In a recent blog post from a member of Microsoft’s Security and Protection Team, an announcement was made regarding the way Microsoft plans to handle security settings, in the form of a new feature called Security Defaults.
Before diving into what the new Security Defaults feature will offer, here is a recap of how security has improved across tenants between 2014 and 2019. The most revealing detail of the recap is that data shows that more than 99.9% of organization account compromises could be stopped by using Multifactor Authentication (MFA). This is a feature that is included in all Office 365 business and enterprise licenses, which means you are most likely already paying for it!
Microsoft is aware of the fact that there are millions of organization accounts vulnerable to preventable compromises. This is where the new Security Defaults feature comes in: when enabled, it will require MFA for all user and admin accounts. Currently, this can be done with a preview feature, Baseline Policies, and the Security Defaults feature will replace that as of February 29, 2020. To further push the use of MFA, the Security Defaults feature will be enabled on all new tenants going forward, as well as those created on or after October 22, 2019.
On top of enforcing MFA, Security Defaults provides the additional protection of disabling legacy authentication clients. One reason for this is that legacy clients do not support MFA, so they offer a path around it. The other is that legacy authentication protocols are slated to be retired from support by Microsoft at the end of this year. Additional settings will be enabled by default via this feature in the future, but for now, Microsoft is starting with these changes, which will vastly increase security. If you’re interested in what other simple setting changes you can manually make to add further protection, see my previous blog posts that expand on this.
Microsoft has made it clear that its intent in enabling these settings by default is to reach less savvy users who may not know how to configure MFA manually. For those who are using advanced features like Conditional Access policies to handle tasks such as managing a break-glass account for emergency access, or enforcing MFA based on device compliance, Microsoft recommends disabling Security Defaults and continuing to manage MFA manually. In fact, the Security Defaults feature cannot be enabled while a Conditional Access policy is in place.
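As an added example (not part of the original post, and not code from Microsoft), the script below is a tenant audit an administrator could run before deciding between Security Defaults and Conditional Access: it reads the current Security Defaults state, lists any Conditional Access policies (which would block enabling Security Defaults), and summarizes recent sign-ins by client type so legacy-authentication usage is visible before it gets cut off. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can consent to the Policy.Read.All and AuditLog.Read.All scopes; the cmdlet names, property names and the list of client-app values treated as modern are stated here as assumptions to verify against current Microsoft documentation.

```powershell
# Added example: audit Security Defaults, Conditional Access and legacy-auth usage.
# Assumes the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

# Read-only scopes: this script reports, it does not change tenant settings.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All" | Out-Null

# 1. Current Security Defaults state (assumed cmdlet/property names).
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host ("Security Defaults enabled: {0}" -f $sd.IsEnabled)

# 2. Conditional Access policies. Any policy present means Security Defaults
#    cannot be turned on; MFA must then be managed through these policies.
$caPolicies = Get-MgIdentityConditionalAccessPolicy
if ($caPolicies.Count -eq 0) {
    Write-Host "No Conditional Access policies found; Security Defaults can be enabled."
} else {
    Write-Host ("{0} Conditional Access policies found (Security Defaults blocked):" -f $caPolicies.Count)
    $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
}

# 3. Sign-ins from the last 7 days grouped by client app. Anything outside the
#    modern client types is a candidate legacy-auth client that will stop
#    working once legacy authentication is disabled.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Assumed values of the clientAppUsed property that represent modern auth.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$summary = $signIns |
    Group-Object -Property ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            ClientApp   = $_.Name
            SignIns     = $_.Count
            UniqueUsers = ($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique).Count
            Legacy      = -not ($modernClients -contains $_.Name)
        }
    } | Sort-Object -Property Legacy, SignIns -Descending

Write-Host "Sign-ins by client type (Legacy = would be blocked by Security Defaults):"
$summary | Format-Table -AutoSize

# Users still relying on legacy clients are the ones to migrate (or exempt via
# Conditional Access) before enforcement, so MFA rollout does not break mail flow.
$legacyUsers = $signIns |
    Where-Object { -not ($modernClients -contains $_.ClientAppUsed) } |
    Select-Object -ExpandProperty UserPrincipalName -Unique
Write-Host ("Distinct users with legacy-auth sign-ins in the last 7 days: {0}" -f $legacyUsers.Count)
```

Run this with an account that can consent to the two read-only scopes; because nothing is written back, it is safe to run repeatedly during a staged rollout to confirm the legacy-client count is falling before Security Defaults (or an equivalent Conditional Access policy) is switched on.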
Sikich recommends the use of MFA, so this new feature is a welcome change. It is a responsible move by Microsoft, which continues to show that it takes cloud security very seriously. If you aren’t currently using multifactor authentication and want to roll it out in a smooth, controlled fashion, please reach out to Sikich to discuss how we can help with the process!