New clients MFA is all out of whack and not sure how to fix it.

Sky-Knight said:
Yeah the problem is Security Defaults does NOT enforce MFA on all users. It only enforces MFA on ADMINS. It uses MFA on users only at specific times, like accessing the security section of the account. It's not great...

BUT from what I've seen if the user takes the time to do phone signon, it'll consistently enforce MFA for the account.

And again if you see this behavior on the tenant open a ticket with Microsoft. They need to know people are upset they're taking away a feature to sell another $3 / month / user, and that isn't OK.

Docs for Security Defaults here: https://learn.microsoft.com/en-us/a...-do-multifactor-authentication-when-necessary

This is what's enforced on users
Click to expand...
I appreciate all your input on this thread. You are well beyond my knowledge and it's great to have someone like you here.
 
Sky-Knight said:
Yeah the problem is Security Defaults does NOT enforce MFA on all users. It only enforces MFA on ADMINS. It uses MFA on users only at specific times, like accessing the security section of the account. It's not great...
Click to expand...
man o man Im doing too many things here and not paying attention...deleted the wrong post.

learn.microsoft.com

Turn on MFA by using security defaults or Conditional Access - Microsoft 365 Business Premium

Learn how security defaults can help protect your organization from identity-related attacks by providing preconfigured security settings for Microsoft 365 Business Premium.
learn.microsoft.com

Im not sure what you mean by admins only? It states all users, which has been my experience with it as well for as long as I can remember. Does it allow you to granularly control all the different conditions like CA does, no, but its better than managing per-user mfa where over time things can get missed or someone can turn off the MFA and forget to re-enable it.
1682091982291.png

If OP doesnt have the manpower or expertise yet to tackle CA, then secdefaults is the next best thing to get some resemblance of security standards across the tenant.

thecomputerguy said:
Here's the problem.

In my test tenant I enabled security defaults for my tenant.

Then I registered a test user with security defaulted azure based MFA with Legacy MFA disabled (no business premium or conditional access enabled, only business standard).

Even after registration I was able to login to the account from a different computer/IP/location using single factor.

Why?

I did this by logging into a test computer in incognito I have at my uncle's company.

Why?
Click to expand...
Thats interesting. I have never seen that with a default tenant configuration with secdefaults enabled. It requires user when they login to setup MFA. Sure you have X days to put it off but after the grace period you are forced to set it up.

I just popped onto my dev sandbox and verified secdefaults were on, created a user, logged in, was prompted to setup MFA, and now whenever I login from anywhere I am prompted for the MFA code on the account.
 
putz said:
man o man Im doing too many things here and not paying attention...deleted the wrong post.

learn.microsoft.com

Turn on MFA by using security defaults or Conditional Access - Microsoft 365 Business Premium

Learn how security defaults can help protect your organization from identity-related attacks by providing preconfigured security settings for Microsoft 365 Business Premium.
learn.microsoft.com

Im not sure what you mean by admins only? It states all users, which has been my experience with it as well for as long as I can remember. Does it allow you to granularly control all the different conditions like CA does, no, but its better than managing per-user mfa where over time things can get missed or someone can turn off the MFA and forget to re-enable it.
View attachment 14538

If OP doesnt have the manpower or expertise yet to tackle CA, then secdefaults is the next best thing to get some resemblance of security standards across the tenant.


Thats interesting. I have never seen that with a default tenant configuration with secdefaults enabled. It requires user when they login to setup MFA. Sure you have X days to put it off but after the grace period you are forced to set it up.

I just popped onto my dev sandbox and verified secdefaults were on, created a user, logged in, was prompted to setup MFA, and now whenever I login from anywhere I am prompted for the MFA code on the account.
Click to expand...
Complete the Authentication Method migration, it won't pop anymore. It's only consistent when O365 Single User MFA is enforced, which is flipped all on with security defaults, and then flipped OFF when you complete the auth migration.

And again, the auth migration is being FORCED ON US coming September with completion to be done January.

The behavior you're observing is OUT OF DATE.

And yes, we all need to be screaming about it, because the old normal WORKED WONDERFULLY, and needs to be the new normal. But it isn't.
 
Sky-Knight said:
Yeah the problem is Security Defaults does NOT enforce MFA on all users. It only enforces MFA on ADMINS. It uses MFA on users only at specific times, like accessing the security section of the account. It's not great...

BUT from what I've seen if the user takes the time to do phone signon, it'll consistently enforce MFA for the account.

And again if you see this behavior on the tenant open a ticket with Microsoft. They need to know people are upset they're taking away a feature to sell another $3 / month / user, and that isn't OK.

Docs for Security Defaults here: https://learn.microsoft.com/en-us/a...-do-multifactor-authentication-when-necessary

This is what's enforced on users
Click to expand...
and you're sure thats not being confused with session persistence? It would seem very odd that you can log into any other device or application w/o being prompted for MFA just because you signed in somewhere else.

Ill dig into it a little later on when I have more time but that seems back-asswards.
 
putz said:
Im not sure what you mean by admins only? It states all users, which has been my experience with it as well for as long as I can remember.
View attachment 14538
Click to expand...
It states..."all users"....but...only states (looking at your yellow highlight)..that all users need to REGISTER for MFA. Doesn't mean it challenges MFA all the time, like when it should.

SD is very "fuzzy" with its logic...it's a very...very basic, sleep, lazy version of Risky Login logic. ...and it's far from consistent. Better than nothing, but not at all confidence inspiring.
 
YeOldeStonecat said:
It states..."all users"....but...only states (looking at your yellow highlight)..that all users need to REGISTER for MFA. Doesn't mean it challenges MFA all the time, like when it should.

SD is very "fuzzy" with its logic...it's a very...very basic, sleep, lazy version of Risky Login logic. ...and it's far from consistent. Better than nothing, but not at all confidence inspiring.
Click to expand...
interesting... I swear on any tenant accounts we still have left using only sec defs, I am always prompted for MFA on new sign-ins for regular users, no matter where I sign-in from. If for some reason it no longer works that way after moving to authentication policies, that's odd. I get that MS might have some fancy AI making those determinations, but all it takes is for it to be wrong 1 time. Just more a reason to keep pushing clients into more mature licensing like biz premium, especially if the goal is to get the moved completely to cloud. With all the other features you get, its worth it.
 
@YeOldeStonecat Is correct, and this is why I have tickets open with Azure.

@putz Yes, again this is normal behavior IF YOU'RE USING O365 MFA, which has been normal for years. If you have that feature configured, and you enable Security Defaults, Azure will always pop for MFA on login.

The problem is O365 MFA IS GOING AWAY, with forced migrations starting in September. So if you got into your Azure portal, did a search for Authentication and opened up the recently separated Azure AD Authentication Methods applet, you'll see the migration details right there, and if you COMPLETE that migration, O365 MFA is NOW DISABLED and you're left with the true Security Defaults.

Which does NOT ENFORCE MFA on users, unless they muck with specific "risky" operations. Unless the user enrolls in phone signon, which I HIGHLY encourage anyway. So my tenants haven't really noticed, but there's no enforcement anywhere so it's very squishy.

And again I have tickets open with Microsoft on this, because they removed a feature to sell it back... it doesn't look good. And all they have to do to "fix" the problem is CHANGE Security Defaults such that it enforces MFA on all users all the time. If a tenant in those conditions wants to get around that, the only fix becomes Conditional Access, which is now an easy upsell based on need, instead of stupid on the part of Microsoft.

Also, Security Defaults won't require MFA to join a machine to Azure AD... unless you get into AAD's device blade and flip the switch... which is also baffling.

P.S. @putz Look at your screen grab... read the 2nd bullet point until it sinks in.
 
Last edited:
Sky-Knight said:
@putz Yes, again this is normal behavior IF YOU'RE USING O365 MFA, which has been normal for years. If you have that feature configured, and you enable Security Defaults, Azure will always pop for MFA on login.
Click to expand...
Ahh yeah that makes sense. Im just so used to tenant accounts having the security defaults on by default, and we don't ever go in and mess with the 365 MFA settings anymore. I guess I didnt even realize MS was still factoring those in when security defaults are on.
 
Sky-Knight said:
@YeOldeStonecat Is correct, and this is why I have tickets open with Azure.

@putz Yes, again this is normal behavior IF YOU'RE USING O365 MFA, which has been normal for years. If you have that feature configured, and you enable Security Defaults, Azure will always pop for MFA on login.

The problem is O365 MFA IS GOING AWAY, with forced migrations starting in September. So if you got into your Azure portal, did a search for Authentication and opened up the recently separated Azure AD Authentication Methods applet, you'll see the migration details right there, and if you COMPLETE that migration, O365 MFA is NOW DISABLED and you're left with the true Security Defaults.

Which does NOT ENFORCE MFA on users, unless they muck with specific "risky" operations. Unless the user enrolls in phone signon, which I HIGHLY encourage anyway. So my tenants haven't really noticed, but there's no enforcement anywhere so it's very squishy.

And again I have tickets open with Microsoft on this, because they removed a feature to sell it back... it doesn't look good. And all they have to do to "fix" the problem is CHANGE Security Defaults such that it enforces MFA on all users all the time. If a tenant in those conditions wants to get around that, the only fix becomes Conditional Access, which is now an easy upsell based on need, instead of stupid on the part of Microsoft.

Also, Security Defaults won't require MFA to join a machine to Azure AD... unless you get into AAD's device blade and flip the switch... which is also baffling.

P.S. @putz Look at your screen grab... read the 2nd bullet point until it sinks in.
Click to expand...

That's pretty much exactly what I think about this situation. Per-user MFA is tedious ... since you have to enable it per user but it challenges MFA EVERYTIME.

I was able to test what was considered a "risky" login using security defaults by firing up a VPN and what I found was the MFA was not challenged in the following cases.

- Login to portal.office.com using a different computer
- Login to portal.office.com using a different computer at a different location
- Login to portal.office.com from an adjacent state (CA to Utah)
- Login to portal.office.com from a state across the country (CA to NY)

So what the hell is risky then?

MFA is only challenged when logging into portal.office.com then clicking "view account" which I believe sends you into Azure land which then does in fact challenge MFA.

BUT

You can still click Outlook and access the entirety of the users Outlook data without being challenged by MFA.

I can't imagine how a login from CA and then a login from NY in a matter of a few minutes doesn't trigger an MFA challenge.

This MFA stuff really would just be solved by requiring MFA on ALL users by enabling security defaults. It's honestly crazy to me that it isn't that way by default.

When I login to my free gmail account I get challenged every time using the conditions above. This SIMPLE but REQUIRED feature is now $22 a month for business premium. Yes I get it, you get other stuff that is well worth the cost but I'm only talking about MFA here.

True MFA should not be hidden behind ANY paywall EVER.

For Microsoft to do what you described above which was to remove an option and re-sell it to you just seems rediculous.
 
Azure Active Directory Premium P1 is $7.20 / user / month, $6 if you do an annual commitment.
Business Standard is $15 / user / month, or $12.50 if you do an annual commitment.
Business Premium is $26.40 / user / month, or $22 if you do an annual commitment.

So if you do pure month to month, it's $22.20 / user / month if you do Standard + AAD P1, which saves $4.20 / user / month relative to Premium.

But yes, I do very much see this, again MANDATORY change which goes into effect in September, is to force those on smaller subs to bolt in that extra $7.20 / user / month.

As for the definition of "risky", it's mucking with account security settings, or trying to setup an email forward. But yes, the attacker can read all he wants, he can DELETE all he wants. Though presumably if he reads too much or too many accounts he gets black listed into permanently having to POP MFA... but it's certainly NOT ENOUGH.

And we really need to keep screaming at Microsoft to make all MFA all the time the DEFAULT. I really think that's what will happen in the end, but this Summer is going to SUCK.
 
This thread has been very educational - digging out all of the nuances is next to impossible unless you make it a field of study. I'm grateful some of you have done that!
 
You must log in or register to reply here.

Similar threads

thecomputerguy
[O365] You don't often get email from XXX (Learn why this is important).
Replies
10
Views
371
thecomputerguy
thecomputerguy
thecomputerguy
I cannot possibly see how this MX record swap is going to work...
Replies
2
Views
313
thecomputerguy
thecomputerguy
thecomputerguy
New tenant, Global admin requiring MFA even though MFA & Security defaults are disabled.
Replies
5
Views
566
Sky-Knight
Sky-Knight
callthatgirl
Weird hack I can't figure out
2
Replies
21
Views
1K
Sky-Knight
Sky-Knight
thecomputerguy
Best way to forward 20+ addresses to new email after a company sale.
Replies
1
Views
414
mikeroq
mikeroq
Back
Top