Following on from the action Microsoft has been taking to remove Basic authentication for connections to Exchange Online (see Deprecation of Basic authentication in Exchange Online | Microsoft Learn), Microsoft recently announced (see Raising the Baseline Security for all Organizations in the World – Microsoft Community Hub) that it is now rolling out security defaults to all Office 365 tenants globally. This is the action Microsoft is taking to help customers take their first steps towards better security, and also to help partners protect themselves from cyber incidents.
In recent weeks we have seen increased cyber-attack activity that has unfortunately led to breaches. I also want to highlight that, while security defaults are a great first step because they enable MFA (Multi-Factor Authentication), the basic version of MFA can be bypassed and has been. So please use this change that Microsoft is making as a conversation starter with your clients to help them achieve a better security posture, moving as quickly as you can towards a zero-trust security posture for all of your clients.
In short, following the success of enforcing baseline security policies in tenants created after 2019, Microsoft now sees data showing that clients on tenants created before 2019 who have not started deploying security controls are at a much greater risk of being breached.
Identity attacks are one of the biggest risks your clients face while using cloud services: every 2 seconds, 900 plus attempted attacks take place. Theft of an account's identity can lead to man-in-the-middle attacks or lateral movement in your environment. If you are unlucky enough to have an account breached that has access to an Azure resource, you could see crypto mining take place in your client's environment. Please note that under your commercial terms with Microsoft, this will be billed as usage! That is not a pleasant experience for you, your client, or for us as your Indirect provider.
Security baselines help clients by deploying MFA for all users by default. However, we have had feedback from partners and clients alike that this version of MFA is extremely limited and can cause end-user pushback. This gives partners a terrific opportunity to discuss a zero-trust offer by introducing Azure AD P1 and Intune and using Conditional Access policies rather than baseline settings.
Microsoft 365 has a feature called **Security Defaults** that provides secure default settings, managed by Microsoft on behalf of organizations, to keep customers safe until they are ready to manage their own identity security⁶. Security defaults include requiring Multi-Factor Authentication (MFA) for sign-ins, disabling legacy mail protocols, and more¹.
Security defaults are available to everyone because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy protocols¹.
To enable security defaults (or confirm they are already enabled), go to the Azure portal (https://portal.azure.com/) and sign in. Under Manage Azure Active Directory, select View. In the navigation pane, select Properties, and then select Manage security defaults. On the right side of the screen, in the Security defaults pane, select Yes².
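The same check and change can be scripted so that it can be run across many client tenants. The following is an added example using the Microsoft Graph PowerShell SDK; it is not from the original post or from Microsoft's article. It assumes the Microsoft.Graph module is installed and that the signing-in account can consent to the Policy.Read.All and Policy.ReadWrite.ConditionalAccess permissions. Because security defaults and Conditional Access are not used together, the script reports any existing enabled Conditional Access policies instead of switching security defaults on in that tenant.

```powershell
# Added example (not code from the original post): report the security defaults
# state of the signed-in tenant and enable it where appropriate.
# Assumes: Microsoft.Graph module installed; account can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Read the current security defaults enforcement state
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# Enabled Conditional Access policies indicate a tenant that should stay on CA,
# not be moved to security defaults
$enabledCaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabled" }

if ($securityDefaults.IsEnabled) {
    Write-Output "Security defaults are already enabled in this tenant."
}
elseif ($enabledCaPolicies.Count -gt 0) {
    Write-Output "Security defaults are disabled, but $($enabledCaPolicies.Count) enabled Conditional Access policy(ies) exist:"
    $enabledCaPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
    Write-Output "Leaving security defaults off; review the Conditional Access policies instead."
}
else {
    Write-Output "Security defaults are disabled and no Conditional Access is in place; enabling."
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}

Disconnect-MgGraph
```

Run this once per client tenant after connecting with an account that has the Global Administrator or Security Administrator role; the first branch confirms the state without changing anything, which is the safe way to verify what Microsoft's rollout has already done in a tenant.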
If you want to disable security defaults for a single user, a Conditional Access policy can be set in Azure AD instead⁵.
The team in MWH want to make sure you know that security defaults are not a silver bullet against cyber-attacks, but for clients who have been pushing back on having security features enabled, this change will force them to discuss this and other security configuration options with you.
It is happening now, and Microsoft is saying the following: "Based on usage patterns, we will start with organizations that are a good fit for security defaults. Specifically, we will start with customers who are not using Conditional Access, have not used security defaults before, and are not actively using legacy authentication clients."
This means your clients could have these changes enabled at any stage in the coming weeks and months. It is important that you and your clients are aware of these changes and why they are being deployed. You can then discuss better options for your clients and their environments.
For example, you could discuss adding Azure AD P1 to create exclusion rules that let certain users bypass these changes (this is not advised), or you could start discussing M365 Business Premium and bringing devices under management. Once devices are managed, you can create Conditional Access rules that only allow managed and secure devices to connect to services, and only prompt for MFA when users try to access services from an unmanaged device. (This is our advised approach for clients not impressed by Security Defaults.)
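The advised approach above, expressed as one Conditional Access policy, as an added example that is not from the original post or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that Azure AD P1 (for example via M365 Business Premium) is licensed, and that security defaults have already been turned off in the tenant, since Conditional Access is used in their place. The grant control uses the OR operator over "compliant device" and "MFA", so a user on an Intune-compliant or hybrid-joined device signs in without an MFA prompt, while a user on an unmanaged device must complete MFA. The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced; the break-glass account object ID is a placeholder you must replace.

```powershell
# Added example (not code from the original post): create a report-only Conditional
# Access policy that skips MFA on managed devices and requires it everywhere else.
# Assumes: Microsoft.Graph module installed; Azure AD P1 licensed; security defaults off.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) account to exclude,
# so a misconfigured policy can never lock every administrator out
$breakGlassAccountId = "<break-glass-account-object-id>"

$policy = @{
    displayName = "Managed device or MFA - all users, all cloud apps (report-only)"
    # Report-only: evaluated and logged, but not enforced, until reviewed
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: satisfying any one control grants access, so a compliant or
        # hybrid-joined device is enough and the MFA prompt only appears on
        # unmanaged devices
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice", "mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy '$($created.DisplayName)' with id $($created.Id) in state $($created.State)."

Disconnect-MgGraph
```

After a week or two of report-only data, change `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. Blocking legacy authentication, which security defaults did for the client automatically, needs its own Conditional Access policy once security defaults are off.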
For clients that have already started using security defaults, there should be no change. For clients that are using Conditional Access policies and similar controls, there should be no change. Clients that to date have not started using MFA in Office 365 will be impacted: it will start by asking the administrators first, and then the rest of the end users. See the full article for details on what to expect: Raising the Baseline Security for all Organizations in the World – Microsoft Community Hub.
We say this "should not affect" clients already using Conditional Access or Security Defaults, but mistakes can happen, so be aware of these changes should they arise in your clients' sites.
Actions for partners to take: