5.1.1.1 Ensure Security Defaults is disabled on Azure Active Directory

Information

Security defaults in Microsoft Entra ID make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.

By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security default setting is manipulated in the Azure Portal.

The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.

Rationale:

Security defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.

For example, doing the following:

Requiring all users and admins to register for MFA.

Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.

Disabling authentication from legacy authentication clients, which can't do MFA.

Impact:

The potential impact associated with disabling of Security Defaults is dependent upon the security controls implemented in the environment. It is likely that most organizations disabling Security Defaults plan to implement equivalent controls to replace Security Defaults.

It may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.

Solution

To disable security defaults:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click to expand Identity select Overview

Click Properties.

Click Manage security defaults.

Set the Security defaults dropdown to Disabled.

Select Save.

To configure security defaults using Microsoft Graph PowerShell:

Connect to the Microsoft Graph service using Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'.

Run the following Microsoft Graph PowerShell command:

$params = @{ IsEnabled = $false }
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params

Warning: It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA to make up for the gap created by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.

Default Value:

Enabled.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: 48e4d244162502bc44c4cf2c2b8d41341afff7f777540f457ddad8105fd7a350