Microsoft Security Defaults

Purpose 

The purpose of this article is to explain Security Defaults and the end of life of the Azure AD baseline policies. We give you the recommended actions to take to replace these policies and explain how to manage security defaults for your customers going forward. 

Audience 

Pax8 Microsoft Partners


What are Baseline Policies?




Overview:

Baseline policies were a preview feature that appeared in the Azure AD Conditional Access blade. They let you perform common hardening tasks, such as requiring MFA for all admin users or blocking legacy authentication across a tenant, in a couple of clicks. The main reason MSPs added these policies was Microsoft's enforcement of the Secure Application Model and partner security requirements on August 1, 2019, which required MFA for all Partner Center user accounts. MSPs may also have enabled these policies across some of their customers' tenants to raise their security posture. In other cases they did not use the baseline policies at all and simply enabled MFA manually on the accounts. Note the licensing difference: the baseline policies were available in every tenant during the preview, but the full Conditional Access feature they lived alongside is only available in tenants licensed for Azure Active Directory Premium P1, either standalone or included in bundles such as M365 Business and EMS E3. 




Navigation:

You can navigate to these policies in a couple of different ways. One of the easiest is the following:

1. Portal.office.com>Login a Global Admin>Admin Centers>Azure Active Directory>All Services>AD Conditional Access




Security Defaults


Microsoft recently relayed the following email:



Highlights:

Here they recommend transitioning to security defaults in your Azure AD tenant and tell you that this setting will be on by default in net new tenants. The email links to Microsoft's documentation article that shows exactly how to turn on security defaults.

Security defaults is an all-or-nothing switch. Turning it on applies all of the following across the tenant, with no per-user or per-app exceptions:

  • Requires every user to register for Azure MFA (within 14 days of their first sign-in) and challenges users for MFA when Azure AD determines it is necessary
  • Requires MFA on every sign-in for accounts that hold administrator roles
  • Blocks legacy authentication protocols (IMAP, POP, SMTP AUTH, Exchange ActiveSync and any other client that uses basic authentication)
  • Requires MFA for privileged activity such as access to the Azure portal, Azure PowerShell and Azure CLI, regardless of any "Trust this device for X days" / remembered-device setting


Concerns:

    This setting will be on by default in all net new Office 365 tenants after Feb 29, 2020:

    MFA will be on by default for these customers from that date. Users have 14 days from their first sign-in to register for MFA, and the only enrollment option offered under security defaults is the Microsoft Authenticator app. You will need to communicate this to customers and have an implementation plan in place. MFA is a hard requirement only for partner tenants (to meet the Partner Security Requirements), not for customer tenants; security defaults is one way to satisfy that requirement, not the only one. If security defaults is not a fit for a customer for the reasons above, we provide recommended alternatives below. By going to aad.portal.azure.com>Azure Active Directory>Properties>Manage Security Defaults, you can turn this setting off and then enable MFA for only the users you choose, through per-user MFA or Conditional Access:






    Apps/Portals Using Legacy Authentication:

    The other big concern is the blocking of legacy authentication. Many MSPs still rely on it for scanners, printers and similar devices that send mail over SMTP AUTH, and some tenants still use older mail protocols such as IMAP/POP. This also covers MSP ticketing systems that poll a mailbox over IMAP/POP, line-of-business applications that authenticate with a plain username and password, and SaaS providers that run Exchange Online PowerShell cmdlets with basic authentication. Take an inventory of these before enabling security defaults. If you turn it on while devices or users still depend on legacy authentication, those devices and integrations stop authenticating immediately, and security defaults offers no way to exempt them.


    Recommended Actions


    Option A: Turn on MFA and Implement App Passwords for Legacy Authentication


    Applies to:

    • All Partner Center User Accounts
    • Customer Tenants with Users that have MFA Enabled


    Overview:

    Instead of turning on security defaults, you can enforce per-user MFA and issue app passwords to the accounts whose legacy-auth clients cannot complete an MFA prompt. App passwords are only available once a user's per-user MFA state is Enforced and the "Allow users to create app passwords" option is on under Service Settings. Because an app password is a static credential that bypasses MFA, limit it to the service accounts and devices that genuinely need it. Microsoft references the following in their security requirement documentation:



    *NOTE* While we recommend this as a temporary fix, note that support for basic authentication in Exchange Online is scheduled to end in October 2020:

    Microsoft announced back in 2018 that end of support was coming for basic authentication, and has since given an official date of October 13, 2020.

    "Today, we are announcing that on October 13th, 2020 we will stop supporting and retire Basic Authentication for Exchange Active Sync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online. This means that new or existing applications using one or more of these API’s/protocols will not be able to use Basic Authentication when connecting to Office 365 mailboxes or endpoints and will need to update how they authenticate."

    "Please note this change does not affect SMTP AUTH and we will continue to support Basic Authentication for it in Exchange Online at this time. With the large number of solutions, devices, and appliances that use SMTP for sending mail we are working on ways to further secure SMTP AUTH and will continue to update you as we make progress."


    https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/ 


      Turning on MFA:

      a. Navigate to Portal.office.com>Click Admin Centers>Azure Active Directory


      b. Click Azure Active Directory>Users>...Multi-Factor Authentication



      c. From this portal you can enable or enforce MFA per user, and control the tenant-wide options (app passwords, trusted IPs, remembered devices, allowed verification methods) under Service Settings:
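      The same per-user MFA states the portal sets can be managed from PowerShell, which is far more practical across many customer tenants. The script below is an added example written for this article, not Pax8 or Microsoft code. It assumes the MSOnline module is installed and you connect as a Global Administrator (or an account with rights to change authentication settings); the role name "Company Administrator" is the MSOnline name for the Global Administrator role. The "Allow users to create app passwords" service setting has no MSOnline cmdlet and is still set in the portal.

```powershell
# Added example: scripted equivalent of the per-user MFA portal above (MSOnline module).
# Assumes Connect-MsolService succeeds as a Global Administrator.
Connect-MsolService

function Set-PerUserMfa {
    # Enabled  : user must register MFA at next sign-in, then moves to Enforced
    # Enforced : MFA required now; app passwords become available for this user
    # Disabled : per-user MFA off (an empty requirements array clears it)
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [ValidateSet("Enabled", "Enforced", "Disabled")][string]$State = "Enabled"
    )
    foreach ($upn in $UserPrincipalName) {
        if ($State -eq "Disabled") {
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
        } else {
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = "*"      # apply to all applications
            $req.State       = $State
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        }
        Write-Host "$upn -> $State"
    }
}

function Get-PerUserMfaReport {
    # Current MFA state and registered methods for every member (non-guest) user.
    Get-MsolUser -All | Where-Object { $_.UserType -eq "Member" } | ForEach-Object {
        $reqs = $_.StrongAuthenticationRequirements
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IsLicensed        = $_.IsLicensed
            MfaState          = if ($reqs.Count -gt 0) { $reqs[0].State } else { "Disabled" }
            Methods           = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ","
        }
    }
}

# 1. Enable MFA for every Global Administrator (the Partner Center requirement covers
#    all partner users, so extend the list accordingly in a partner tenant).
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$admins    = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
             Where-Object { $_.RoleMemberType -eq "User" }
Set-PerUserMfa -UserPrincipalName $admins.EmailAddress -State "Enabled"

# 2. Report accounts that are Enabled/Enforced but have not registered a method yet:
#    these are the users who will be prompted to register at their next sign-in.
Get-PerUserMfaReport |
    Where-Object { $_.MfaState -ne "Disabled" -and -not $_.Methods } |
    Format-Table -AutoSize
```

      Run the report again after the rollout window: any account still in the Enabled state with no registered method has not signed in since the change, and any legacy-auth service account you intend to give an app password must show as Enforced first.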





      Option B: Use a Conditional Access Policy to Implement MFA for Admins


      Applies to:

      •     All Partner Center User Accounts
      •     Customer Tenants with Users that have MFA Enabled


      Licensing Requirements: Azure AD Premium P1, either standalone or included in EMS E3/E5, M365 Business, or M365 E3/E5 (see the licensing question in the FAQ below).


      Overview:

      If the tenant has the correct licensing, you can create your own Conditional Access policy that enforces MFA for certain users, groups or directory roles without blocking legacy authentication outright. Two caveats: a user who is in scope of an MFA policy still cannot sign in from a legacy client, because basic-auth protocols cannot complete an MFA challenge, so you either scope legacy clients out of the policy under Conditions > Client apps or give that account an app password as in Option A; and security defaults must be turned off before any Conditional Access policy can be enabled, since the two cannot be active at the same time. 


      Require MFA for Users/Groups:


      a. Navigate to Portal.office.com>Click Admin Centers>Azure Active Directory


      b. Click All Services>AD Conditional Access



      c. Click +New Policy    


      d. Here we can name our policy and define our scope. You can apply this to all users, certain groups, or certain directory roles. Exclude at least one emergency-access (break-glass) account so an MFA outage cannot lock every administrator out:



      e. Next, under Cloud apps, define the scope of applications the policy covers; All cloud apps is the usual choice. Legacy-authentication clients are not excluded here but under Conditions > Client apps in the next step, or by giving that account an app password as described in Option A.




      f. On the Conditions tab, open Client apps and select only Browser and Mobile apps and desktop clients, leaving Exchange ActiveSync clients and Other clients unticked; that keeps legacy-auth devices for in-scope users from being challenged for an MFA they cannot complete. The remaining conditions can stay at their defaults. Then go to the Grant tab, choose Grant access and require multi-factor authentication:



      g. Lastly, set Enable policy to Report-only first, review the Report-only results in the sign-in log to see who would have been affected, then switch it to On and save.
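      The policy built in steps c through g above can also be created through the Microsoft Graph API, which is how you would roll the same policy out to many customer tenants consistently. The script below is an added example written for this article, not Pax8 or Microsoft code. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement modules), consent to the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Directory.Read.All scopes, Azure AD Premium P1 licensing, and a break-glass account whose object ID you put in $breakGlassId (the all-zero value is a placeholder). The policy name is also a placeholder.

```powershell
# Added example: create the Option B policy via Microsoft Graph instead of the portal.
# Assumes Microsoft.Graph.Identity.SignIns + Microsoft.Graph.Identity.DirectoryManagement
# and the scopes below; $breakGlassId is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All" | Out-Null

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object ID

# Security defaults and Conditional Access cannot both be active; refuse to continue
# rather than create a policy that can never be enabled.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    throw "Security defaults are on. Turn them off (Azure AD > Properties > Manage security defaults) before using Conditional Access."
}

# Resolve admin role template IDs by name rather than hard-coding GUIDs.
$roleNames = @(
    "Global Administrator", "Security Administrator", "Exchange Administrator",
    "SharePoint Administrator", "User Administrator", "Helpdesk Administrator",
    "Conditional Access Administrator", "Billing Administrator", "Password Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id
if ($roleIds.Count -ne $roleNames.Count) { throw "Could not resolve every admin role template." }

$policy = @{
    displayName = "Require MFA for admins (modern auth clients)"   # placeholder name
    # Report-only first: review the sign-in log's Report-only results, then set "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
        # Conditions > Client apps: modern clients only. Legacy-auth clients (EAS, IMAP/POP/SMTP,
        # basic-auth PowerShell) fall outside the policy instead of failing an MFA prompt.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Read it back and confirm the scope before anyone flips it to enabled.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{n="Roles";e={$_.Conditions.Users.IncludeRoles.Count}},
                  @{n="ClientApps";e={$_.Conditions.ClientAppTypes -join ","}}
```

      Leaving the policy in report-only state for a week before enforcing it gives you the list of admin sign-ins that would have been challenged; if a legacy-auth service account holds one of these roles it will show up there, which is the cue to remove the role from that account rather than to loosen the policy.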



      FAQ
       

      Q: What is the difference between modern authentication and legacy authentication?

      A: Legacy authentication refers to protocols that use basic authentication (a username and password sent with each request). These protocols cannot enforce any type of second-factor authentication, which is why they are the favoured target for password-spray attacks. Examples of apps that rely on legacy authentication are:


      Older Microsoft Office apps

      Apps using mail protocols like POP, IMAP, and SMTP

      Single factor authentication (for example, username and password) is not enough these days. Passwords are bad as they are easy to guess and we (humans) are bad at choosing good passwords. Passwords are also vulnerable to a variety of attacks like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement MFA. With MFA, even if an attacker gets in possession of a user's password, the password alone is not sufficient to successfully authenticate and access the data.


      Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:

       

      •       Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication

      •       Authorization methods: Microsoft's implementation of Open Authorization (OAuth)

      •       Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory Conditional Access



      Q: Are App Passwords disabled when Security Defaults are turned on? 

      A: Effectively, yes. An app password is only usable by a legacy (basic-auth) client, and security defaults block legacy authentication for every user, so a client presenting an app password is still refused. App passwords are only a workable bypass when you use per-user MFA (Option A) instead of security defaults.


      Q: What applications should I be concerned with if security defaults are turned on?

      A: Take an inventory of every app and device still using IMAP/POP/SMTP AUTH or Exchange ActiveSync, and of any integration that runs Exchange Online PowerShell cmdlets over basic authentication. These cannot complete an MFA prompt; for Exchange Online PowerShell the fix is to move to the MFA-capable Exchange Online PowerShell module, which uses modern authentication.


      Q: Are App Password considered legacy authentication or just a work around?

      A: App passwords are used to bypass MFA for apps that use legacy authentication like IMAP/POP/SMTP, they are not considered legacy authentication themselves.


      Q: What license do I need for Conditional Access?

      A: You need Azure AD P1 ($6), EMS+E3/E5 ($8.75), M365 Business ($20), M365 E3/E5 ($32, $64)

       

      Q: Is MFA turned on by Default in new tenants?

      A: Yes, after February 29th, 2020, Security Defaults will be on by default in all net new tenants

       

      Q: What methods of enrollment for MFA are available to end users with Security Defaults?

      A: Only Microsoft Authenticator App

       

      Q: Is MFA required for all user with Security Defaults turned on?

      A: Yes. Every user must register for MFA within 14 days of their first sign-in after security defaults is enabled; after the 14 days, an unregistered user is blocked until they register. Administrators are then challenged on every sign-in, and other users are challenged whenever Azure AD requires it (for example from a new device or location).

       

      Q: Is this a hard enforcement for Customer Tenants?

      A: No, the hard requirement is for Partner Tenants to meet Partner Security Requirements

       

      Q: How do I turn off/on security defaults in customer tenants?

      A: Sign in as a global admin to Office.com>Admin Centers>Azure Active Directory>Azure Active Directory>Properties>Manage Security Defaults

       

      Q: How do I avoid Security defaults blocking legacy authentication to my ticketing system or other apps using these protocols?

      A: You cannot exempt anything while security defaults is on: app passwords do not work against the legacy-auth block, and Conditional Access policies cannot be enabled alongside security defaults. Turn security defaults off for that tenant and use either Option A (per-user MFA with app passwords) or Option B (a Conditional Access policy scoped to modern clients). Steps for both are detailed in this article.

       

      Q: How do i allow for SMTP relay at my customer sites with Security Defaults turned on?

      A: Security defaults blocks SMTP AUTH, so an authenticating device cannot relay while it is on. Either turn security defaults off and cover the device with Option A or Option B, or switch the device to Direct Send or a connector-based SMTP relay, neither of which authenticates with a mailbox credential.



      Next Steps:
      • Review any tenants that have Baseline Policies turned on. 
      • Ensure you have no one using legacy authentication before enabling the security default policy
      • If there are users/apps using legacy authentication, use one of the following recommended solutions in this support article
      • Have a game plan for customers that you on-board to Office 365, as they will have security defaults (and therefore MFA) turned on from day one. 
