Microsoft is taking a more aggressive step to try to protect users of Azure Active Directory from account compromise. In a new blog post, the company revealed that it’s adding multi-factor authentication as the default security setting for existing Azure customers who haven’t changed that setting on their own. This means that administrators and users alike will be required to set up MFA and use it to secure their logins each time they sign in.
Multi-factor authentication is still one of the best ways to protect accounts and data from compromise. The reason is simple: Anyone who attempts to sign into an account using stolen credentials won’t get very far without that second method of authentication, ideally provided by an app such as Microsoft Authenticator. In the blog post, Microsoft said that 99.9% of the hacked accounts that it has observed don’t have MFA enabled, putting them at risk for phishing attacks and other threats.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The default MFA setting has already been in effect for new Azure AD customers since October 2019. More than 30 million organizations have been operating with this default setting, which Microsoft said had led to 80% fewer compromises for that group as a whole. Most customers leave the setting as is, according to the company. Some beef up their security further with Conditional Access, a type of zero trust method that requires several conditions be met in order to grant access to data and other assets.
The latest change will apply to organizations that signed up for Azure AD prior to October 2019 and have not rolled out the tighter security defaults or turned to Conditional Access. The effort is especially aimed at companies that don’t have in-house security professionals or IT staffers who could otherwise analyze and implement the right type of security settings. Following the rollout of the new defaults, an additional 60 million accounts could be protected from the most common types of identity-based attacks, Microsoft said.
Microsoft will start rolling out the new settings to organizations that it considers a good fit for them, meaning those that haven’t adjusted the defaults, aren’t using Conditional Access or aren’t using legacy authentication clients. Starting in late June, global administrators of eligible customers will be notified of the change via email and receive a notice during sign-in prompting them to enable the new security defaults. They can snooze the option for as long as 14 days, after which time the new defaults will automatically be applied (Figure A).
Figure A
Once the new defaults are enabled, all users of the organization will be asked to register for MFA with the same 14-day grace period. Both admins and users will be prompted to set up MFA using the Microsoft Authenticator app, while admins will receive an additional recommendation to provide a phone number.
Any admins who want to apply the MFA requirement without waiting should follow the appropriate steps described in Microsoft’s deployment guide or Azure AD documentation. Admins who want to leave the new security defaults disabled can certainly do so. However, Microsoft asks that you share your reasons why via its Azure Active Directory feedback forum.
