MicrosoftDocs
diff --git a/‎articles/active-directory/fundamentals/media/security-defaults/approve-sign-in-request.png
94.1 KB b/‎articles/active-directory/fundamentals/media/security-defaults/approve-sign-in-request.png
94.1 KB
diff --git a/‎articles/active-directory/fundamentals/security-defaults.md
Lines changed: 15 additions & 54 deletions b/‎articles/active-directory/fundamentals/security-defaults.md
Lines changed: 15 additions & 54 deletions
@@ -1,6 +1,6 @@
 ---
 title: Providing a default level of security in Azure Active Directory
-description: Azure AD security defaults that help protect organizations from common identity attacks
+description: Get protected from common identity threats using Azure AD security defaults
 
 services: active-directory
 ms.service: active-directory
@@ -23,7 +23,7 @@ Microsoft is making these preconfigured security settings available to everyone,
 
 These basic controls include:
 
-- [Requiring all users to register for Azure AD Multifactor Authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication).
+- [Requiring all users to register for multifactor authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication).
 - [Requiring administrators to do multifactor authentication](#require-administrators-to-do-multifactor-authentication).
 - [Requiring users to do multifactor authentication when necessary](#require-users-to-do-multifactor-authentication-when-necessary).
 - [Blocking legacy authentication protocols](#block-legacy-authentication-protocols).
@@ -37,7 +37,7 @@ These basic controls include:
 ### Who should use Conditional Access?
 
 - If you're an organization with Azure Active Directory Premium licenses, security defaults are probably not right for you.
-- If your organization has complex security requirements, you should consider [Conditional Access](#conditional-access).
+- If your organization has complex security requirements, you should consider [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md#template-categories)
 
 ## Enabling security defaults
 
@@ -71,18 +71,22 @@ As part of enabling security defaults, administrators should revoke all existing
 
 ### Require all users to register for Azure AD Multifactor Authentication
 
-All users in your tenant must register for multifactor authentication (MFA) in the form of the Azure AD Multifactor Authentication. Users have 14 days to register for Azure AD Multifactor Authentication by using the [Microsoft Authenticator app](../authentication/concept-authentication-authenticator-app.md) or any app supporting [OATH TOTP](../authentication/concept-authentication-oath-tokens.md). After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
+All users have 14 days to register using the [Microsoft Authenticator app](../authentication/concept-authentication-authenticator-app.md) or any app supporting [OATH TOTP](../authentication/concept-authentication-oath-tokens.md). After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
+
+When users sign in and are prompted to perform multifactor authentication, they see a screen providing them with a number to enter in the Microsoft Authenticator app. This measure helps prevent users from falling for MFA fatigue attacks.
+
+:::image type="content" source="media/security-defaults/approve-sign-in-request.png" alt-text="Screenshot showing an example of the Approve sign in request window with a number to enter.":::
 
 ### Require administrators to do multifactor authentication
 
-Administrators have increased access to your environment. Because of the power these highly privileged accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Azure AD, you can get a stronger account verification by requiring multifactor authentication. 
+Administrators have increased access to your environment. Because of the power these highly privileged accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in, like requiring multifactor authentication. 
 
 > [!TIP]
 > Recommendations for your admins:
 > - Ensure all your admins sign in after enabling security defaults so that they can register for authentication methods.
 > - Have separate accounts for administration and standard productivity tasks to significantly reduce the number of times your admins are prompted for MFA.
 
-After registration with Azure AD Multifactor Authentication is finished, the following Azure AD administrator roles will be required to do extra authentication every time they sign in:
+After registration is finished, the following administrator roles will be required to do multifactor authentication every time they sign in:
 
 - Global Administrator
 - Application Administrator
@@ -105,14 +109,14 @@ We tend to think that administrator accounts are the only accounts that need ext
 
 After these attackers gain access, they can request access to privileged information for the original account holder. They can even download the entire directory to do a phishing attack on your whole organization. 
 
-One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete registration, they'll be prompted for another authentication whenever necessary. Azure AD decides when a user is prompted for multifactor authentication, based on factors such as location, device, role and task. This functionality protects all applications registered with Azure AD including SaaS applications.
+One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete registration, they'll be prompted for another authentication whenever necessary. Microsoft decides when a user is prompted for multifactor authentication, based on factors such as location, device, role and task. This functionality protects all registered applications, including SaaS applications.
 
 > [!NOTE]
 > In case of [B2B direct connect](../external-identities/b2b-direct-connect-overview.md) users, any multifactor authentication requirement from security defaults enabled in resource tenant will need to be satisfied, including multifactor authentication registration by the direct connect user in their home tenant.  
 
 ### Block legacy authentication protocols
 
-To give your users easy access to your cloud apps, Azure AD supports various authentication protocols, including legacy authentication. *Legacy authentication* is a term that refers to an authentication request made by:
+To give your users easy access to your cloud apps, we support various authentication protocols, including legacy authentication. *Legacy authentication* is a term that refers to an authentication request made by:
 
 - Clients that don't use modern authentication (for example, an Office 2010 client).
 - Any client that uses older mail protocols such as IMAP, SMTP, or POP3.
@@ -161,60 +165,18 @@ It's critical to inform users about upcoming changes, registration requirements,
 
 ### Authentication methods
 
-Security defaults users are required to register for and use Azure AD Multifactor Authentication using the [Microsoft Authenticator app using notifications](../authentication/concept-authentication-authenticator-app.md). Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option. Users can also use any third party application using [OATH TOTP](../authentication/concept-authentication-oath-tokens.md) to generate codes.
+Security defaults users are required to register for and use multifactor authentication using the [Microsoft Authenticator app using notifications](../authentication/concept-authentication-authenticator-app.md). Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option. Users can also use any third party application using [OATH TOTP](../authentication/concept-authentication-oath-tokens.md) to generate codes.
 
 > [!WARNING]
 > Do not disable methods for your organization if you are using security defaults. Disabling methods may lead to locking yourself out of your tenant. Leave all **Methods available to users** enabled in the [MFA service settings portal](../authentication/howto-mfa-getstarted.md#choose-authentication-methods-for-mfa).
 
-### Backup administrator accounts
-
-Every organization should have at least two backup administrators configured. We call these emergency access accounts.
-
-These accounts may be used in scenarios where your normal administrator accounts can't be used. For example: The person with the most recent global administrator access has left the organization. Azure AD prevents the last global administrator account from being deleted, but it doesn't prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
-
-Emergency access accounts are:
-
-- Assigned global administrator rights in Azure AD.
-- Aren't used on a daily basis.
-- Are protected with a long complex password.
- 
-The credentials for these emergency access accounts should be stored offline in a secure location such as a fireproof safe. Only authorized individuals should have access to these credentials. 
-
-To create an emergency access account: 
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as an existing Global Administrator.
-1. Browse to **Microsoft Entra ID (Azure AD)** > **Users** > **All users**.
-1. Select **New user** > **Create user**.
-1. Set the **User principal name** and **Display name** for this account.
-1. Create a long and complex password for the account.
-1. Under **Properties**, set **Usage location** to the appropriate location.
-1. Under **Assignments** > **Add role**, assign the **Global Administrator** role.
-1. Select **Create**.
-
-You may choose to [disable password expiration](../authentication/concept-sspr-policy.md#set-a-password-to-never-expire) for these accounts using Azure AD PowerShell.
-
-For more detailed information about emergency access accounts, see the article [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
-
 ### B2B users
 
 Any [B2B guest](../external-identities/what-is-b2b.md) users or [B2B direct connect](../external-identities/b2b-direct-connect-overview.md) users that access your directory are treated the same as your organization's users.
 
 ### Disabled MFA status
 
-If your organization is a previous user of per-user based Azure AD Multifactor Authentication, don't be alarmed to not see users in an **Enabled** or **Enforced** status if you look at the Multi-Factor Auth status page. **Disabled** is the appropriate status for users who are using security defaults or Conditional Access based Azure AD Multifactor Authentication.
-
-### Conditional Access
-
-You can use Conditional Access to configure policies similar to security defaults, but with more granularity. Conditional Access policies allow selecting other authentication methods and the ability to exclude users, which aren't available in security defaults. If you're using Conditional Access in your environment today, security defaults aren't available to you. 
-
-:::image type="content" source="media/security-defaults/security-defaults-conditional-access.png" alt-text="Screenshot showing the warning message that you can have security defaults or Conditional Access not both" lightbox="media/security-defaults/security-defaults-conditional-access.png":::
-
-If you want to enable Conditional Access to configure a set of policies, which form a good starting point for protecting your identities:
-
-- [Require MFA for administrators](../conditional-access/howto-conditional-access-policy-admin-mfa.md)
-- [Require MFA for Azure management](../conditional-access/howto-conditional-access-policy-azure-management.md)
-- [Block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md)
-- [Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)
+If your organization is a previous user of per-user based multifactor authentication, don't be alarmed to not see users in an **Enabled** or **Enforced** status if you look at the Multi-Factor Auth status page. **Disabled** is the appropriate status for users who are using security defaults or Conditional Access based multifactor authentication.
 
 ### Disabling security defaults
 
@@ -231,5 +193,4 @@ To disable security defaults in your directory:
 ## Next steps
 
 - [Blog: Introducing security defaults](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414)
-- [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md)
-- More information about Azure AD licensing can be found on the [Azure AD pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+- More information about licensing can be found on the [Azure AD pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).