Microsoft Security Defaults for Azure AD
Managing workplace users and their access to systems and applications is made easy with Microsoft Azure Active Directory. However, with network and data security a constant worry for organisations of all sizes, we need to be confident that user management and access is locked down – so that we have a safe networked working environment.
In the increasingly complex online workplace – from remote working, to BYOD policy, to hiring from the gig economy, cloud services usage, and inter-company collaboration – your organisation’s cybersecurity attack surface grows more complex too. This ranges from a larger number of attack vectors to more opportunities for human error, such as losing a phone.
Microsoft Azure AD Security Defaults is a great first step towards securing user access across your organisation, so that only your approved users have access to your company information, and only privileged users have access to certain areas and controls. For those familiar with the older Microsoft standard, Security Defaults replaces Baseline Policy.
What’s included in Security Defaults?
Security Defaults are a set of controls to give you a good baseline security posture for your Azure AD user management.
Unified Multi-Factor Authentication (MFA)
The first default is that all users in your tenant must enrol in Multi-Factor Authentication (MFA). A single password is simply not always enough these days for logging into your systems.
When Security Defaults is switched on, all users have 14 days to register for MFA, which is currently done with the Microsoft Authenticator app. MFA will then be prompted for any user when a sign-in looks out of character compared with that user’s normal login behaviour.
Once set up, MFA can be satisfied with a number of different authentication methods, including Microsoft Authenticator, PIN codes, and biometrics. These are supported on mobile devices (iOS/Android) and Windows 10 devices, and, with extra configuration, on other operating systems including UNIX-based systems.
Do be aware that legacy authentication protocols, including mail protocols such as IMAP and POP3, are no longer supported under Security Defaults. Clients that depend on them will need to be updated or migrated to newer apps and protocols to keep working.
Elevated Privilege Users
Once Security Defaults is enabled, MFA will be required on every sign-in for your elevated privilege users, the administrators of your systems. These are the following roles:
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional Access administrator
- Security administrator
- Helpdesk administrator
- Billing administrator
- User administrator
- Authentication administrator
Elevated privilege apps
As with privileged users, there are also Azure apps that require heightened security. Users accessing the Azure portal, Azure PowerShell, Azure Resource Manager, and Azure CLI will also be required to complete additional authentication.
Let’s now walk through how to set up Security Defaults in your Azure environment.
Switching on Security Defaults in Azure
A note before we start: only users holding one of the following roles can switch on Security Defaults for Azure AD: Security Administrator, Conditional Access Administrator, or Global Administrator.
- Log in to the Azure portal.
- Navigate to Azure Active Directory > Properties.
- Select Manage Security Defaults.
- Switch the Enable Security Defaults toggle to On and then select Save.
Considerations before deploying Security Defaults
Organisations that need a more granular approach to MFA will instead need to use Conditional Access policies. These are if-then policies that can be applied to a single user or a group of users, to specific apps or devices, at particular locations, and so on.
If you are using Security Defaults, you cannot also use Conditional Access. If you are just starting to build a stronger security posture, you may prefer to begin with Security Defaults before developing a plan and strategy for implementing Conditional Access policies.
Conversely, if you currently have any Conditional Access policies in place, these will need to be removed before switching to Security Defaults.
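As an added example (not part of the original article, and not Microsoft tooling), the following Python readiness check covers the two caveats that matter before flipping the toggle: it flags users still signing in over legacy protocols that Security Defaults will block (the IMAP/POP3 point made earlier) and lists any Conditional Access policies that still exist. It assumes the sign-in and policy records have already been exported from the Microsoft Graph `/auditLogs/signIns` and `/identity/conditionalAccess/policies` endpoints; the records and the legacy-protocol list embedded below are constructed samples.

```python
"""Readiness check before enabling Azure AD Security Defaults.

Security Defaults blocks legacy authentication and cannot coexist with
Conditional Access policies. This script checks both using data already
pulled from Microsoft Graph:
  - sign-in records from GET /auditLogs/signIns (field: clientAppUsed)
  - policies from GET /identity/conditionalAccess/policies (field: state)
The records below are constructed samples in the shape Graph returns.
"""
from collections import defaultdict

# Constructed sample data (not real tenant data).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "POP"},
    {"userPrincipalName": "dave@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
]
SAMPLE_CA_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled"},
    {"displayName": "Old pilot policy", "state": "disabled"},
]

# Assumed, non-exhaustive set of clientAppUsed values that indicate
# legacy (basic) authentication and will stop working under Security Defaults.
LEGACY_CLIENT_APPS = {"IMAP", "POP", "SMTP", "Exchange ActiveSync", "Other clients"}


def legacy_auth_users(sign_ins):
    """Map each legacy protocol to the sorted list of users still using it."""
    by_protocol = defaultdict(set)
    for rec in sign_ins:
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            by_protocol[rec["clientAppUsed"]].add(rec["userPrincipalName"])
    return {app: sorted(users) for app, users in by_protocol.items()}


def readiness_report(sign_ins, policies):
    """Summarise blockers: the tenant is ready only when both lists are empty."""
    legacy = legacy_auth_users(sign_ins)
    # The article's guidance is to remove all existing policies, so report
    # every policy regardless of state (enabled ones are the hard blockers).
    ca_policies = [(p["displayName"], p["state"]) for p in policies]
    return {"ready": not legacy and not ca_policies,
            "legacy_auth": legacy,
            "conditional_access_policies": ca_policies}


if __name__ == "__main__":
    print(readiness_report(SAMPLE_SIGN_INS, SAMPLE_CA_POLICIES))
```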
Your organisational security is essential
Your systems and data are the core of your business. It is not enough to hope that you’ll avoid a security incident – you need to reinforce your security perimeter, and Security Defaults is the first step to doing so for user access with Azure AD.
While Security Defaults is a good initial action to take for user management security, further granularity in policies is generally recommended for organisations of all sizes.
If you need assistance with security management for your Azure AD user base, come to us to help you work through what’s necessary for your organisation. We can help design a plan and strategy to ensure systems and data are easy to access for the right users, while your most sensitive information and systems remain fortified.
Contact A1 Technologies for more information or to set up a consultation.