Azure Active Directory (AAD) Security Defaults allows you a quick and easy way to implement some base level security within your AAD network. Enabling Security Defaults implements the following:
- Requires every user to register for Multifactor Authentication
- Blocks legacy authentication protocols, such as SMTP, POP3, and many proprietary protocols used by older applications.
- Requires Multifactor Authentication before users can access high security areas, such as the Azure Portal and the Azure CLI.
One important limitation of Security Defaults is that you may NOT implement them if you have created any Conditional Access Policies. Conditional Access Policies provide more flexibility and are likely a better choice in the long run for your organization's security; but it may take you some time to determine which policies are appropriate and to implement them. In the meantime, Security Defaults are a good first step.
Configuring AAD Security Defaults
To configure AAD Security Defaults, first log onto the Azure Portal as an Administrator; then search for Azure Active Directory, as shown in Fig. 1.
The "Overview" blade of Azure Active Directory displays, as shown in Fig. 2.
In the left menu, click the [Properties] button (Fig. 3) to open the "Properties" blade, as shown in Fig. 4.
Click the "Manage security defaults" link (Fig. 5) to display the "Enable security defaults" dialog, as shown in Fig. 6.
Toggle, the "Enable security defaults" radio button to "Yes". If you see a warning message like the one shown in Fig. 7, this means that you have configured at least one Conditional Access Policy.
You may not enable Security Defaults unless you first delete all Conditional Access Policies. If this is what you want, exit this dialog and go to the Conditional Access Policies "Overview" blade: Azure Active Directory | Security | Conditional Access Policies.
After removing all Conditional Access Policies, repeat the above steps. The [Save] button in the "Enable security defaults" dialog will be enabled, as shown in Fig. 8.
Click the [Save] button to turn on Security Defaults.
In this article, you have learned how to quickly implement some basic security settings in an Azure Active Directory by enabling AAD Security Defaults. When you wish to implement more complex security rules, you may turn off Security Defaults and replace them with Conditional Access Policies and other security measures.