Do security defaults disable this?

thecomputerguy

If security defaults are enabled for an organization ... are these disabled tenant-wide even though they are checked in and appear to be enabled in the user management section of O365?

1683582051237.png

I assume security defaults just overrides this?
 
Nope, doesn't impact available services at all. What it does do is disable legacy authentication. Which CAN have a de facto negative impact on some of those things, but not all of them.

POP/IMAP is basically dead once modern auth is enforced.
 
I see.

So in the above list, since POP/IMAP are dead after modern auth, technically the only "dangerous" service here would be authenticated SMTP which ... I think is disabled already by default in the tenant?

If not, then is there a mass way to do that across a tenant? PowerShell, which I suck at, probably?

This "manage email apps" page seems outdated.
 
It's not actually, but it doesn't show how to do it from the new Exchange Admin Center.

So if you're using https://admin.exchange.microsoft.com

Expand Recipients on the left, click mailboxes.

You'll see a list of mailboxes, tick the box at the very top to select them all, then click edit -> app settings.

Something you can check beyond that is in https://admin.microsoft.com, settings -> Org Settings -> Modern Authentication.

Both boxes should be checked, the lower one enforces modern auth for SMTP/POP3/IMAP, which for many purposes turns those services off. There are modern clients that can work, and those are OK because they'll MFA normally. Just make sure it's enforced.

These settings are overridden by conditional access.
 
Yeah, run the script or select all in the webUI. However, via the webUI, as you added users... they'd default to "on".
Microsoft deprecated legacy auth Jan of 2023... so tenants should have it disabled now. Doesn't technically disable IMAP/POP, but it makes access to those nixed. However, Microsoft recently announced they'll massage IMAP/POP to support modern auth. (Weird, and I see zero reason to spend time doing that... but, oh well, it's their stuff.) Not like I'm going to go do something crazy like configure Outlook to an Exchange mailbox and opt to use IMAP, or configure the native email client on a smartphone using it.

Another way I used to kill them globally before Jan 2023 was a Conditional Access policy that disabled legacy auth.

I also had a default login script from the early days before M365BizPrem when we did lots of E3 licenses, it tickled a ton of settings some of which were disabling IMAP/POP globally.
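
The tenant-wide change discussed above, as an added example that is not part of any post in this thread or a script from its participants: it reports mailboxes and mailbox plans that still allow POP, IMAP or SMTP AUTH, and only changes anything when run with `-Apply`. It assumes the ExchangeOnlineManagement module and an Exchange admin sign-in; the `-Apply` and `-SmtpAuthExempt` parameters are hypothetical names chosen for this example.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: audit, and optionally disable, POP / IMAP / SMTP AUTH across a tenant.
param(
    [switch]$Apply,                     # hypothetical switch: without it the script only reports
    [string[]]$SmtpAuthExempt = @()     # hypothetical list of mailboxes that must keep SMTP AUTH
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Organization-wide SMTP AUTH switch. Mailboxes whose own value is $null inherit it.
$org = Get-TransportConfig
"Org SmtpClientAuthenticationDisabled: $($org.SmtpClientAuthenticationDisabled)"

# 2. Existing mailboxes that still have one of the three protocols available.
$open = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false)
}
$open | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled,
    SmtpClientAuthenticationDisabled | Format-Table -AutoSize

# 3. Mailbox plans set the defaults for newly created mailboxes, which is why
#    users added after a select-all in the web UI come up with the protocols on.
$plans = Get-CASMailboxPlan | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$plans | Select-Object Name, PopEnabled, ImapEnabled | Format-Table -AutoSize

if ($Apply) {
    # Turn SMTP AUTH off for the organization.
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true

    # New mailboxes: POP and IMAP off by default.
    foreach ($plan in $plans) {
        Set-CASMailboxPlan -Identity $plan.Identity -PopEnabled $false -ImapEnabled $false
    }

    # Existing mailboxes found in step 2.
    foreach ($mbx in $open) {
        Set-CASMailbox -Identity ([string]$mbx.PrimarySmtpAddress) -PopEnabled $false `
            -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
    }

    # Explicit per-mailbox override for anything that must keep SMTP AUTH.
    foreach ($addr in $SmtpAuthExempt) {
        Set-CASMailbox -Identity $addr -SmtpClientAuthenticationDisabled $false
    }
}
```

Run it once without `-Apply` and review the two tables before making the change.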
 
I checked two tenants and neither of them had the ability to mass edit app settings per your instructions.

1683649786734.png

Also, as soon as security defaults get enabled, Modern Auth, at least in Org settings > Modern Auth, gets wrapped up into security defaults.

1683649895849.png
 
Ahh, I think I see the problem: you're not using the new Exchange admin center, you're using the old ECP. Click the button to use the new one, should be a switch at the top.

The old one works too, but it's actually under a right click menu I think.

Also, screw this forum's terrible handling of images... everything else on the planet I can just paste images into the box and have it work... not this hot mess.
 
Not quite sure what's going wrong for you, @Sky-Knight, but I'm able to paste images from the clipboard straight into messages here.

A quick and dirty example:
1683691979344.png

Taken with the snipping tool and directly pasted into the message.
 