Microsoft is rolling out these security settings to protect millions of accounts. Here's what's changing

Microsoft's 'security defaults' are getting a much bigger rollout.
Written by Liam Tung, Contributing Writer

To thwart password and phishing attacks, Microsoft is rolling out security defaults to a massive number of Azure Active Directory (AD) users. 

Microsoft began rolling out security defaults to customers who created a new Azure AD tenant after October 2019, but didn't enable the defaults for customers that created Azure AD tenants prior to October 2019. 

Today, Azure AD security defaults are used by about 30 million organizations, according to Microsoft, and over the next month Microsoft will roll out the defaults to many more organizations that will result in the defaults protecting 60 million more accounts. 

"When complete, this rollout will protect an additional 60 million accounts (roughly the population of the United Kingdom!) from the most common identity attacks," says Microsoft's director of identity security, Alex Weinert.  

Azure AD is Microsoft's cloud service for handling identity and authentication to on-premise and cloud apps. It was the evolution of Active Directory Domain Services in Windows 2000. 

Microsoft introduced secure defaults in 2019 as a basic set of identity security mechanisms for less well-resourced organizations that wanted to boost defenses against password and phishing attacks. It was also aimed at organizations using the free tier of Azure AD licensing, allowing these admins to just toggle on "security defaults" via the Azure portal. 

Secure defaults wasn't intended for larger organizations or those already using more advanced Azure AD controls like Conditional Access policies.      

As Weinert explains, the defaults were introduced for new tenants to ensure they had "basic security hygiene", especially multi-factor authentication (MFA) and modern authentication, regardless of the license. The 30 millions organizations that have security defaults in place are far less prone to breaches, he points out.  

"These organizations experience 80 percent less compromise than the overall tenant population. Most tenants simply leave it on, while others add even more security with Conditional Access when they're ready," says Weinert. 

The security defaults mean users will face an MFA challenge "when necessary", based on the user's location, device, role, and task, according to Weinert. Admins, however, will be need to use MFA every time they sign in. 

The security default roll out will come first to organizations that aren't using Conditional Access, haven't previously used security defaults, and "aren't actively using legacy authentication clients". 

So, one group of customers that won't be prompted to enable security defaults next month are Exchange Online customers still using legacy authentication. Microsoft wanted to disable legacy authentication for Exchange Online  in 2020, but that was delayed by the pandemic. Now, the deadline for moving Exchange Online to modern authentication is October 1, 2022. Customers can't request extensions beyond this date, Microsoft's Exchange Team stressed earlier this month.     

Microsoft will notify global admins of eligible Azure AD tenants this month about security defaults through an email. In late June, these admins will see an Outlook notification from Microsoft prompting them to click on "enable security defaults" and a warning that "security defaults will be enabled automatically for your organizations in 14 days". 

"Global admins can opt into security defaults right away or snooze for as many as 14 days. They can also explicitly opt out of security defaults in this time," Weinert says. 

Once enabled, all users in a tenant will be asked to register for MFA using the Microsoft Authenticator app. Global admins also need to provide a phone number. 

Microsoft is allowing customers to leave security defaults disabled through the "properties" section of Azure Active Directory properties or the Microsoft 365 admin center

Weinert offers one compelling argument against admins who refuse to enable it. 

"When we look at hacked accounts, more than 99.9% don't have MFA, making them vulnerable to password spray, phishing, and password reuse," he notes. 

Editorial standards