🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/microsoft365_compliance
Overview
4Dashboards
80Controls
21Queries
2Variables
GitHub

Control: 5.1.1.1 Ensure Security Defaults is disabled on Azure Active Directory

Description

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.

By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security default setting is manipulated in the Azure Portal.

The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.

The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.

For example, doing the following:

  • Requiring all users and admins to register for MFA.
  • Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
  • Disabling authentication from legacy authentication clients, which can’t do MFA.

Remediation

To disable security defaults:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Click to expand Identity select Overview
  3. Click Properties.
  4. Click Manage security defaults.
  5. Set the Security defaults dropdown to Disabled.
  6. Select Save.

To configure security defaults using Microsoft Graph PowerShell:

  1. Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess".
  2. Run the following Microsoft Graph PowerShell command:
$params = @{ IsEnabled = $false }
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter
$params

Warning:: It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA in order to make up the gap by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.

Default Value

Enabled.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_5_1_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_1_1_1 --share

SQL

This control uses a named query:

azuread_security_default_disabled

Tags

category = Compliance
cis = true
cis_item_id = 5.1.1.1
cis_level = 1
cis_section_id = 5.1.1
cis_type = manual
cis_version = v3.0.0
microsoft_365_license = E3
plugin = microsoft365
service = Azure/ActiveDirectory