Control: 5.1.1.1 Ensure Security Defaults is disabled on Azure Active Directory
Description
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.
By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security default setting is manipulated in the Azure Portal.
The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.
The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.
For example, doing the following:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
- Disabling authentication from legacy authentication clients, which can’t do MFA.
Remediation
To disable security defaults:
- Navigate to the
Microsoft Entra admin center
https://entra.microsoft.com. - Click to expand
Identity
selectOverview
- Click
Properties.
- Click
Manage security defaults.
- Set the
Security defaults
dropdown toDisabled.
- Select Save.
To configure security defaults using Microsoft Graph PowerShell:
- Connect to the Microsoft Graph service using
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess".
- Run the following Microsoft Graph PowerShell command:
$params = @{ IsEnabled = $false }Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter$params
Warning:: It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA in order to make up the gap by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.
Default Value
Enabled.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v300_5_1_1_1 --share
SQL
This control uses a named query:
azuread_security_default_disabled