The impact to customers of Microsoft enforcing Security Defaults

Microsoft will be making multi-factor authentication (MFA) mandatory for all organisations in 2023.

What’s happening?

In 2022, Microsoft publicly announced it planned to raise the baseline security for all of its customers globally. Microsoft’s focus is disabling legacy authentication (username and password only) and mandating the use of Multi-Factor Authentication (MFA) for sign-in. Microsoft states that Multi-Factor Authentication would have prevented more than 99.9% of user account compromises from identity-related attacks, including password spray, replay, and phishing.

They are planning to achieve this by enabling Security Defaults within customer tenancies for organisations that do not currently use Security Defaults or Conditional Access. It must be noted that using Security Defaults, which is Microsoft’s minimum requirement, can result in interrupted use of systems, so we strongly recommend you plan ahead and speak to a trusted advisor at TSG.

When is this happening?

As of May 2023, TSG can confirm some clients are now receiving emails from Microsoft advising that Security Defaults will be enabled within 14 days of the date of the email. These emails are sent to the global administrators of customer tenancies.

What are the challenges of this?

Enabling Security Defaults can cause issues for companies that do not supply mobile devices to all employees within their organisation, because under Security Defaults MFA can only be completed through the Microsoft Authenticator mobile app. If you need more MFA methods, which we strongly recommend to mitigate interruption to services, you will need ‘Conditional Access’.

‘Service accounts’ used by software programmes to send email can stop working, as can scan-to-email services from devices such as Multi-Function Printers (MFPs), because these typically rely on legacy (username and password only) authentication.

What do I need to do?

We strongly recommend you get in touch with us about this change so you can plan ahead. Failure to prepare for this change would result in interrupted use of systems with no access.

What are my options?

There are three different methods for enabling MFA:

A) Per User MFA (now Legacy MFA): not recommended

This option is not recommended as it does not provide for any centralised management or compliance.

B) Security Defaults: minimum Microsoft recommendation

This is the minimum Microsoft recommendation but can directly cause problems for customers. It also requires all employees to have a mobile phone for the Authenticator app.

Common issues include service accounts used by application software to send email, and scan-to-email services from devices (MFPs), ceasing to work.

C) Conditional Access: recommended

This must be paid for but provides the best experience of the three options. It gives more granular control (for example, which users, applications and client types a policy applies to, and which accounts are excluded from it) and is recommended by Microsoft (and TSG) for ‘more complex’ environments. As well as the Microsoft Authenticator app, Conditional Access also supports MFA through a text message, a phone call, or a hardware token.
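The two practical points above (which accounts Security Defaults will interrupt, and how Conditional Access narrows the MFA scope so service accounts keep working) are easier to see in code. The following Python is an added example, not TSG’s or Microsoft’s code. It reads sign-in records in the shape of an Entra ID (Azure AD) sign-in log export, lists the accounts still relying on legacy authentication, and builds the Microsoft Graph request bodies for two Conditional Access policies that exempt the service accounts you nominate. The sign-in records, user IDs and UPNs are constructed; the legacy-protocol list is a working subset; the mapping from the log’s clientAppUsed value to the policy’s clientAppTypes condition is an assumption; and controls_for is a simplified evaluator that ignores locations, devices and risk. Nothing is sent to Graph.

```python
"""Pre-flight check for the Security Defaults switch-on.

Flags accounts that still authenticate with legacy (basic auth) protocols
and builds Graph API bodies for Conditional Access policies that keep the
nominated service accounts working while requiring MFA for everyone else.
Runs offline: all records and IDs below are constructed sample data.
"""
from collections import defaultdict

# clientAppUsed values (as shown in the Entra sign-in log) that Security
# Defaults block by disabling legacy authentication.  Assumption: a subset
# of the full list; extend it from your own log export.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Exchange Web Services", "Other clients",
}

# Assumed mapping from a sign-in log clientAppUsed value onto the
# clientAppTypes condition used by Conditional Access; anything else
# is treated as the legacy "other" client type.
CA_CLIENT_APP_TYPE = {
    "Browser": "browser",
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Exchange ActiveSync": "exchangeActiveSync",
}

# Constructed sample records; a real export carries many more fields.
SAMPLE_SIGN_INS = [
    {"userId": "u-0001", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser"},
    {"userId": "u-0002", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userId": "u-0101", "userPrincipalName": "svc-crm@example.com",
     "clientAppUsed": "Authenticated SMTP"},
    {"userId": "u-0102", "userPrincipalName": "mfp-reception@example.com",
     "clientAppUsed": "Authenticated SMTP"},
    {"userId": "u-0003", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "IMAP4"},
    {"userId": "u-0001", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser"},
]


def legacy_auth_usage(sign_ins):
    """Return {userPrincipalName: set of legacy protocols observed}."""
    usage = defaultdict(set)
    for rec in sign_ins:
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            usage[rec["userPrincipalName"]].add(rec["clientAppUsed"])
    return dict(usage)


def accounts_broken_by_security_defaults(sign_ins):
    """UPNs whose observed sign-ins stop working once legacy auth is
    disabled.  Only the legacy-auth block is modelled here."""
    return sorted(legacy_auth_usage(sign_ins))


def build_policies(exempt_user_ids, state="enabledForReportingButNotEnforced"):
    """Bodies for POST /identity/conditionalAccess/policies:
    1. require MFA on modern clients for all users except the exempt IDs;
    2. block legacy client types for all users except the exempt IDs.
    Default state is report-only so the effect can be reviewed first."""
    users = {"includeUsers": ["All"], "excludeUsers": list(exempt_user_ids)}
    apps = {"includeApplications": ["All"]}
    return [
        {"displayName": "Require MFA - all users, modern clients",
         "state": state,
         "conditions": {"users": users, "applications": apps,
                        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
        {"displayName": "Block legacy authentication",
         "state": state,
         "conditions": {"users": users, "applications": apps,
                        "clientAppTypes": ["exchangeActiveSync", "other"]},
         "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    ]


def controls_for(policies, user_id, client_app_used):
    """Simplified evaluation: built-in controls the enabled policies apply
    to one sign-in.  Ignores locations, devices, sign-in risk and groups."""
    app_type = CA_CLIENT_APP_TYPE.get(client_app_used, "other")
    applied = []
    for p in policies:
        if p["state"] != "enabled":
            continue
        cond = p["conditions"]
        if ("All" in cond["users"]["includeUsers"]
                and user_id not in cond["users"]["excludeUsers"]
                and app_type in cond["clientAppTypes"]):
            applied.extend(p["grantControls"]["builtInControls"])
    return applied


if __name__ == "__main__":
    print("Would stop working under Security Defaults:",
          accounts_broken_by_security_defaults(SAMPLE_SIGN_INS))
    # Exempt only genuine service accounts; a person still on IMAP (carol)
    # should move to a modern mail client rather than be excluded.
    policies = build_policies(["u-0101", "u-0102"], state="enabled")
    for rec in SAMPLE_SIGN_INS:
        controls = controls_for(policies, rec["userId"], rec["clientAppUsed"])
        print(rec["userPrincipalName"], rec["clientAppUsed"], "->", controls or ["allow"])
```

Run it as-is to see which constructed accounts would be cut off, then replace the sample data with your own sign-in export and the exempt list with the object IDs of your service accounts. Leaving the policies in the report-only state for a while before switching them to enabled lets you confirm from the sign-in log that no unexpected account is caught.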

We can help you to determine the most appropriate Microsoft 365 licensing for your organisation, as the various plans, including Azure Active Directory Premium P1/P2, Microsoft 365 Business Premium, Microsoft 365 E3/E5/F3/F5, Microsoft EM+S have different use cases/features.


MFA Chart


TSG clients:

It is important that you enable Azure MFA as soon as possible to continue to operate your business as normal. Please do not wait until you are contacted by Microsoft as new licensing may need to be in place before the change, so preparation is key.

We understand this may be confusing and you may not know where to start. Please contact us if so, and we will be in touch to help.

Non-TSG clients:

You must prepare for this transition whether you are a TSG client or not to avoid having your accounts affected.

We pride ourselves on having a team of seasoned security professionals with years of experience in managing risks and ensuring security for businesses of all sizes. Contact us today to learn more about how we can help you safeguard your systems and networks for your peace of mind.

Q&A

Microsoft started the enforcement of Security Defaults in May last year. As of May 2023, TSG can confirm that some customers are now receiving emails from Microsoft advising that Security Defaults will be enabled within 14 days of the date of the email. It is important that you prepare for this change beforehand, to ensure no interruption to your services.

As mentioned above, Microsoft is planning to raise its baseline security by enabling Security Defaults as standard. However, this usually only works well for companies where all staff have a company mobile with the Authenticator app. If you need more MFA methods and more control over how MFA is enforced, we strongly recommend you get ‘Conditional Access’.

Please see the diagram above for more information on these licenses.

This applies to M365 and any services you log into through the Azure Active Directory account that is behind your M365 tenant. Applications such as Dynamics, SharePoint and Teams will be affected.

Unfortunately, sticking with Microsoft’s ‘Security Defaults’ can affect service accounts used by software programmes to send email and cause them to stop working, as well as scan-to-email services from devices such as Multi-Function Printers (MFPs). It also requires all users to have the Authenticator app installed on a work or personal mobile, which some staff or companies may not be comfortable with. We recommend ‘Conditional Access’ to get the best experience for MFA.

The best option in this instance would be method ‘C’ above, which is Conditional Access. This must be paid for but provides the best experience of the options. It gives more granular control and is recommended by Microsoft (and TSG) for ‘more complex’ environments. As well as the Microsoft Authenticator app, Conditional Access also supports MFA through a text message, a phone call, or a hardware token.

We can help you to determine the most appropriate Microsoft 365 licensing for your organisation, as the various plans, including Azure Active Directory Premium P1/P2, Microsoft 365 Business Premium, Microsoft 365 E3/E5/F3/F5, Microsoft EM+S have different use cases/features.

Depending on the situation and the particular licence in use, there are ways to modify the scope of the MFA requirement, or to set up Conditional Access so MFA is not required for normal use. Contact us to speak to a trusted advisor around MFA.

After the 14-day notification period is up, users will need to have MFA enabled in order to sign in to M365. They will be given the ability to register for this themselves upon login; however, if the Microsoft Authenticator app is not installed on all employees’ mobiles, you will need Conditional Access to guarantee no interruption of systems.

We strongly advise you plan ahead and not wait for Microsoft’s email to get ready for this change. Fill in our form below so we can guide you through this.

This will apply to all user accounts, including those used to send emails from printers/scanners. ‘Service accounts’ used by software programmes to send email can stop working, as can scan-to-email services from devices such as Multi-Function Printers (MFPs). Please contact TSG and we can help resolve this.

Need support setting up MFA?

Contact our Training team today using the form below.