Let’s Talk About Office 365 Security Defaults


May 11, 2023 by Kyle Haas

Office 365 Security Defaults have been, well, the default for new Office 365 tenants since October 2019. Time flies; I remember when they were brand new and we couldn't figure out why everyone was suddenly being forced to do MFA. And here we are in 2022, and "being forced to do MFA" has been the new normal for a while now. In fact, almost everyone is okay with using MFA at this point, and cyber insurance providers won't even cover you if you're not using it.

Imagine if your auto insurance provider wouldn’t cover your car due to it being unfit for the road! At this point, using cloud-based apps without MFA is absolutely comparable to attempting to drive a car with only three wheels.

Office 365 Security Defaults make it simpler to defend your organization against the common identity attacks (password spray, credential replay, phishing of passwords alone) that hit every tenant, so please tell me you didn't disable them. But before we dive too deep, what are Security Defaults?


What Are Office 365 Security Defaults?

Security Defaults are a baseline set of identity policies, strongly recommended by Microsoft, that harden authentication to Office 365. They are all-or-nothing: when enabled, none of the individual policies can be tuned or excluded, which is exactly right for organizations that need this baseline and have no Conditional Access licensing. Specifically:

  • Holders of privileged admin roles (Global Administrator, Exchange Administrator, SharePoint Administrator, Security Administrator and the other admin roles Microsoft lists) must always use MFA.
  • All users must register an MFA method within 14 days of their first sign-in after the defaults are enabled; after that they are blocked until they register.
  • Every user is prompted for MFA whenever Azure AD decides it is necessary, such as a sign-in from a new device, a new location, or another risk signal.
  • Anyone accessing Azure management (the Azure portal, Azure CLI, or Azure PowerShell) must complete MFA; non-admins are not blocked outright, but they cannot get in on a password alone.
  • And finally, the one we all lament: all legacy authentication (Basic auth for IMAP, POP, SMTP AUTH, ActiveSync, and older Office clients) is blocked.
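Before you turn Security Defaults on (or decide whether they were ever on), you want to know two things: the current state of the setting, and who is still signing in with the legacy protocols the last bullet will cut off. The script below is an added example, not part of the original post; it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module), assumes you can consent to the listed scopes, and the 30-day window and the list of legacy client values are my choices rather than anything the post specifies.

```powershell
# Added example: audit Security Defaults state and list legacy-auth sign-ins.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run and the
# signed-in account can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# 1. Are Security Defaults enforced in this tenant?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Host "Security Defaults: ENABLED"
} else {
    Write-Warning "Security Defaults: DISABLED (verify that Conditional Access covers MFA and legacy auth instead)"
}

# 2. Which users/devices still use legacy authentication?
#    These clientAppUsed values (as shown in the Azure AD sign-in logs) are the
#    protocols Security Defaults block; anything not in this list is modern auth.
$legacyClients = @(
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3",
    "MAPI Over HTTP", "Exchange Web Services", "Exchange Online PowerShell",
    "Outlook Anywhere (RPC over HTTP)", "AutoDiscover", "Offline Address Book",
    "Other clients"
)
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Narrow by date server-side (sign-in logs can be large), then filter client-side.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$legacy  = $signIns | Where-Object { $legacyClients -contains $_.ClientAppUsed }

if (-not $legacy) {
    Write-Host "No legacy-auth sign-ins in the last 30 days; enabling the block should break nothing."
} else {
    # One row per (user, protocol, source IP). This is the exception list to deal
    # with first: copiers doing scan-to-email, old mail clients, service accounts.
    $legacy |
        Group-Object UserPrincipalName, ClientAppUsed, IPAddress |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.UserPrincipalName
                Protocol  = $first.ClientAppUsed
                SourceIP  = $first.IPAddress
                Attempts  = $_.Count
                Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } |
        Sort-Object Attempts -Descending |
        Format-Table -AutoSize
}
```

The Succeeded column matters as much as Attempts: a row with many attempts and zero successes from an unfamiliar IP is a password-spray or credential-stuffing campaign against a legacy endpoint, not a copier, and it is the strongest argument you will find for leaving the block in place.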

Let’s play Devil’s Advocate: maybe you have a great reason to disable Office 365 Security Defaults. Perhaps you’re already following the best practices by using Conditional Access, and making strict policies to govern who is allowed to access your organization; perhaps you’re restricting sign-ins to your home country, and you’re requiring MFA for everyone!

That would be great.

But something tells me that plenty of people disabled Security Defaults because their copier stopped doing Scan-to-Email, or the President’s legacy mail client from 2007 stopped working with Office 365.

Regardless of the scenario, just remember that we never want “to let the exception define the rule.” It’s perfectly acceptable to have an exception, but lowering the security of the entire organization is a terrible idea.

What You Can Do

What's the alternative for the cases I mentioned? For the copier, there are two supported paths that don't need a user credential at all: SMTP Direct Send, where the device submits unauthenticated mail straight to your tenant's MX endpoint and can only reach recipients inside your organization, or an SMTP relay, either an inbound connector in Exchange Online or an on-premises mail relay that forwards to Office 365, in both cases restricted to transmissions from your public IP. Whichever you choose, the IP restriction is the control: an unrestricted relay is an open relay with your domain's reputation attached.
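Here is the Exchange Online relay option from the paragraph above as an added example; it is not code from the original post. It assumes the ExchangeOnlineManagement module, an Exchange Administrator role, and that the office public IP and domain shown are placeholders for your own.

```powershell
# Added example: an Exchange Online inbound connector that relays scan-to-email
# from a copier without any mailbox credential on the device.
# Assumes: Install-Module ExchangeOnlineManagement; Exchange Administrator rights.
Connect-ExchangeOnline -ShowBanner:$false

$officeIp       = "203.0.113.10"   # placeholder: the copier's NAT'd public IP
$acceptedDomain = "contoso.com"    # placeholder: one of your verified accepted domains

# SenderDomains "*" lets the device use any From address in your domains;
# RestrictDomainsToIPAddresses makes the source-IP check mandatory, so mail that
# arrives from any other address is treated as ordinary untrusted inbound mail.
$params = @{
    Name                         = "Copier SMTP relay ($officeIp)"
    ConnectorType                = "OnPremises"
    SenderDomains                = "*"
    SenderIPAddresses            = $officeIp
    RestrictDomainsToIPAddresses = $true
    RequireTls                   = $true   # set to $false only if the copier cannot do STARTTLS
    Comment                      = "Scan-to-email relay; authenticated SMTP intentionally not used"
}
New-InboundConnector @params

# The device points at the tenant's MX host on port 25 (the same host Direct Send uses);
# look it up rather than guessing the "<domain>-com.mail.protection.outlook.com" form.
$mx = (Resolve-DnsName -Name $acceptedDomain -Type MX | Sort-Object Preference)[0].NameExchange
Write-Host "Configure the copier: SMTP server $mx, port 25, no authentication, TLS on"

# Sanity check: every connector that accepts mail should be pinned to known IPs.
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderIPAddresses, RestrictDomainsToIPAddresses |
    Format-Table -AutoSize
```

If the copier is the only thing behind that public IP, this is as tight as it gets; if the address is shared (a coworking space, a carrier-grade NAT), anyone else behind it can send mail as your domain through this connector, and the on-premises relay, which can require a local credential from the device, is the better choice.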

For the dysfunctional mail client, I would suggest moving the user to an app that is actually supported for Office 365, and helping them transition to OWA if necessary. It's true that an MFA exception could be made for this single user from this single location, but understand what that exception does and does not buy: it relaxes the MFA prompt, it does not bring back Basic authentication, which Exchange Online has retired tenant-wide for every protocol except SMTP AUTH regardless of your policies. A 2007-era client that only speaks Basic auth stays broken either way; the exception only helps a client that supports modern authentication but cannot complete the MFA prompt.

If you're already paying for Azure AD Premium P1/P2, Microsoft 365 Business Premium, or EMS E3/E5 licensing, then you are already licensed for Conditional Access, and you had better be using it. If you're using Security Defaults but have one of those licenses, you have the ability to provide even better security for your organization: the same baseline, plus exclusions for break-glass accounts, named-location rules, and device and risk conditions. Note that the two are mutually exclusive; Azure AD will not let you enable a Conditional Access policy while Security Defaults are on, so build the replacement policies first, review them in report-only mode, and only then flip the switch.
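This is what the Conditional Access replacement for Security Defaults looks like, including the single-user, single-location exception from the mail-client paragraph above. It is an added example and not code from the original post. It uses the Microsoft Graph PowerShell SDK and assumes three things that are not in the post: two existing security groups named CA-BreakGlass and CA-MFA-Exception, an office public IP of 203.0.113.10 (a placeholder), and that Security Defaults are already disabled, since Azure AD rejects enabling these policies otherwise. Policies are created in report-only state so you can read the sign-in log before enforcing them.

```powershell
# Added example: Conditional Access policies that reproduce Security Defaults
# (block legacy auth, MFA for everyone) with a scoped exception for one user
# from one location. Assumes the Microsoft.Graph module and the groups named below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All" -NoWelcome

# Assumed groups: break-glass admins (excluded from everything) and the one exception user.
$breakGlass = (Get-MgGroup -Filter "displayName eq 'CA-BreakGlass'").Id
$exception  = (Get-MgGroup -Filter "displayName eq 'CA-MFA-Exception'").Id
if (-not $breakGlass -or -not $exception) { throw "Create the CA-BreakGlass and CA-MFA-Exception groups first." }

# Named location for the single office the exception applies to (placeholder IP).
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ public IP"
    isTrusted     = $false
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" })
}

# Start every policy in report-only; switch to "enabled" after reviewing the sign-in log.
$reportOnly = "enabledForReportingButNotEnforced"

# CA001: block legacy authentication for everyone except break-glass.
# clientAppTypes exchangeActiveSync + other is how Conditional Access expresses "legacy auth".
$blockLegacy = @{
    displayName   = "CA001: Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# CA002: require MFA for all users, all apps; exception group excluded here and
# covered by CA003 instead, so the exemption is limited to one location.
$mfaAll = @{
    displayName   = "CA002: Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass, $exception) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# CA003: the exception user still gets MFA from anywhere other than the office IP.
$mfaExceptionOffsite = @{
    displayName   = "CA003: Require MFA for exception group outside HQ"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeGroups = @($exception) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $mfaAll, $mfaExceptionOffsite)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created {0} [{1}] state={2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Note what CA003 does not do: it does not exempt the exception user from CA001, so a Basic-auth-only client is still blocked even at the office. That is deliberate; the exception narrows the MFA prompt, not the protocol floor. Keep the break-glass group to one or two cloud-only accounts with long random passwords stored offline, and alert on any sign-in by them.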

At the end of the day, I hope that everyone at least knows where they fall on the spectrum. Some organizations would benefit greatly from enabling Security Defaults, and yet do not know they exist. Other organizations will never use Security Defaults—either because they are already implementing BETTER security—or they are settling for convenience over security. Let’s get one thing straight: strict MFA policies are here to stay, and everyone needs to get onboard, or risk everything.

Whether you need help determining whether you should implement Security Defaults, whether you should transition to Conditional Access, or anything in-between—give us a shout. We would be more than happy to help you make the best decisions for your organization, and help you provide the best experience and security for your users through our proven processes and Layered Security Strategy.

If you’d like to learn more about how we can help you with Office 365 Security, please contact us and call 502-240-0404 or email us at info@mirazon.com.
