Manage Security Defaults in Azure AD
This document provides a comprehensive guide to managing Security Defaults within your Azure Active Directory (Azure AD) environment. Security Defaults are a set of sensible, baseline security configurations that help protect your organization from common identity-based attacks.
What are Security Defaults?
Security Defaults are a free feature for all Azure AD tiers. They provide a basic level of security to help protect your organization by enforcing security best practices. These defaults are designed to be simple to understand and implement, offering immediate protection against common threats.
- Multi-Factor Authentication (MFA) Enforcement: All users are prompted to register for MFA, and administrators are required to use MFA.
- Restricting Legacy Authentication: Legacy authentication protocols that don't support MFA are blocked.
- Privileged Role Assignment: Users assigned to administrative roles are required to perform MFA.
- Real-time Phishing Protection: Users are protected from common phishing attacks.
Enabling Security Defaults
Security Defaults can be enabled or disabled by a Global Administrator in the Azure portal. It's important to note that Security Defaults cannot be used alongside Azure AD Conditional Access policies. If you have Conditional Access policies enabled, you must disable them before enabling Security Defaults.
Steps to Enable:
- Sign in to the Azure portal as a Global Administrator.
- Navigate to Azure Active Directory.
- In the left-hand navigation pane, select Properties.
- At the bottom of the Properties page, click Manage Security defaults.
- Set the Enable Security defaults toggle to Yes.
- Click Save.
Configuring Security Defaults
Security Defaults offer a predefined set of configurations. While you cannot customize individual settings, you can choose whether to enable or disable them. For more granular control over your security policies, consider using Azure AD Conditional Access.
Managing Users and Groups
When Security Defaults are enabled, all users within the Azure AD tenant are subject to the enforced policies, including MFA registration. Ensure that your users are aware of these requirements and have the necessary resources to complete their MFA setup.
Monitoring and Auditing
It's crucial to monitor sign-in logs and audit logs in Azure AD to track the impact of Security Defaults. This will help you identify any potential issues or unusual activity. You can access these logs via the Azure portal under Azure Active Directory > Monitoring & health.
Limitations
Security Defaults provide a baseline level of security. They may not be sufficient for organizations with more complex security requirements or specific compliance needs. Some limitations include:
- Lack of granular control over MFA policies (e.g., per-user or per-application MFA).
- Inability to exclude specific users or applications from MFA.
- No support for location-based access policies or device compliance checks.
Migration to Conditional Access
For organizations that require more advanced security controls, migrating from Security Defaults to Azure AD Conditional Access is recommended. Conditional Access offers a powerful and flexible way to enforce access policies based on real-time conditions.
When you are ready to move to Conditional Access, you must first disable Security Defaults. Then, you can start creating your Conditional Access policies in the Azure portal.
# Illustrative representation of a disabled Security Defaults setting (not actual configuration)
<Toggle Name="EnableSecurityDefaults" Value="No" />
# Example of a Conditional Access policy outline (not actual configuration)
<ConditionalAccessPolicy Name="Block Legacy Auth" Rules="..." />
<ConditionalAccessPolicy Name="Require MFA for Admins" Rules="..." />
Consider the following when planning your migration:
- Identify critical applications and users.
- Define your specific security requirements.
- Plan a phased rollout to minimize disruption.
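An added example, not part of the original page: a readiness check for the migration described above. It takes the JSON shapes that Microsoft Graph returns for the Security Defaults enforcement policy (its `isEnabled` property) and for Conditional Access policies, and reports which of the two baseline protections named earlier, blocking legacy authentication and requiring MFA for administrators, no enforced policy yet replaces, plus the conflict of having Security Defaults enabled alongside Conditional Access policies. The sample policies are constructed for the example; the Global Administrator role template ID is the well-known directory value, and a report-only policy is deliberately treated as providing no coverage.

```python
# Role template ID of the Global Administrator role (well-known, tenant-independent).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# clientAppTypes values Conditional Access uses for legacy authentication clients.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}
# Only state == "enabled" counts; report-only and disabled policies protect nothing.
ENFORCED = "enabled"

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def blocks_legacy_auth(policy):
    """True if an enforced policy blocks legacy client app types for all users, no exclusions."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    return (policy.get("state") == ENFORCED and "block" in _controls(policy)
            and LEGACY_CLIENT_APPS <= set(cond.get("clientAppTypes", []))
            and users.get("includeUsers") == ["All"] and not users.get("excludeUsers"))

def requires_admin_mfa(policy):
    """True if an enforced policy requires MFA for Global Administrators (by role or via All users)."""
    users = policy.get("conditions", {}).get("users", {})
    covers_admins = (users.get("includeUsers") == ["All"]
                     or GLOBAL_ADMIN_ROLE in users.get("includeRoles", []))
    return policy.get("state") == ENFORCED and "mfa" in _controls(policy) and covers_admins

def migration_gaps(security_defaults, ca_policies):
    """List baseline protections no enforced CA policy replaces, plus the enabled-together conflict."""
    gaps = []
    if security_defaults.get("isEnabled") and ca_policies:
        gaps.append("conflict: Security Defaults enabled alongside Conditional Access policies")
    if not any(blocks_legacy_auth(p) for p in ca_policies):
        gaps.append("no enforced policy blocks legacy authentication")
    if not any(requires_admin_mfa(p) for p in ca_policies):
        gaps.append("no enforced policy requires MFA for administrators")
    return gaps

# Constructed sample responses, shaped like Graph's policy objects; not from a real tenant.
SECURITY_DEFAULTS = {"isEnabled": False}
CA_POLICIES = [
    {"displayName": "Block Legacy Auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for Admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for gap in migration_gaps(SECURITY_DEFAULTS, CA_POLICIES):
        print("GAP:", gap)  # the report-only admin MFA policy does not count as coverage
```

Run against the constructed data, the check reports a single gap for administrator MFA because that policy is still in report-only mode, while the legacy authentication block is recognised as enforced.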