Now that the news about the Microsoft Security Defaults is becoming more and more known, more and more questions arise about its impact. High time to clarify this!
Azure AD Security Defaults
We have been saying for years that passwords are rarely secure. Phishing and keylogging are common methods used by hackers to get hold of passwords. To increase the security level of its users, the company is implementing some stricter security settings in its Microsoft 365 environments. The use of Multifactor Authentication or Conditional Access will become mandatory. Legacy Authentication (an outdated login protocol) will be deactivated and replaced by Modern Authentication.
What changes when?
- New tenants: Security Defaults are now automatically activated
- Existing tenants: environments without Security Defaults that no using Conditional Access are automatically converted in stages
Note: Customers without an Azure AD P1 licence are not able to activate Conditional Access and are by definition converted. This licence is included in several bundles including Microsoft 365 Business Premium or Microsoft 365 E3/E5.
Impact Security Defaults
For customers who belong to this second category, the new Azure AD Security Defaults will soon be activated automatically. In concrete terms, this means that tenant administrators (Global Admins) will be asked to activate the "Security Defaults" function in the Azure AD environment during the login process. This can be postponed for a maximum of 14 days. If this does not happen, the function will be activated automatically by Microsoft.
What is the impact on users?
- Multifactor Authentication: for all users required - there are no exceptions. Without proper communication beforehand, it is therefore possible that users will 'suddenly' no longer be able to log on.
- Legacy Authenticationis blocked for all users - There are no exceptions here either. Most e-mail programmes make the switch from Legacy to Modern Authentication flawlessly. If users still report problems, manual intervention is necessary.
As an organisation, you had better be well prepared! Without taking the right measures in advance, users 'suddenly' run the risk of experiencing login problems. Therefore, do not hesitate to contact us if necessary.