SOLVED

Transition from baseline policies to security defaults


Hi team,

Is any action required from end users, or is there any effect on them, if we transition to security defaults in the Office 365 admin center?
Note: currently we use baseline policies, and all users already have MFA applied using text codes and the Microsoft Authenticator app.

Regards,
Vichet

12 Replies

Well for starters, SMS/text is not an available method with security defaults in place. Read the documentation for all the other differences: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

I found that this is not true, however. You need to register with the app, but after that you can go back to aka.ms/mfasetup and register all the other methods, and they also work just fine.
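The original question asks what end users will have to do, and the two replies above disagree on which MFA methods count. The one thing that is certain is that Security Defaults require every user to register the Microsoft Authenticator app (users get 14 days from their next sign-in, after which they are blocked until they register). The script below is an added example, not code from this thread: it inventories the authentication methods each user has registered through the Microsoft Graph PowerShell SDK and lists the accounts that have only SMS/phone or nothing at all, so you know who will be prompted. It assumes the Microsoft.Graph module is installed and that you sign in with a role that can read authentication methods; the CSV file name is illustrative.

```powershell
# Added example (not from the thread): inventory registered MFA methods per user to see
# who still needs the Microsoft Authenticator app before Security Defaults are enabled.
# Assumptions: Microsoft.Graph module installed; signed-in account can read auth methods
# (e.g. Authentication Administrator or Global Reader). Output file name is illustrative.

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# OData types returned by GET /users/{id}/authentication/methods
$AuthenticatorType = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$PhoneType         = '#microsoft.graph.phoneAuthenticationMethod'    # SMS or voice call
$PasswordType      = '#microsoft.graph.passwordAuthenticationMethod' # present for everyone

$report = foreach ($user in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName) {
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    [pscustomobject]@{
        User             = $user.UserPrincipalName
        HasAuthenticator = $types -contains $AuthenticatorType
        HasPhoneOrSms    = $types -contains $PhoneType
        # Anything other than the password counts as a registered second factor
        StrongMethods    = @($types | Where-Object { $_ -ne $PasswordType }).Count
    }
}

# Users who will be forced to register the Authenticator app after the switch
$report | Where-Object { -not $_.HasAuthenticator } |
    Sort-Object User |
    Format-Table -AutoSize

# Keep the full inventory so you can re-run and diff it after the 14-day window
$report | Export-Csv -Path .\mfa-method-inventory.csv -NoTypeInformation
```

Run this before flipping the setting and again two weeks after: accounts that still show `HasAuthenticator = False` at that point are the ones that will start failing sign-in, and the `HasPhoneOrSms` column tells you whether they currently rely on the text-code method the thread is worried about.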

Hi All,

Since Security Defaults block legacy authentication protocols for the whole tenant, if some users require such a protocol (such as IMAP) for a use case, how do we exclude them?

Thanks for the help.
Regards,


@Vichet SIM you can't; you would need to use Conditional Access instead and build some policies. But that would require AAD Premium.


@CloudHal thank you. Can you provide some tips on how to build policies in Conditional Access? We will move to AAD Premium to fix the issue.

Regards,

Solution

@Vichet SIM Yes, I highly recommend starting with Alex's spreadsheet here: https://www.itpromentor.com/conditional-access-for-the-smb-a-how-to-guide/ Use his spreadsheet and customise it to your needs. It makes it far easier to design them, and is also a good starting point.
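The exclusion question earlier in the thread and the request for policy-building tips come down to the same thing: Security Defaults are all-or-nothing, so the tenant-wide legacy-authentication block has to be re-created as a Conditional Access policy that carries an exclusion group. Two caveats before the example: Security Defaults and Conditional Access policies are mutually exclusive, so Security Defaults must be turned off before a policy can be enabled, and the exclusion group is exactly the hole that password-spray attacks look for, so keep it small and time-boxed. The script below is an added example, not code from this thread or from the linked guide. It uses the Microsoft Graph PowerShell SDK and needs Azure AD Premium P1; the group name `CA-Exclude-LegacyAuth`, the policy display name and the 30-day look-back are illustrative assumptions.

```powershell
# Added example (not from the thread): re-create the legacy-auth block as a Conditional
# Access policy with an exclusion group for the accounts that still need IMAP.
# Assumptions: Microsoft.Graph module installed; Azure AD Premium P1; Security Defaults
# already turned off; the group 'CA-Exclude-LegacyAuth' exists; names are illustrative.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'

# 1. Who is still signing in with legacy protocols? Report before you block.
#    Anything other than a browser or a modern-auth desktop/mobile client is legacy
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...).
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 2. The exclusion group: the only accounts allowed to keep using legacy auth
$excludeGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-LegacyAuth'"
if (-not $excludeGroup) { throw 'Create the exclusion group first' }

# 3. Policy body: block the legacy client app types for everyone except that group.
#    'exchangeActiveSync' and 'other' are the clientAppTypes values that cover
#    legacy authentication in Conditional Access.
$policy = @{
    displayName   = 'CA01 - Block legacy authentication'
    # Report-only first; change to 'enabled' once the sign-in report above is clean
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($excludeGroup.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Leave the policy in report-only mode until the sign-in report shows only the accounts you expect in the exclusion group, then switch `state` to `enabled`. Note that what is blocked is Basic authentication, not IMAP itself: an IMAP client that authenticates with OAuth 2.0 (modern authentication) is not affected by this policy, which is the lasting fix for the use case in the thread. Also, Exchange Online has since retired Basic authentication for IMAP and POP tenant-wide, so a Conditional Access exclusion alone no longer keeps a Basic-auth IMAP client working.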


Thank you @CloudHal for the advice; I will look into it further. Is there any way that modern auth from Security Defaults can help with this requirement? I think it might be related to this topic, but I am not sure how to deploy and move to modern auth under Security Defaults.

Regards,


@CloudHal This is associated with your reply, and I am wondering if something has changed. This is a new experience for me, and I am in the middle of setting up a small company we purchased with a new account. By default Security Defaults are on. My first urge is to leave them on, as it forces good practices in general, but believe it or not we have people at this company without a smart phone using O365. That said, when I go into Azure > Security Policies > Conditional Access policies, the New policy button is greyed out and there is a message "Create your own policies and target specific conditions like Cloud apps, Sign-in risk and Device platforms with Azure AD Premium" and a link to sign up.
Is the button greyed out because Defaults are on? If I turn off defaults am I going to be able to even create policies?

What licenses do you have?

@CloudHal O365 Business Essentials and O365 Business Premium.

So neither of those gives you the rights to use Conditional Access, so that is your issue.
I would upgrade to Microsoft 365 if you can.

@Pete200414 Have a look at this comparison: https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-business-service-description

And this as well (linked to in the above info): https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/azure-active-directory-premium-p1-is-coming-to-microsoft-365/ba-p/1275496