Microsoft announced Azure Active Directory Security Defaults with the stated goal to ensure “all organizations have a basic level of security-enabled at no extra cost.” The decision to offer such an option is in response to some alarming trends they have observed within the Office 365 customer base. However, Microsoft Office 365 users face a number of challenges and gaps when enabling this basic level of security. In this blog, Shawn Jordan describes a much-needed alternative to Security Defaults, and how to successfully bridge the gap.
Setting Security Defaults to encourage customers to adopt Multi-Factor Authentication.
Recently Microsoft announced Azure Active Directory Security Defaults with the stated goal to ensure “all organizations have a basic level of security-enabled at no extra cost.” The decision to offer such an option is in response to some alarming trends they have observed within the Office 365 customer base. A recent article published by Forbes indicated that over 1.2 million Office 365 user accounts were compromised in January 2020 [1]. Those recent numbers only validate years of additional research and observations that Microsoft has conducted. Part of that research indicates that Multi-Factor Authentication (MFA) would have prevented the vast majority of those accounts from being compromised. Some articles and notes indicate that MFA would have mitigated around 99% of these identity-based attacks. If that is a true representation of its effectiveness, it is no wonder that Microsoft has chosen to offer Security Defaults.
Even more interesting is that Microsoft has been trying to raise awareness and encourage customers to adopt Multi-Factor Authentication for years. Unfortunately, their attempts to increase adoption among their Office 365 users have been considered unsuccessful by many. Even Microsoft's most optimistic estimate is that only about 9% of organizational users trigger an MFA claim.
Based on this data, Microsoft and government agencies including the Department of Homeland Security [2] and the National Cyber Security Centre [3] recommend that organizations use multi-factor authentication to protect their Office 365 accounts.
The five challenges of applying the default option
While Azure Active Directory Security Defaults offer a basic level of security, the option unfortunately has its drawbacks as well. There is certainly justification for using the default option, because it provides free MFA that includes the use of the Microsoft Authenticator app. Unfortunately, though, it leaves some gaps and creates challenges for many Office 365 users, which include:
- Security Defaults only allow MFA through the authenticator app.
  - This could be challenging with a BYOD model, as users may be hesitant to install an app on their personal device.
  - It also limits your flexibility to help users who lose their cell phones and may need an alternative authentication method, such as email, on a temporary basis.
- Blocks all legacy authentication methods, including hardware tokens, texts, phone calls, etc.
  - On the surface this seems harmless, but for those who have printers and external systems that use POP3, IMAP4 and SMTP, enabling Multi-Factor Authentication for all users will block that access, causing business disruption until modern authentication can be adopted.
- All users must enable MFA, with no exceptions.
  - Unfortunately, Security Defaults apply MFA to all users with no exceptions. Organizations need the flexibility to apply policies based on individual user needs and authentication ability.
- No ability to create and use “Break Glass” Emergency Access Accounts [4].
  - Microsoft recommends the creation and use of emergency access accounts, with instructions to exclude at least one account from phone-based multi-factor authentication.
  - With Azure AD Security Defaults turned on, Emergency Access Accounts become more difficult and perhaps more costly to implement.
- It does not address other fundamental security elements beyond MFA.
  - Security Defaults focus on enabling Multi-Factor Authentication to mitigate the risks associated with identity-based attacks. But achieving a higher level of security will require additional effort to protect sensitive information and harden email defenses.
  - The Department of Homeland Security and National Cyber Security Centre both advise enabling features that include mailbox auditing and mail filtering such as Advanced Threat Protection.
A much-needed alternative to Security Defaults
To help our partners and their end customers, we have created a flexible alternative. Tech Data has launched Modern Workplace with Secure Score to help address some of the challenges and gaps of Security Defaults. We wanted to offer flexibility and control while establishing security preferences and addressing the risks associated with identity-based attacks. Furthermore, we have used our automation techniques and Azure Runbooks to apply Safe Attachments / Safe Links policies, Data Loss Prevention policies, mailbox auditing policies and other key settings on a regular schedule. This reduces the IT maintenance time and complexity of these time-consuming and error-prone tasks.
Here is a side by side comparison of Security Defaults and Tech Data’s Modern Workplace with Secure Score:
A few key points to highlight here are that we will automatically enforce MFA for all users; however, we also create an MFA exempt user group. This exempt user group allows organizations to identify and add users that cannot authenticate through MFA. This might include scanners and fax machines, or you may find that some third-party applications need to access a mailbox and cannot authenticate while MFA is enabled. The primary use case is to support Break Glass Emergency Access users. Accounts of this kind, with their differing authentication requirements, are highly recommended to help ensure organizations do not get locked out of their tenants [4].
The main premise is to enable partners and end customers with flexibility and a mechanism to authenticate users based on need. Our Modern Workplace with Secure Score solution accomplishes this through automation and allows for legacy authentication as needed. We hope this provides the much-needed security MFA delivers, while also preventing unnecessary business disruption.
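As an added illustration of the "MFA for everyone except an exempt group" pattern described above (this is not Tech Data's own runbook code), the following PowerShell enables per-user Azure MFA for every licensed user who is not a member of an exempt group. It assumes the MSOnline module is installed, an administrator has already run Connect-MsolService, and a group named 'MFA Exempt' (a hypothetical name) holds the break-glass and device accounts.

```powershell
# Added example, not the vendor's code. Assumes Connect-MsolService has
# already been run by an account with the User Administrator role.
$exemptGroupName = 'MFA Exempt'   # hypothetical group name

# Resolve the exempt group and collect its members' sign-in addresses.
$exemptGroup = Get-MsolGroup -SearchString $exemptGroupName | Select-Object -First 1
if (-not $exemptGroup) { throw "Exempt group '$exemptGroupName' was not found." }
$exemptUpns = Get-MsolGroupMember -GroupObjectId $exemptGroup.ObjectId -All |
    Select-Object -ExpandProperty EmailAddress

# Per-user MFA requirement. 'Enabled' prompts the user to register at next
# sign-in; 'Enforced' requires MFA on every sign-in (legacy clients then
# need app passwords), which is why the exempt group exists.
$requirement = New-Object Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

$changed = 0
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and ($_.UserPrincipalName -notin $exemptUpns) } |
    ForEach-Object {
        # Skip users that already carry an MFA requirement so the daily
        # run is idempotent and only reports real drift.
        if ($_.StrongAuthenticationRequirements.Count -eq 0) {
            Set-MsolUser -UserPrincipalName $_.UserPrincipalName `
                         -StrongAuthenticationRequirements @($requirement)
            Write-Output "Enabled MFA for $($_.UserPrincipalName)"
            $changed++
        }
    }

Write-Output "$changed user(s) newly required to register for MFA; $($exemptUpns.Count) exempt."
```

Because exempt accounts are identified by group membership, changes to that group show up in the Azure AD audit log, which is the control to watch when reviewing who is allowed to bypass MFA.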
Enhanced Security Policies as part of your security strategy
Looking beyond identity-based attacks, we felt a need to address other highly recommended security settings that should be considered as part of your security strategy. These include establishing Safe Attachments and Safe Links policies in Advanced Threat Protection to mitigate common email-based attacks, and protecting sensitive information by setting up Data Loss Prevention policies. Beyond that, we also enable mailbox auditing, block automatic email forwarding outside of the domain and create a password expiration policy, all through a fully automated schedule that verifies and applies the policies daily.
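The "verify and apply daily" step for two of the settings named above (mailbox auditing and blocking auto-forwarding to external domains), written as an added example rather than Tech Data's own runbook. It assumes the ExchangeOnlineManagement module is installed and the caller holds Exchange administrator rights; the function names are our own.

```powershell
# Added example, not the vendor's code. Requires the ExchangeOnlineManagement
# module; Connect-ExchangeOnline prompts for an Exchange admin sign-in.
Connect-ExchangeOnline -ShowBanner:$false

function Test-MailboxAuditBaseline {
    # Tenant-wide mailbox auditing is on when AuditDisabled is $false.
    # Returns $true when already compliant, $false when drift was corrected.
    $cfg = Get-OrganizationConfig
    if ($cfg.AuditDisabled) {
        Write-Warning 'Mailbox auditing was disabled tenant-wide; enabling it.'
        Set-OrganizationConfig -AuditDisabled $false
        return $false
    }
    return $true
}

function Test-AutoForwardBaseline {
    # The 'Default' remote domain governs mail to every external domain that
    # has no explicit remote-domain entry, so it is where outbound
    # auto-forwarding is switched off for the whole tenant.
    $default = Get-RemoteDomain -Identity Default
    if ($default.AutoForwardEnabled) {
        Write-Warning 'Auto-forwarding to external domains was allowed; blocking it.'
        Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
        return $false
    }
    return $true
}

# One row per control: $true = already compliant, $false = drift fixed this run.
$results = [ordered]@{
    MailboxAuditingEnabled = Test-MailboxAuditBaseline
    AutoForwardBlocked     = Test-AutoForwardBaseline
}
[pscustomobject]$results

Disconnect-ExchangeOnline -Confirm:$false
```

A `$false` in the output on any day after the first run means someone changed the setting in between, which is worth following up in the admin audit log rather than silently re-applying.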
For our partners, this is a great opportunity to create a security baseline and add value for their customers by offering a more robust and flexible alternative to Security Defaults. Beyond that, partners and Office 365 users should leverage Microsoft Secure Score, since it provides great insights, recommendations, and trends that allow Office 365 users to quickly identify additional areas in which to improve their security posture and take control of their security over time.
Learn more about Tech Data’s Modern Workplace with Secure Score TODAY
Shawn Jordan is a Global Solution Manager at Tech Data Cloud. As part of Tech Data’s Solution Factory, Shawn works daily to solve business challenges for partners – to design “Click-to-Run” solutions for simple, fast deployment. These solutions are developed by leveraging Tech Data’s vast technology expertise and ecosystem of vendors to deliver specific business outcomes in the areas of cloud, analytics and IoT, and security.