Microsoft deploys these security settings to protect millions of accounts. Here’s what’s changing

To thwart password and phishing attacks, Microsoft is deploying its security defaults to a large number of Azure Active Directory (AD) tenants.

Microsoft started rolling out the security defaults for customers who created a new Azure AD tenant after October 2019, but did not enable the defaults for customers who created Azure AD tenants before October 2019.

Today, Azure AD security defaults are used by approximately 30 million organizations, according to Microsoft, and over the next month Microsoft will be rolling the defaults out to many more organizations, bringing security defaults protection to 60 million additional accounts.

“When complete, this rollout will protect an additional 60 million accounts (that’s roughly the population of the UK!) against the most common identity attacks,” said Alex Weinert, director of identity security at Microsoft.

Azure AD is Microsoft’s cloud service for managing on-premises and cloud application identity and authentication. It was the evolution of Active Directory Domain Services in Windows 2000.

Microsoft introduced security defaults in 2019 as a base set of identity security mechanisms for less well-resourced organizations that wanted to strengthen their defenses against password and phishing attacks. It was also aimed at organizations using the free tier of Azure AD licensing, allowing their administrators to simply switch on “security defaults” through the Azure portal.

The security defaults weren’t intended for large organizations or for those already using more advanced Azure AD controls such as Conditional Access policies.

As Weinert explains, the defaults were introduced for new tenants to ensure they had “basic security hygiene” in place, specifically multi-factor authentication (MFA) and modern authentication, regardless of license. The 30 million organizations that have security defaults in place are much less prone to breaches, he points out.

“These organizations experience 80% fewer compromises than the overall tenant population. Most tenants just leave it enabled, while others add even more security with Conditional Access when ready,” says Weinert.

The security defaults mean that users will face an MFA challenge “if necessary,” depending on the user’s location, device, role and task, according to Weinert. However, administrators will need to use MFA every time they log in.

The rollout of security defaults will be prioritized for organizations that don’t use Conditional Access, have never used security defaults, and “do not actively use legacy authentication clients.”

So one group of customers who won’t be prompted to enable security defaults next month are Exchange Online customers who are still using legacy authentication. Microsoft wanted to disable legacy authentication for Exchange Online in 2020, but that was delayed by the pandemic. Now, the deadline to move Exchange Online to Modern Authentication is October 1, 2022. Customers cannot request extensions beyond this date, Microsoft’s Exchange team pointed out earlier this month.

Microsoft will notify global administrators of eligible Azure AD tenants about security defaults via email this month. At the end of June, these admins will see an Outlook notification from Microsoft directing them to click “enable security defaults” and a warning that “security defaults will be automatically enabled for your organization in 14 days.”

“Global admins can enable security defaults immediately or snooze for up to 14 days. They can also explicitly disable security defaults during this time,” Weinert says.

Once enabled, all users in a tenant will be prompted to enroll in MFA using the Microsoft Authenticator app. Global admins must also provide a phone number.

Microsoft allows customers to leave security defaults disabled through the “Properties” section of Azure Active Directory in the Azure portal or through the Microsoft 365 admin center.

Weinert offers a compelling argument to administrators who are reluctant to enable it.

“When we look at hacked accounts, over 99.9% don’t have MFA, making them vulnerable to password spraying, phishing, and password reuse,” he notes.