Forum Discussion

madcat
Copper Contributor
Apr 19, 2020

Enabling Security Defaults seemed to have no effect; MFA policies not applied etc. (Azure AD Basic)

I manage a Basic Azure AD tenant for a small business.


I just turned on Security Defaults under Properties > Manage Security Defaults but it seems to have had no effect at all. According to this document, https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults, this should have made a number of changes including but not limited to:


  • Unified Multi-Factor Authentication registration
  • Multi-Factor Authentication enforcement for the following roles: Global administrator, SharePoint administrator, Exchange administrator, Conditional Access administrator, Security administrator, Helpdesk administrator or password administrator, Billing administrator, User administrator, Authentication administrator

After enabling security defaults I checked the Security Identity Score and it is unchanged and recommending enabling policies that security defaults should have fixed.


I can't enable these policies manually as we have Azure AD Basic. This situation of documented Azure AD functionality requiring a Premium upgrade is getting ridiculous. At the very least Basic should have applied Security Defaults as documented.


4 Replies

  • Hi all,


    Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.


    If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.


    It is recommended to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
    https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens

    Moe_Kinani
    Bronze Contributor

    HI madcat,


    If you were able to save the changes and Security Defaults applied:


    I think the best way to test the Security Defaults and see if applied: sign in with an Admin account and see if you get prompted for MFA; it should prompt every time you log in.


    I have found that users don't get prompted for MFA, unless they are doing something like accessing sensitive information or logging on from another country. 


    Security score will change after some time, but not instantly.

    Thanks!

    Moe

    •
      madcat
      Copper Contributor

      Moe_Kinani, you were right: my security score is bumped up considerably now and the policies are definitely enabled, as my new users are getting grilled by AD when choosing passwords.


      Obviously it takes a few days for changes to be reflected here.
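The replies above suggest two checks that don't depend on the slow-to-update Secure Score: confirm the tenant policy is actually enabled, then find the users (admins first) who still have no MFA method registered and, if you want, revoke their sessions so the next interactive sign-in forces registration. The script below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account that can consent to the listed scopes. The per-user fallback is there because the registration-details report is not readable in every tenant; the function and parameter names are mine.

```powershell
# Added example (not from the original thread). Requires the Microsoft Graph
# PowerShell SDK. Run without -RevokeSessions first; it is read-only then.
param(
    [switch]$RevokeSessions   # only revoke refresh tokens when explicitly asked
)

Connect-MgGraph -Scopes "Policy.Read.All",
                        "AuditLog.Read.All",
                        "UserAuthenticationMethod.Read.All",
                        "User.Read.All",
                        "User.RevokeSessions.All"

# 1. Is Security Defaults really on? Read the tenant policy itself instead of
#    trusting the portal toggle or the Secure Score.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security Defaults is enabled for this tenant."
} else {
    Write-Warning "Security Defaults is NOT enabled; the 14-day registration clock has not started."
}

# 2. Which users have not registered an MFA method yet? These are the accounts
#    the first reply warns about: anyone who knows the password can still sign
#    in and register *their own* phone as the second factor.
function Get-UnregisteredMfaUser {
    try {
        # Preferred: the tenant-wide registration report (one call).
        $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All -ErrorAction Stop
        return $details |
            Where-Object { -not $_.IsMfaRegistered } |
            Select-Object Id, UserPrincipalName, IsAdmin
    } catch {
        # Fallback (assumption: report not readable here): walk enabled users and
        # look at their registered methods directly. Slower, but works everywhere.
        Write-Warning "Registration report unavailable ($($_.Exception.Message)); enumerating per user."
        $users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled |
                 Where-Object { $_.AccountEnabled }
        foreach ($u in $users) {
            $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
            # Anything other than the password method counts as a second factor.
            $strong = $methods | Where-Object {
                $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
            }
            if (-not $strong) {
                [pscustomobject]@{ Id = $u.Id; UserPrincipalName = $u.UserPrincipalName; IsAdmin = $null }
            }
        }
    }
}

$unregistered = @(Get-UnregisteredMfaUser)
Write-Host ("{0} user(s) have no MFA method registered." -f $unregistered.Count)
$unregistered | Sort-Object IsAdmin -Descending | Format-Table UserPrincipalName, IsAdmin -AutoSize

# Admin accounts without MFA are the ones Security Defaults is supposed to
# prompt on every sign-in; call them out separately.
$adminsNoMfa = @($unregistered | Where-Object { $_.IsAdmin })
if ($adminsNoMfa.Count -gt 0) {
    Write-Warning ("{0} ADMIN account(s) have no MFA method registered." -f $adminsNoMfa.Count)
}

# 3. Optional: revoke refresh tokens for the unregistered users so an existing
#    session cannot keep postponing registration (the "Revoking active tokens"
#    step in the docs). Affected users are signed out of everything.
if ($RevokeSessions) {
    foreach ($u in $unregistered) {
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        Write-Host "Revoked sessions for $($u.UserPrincipalName)"
    }
}
```

Run it read-only first and review the list; revoking sessions for the whole unregistered set at once will sign those users out of Outlook, Teams and any mobile apps, so a small business may prefer to do admins first and warn everyone else.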
