Deploying Security Defaults – An Indepth Guide
https://o365reports.com/2020/05/07/deploying-security-defaults-an-indepth-guide/
Office 365 Reports, Thu, 07 May 2020 12:24:30 +0000


Hey Tech Admins! You might be aware that Microsoft deprecated its Baseline Policy feature on February 29th, 2020. Security Defaults, which replaced it, has been creating quite a buzz around how flexible it can be. We understand how essential it is for you to understand the pre-configured settings of Security Defaults in order to use them to your advantage. No worries! We’ve got your back! 

In this blog we give you insight into the deployment considerations for Security Defaults, the various deployment methods, the errors you might encounter, and the alternative measures you can take if Security Defaults does not meet the granular needs of your organisation.  

 

Enabling Security Defaults through your Azure portal.

  1. Sign in to the Azure portal as a Security Administrator, Conditional Access Administrator, or Global Administrator. 
  2. Browse to Azure Active Directory > Properties. 
  3. Select Manage Security Defaults. 
  4. Set the Enable Security Defaults toggle to Yes. 
  5. Select Save. 

 

Everything you should know about Security Defaults:

New user:

If you are a new user, the Security Defaults feature is enabled by default for you. If, however, you require granular security access and user exclusion for service and break-glass accounts, you are not the target audience for Security Defaults. In that scenario you can configure either the common Conditional Access security policies or a custom Conditional Access policy, but before configuring them you will first have to disable Security Defaults and then configure the Conditional Access policies as per your organisational needs, as depicted here. 

 

Existing user:
  • If you are an existing user, make sure that none of your applications use legacy authentication.
  • If any application is found to be using legacy authentication protocols, move it to modern authentication, since Security Defaults blocks legacy authentication. 
  • Make sure all the users in your organisation register for MFA within 14 days, as any further delay will block the user from performing any action. It is also vital to note that for users who perform privileged actions, registration with the Microsoft Authenticator app is mandatory, and no 14-day MFA registration period is made available to them. If you are an existing user and have not enabled any basic security settings, Security Defaults will be enabled by default. 
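
The legacy-authentication check described in the bullets above, as an added example that is not code from the original post. It reads sign-in records in the shape of the Microsoft Graph sign-in log (the clientAppUsed field; the list of legacy protocol names is assumed from that log, not taken from the post) and reports which users and applications would be blocked once Security Defaults is enabled. The sign-in records are constructed sample data.

```python
"""Legacy-authentication check before enabling Security Defaults.

Added example, not code from the original post. It scans sign-in records in
the shape of the Microsoft Graph sign-in log (userPrincipalName, appDisplayName,
clientAppUsed, createdDateTime) and reports the users and applications that
still authenticate with legacy protocols, which Security Defaults blocks.
"""
import json
from collections import defaultdict

# clientAppUsed values that the sign-in log uses for legacy (basic auth)
# protocols; assumed from the Graph sign-in log, not taken from the post.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP",
    "AutoDiscover",
    "Exchange Online PowerShell",
    "Exchange Web Services",
    "IMAP4",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)",
    "POP3",
    "SMTP",
    "Other clients",
}
# The post notes that Security Defaults does not block Exchange ActiveSync,
# so it is reported separately rather than counted as blocked.
EXCHANGE_ACTIVESYNC = "Exchange ActiveSync"

# Constructed sample sign-in log (not real tenant data).
SAMPLE_SIGNIN_LOG = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "createdDateTime": "2020-04-28T08:01:10Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "createdDateTime": "2020-04-28T08:03:42Z"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "createdDateTime": "2020-04-28T08:05:00Z"},
    {"userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2020-04-28T08:07:19Z"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients", "createdDateTime": "2020-04-28T09:12:33Z"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange Web Services", "createdDateTime": "2020-04-29T07:55:01Z"},
])


def load_signins(raw_json):
    """Parse the sign-in log JSON (the 'value' array of a Graph response)."""
    return json.loads(raw_json)


def find_legacy_signins(records, include_eas=False):
    """Map each user to the (application, protocol) pairs that used legacy auth.

    With include_eas=True, Exchange ActiveSync sign-ins are included as well,
    which is useful when a Conditional Access policy is going to block it.
    """
    blocked = set(LEGACY_CLIENT_APPS)
    if include_eas:
        blocked.add(EXCHANGE_ACTIVESYNC)
    hits = defaultdict(set)
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if client in blocked:
            hits[rec["userPrincipalName"]].add((rec.get("appDisplayName", "?"), client))
    return {upn: sorted(pairs) for upn, pairs in sorted(hits.items())}


def readiness_report(records):
    """Summarise whether the tenant is ready for Security Defaults to block legacy auth."""
    flagged = find_legacy_signins(records)
    users = {rec["userPrincipalName"] for rec in records}
    eas_users = sorted({rec["userPrincipalName"] for rec in records
                        if rec.get("clientAppUsed") == EXCHANGE_ACTIVESYNC})
    return {
        "users_seen": len(users),
        "users_with_legacy_auth": len(flagged),
        "eas_users": eas_users,
        "ready": not flagged,
        "details": flagged,
    }


if __name__ == "__main__":
    report = readiness_report(load_signins(SAMPLE_SIGNIN_LOG))
    print(json.dumps(report, indent=2))
```

On the sample data the report is not ready: bob (IMAP4 and Exchange Web Services) and the scanner mailbox (Authenticated SMTP) would be blocked, while carol's Exchange ActiveSync sign-in is listed separately because the post states that Security Defaults leaves it alone. To run it against a real tenant, replace SAMPLE_SIGNIN_LOG with the exported sign-in log for the period you care about.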

 

Errors that you may encounter while you try to enable Security Defaults:

Error 1:

It looks like you have Baseline Protection policy enabled, the preview version of Security Defaults. Enabling Security Defaults will remove all Baseline protection policies from your tenant since Security Defaults is the most up-to-date version.

You are likely to see this message if you have enabled any or all of the baseline policies; in that case enabling Security Defaults will remove every baseline policy in place. Note, however, that because Baseline Policy has been deprecated, if you had previously enabled baseline policies you will have to opt for either Security Defaults or Conditional Access policies. 

 

Error 2:

It looks like you have a custom Conditional Access policy enabled. Enabling a Conditional Access policy prevents you from enabling Security Defaults. You can use Conditional Access to configure policies that enable the same behaviour provided by Security Defaults. 

If you have configured any custom Conditional Access policy, this error will occur. 

  • Deploying a Conditional Access policy prevents you from enabling Security Defaults.
  • To deploy Security Defaults, you will have to disable all the Conditional Access policies in place. 

 

Factors you should consider before deploying Security Defaults.

Case 1:

MFA considerations with regard to Security Defaults. 

Here are the measures you must consider with respect to user accounts in your partner tenant, to ensure a smooth deployment:

  • It is important to identify whether any corporate policy prevents employees from using mobile devices while working, because such a policy affects the multi-factor authentication implemented via Security Defaults. If your organisation has a policy that prevents the use of mobile devices, consider one of the following options: – 
    • Deploy a Time-Based One-Time Password (TOTP) application that can run on a secure system. 
    • Use the password-free authentication methods available for MFA.

You can now enjoy a password-free experience by enabling passwordless authentication methods such as FIDO2 security keys, Windows Hello for Business and the passwordless Microsoft Authenticator application.  

 

 

  • These strong authentication factors are based on the same world-class public key/private key encryption standards and protocols, protected by a biometric factor (fingerprint or facial recognition) or a PIN. Users apply the biometric factor or PIN to unlock the private key stored securely on the device; the key is then used to prove to the service who the user and the device are. 

 

Deployment considerations and steps for passwordless authentication.

Enable combined registration for Azure MFA and self-service password reset (SSPR). 

Register Azure MFA and SSPR for all your users, and ensure all your users can perform Azure MFA. The mobile device used by your users must be registered to Azure Active Directory. These steps are critical for both the Microsoft Authenticator application and FIDO2 security keys. 

Use a compatible FIDO2 security key: a Microsoft-tested and verified FIDO2 security device, or another compatible FIDO2 security device. 

For Windows Hello and Azure Multi-Factor Authentication, the latest version of Microsoft Authenticator must be installed on devices running iOS 8.0 or greater, or Android 6.0 or greater, with push notifications allowed as a verification method. 

  

How to enable Password-less Authentication?
1. FIDO2 Security Key:
  • Sign in to the Azure portal. 
  • Browse to Azure Active Directory > Security > Authentication Methods > Authentication Method Policy (Preview). 
  • Under the method FIDO2 Security Key, choose the following options: – 
    1. Enable – Yes or No 
    2. Target – All users or Select users 
  • Save the configuration. 

 

2. Windows Hello for Business:

Windows Hello for Business can be deployed using either the Key Trust model or the Certificate Trust model, depending on whether the deployment is hybrid or on-premises. A hybrid deployment is for enterprises using Azure Active Directory, while an on-premises deployment is for those using on-premises Active Directory. 

 

3. Password-less Microsoft Authenticator Application.
  • Sign-in to the Azure portal 
  • Search for and select Azure Active Directory. Select Security > Authentication methods > Authentication method policy (Preview) 
  • Under Password-less phone sign-in, choose the following options: – 
    1. Enable – Yes or No 
    2. Target – All users or Select users 
  • Save to set the new policy 

 

  4. Implement a third-party solution that enforces multi-factor authentication for each user account in the partner tenant and provides the most appropriate verification option. 

  5. Purchase Azure Active Directory Premium licences for the impacted users to enable Conditional Access policies.  

If you have any application or device that does not support modern authentication, it will be blocked. To address this limitation, the app password feature can be used so that your application or device can still authenticate. 

When Security Defaults is enabled, MFA is enforced for every user, including service accounts, in your partner directory, so any automation or integration that uses user credentials for authentication will be affected. It is therefore important to identify such accounts and deploy Conditional Access for them. 

 

Case 2:

Consider an Azure external process running on PowerShell that has not yet been converted to a service principal, which means it does not support client tokens, OAuth or any modern authentication flow and instead uses a simple username and password for authentication. In such a scenario, deploying Security Defaults is not possible, and a Conditional Access policy must be used instead. 

 

How to register for MFA?

  1. You can register for MFA by visiting the site: – https://aka.ms/mfasetup 
  2. Sign in to your Microsoft account with your password.
  3. You will then see the above information; on clicking Next you will be asked to register for MFA using the Microsoft Authenticator application.
  4. Choose the compatible option. 
  5. Click Set up. 
  6. On clicking Set up you will be asked to install the Microsoft Authenticator application. 
  7. Choose “Work or school account”. 
  8. Then scan the generated QR code or enter the verification code in your Microsoft Authenticator application to log in.

 

Deploying OATH tokens for Azure MFA in the cloud.

  1. Buy OATH tokens from the vendor of your choice. 
  2. You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less. 
  3. Once you purchase the tokens from your vendor, they will send you a file with the secret key, serial number, time interval, manufacturer, and model of each token. 
  4. To assign the tokens to users, edit that file to add each user’s user principal name (usually their email address) and then upload it to Azure Portal > Azure Active Directory > MFA Server > OATH tokens. 
  5. Authentication through hardware tokens is considered better than authentication through the Microsoft Authenticator application because the token generates codes securely without a network connection and is safe from external infiltration that might infect the device or intercept the generated code. 

Users are given 14 days to register for MFA; users who fail to register within 14 days will be blocked until they complete their MFA registration. 

 

Can any other authentication application be used in place of Microsoft Authentication App?

  • YES! You can use other third-party TOTP applications too. 

 Here is how you can register third-party TOTP applications to authenticate your Azure account. 

  1. Go to the MFA security setup/verification page:   https://aka.ms/MFASetup 
  2. Select Add method tab in Security info page. 
  3. Select Authenticator app in Add a method dialog box that appears. 
  4. Click Add.
  5. Select I want to use a different authenticator app.
  6. Click Next
  7. Scan the QR code with the Authenticator Application of your choice.
  8. Enter the code generated on your authenticator application.
  9. Your authentication application is successfully registered. 
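
Both the OATH hardware-token procedure and the third-party authenticator registration above rest on the same mechanism: a shared base32 secret from which the token or app computes a time-based one-time password offline. The following is an added example, not code from the original post, that (1) assembles the token upload file the post describes, adding each user's UPN to the vendor's rows and enforcing the 30/60-second and 128-character limits the post states, (2) computes the RFC 6238 TOTP code exactly as a hardware token or authenticator app does, and (3) builds the otpauth:// URI carried by the QR code that a third-party authenticator app scans. The CSV column names are assumed from Microsoft's documented upload format, and every token, secret, serial number and account below is constructed sample data.

```python
"""OATH TOTP tokens: the upload file, the code a token computes, and the QR
payload an authenticator app scans.

Added example, not code from the original post. The CSV column names are
assumed from Microsoft's documented OATH token upload format; all token data
and accounts below are constructed.
"""
import base64
import csv
import hashlib
import hmac
import io
import struct
from urllib.parse import quote

UPLOAD_COLUMNS = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

# Constructed vendor file rows (what the post says the vendor sends you).
# The first secret is the RFC 6238 reference key "12345678901234567890" in base32.
VENDOR_TOKENS = [
    {"serial number": "1234567", "secret key": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
     "time interval": "30", "manufacturer": "ExampleVendor", "model": "HardwareKey"},
    {"serial number": "1234568", "secret key": "JBSWY3DPEHPK3PXP",
     "time interval": "60", "manufacturer": "ExampleVendor", "model": "HardwareKey"},
]
# Constructed assignment of token serial numbers to user principal names.
ASSIGNMENTS = {"1234567": "alice@contoso.example", "1234568": "bob@contoso.example"}


def decode_base32_secret(secret):
    """Decode a base32 token secret, tolerating missing '=' padding."""
    stripped = secret.strip().upper()
    return base64.b32decode(stripped + "=" * (-len(stripped) % 8))


def validate_token(row):
    """Enforce the limits the post states: 30 or 60 s interval, secret <= 128 chars."""
    if row["time interval"] not in ("30", "60"):
        raise ValueError(f"token {row['serial number']}: interval must be 30 or 60 seconds")
    if len(row["secret key"]) > 128:
        raise ValueError(f"token {row['serial number']}: secret key longer than 128 characters")
    decode_base32_secret(row["secret key"])  # raises if the secret is not valid base32
    return True


def build_upload_csv(vendor_rows, assignments):
    """Return the CSV text to upload: the vendor rows with each user's UPN prepended."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=UPLOAD_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in vendor_rows:
        validate_token(row)
        upn = assignments.get(row["serial number"])
        if upn is None:
            raise ValueError(f"token {row['serial number']} is not assigned to a user")
        writer.writerow({"upn": upn, **row})
    return out.getvalue()


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time.

    This is the computation a hardware token performs with no network access:
    the only inputs are the shared secret and the current time.
    """
    counter = int(unix_time) // step
    mac = hmac.new(decode_base32_secret(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(account, issuer, secret, step=30, digits=6):
    """Key URI encoded in the QR code that a third-party authenticator app scans."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    print(build_upload_csv(VENDOR_TOKENS, ASSIGNMENTS))
    print("code at t=59:", totp(VENDOR_TOKENS[0]["secret key"], 59))
    print(otpauth_uri("alice@contoso.example", "Contoso", VENDOR_TOKENS[1]["secret key"]))
```

The first vendor secret is the RFC 6238 reference key, so the codes it produces can be checked against the RFC's test vectors (for example 287082 at t=59). Because the whole secret lives in the upload file and in the QR payload, both should be handled as credentials: delete the vendor file once the tokens are uploaded and never leave the otpauth URI in logs or screenshots.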

 

Can you use Conditional Access along with Security Defaults?

No. While Conditional Access policies are in use you cannot simultaneously use Security Defaults, but if you hold a Conditional Access licence and have refrained from configuring any Conditional Access policies, you can enable Security Defaults. 

Worried about Security Defaults not providing the flexibility your organisation requires? Here is what you can do! 

Many organisations require the ability to exclude specific accounts, such as emergency access or break-glass administration accounts, which is not possible when Security Defaults is enabled. In such cases you have to disable Security Defaults and configure the common Conditional Access policies, which take care of basic security while allowing user exclusion. 

Configuring the above four policies together would mimic the functionality enabled by Security Defaults. For more granular access you can configure your own Conditional Access policies according to your organisational needs. 

 

Configuring Conditional Access Policy.

  1. Sign in to the Azure portal using an account with global administrator permissions. 
  2. Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side. 
  3. Select Conditional Access, then choose + New policy. 
  4. Enter a name for the policy, such as MFA Pilot. 
  5. Under Assignments, choose Users and groups, then the Select users and groups radio button. 
  6. Check the box for Users and groups, then Select to browse the available Azure AD users and groups. 
  7. Browse for and select your Azure AD group, such as MFA-Test-Group, then choose Select. 
  8. To apply the Conditional Access policy for the group, select Done. 
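
The portal steps above create the policy by hand; the point of moving from Security Defaults to Conditional Access is the user exclusion, so it is worth seeing what a policy with a break-glass exclusion looks like and checking it before it is enabled. The following is an added example, not code from the original post or from Microsoft: it builds two of the common policies (require MFA for all users, and block legacy authentication) as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource (field names assumed from that API), excludes the emergency access accounts, and lints any policy for the mistakes that lock administrators out. The break-glass object ids are constructed placeholders.

```python
"""Conditional Access policy bodies with a break-glass exclusion, plus a lint.

Added example, not code from the original post. Field names follow the
Microsoft Graph conditionalAccessPolicy resource (assumed from the API);
the break-glass object ids are constructed placeholders.
"""
import json

# Constructed placeholder object ids of the break-glass (emergency access) accounts.
BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111",
                        "22222222-2222-2222-2222-222222222222"]

REPORT_ONLY = "enabledForReportingButNotEnforced"   # evaluate and log, but do not enforce


def require_mfa_for_all(break_glass, state=REPORT_ONLY):
    """Require MFA for every user on every cloud app, except the break-glass accounts."""
    return {
        "displayName": "CA001: Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth(break_glass, state=REPORT_ONLY, include_eas=False):
    """Block sign-ins from legacy clients ('other'); Exchange ActiveSync only on
    request, since the post notes Security Defaults itself leaves EAS alone."""
    client_types = ["other"] + (["exchangeActiveSync"] if include_eas else [])
    return {
        "displayName": "CA002: Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": client_types,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy, break_glass):
    """Return the findings that would make this policy risky to enable."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    excluded = set(users.get("excludeUsers", []))
    missing = [acct for acct in break_glass if acct not in excluded]
    if users.get("includeUsers") == ["All"] and missing:
        findings.append(f"break-glass accounts not excluded: {', '.join(missing)}")
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "block" in controls and conditions.get("clientAppTypes") == ["all"]:
        findings.append("block control applies to all client app types; everyone in scope is blocked")
    if policy.get("state") == "enabled":
        findings.append("policy is enforced immediately; run it in report-only mode first")
    return findings


def render(policies):
    """JSON bodies as they would be sent to the Graph conditionalAccess/policies endpoint."""
    return json.dumps(policies, indent=2)


if __name__ == "__main__":
    policies = [require_mfa_for_all(BREAK_GLASS_ACCOUNTS),
                block_legacy_auth(BREAK_GLASS_ACCOUNTS)]
    for policy in policies:
        print(policy["displayName"], "->", lint_policy(policy, BREAK_GLASS_ACCOUNTS) or "ok")
    print(render(policies))
```

Both policies start in report-only state so that the sign-in log shows who would have been affected before anything is enforced, which is the same idea as the post's "MFA Pilot" group: widen scope only after the report-only results look right, and keep the break-glass accounts excluded from every policy that could otherwise lock the tenant's administrators out.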

 

We hope the deployment considerations given above help you analyse and select the right deployment technique for your organisation. Prevent account compromises through Security Defaults or Conditional Access policies and manage your organisational needs by selecting an appropriate deployment technique. We would also love to know how helpful this blog was in deploying a secure identity management story for your organisation, so do tell us how you get on with Security Defaults in the comments section. 


Introduction To Security Defaults
https://o365reports.com/2020/05/07/introduction-to-security-defaults/
Office 365 Reports, Thu, 07 May 2020 12:24:26 +0000


Hey Techies! With Microsoft having deprecated its Baseline Policy, it’s time to say hello to the newly introduced Security Defaults that replaces it. Through Security Defaults, Microsoft aims to provide maximum security for users whose primary goal is to set up an environment of business convenience with less regard to security, and especially for those who do not treat security as their primary concern. 

In this blog we walk you through: – 

  • How far this feature will help the newbies. 
  • What difference will it make for the existing users? 

Through this blog, we aim to answer all your doubts on Security Defaults. 

 

Major objective of Security Defaults.

With technology being the major chord bridging the human and virtual worlds, the need to secure your identity in the virtual world is becoming more complex and more significant. Increasingly sophisticated attacks leave you vulnerable to data theft. With a focus on curbing identity-related attacks such as password spray, replay and phishing, Microsoft has introduced a new feature, “Security Defaults”, which promises to take care of your basic security requirements. 

 

Enabling Security Defaults through your Azure portal.

  1. Sign in to the Azure portal as a Security Administrator, Conditional Access Administrator, or Global Administrator. 
  2. Browse to Azure Active Directory > Properties. 
  3. Select Manage Security Defaults. 
  4. Set the Enable Security Defaults toggle to Yes. 
  5. Select Save. 

or you can use this direct link to enable security defaults.

 

Pre-configured Security Settings in Security Defaults.

Security Defaults is the newly introduced basic level of security that Microsoft has developed. Security Defaults secures your organisation through pre-configured security settings such as: – 

  • Unified Multi-Factor Authentication Registration.
  • Multi-Factor Authentication Enforcement.
  • Blocking Legacy Authentication.
  • Protecting Privileged Actions.

 

Unified Multi-Factor Authentication Registration.

Unified Multi-Factor Authentication Registration involves registering every user for Multi-Factor Authentication. You can deploy MFA in the following ways. 

  • A push notification or verification code from the Microsoft Authenticator application. 
  • A hardware token such as an OATH token can be used instead of the Microsoft Authenticator application; however, you will require Azure AD Premium P1 or P2 to use them. OATH tokens resolve the MFA issue for users who do not have a mobile phone. 
  • It is significant to note that more than one MFA method can be registered for verification at a time; in such scenarios either the OTP from the Microsoft Authenticator application or the OTP from the OATH token can be used. 

 

Having difficulties remembering your passwords?  
Looking for a way to go password-free?
Here are some methods that you can adopt for password-free MFA.

 

Multi-Factor Authentication Enforcement

Protecting Administrators:

  • All significant Azure AD admins will have to perform additional security authentication every time they sign in.  

Protecting All Users:

  • MFA is mandatorily enabled for all users, who are prompted for additional authentication whenever necessary.
     
Blocking Legacy Authentication:
  • Any legacy authentication protocol used by an application, excluding Exchange ActiveSync, will be blocked when you enable Security Defaults. 

 

Protecting Privileged Actions:
  • Users accessing the Azure portal, Azure PowerShell, or the Azure CLI will need to complete additional authentication; this policy applies to all users regardless of their role. 
  • It is significant to note that after enabling Security Defaults, no 14-day MFA registration period is provided for admins. 

 

Why Security Defaults? Why now?

Since Security Defaults has the same functionality that Baseline Policy had, you may naturally wonder why it is being introduced as a new feature under the name “Security Defaults”. The answer lies in the very words: unlike Baseline Policy, with Security Defaults the basic security settings are enabled by default for all new users, which strengthens the feature’s ultimate goal that every account is equipped with basic security settings until it is ready to tailor its own identity security story.  

 

Security Defaults is easy to implement and is equipped with pre-configured settings to protect your organisations account from preventable compromises with just a swipe on Security Defaults toggle. 

  

  • The major reason for introducing Security Defaults was the concerning telemetry that more than 99% of attacks target end users and can be prevented by using MFA; although this feature had been available previously, only 9% of users were using it, so it became important for Microsoft to mandate MFA in Security Defaults. 
  • It is crucial to note that there is no option to exclude users from these pre-configured security settings: once the Security Defaults option is enabled, all the pre-configured settings are applied without any exclusion. 

 

New users
  • If you are a new user, the Security Defaults feature is enabled by default for you however, it is not observed to be true across all the tenants. 

 

Existing users
  • If you are an existing user, make sure none of your applications is using legacy authentication. 
  • Make sure all the users in your organisation register for MFA within 14 days. For detailed information on the various deployment considerations and techniques for Security Defaults, check out our deployment considerations for Security Defaults blog. 

 

How is Security Defaults different from Baseline Policy? 

The above question only leads us to ask whether Security Defaults is simply Baseline Policy wrapped in different pre-configured security titles, with only the user exclusion feature removed. 

“Security Defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security story” 

From the above statement we can see that Security Defaults is most fruitful for newbie users who are more concerned about setting up the applications their organisation needs than about security; for such users Security Defaults provides maximum protection against threats and prevents common security attacks.  

Meanwhile, sophisticated users who need customisation and user exclusion, especially from certain pre-configured settings in Security Defaults, will have to configure Conditional Access policies as per their organisation’s requirements. 

While Baseline Policy offered all the basic security protection policies that Security Defaults does, it allowed you to enable the baseline policies you required individually and provided user exclusion options, which could be advantageous in enabling a break-glass process for privileged accounts and exemptions for service accounts. After the deprecation of Baseline Policy, the only way to obtain user exclusion capabilities is by setting up Conditional Access policies. 

 

Pros of Security Defaults

  • If you are a new user, instead of configuring multiple security policies, Security Defaults gives you maximum protection through its pre-configured security settings. 
  • It’s free for all licence levels and trial tenants. 

 

Cons of Security Defaults

  • These settings are not customisable: you can either deploy all the pre-configured security settings with the single Security Defaults toggle, or disable it and configure Conditional Access as per your requirements. 
  • If you enable Conditional Access policies, you won’t be able to use Security Defaults. 
  • Admins must be alert and mindful about updates to Security Defaults, as it has no customisation possibilities and users will therefore be impacted by new inclusions. 

 

The Vulnerability

As stated in the Microsoft Tech Community blog “Introduction to Security Defaults”:

“We will expand first to apply Security Defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves” 

The above statement does not give us clear insight into what will happen to users who had previously relied on baseline policies and how they will be impacted when those policies are deleted. Since we do not find any documentation specifying that Security Defaults will be enabled by default for tenants relying on Baseline Policy for protection, there is a possibility that those users might become vulnerable, as they will be stripped of the baseline protection policies that had guarded them. It is therefore advisable to pre-configure the required policies through Conditional Access or to enable Security Defaults before the deprecation of Baseline Policy. 

 

Can we expect more pre-configured settings to be included in Security Defaults in the near future?

Yes!! Since Microsoft promises to judiciously expand these Security Defaults to maximize protection for the users and terms MFA as the starting point in this journey, you surely can expect more pre-configured settings to be added to Security Defaults. 

 

Summary 

With Baseline Policy deprecated on February 29th, 2020, we cannot call the transition to Security Defaults a smooth one, since it has quite an impact on users, essentially because Security Defaults has no user exclusion. Users who want to continue to enjoy the same security privileges they were accustomed to while Baseline Policy was enabled will have to configure similar baseline policies from scratch through Conditional Access policies, and they will also have to buy Azure AD Premium P1 licences to use the customised Conditional Access policies they create. 

