Something I stumbled across today – it appears that Microsoft has decided to abandon Baseline Protection Policies, and replace them with a single ‘on/off’ switch called ‘Security Defaults’
Baseline Protection policies (also called Baseline Policies, it seems both terms have been used) were in preview, and were a pre-canned set of policies based on Microsoft recommendations on standard security settings that should be in place – such as forcing any administrator account to use MFA at each sign in, and blocking legacy authentication.
Here’s what the Conditional Access page currently shows. There might be something wrong with the detection though, as I clearly have a Baseline Policy enabled:
It’s not difficult to recreate the Baseline policies, so I’d suggest migrating off of them now while they’re still functional – you don’t want to be left in a state where you didn’t realise MFA for admins was now not being forced.
The replacement Security Defaults option can be found by going to Azure Active Directory > Manage – Properties > Manage Security Defaults (it’s not in the Conditional Access area):
Before flipping this switch to ‘On’, you’ll need to have a really good read of the documentation. There’s a lot this option does, and may break many environments who aren’t ready for this – such as making sure you have no Legacy Authentication requirements, and that all users will register for MFA within 14 days or be blocked from sign-in until they register.
Although I can see this option being turned on by an uninformed administrator and causing some chaos, I like the idea of this. It means a new tenant can now have a single option to start with to implement several critical aspects to protect the tenant against attacks – right now there’s a lot you need to go through to lock it down, and especially for a small business who doesn’t have the time or resources to do this as well as a larger one, a single on/off switch solves a lot of security problems.
Security Defaults is also available to all customers on all tiers – Azure AD Free tier, which means those who have basic needs can now be protected in several ways they weren’t able to do via Conditional Access before.
Security Defaults isn’t listed as being in Preview as far as I can tell, so it may be an option that’s just rolled out and a ready to go. I am guessing there’ll be a bit of kickback around this being a single option that has no other configurable options in it, so we’ll have to wait and see if the product changes, or Microsoft’s vision of a security toggle stays as their goal.
Per official documentation – Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal.
So this is good start for free AAD license, but the customers with AAD premium are recommended to use more granular AAD Conditional Access policies. In fact they shouldnt be able to enable Security Defaults if they already have AAD CA policy.
Thanks for the write up. I’m in the process of rebuilding the baseline policies. Do you have any pointers on how to rebuild the baseline policy that block legacy auth?
When you say rebuild the baseline policy, elaborate some more on what you mean?