Jason Moermond

Office 365 MFA Changes coming

We have received the following email from Microsoft in regard to our tenant. I'm confused and unable to find anything concrete as to what to expect. We have 4 locations throughout the US and have 5 different domains in our tenant. With the change coming on 2-29-2020, am I understanding that Microsoft will enable MFA for all users in our tenant? If this is true, can we set up conditional access rules that would disable MFA at least temporarily? We have roughly 1250+ users and would prefer to roll this out at each location one at a time by department instead of flipping a switch for the entire organization. Any help would be appreciated.





Security Defaults is the generally available version of Azure Active Directory Baseline Protection policies and is available today to all tenants. We'll be gradually replacing Baseline Protection policies with Security Defaults starting February 29th, 2020.
This message is associated with Microsoft 365 Roadmap ID 55688.
[How does this affect me?]
You are receiving this message because our reporting indicates you are using Azure Active Directory Baseline Protection policies. Baseline protection policies will stop being enforced starting February 29th, 2020. You will need to either move to Security Defaults or configure equivalent Conditional Access policies.
If you are interested in protecting your organization from identity related attacks, tenant admins will be able to enable the basic level of identity security in their tenant with just one-click. Enabling Security Defaults will do the following:
•      Require all users and admins to register for Multi-Factor Authentication (MFA)
•      Challenge users whenever our systems indicate it’s necessary – mostly when users show up on a new device or app, but more often for critical roles and tasks
•      Prevent users from using legacy authentication clients, which can’t do multi-factor authentication. Security Defaults will soon block authentication requests made from Exchange Active Sync basic authentication.
To learn more about Security Defaults review: What are security defaults?
[What do I need to do to prepare for this change?]
Migrating off of Baseline Protection
Baseline protection policies will stop being enforced starting February 29th, 2020. If you are using one or more Azure AD baseline protection policies, you will need to move off of baseline protection before then. If you are looking to enable similar identity security protection in your tenant, you can enable Security Defaults or configure equivalent Conditional Access policies as outlined here. Please click the additional information link to learn more.
Enabling Security Defaults
Security Defaults has administrative controls to enable and disable. This feature is normally off by default but you might have it on by default if your tenant was created on or after October 22nd, 2019. Security Defaults can be enabled/disabled by going to Azure Portal -> Properties -> Manage Security Defaults. To learn more about Security Defaults review: What are security defaults?
Security Defaults prevents users from using legacy authentication clients, which can’t do multi-factor authentication. These are normally authentication requests that are made using IMAP, SMTP, and POP3. In the coming month, Security Defaults will begin to block Exchange Active Sync basic authentication as well. Before enabling Security Defaults, be sure to go through the legacy authentication guide to understand how to prepare for this block and move over to modern authentication.
To learn more about Security Defaults and this change please see the Additional Information.
Bastiaan

Baseline protection policies will be stopped; if you enable Security Defaults with one click, you will enable MFA for your users. So it is your choice. I do not think you can enable MFA and "disable" it with conditional access.


The baseline policies can be replaced with security policies or other conditional access policies.


Check if security defaults are enabled by going to the properties of your AAD and clicking on "Manage Security Defaults". Otherwise you can set conditional access.


A good article about the baseline policies:  https://www.itpromentor.com/new-baseline-ca-policies/


So check your conditional access policies to see if any of them forces MFA.

Just to add to the above, both Baseline policies and Security Defaults are mostly intended for smaller orgs that don't necessarily have Azure AD Premium licenses and thus cannot utilize CA. In turn, they lack the flexibility of CA policies. In your scenario, you can just stick to using CA.
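
A staged rollout of the kind asked about, sketched as an added example that is not part of the original thread or of Microsoft's email: it uses the Microsoft Graph PowerShell module to confirm Security Defaults is off, then creates a Conditional Access policy that requires MFA for one department's group only, in report-only mode. The group and account GUIDs and the policy name are placeholders assumed for illustration.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph module is
# installed and the tenant has Azure AD Premium licenses for Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Conditional Access policies cannot be enabled while Security Defaults is on,
# so check the tenant-wide switch before relying on scoped policies.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning 'Security Defaults is enabled: MFA registration applies to every user.'
    return
}

# Placeholders (assumptions): replace with your own object IDs.
$pilotGroupId = '00000000-0000-0000-0000-000000000001'  # first department's group
$breakGlassId = '00000000-0000-0000-0000-000000000002'  # emergency access account

$policy = @{
    displayName = 'MFA rollout - pilot department'      # hypothetical name
    # Report-only: sign-in logs show who would be prompted, nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)            # only this department
            excludeUsers  = @($breakGlassId)            # keep one account out of scope
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results, enforce the policy for this group:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Adding the next department's group to `includeGroups`, or creating one policy per location, extends the rollout without touching users who are not yet in scope.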