Merge pull request #194424 from MicrosoftGuyJFlo/SecurityDefaultsSplit

tamarakhader · web-flow · commit e8a3c7c0e803 · 2022-04-12T12:45:35.000-04:00
[Azure AD] Conditional Access - Security Defaults Split
diff --git a/articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md b/articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 03/01/2022
+ms.date: 04/07/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,25 +19,17 @@ ms.custom: contperf-fy20q4
 ---
 # Security defaults in Azure AD
 
-Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more popular. Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:
+Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
 
-- Requiring all users to register for Azure AD Multi-Factor Authentication.
-- Requiring administrators to do multi-factor authentication.
-- Blocking legacy authentication protocols.
-- Requiring users to do multi-factor authentication when necessary.
-- Protecting privileged activities like access to the Azure portal.
+Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:
 
-## Why security defaults?
+- [Requiring all users to register for Azure AD Multi-Factor Authentication](#require-all-users-to-register-for-azure-ad-multi-factor-authentication).
+- [Requiring administrators to do multi-factor authentication](#require-administrators-to-do-multi-factor-authentication).
+- [Requiring users to do multi-factor authentication when necessary](#require-users-to-do-multi-factor-authentication-when-necessary).
+- [Blocking legacy authentication protocols](#block-legacy-authentication-protocols).
+- [Protecting privileged activities like access to the Azure portal](#protect-privileged-activities-like-access-to-the-azure-portal).
 
-Quoting Alex Weinert, Director of Identity Security at Microsoft:
-
-> ...our telemetry tells us that more than 99.9% of organization account compromise could be stopped by simply using MFA, and that disabling legacy authentication correlates to a 67% reduction in compromise risk (and completely stops password spray attacks, 100% of which come in via legacy authentication)...
-
-More details on why security defaults are being made available can be found in Alex Weinert's blog post, [Introducing security defaults](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414).
-
-Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant. To protect all of our users, security defaults are being rolled out to new tenants at creation.
-
-### Who's it for?
+## Who's it for?
 
 - Organizations who want to increase their security posture, but don't know how or where to start.
 - Organizations using the free tier of Azure Active Directory licensing.
@@ -46,17 +38,34 @@ Microsoft is making security defaults available to everyone. The goal is to ensu
 
 - If you're an organization currently using Conditional Access policies, security defaults are probably not right for you. 
 - If you're an organization with Azure Active Directory Premium licenses, security defaults are probably not right for you.
-- If your organization has complex security requirements, you should consider Conditional Access.
+- If your organization has complex security requirements, you should consider [Conditional Access](#conditional-access).
+
+## Enabling security defaults
+
+If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant. To protect all of our users, security defaults are being rolled out to all new tenants at creation.
+
+To enable security defaults in your directory:
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator, Conditional Access administrator, or global administrator.
+1. Browse to **Azure Active Directory** > **Properties**.
+1. Select **Manage security defaults**.
+1. Set the **Enable security defaults** toggle to **Yes**.
+1. Select **Save**.
+
+![Screenshot of the Azure portal with the toggle to enable security defaults](./media/concept-fundamentals-security-defaults/security-defaults-azure-ad-portal.png)
 
-## Policies enforced
+## Enforced security policies
 
-### Unified Multi-Factor Authentication registration
+### Require all users to register for Azure AD Multi-Factor Authentication
 
 All users in your tenant must register for multi-factor authentication (MFA) in the form of the Azure AD Multi-Factor Authentication. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app. After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
 
-### Protecting administrators
+### Require administrators to do multi-factor authentication
+
+Administrators have increased access to your environment. Because of the power these highly privileged accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Azure AD, you can get a stronger account verification by requiring multi-factor authentication. 
 
-Users with privileged access have increased access to your environment. Because of the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in. In Azure AD, you can get a stronger account verification by requiring multi-factor authentication. We recommend having separate accounts for administration and standard productivity tasks to significantly reduce the number of times your admins are prompted for MFA.
+> [!TIP]
+> We recommend having separate accounts for administration and standard productivity tasks to significantly reduce the number of times your admins are prompted for MFA.
 
 After registration with Azure AD Multi-Factor Authentication is finished, the following Azure AD administrator roles will be required to do extra authentication every time they sign in:
 
@@ -74,15 +83,15 @@ After registration with Azure AD Multi-Factor Authentication is finished, the fo
 - SharePoint administrator
 - User administrator
 
-### Protecting all users
+### Require users to do multi-factor authentication when necessary
 
 We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users. 
 
 After these attackers gain access, they can request access to privileged information for the original account holder. They can even download the entire directory to do a phishing attack on your whole organization. 
 
 One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for another authentication whenever necessary. Azure AD decides when a user will be prompted for Multi-Factor Authentication, based on factors such as location, device, role and task. This functionality protects all applications registered with Azure AD including SaaS applications.
 
-### Blocking legacy authentication
+### Block legacy authentication protocols
 
 To give your users easy access to your cloud apps, Azure AD supports various authentication protocols, including legacy authentication. *Legacy authentication* is a term that refers to an authentication request made by:
 
@@ -98,7 +107,7 @@ After security defaults are enabled in your tenant, all authentication requests
 
 - [How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)
 
-### Protecting privileged actions
+### Protect privileged activities like access to the Azure portal
 
 Organizations use various Azure services managed through the Azure Resource Manager API, including:
 
@@ -126,19 +135,35 @@ This policy applies to all users who are accessing Azure Resource Manager servic
 
 ## Deployment considerations
 
-The following extra considerations are related to deployment of security defaults.
+### Authentication methods
+
+Security defaults allow registration and use of Azure AD Multi-Factor Authentication **using only the Microsoft Authenticator app using notifications**. Conditional Access allows the use of any authentication method the administrator chooses to enable.
+
+| Method | Security defaults | Conditional Access |
+| --- | --- | --- |
+| Notification through mobile app | X | X |
+| Verification code from mobile app or hardware token | X** | X |
+| Text message to phone |   | X |
+| Call to phone |   | X |
+| App passwords |   | X*** |
 
-### Emergency access accounts
+- ** Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option.
+- *** App passwords are only available in per-user MFA with legacy authentication scenarios only if enabled by administrators.
 
-Every organization should have at least two emergency access account configured. 
+> [!WARNING]
+> Do not disable methods for your organization if you are using Security Defaults. Disabling methods may lead to locking yourself out of your tenant. Leave all **Methods available to users** enabled in the [MFA service settings portal](../authentication/howto-mfa-getstarted.md#choose-authentication-methods-for-mfa).
+
+### Backup administrator accounts
+
+Every organization should have at least two backup administrator accounts configured. We call these emergency access accounts.
 
 These accounts may be used in scenarios where your normal administrator accounts can't be used. For example: The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it doesn't prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
 
 Emergency access accounts are:
 
-- Assigned Global Administrator rights in Azure AD
-- Aren't used on a daily basis
-- Are protected with a long complex password
+- Assigned Global Administrator rights in Azure AD.
+- Aren't used on a daily basis.
+- Are protected with a long complex password.
  
 The credentials for these emergency access accounts should be stored offline in a secure location such as a fireproof safe. Only authorized individuals should have access to these credentials. 
 
@@ -155,58 +180,28 @@ To create an emergency access account:
 1. Under **Usage location**, select the appropriate location.
 1. Select **Create**.
 
-You may choose [disable password expiration](../authentication/concept-sspr-policy.md#set-a-password-to-never-expire) to for these accounts using Azure AD PowerShell.
+You may choose to [disable password expiration](../authentication/concept-sspr-policy.md#set-a-password-to-never-expire) for these accounts using Azure AD PowerShell.
 
 For more detailed information about emergency access accounts, see the article [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
 
-### Authentication methods
-
-These free security defaults allow registration and use of Azure AD Multi-Factor Authentication **using only the Microsoft Authenticator app using notifications**. Conditional Access allows the use of any authentication method the administrator chooses to enable.
-
-| Method | Security defaults | Conditional Access |
-| --- | --- | --- |
-| Notification through mobile app | X | X |
-| Verification code from mobile app or hardware token | X** | X |
-| Text message to phone |   | X |
-| Call to phone |   | X |
-| App passwords |   | X*** |
-
-- ** Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option.
-- *** App passwords are only available in per-user MFA with legacy authentication scenarios only if enabled by administrators.
-
-> [!WARNING]
-> Do not disable methods for your organization if you are using Security Defaults. Disabling methods may lead to locking yourself out of your tenant. Leave all **Methods available to users** enabled in the [MFA service settings portal](../authentication/howto-mfa-getstarted.md#choose-authentication-methods-for-mfa).
-
 ### Disabled MFA status
 
 If your organization is a previous user of per-user based Azure AD Multi-Factor Authentication, don't be alarmed to not see users in an **Enabled** or **Enforced** status if you look at the Multi-Factor Auth status page. **Disabled** is the appropriate status for users who are using security defaults or Conditional Access based Azure AD Multi-Factor Authentication.
 
 ### Conditional Access
 
-You can use Conditional Access to configure policies similar to security defaults, but with more granularity including user exclusions, which aren't available in security defaults. If you're using Conditional Access and have Conditional Access policies enabled in your environment, security defaults won't be available to you. More information about Azure AD licensing can be found on the [Azure AD pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+You can use Conditional Access to configure policies similar to security defaults, but with more granularity including user exclusions, which aren't available in security defaults. If you're using Conditional Access in your environment today, security defaults won't be available to you. 
 
 ![Warning message that you can have security defaults or Conditional Access not both](./media/concept-fundamentals-security-defaults/security-defaults-conditional-access.png)
 
-Here are step-by-step guides for Conditional Access to configure a set of policies, which form a good starting point for protecting your identities:
+If you want to enable Conditional Access to configure a set of policies, which form a good starting point for protecting your identities:
 
 - [Require MFA for administrators](../conditional-access/howto-conditional-access-policy-admin-mfa.md)
 - [Require MFA for Azure management](../conditional-access/howto-conditional-access-policy-azure-management.md)
 - [Block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md)
 - [Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)
 
-## Enabling security defaults
-
-To enable security defaults in your directory:
-
-1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator, Conditional Access administrator, or global administrator.
-1. Browse to **Azure Active Directory** > **Properties**.
-1. Select **Manage security defaults**.
-1. Set the **Enable security defaults** toggle to **Yes**.
-1. Select **Save**.
-
-![Screenshot of the Azure portal with the toggle to enable security defaults](./media/concept-fundamentals-security-defaults/security-defaults-azure-ad-portal.png)
-
-## Disabling security defaults
+### Disabling security defaults
 
 Organizations that choose to implement Conditional Access policies that replace security defaults must disable security defaults. 
 
@@ -222,4 +217,6 @@ To disable security defaults in your directory:
 
 ## Next steps
 
-[Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md)
+- [Blog: Introducing security defaults](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414)
+- [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md)
+- More information about Azure AD licensing can be found on the [Azure AD pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
