Microsoft has begun rolling out security defaults to existing Microsoft customers who have yet to roll out security defaults or Azure AD Conditional Access, helping tenants created before October 2019 better secure their IT environments.
Microsoft introduced security defaults in the fall of 2019 for new tenants, which included multifactor authentication (MFA) and modern auth requirements regardless of license. Now, the company says it has more than 30 million organizations protected by security defaults that are 80% less likely to be compromised than the overall tenant population.
According to Microsoft, security defaults can protect organizations against a large majority of cyberattacks, as 99.9% of compromised accounts don’t have MFA and are vulnerable to identity attacks.
In addition to MFA, security defaults feature Conditional Access and Identity Protection, and now the company plans to help protect another 60 million accounts by rolling it out to tenants created before October 2019.
Security defaults will challenge users with MFA when necessary, based on factors such as location, device, role and task. Admins will be required to perform MFA every time they sign in, according to the company.
Microsoft says it will start the rollout with organizations that need more security, including customers who aren’t using Conditional Access, haven’t used security defaults before and aren’t actively using legacy authentication clients.
Global admins of eligible tenants will be notified via email, and will be prompted beginning in late June to enable security defaults or push it off for up to 14 days. They can also opt out of security defaults.
After security defaults are enabled, all users in the tenant will be asked to register for MFA via the Microsoft Authenticator app, and Global admins will be asked for a phone number in addition.
Customers can opt out of security defaults for any reason by disabling them through Azure Active Directory properties or the Microsoft 365 admin center. Customers that do so will be prompted to give a reason so Microsoft can improve the service.
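Before the rollout prompt arrives, an admin can check where a tenant stands. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only Policy.Read.All permission. It reads the security defaults policy object and the tenant's Conditional Access policies (the two are mutually exclusive, which is why the rollout targets tenants using neither) and prints a short assessment without changing anything.

```powershell
# Added example: read-only audit of a tenant's security-defaults state via Microsoft Graph.
# Assumes the Microsoft.Graph module and a delegated sign-in that can grant Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# Security defaults are exposed as a single policy object with an isEnabled flag.
$defaults = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"

# Conditional Access policies disqualify a tenant from security defaults (and vice versa),
# so their presence explains why a tenant would not be in the automatic rollout.
$caPolicies = @((Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies").value)
$enabledCa = @($caPolicies | Where-Object { $_.state -eq "enabled" })

[pscustomobject]@{
    SecurityDefaultsEnabled   = [bool]$defaults.isEnabled
    ConditionalAccessPolicies = $caPolicies.Count
    EnabledCAPolicies         = $enabledCa.Count
    Assessment = $(
        if ($defaults.isEnabled)       { "Protected by security defaults (MFA registration required for all users)" }
        elseif ($enabledCa.Count -gt 0) { "Using Conditional Access instead; security defaults cannot be enabled alongside it" }
        else                            { "Neither in place: expect the rollout prompt; plan Authenticator registration" }
    )
}
```

Run it once per tenant from an admin workstation; the output's Assessment line tells you whether the tenant is already covered, is governed by Conditional Access, or should expect the email and 14-day prompt described above.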
Alex Weinert, director of identity security at Microsoft, wrote in a blog post that many smaller companies lack security and IT expertise, so they aren’t in touch with new security baselines, such as MFA.
“So, even though the industry is clear on the importance of MFA, there’s no one to hear or execute on these security mandates,” Weinert writes. “These organizations are often the most vulnerable and experience the most compromised accounts.”