Control: 1.1.1 Ensure Security Defaults are disabled on Azure Active Directory

Description

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.

By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security-enabled. The security default setting is manipulated in the Azure Portal.

The use of security defaults however, will prohibit custom settings which are being set with more advanced settings from this benchmark.

Security defaults provide secure default settings that are manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.

For example doing the following:

• Requiring all users and admins to register for MFA.
• Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
• Disabling authentication from legacy authentication clients, which can’t do MFA.

Remediation

To disable security defaults:

1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Azure Active Directory select Overview.
3. Click Properties.
4. Click Manage security defaults.
5. Set the Security defaults dropdown to Disabled.
6. Select Save.

To configure security defaults using Microsoft Graph PowerShell:

1. Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess".
2. Run the following Microsoft Graph PowerShell command:

$params = @{ IsEnabled = $false } Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params

Default Value: Enabled.