Microsoft announced that security baseline policies will stop being enforced on February 29th. A baseline policy is a predefined Conditional Access policy. The goal of these security baseline policies is to make sure that you have at least the baseline level of security enabled. Baseline policies are available in all editions of Azure AD, and they provide only limited customization options. If you are leveraging these policies for things like ‘Require MFA for admins’, you will need to replace this with a Conditional Access policy or the Security Defaults in the Azure portal. Clients can enable these policies in Azure.

For reference, see the following article posted by Microsoft Azure Active Directory Identity Blog “Introducing Security Defaults”.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414

In 2012, we started the Identity security and protection team for our consumer accounts (Microsoft accounts used for signing in to OneDrive, Skype, Xbox and such). We started out by doing two things – putting metrics in place for everything (so we could be confident we’d know what works) and establishing a security minimum standard for our consumer accounts. This includes measures like registering a second factor, challenging accounts when we see risk on the login, and forcing folks to change their passwords when we found them in the hands of criminals. The results have been very good; while there was some angst involved in requiring multi-factor authentication (MFA) registration to play Xbox or on that Hotmail account that’s “worked fine for 16 years!”, the net impact was massively positive – e.g., measuring from 2014 to 2019:

  • Unaided password recovery jumped from less than 20% to more than 90%
  • Account retention increased by more than 10%
  • Our ability to challenge users when we see risk led to a 6x decrease in compromise rate. This means that even as we’ve had a substantial increase in users, we have fewer compromised Microsoft accounts than ever before.

In 2014, they started making these technologies available to our Azure Active Directory (AD) organizational customers, and Microsoft has learned that they’re very effective – for example, our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication).

Unfortunately, they have been less successful than we’d like at raising awareness and getting folks to adopt the technologies. While the tools are in place for customers to stop these attacks, adoption is significantly low. Despite marketing, tweeting, and shouting from the rooftops, the most optimistic measurement of MFA usage shows that only about 9% of organizational users ever see an MFA claim.

If you’re reading this blog, you’re probably a security or identity enthusiast. You’re aware of the importance of securing identities and taking advantage of key capabilities in the platform. But for most people, especially individual developers, small businesses, or folks just experimenting with our Azure, Office, or Dynamics services, security isn’t the first thing on their minds. The goal is just to find the shortest path to setting up email and document sharing, or building that first Azure application – they won’t configure security settings until they’ve been hacked.

MessageOps can help with Azure planning, design, migration, and training services. Learn more today!

With millions of organizational accounts vulnerable to preventable compromise each year, we felt we needed to take a different tack – to protect organizational accounts just like we do the consumer accounts. We experimented with a few different approaches (including “Baseline protection”), listened to partners and customers, and learned a ton along the way. The result of all this learning is Security Defaults.

Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security story. For customers like this, we’ll manage their security settings like we do for our Xbox, OneDrive, Skype and Outlook users.

For starters, we’re doing the following:

  1. Requiring all users and admins to register for MFA.
  2. Challenging users with MFA – mostly when they show up on a new device or app, but more often for critical roles and tasks.
  3. Disabling authentication from legacy authentication clients, which can’t do MFA.

Microsoft will judiciously expand these security defaults to maximize protection for our users, but as MFA prevents >99.9% of account compromise, that’s where we’re starting. We are applying security defaults for all license levels, even trial tenants, ensuring every account can be protected by MFA.

None of this replaces the rich security capabilities in Azure Active Directory. If you are a person who uses Conditional Access to manage your break glass accounts with terms of use controls, chooses MFA based on device compliance, or integrates Identity protection reports into your SIEM, you’re far more sophisticated than our target user for Security Defaults. If you’re thinking of break glass accounts or exception scenarios, Security Defaults isn’t for you – you want Azure AD Conditional Access.

Since introducing the feature, we’ve enabled Security Defaults for more than 60k newly created tenants. More than 5k other tenants have opted into Security Defaults. All of these organizations have significantly reduced their compromise rates; only a few hundred have opted out, mostly to use Conditional Access. We’ll take the learnings from these tenants and continuously tune as we eventually roll this out to all new tenants, then to tenants who have never looked at security settings. We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves. We’re experimenting, listening and adapting as we go.

If you have an existing tenant where you’d like to enable security defaults, or are ready to turn it off and move up to using Conditional Access to manage your access policies, you’ll find the settings in your Azure AD tenant configuration in Azure Active Directory, Manage, Properties – look for “Manage Security Defaults” at the bottom of the page:

security baseline

You may have tried out baseline protection policies – security defaults replaces all those settings, and Microsoft will stop enforcing them on Feb 29th. If you’re reading this, you probably want the granular control Conditional Access gives you, so in place of baseline, set up the equivalent Conditional Access policies as outlined here.

Effective 29-Feb Microsoft will stop enforcing security baseline policies

Clients can enable these policies in Azure.

If you are leveraging these policies for things like ‘Require MFA for admins’, you will need to replace this with a Conditional Access policy or the Security Defaults in the Azure portal.

 

 

Ready to get started?

Get in touch to unlock the full potential of your Microsoft investment.

Get started