Should You Rely on Azure AD Security Defaults for Your Enterprise?

December 5, 2022

Since 2019, Microsoft has been gradually rolling out a set of default security settings in Azure Active Directory, intended to encourage stronger identity security and move tenants away from legacy authentication.

In fact, as of May 2022, more than 30 million organizations were using Azure AD security defaults to enforce security standards within their environments, up sharply from just 60,000 tenants in January 2020.

But how effective are Microsoft’s security defaults for Azure AD, really? Are they reliable enough to be trusted with enterprise identity protection needs?

While the defaults offered by Microsoft are a good choice for small-scale companies dipping their toes into multi-factor authentication (MFA) for the first time, is it viable to use those same security defaults for enterprise-grade organizations?

Keep reading as we break down everything you need to know about Azure AD security defaults — including who they’re for, when you should use them, and what alternatives are available.

Azure AD Security Defaults: What They Really Are

According to Microsoft, 99.9% of identity-related attacks — including password spray, replay, and phishing — can be stopped by enabling multi-factor authentication for users within your organization’s ecosystem.

Security defaults are a set of identity protection best practices that Microsoft enables by default for every new tenant created in Azure AD. They enforce, among other things, multi-factor authentication requirements to protect against identity-based attacks on company systems.

At their core, the security defaults are all about providing a basic level of security to all organizations using Microsoft 365. They’re especially useful for organizations on the free tier of Azure Active Directory.

Should You Enable Security Defaults for Your Tenant?

Azure AD security defaults provide every organization on Microsoft 365 with a basic layer of identity protection that goes beyond what legacy authentication protocols offer. That doesn’t mean you should keep them enabled under all circumstances, however.

Here are a few cases where the Azure AD security defaults might not be a good fit for your organization’s infrastructure:

  • If you already have an Azure AD Premium license.
  • If your tenants are currently using Conditional Access Policies.
  • If your organization has complex security needs.

As a rule of thumb, security defaults aren’t a good fit for enterprise-grade organizations spread across multiple departments and locations. If your organization handles sensitive data or has a large workforce, you should consider using Conditional Access Policies to get stronger protection against identity-based attacks.

Conditional Access: Microsoft’s Answer to Enterprise Security

Conditional Access Policies (CAP) are a more granular alternative to security defaults that give you far more freedom and functionality in how you configure your access policies. They let you combine different authentication requirements to serve complex security needs.

A Conditional Access Policy is an if-then statement: if a sign-in matches the conditions an admin specifies (which users, which applications, which client app types, and so on), then the specified controls, such as multi-factor authentication, are required before access is granted. You can combine multiple conditions and controls to serve complex scenarios with more precise security policies.
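To make the if-then shape concrete, here is an added example (not code from the article or from Simeon) that creates a Conditional Access policy with the Microsoft Graph PowerShell SDK. The `conditions` block is the "if" (all users, all cloud apps, all client app types); `grantControls` is the "then" (require MFA). It assumes the Microsoft.Graph module is installed, the signed-in account holds the `Policy.ReadWrite.ConditionalAccess` permission, security defaults have already been turned off (a tenant cannot run security defaults and Conditional Access at the same time), and `<break-glass-account-object-id>` is a placeholder for the object ID of your emergency-access account.

```powershell
# Added example: a "require MFA for all users" Conditional Access policy via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed, Policy.ReadWrite.ConditionalAccess granted,
# security defaults disabled, and <break-glass-account-object-id> replaced with a real object ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Start in report-only mode: sign-ins are evaluated and logged but never blocked,
    # so the impact can be reviewed in the sign-in logs before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Exclude an emergency-access account so a misconfigured policy cannot lock out every admin.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Create the policy and keep the returned object so we can reference its ID.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the stored state before switching it on.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State

# Once the report-only results look right, enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

Starting in report-only mode and carving out a break-glass account are the two habits that keep a first CA rollout from becoming a tenant-wide lockout; the same hashtable can later be extended with location, device-platform, or sign-in-risk conditions without changing the overall if-then structure.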

If you’d like to know how to get started quickly with conditional access policies in Azure AD, check out our other article on the new conditional access policy templates from Microsoft.

Use Simeon to Automate Enterprise CAPs in Microsoft 365

Simeon Cloud is a configuration management tool for Microsoft 365. It helps you automate your entire security and compliance infrastructure with powerful baselines and advanced monitoring for your configurations in Azure AD.

With Simeon, you can easily create Conditional Access Policies for your tenants and roll them out at scale through a unified dashboard. You also gain access to detailed auditing and compliance monitoring to ensure that your CA policies don’t drift from your pre-established baseline configuration.

Simeon keeps you up to date on changes and notifies you every time a system admin modifies a Conditional Access Policy within your tenant. It also provides detailed audit logs to help you document every change.

Want to know more about how you can upgrade your organization’s security posture with Simeon? Sign up for a free demo to see it all in action!