you%20to%20test%20at%20your%20own%20pace%2C%20enable%20CA%20policies%20to%20pilot%20users%2Fgroups%2C%20and%20run%20in%20reporting%20mode%20etc.%20%26nbsp%3BFar%20better%20way%20in%20my%20opinion.%20%26nbsp%3BSecurity%20defaults%20in%20theory%20are%20a%20good%20idea%2C%20but%20some%20organisations%20could%20get%20into%20trouble%20with%20them%20if%20they%20suddenly%20find%20blanket%20settings%20applied.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2169746%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20Defaults%20Allows%20Setting%20Up%20SMS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2169746%22%20slang%3D%22en-US%22%3E%3CP%3EOld%20post%2C%20but%20I've%20found%20it%20still%20allows%20SMS%2C%20even%20on%20Global%20Admin%20accounts.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

The web page below states that if your tenant space is using Security Defaults, which ours is, then everyone must setup MFA in 14 days and the ONLY method to use is the Microsoft Authenticator App.  Problem is that Azuare AD ALLOWS you to setup SMS for MFA.  Since I have a LONG time until 14 days, can anyone confirm that at day 14 anyone who used SMS will be forced to setup the app?  I would think so, but I don't want to assume there is not something wrong with our tenant given the fact we had problems getting it provisioned.

 

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

 

2 Replies

@Eddie78723 

 

I'm not sure what the experience will be, as i've not been in the position you are in.  However, I would imagine that what you suspect will be what occurs after 14 days.  Can't be sure though. You just never can tell for sure sometimes with Microsoft.

 

What I would say is that it's far more preferable in my opinion to control these settings yourself if you can.  IE, turn off the security defaults in favour of deploying your own Conditional Access Policies and doing things like blocking legacy authentication.  This will allow you to test at your own pace, enable CA policies to pilot users/groups, and run in reporting mode etc.  Far better way in my opinion.  Security defaults in theory are a good idea, but some organisations could get into trouble with them if they suddenly find blanket settings applied.

Old post, but I've found it still allows SMS, even on Global Admin accounts.