Back in October 2019 – you know, before it all changed – Microsoft beta-tested a new baseline security program with 30 million users. We let the mega-computers crunch all of those numbers but the result was astoundingly clear: Adding things like MFA and conditional access to accounts made a world of difference.
To be fair that isn’t exactly a surprising find. While it’s our job to care about how nefarious types are trying to get into your data, you’re likely busy thinking about 99.9% of the rest of your business. Cakes, cookies, muffins, whatever kind of delicious baked goods you make. (And even if you don’t make baked goods, you should still keep reading..)
Even before this testing, Microsoft, and the industry as a whole, were well aware of the use of security features built-in, but not made mandatory, like multifactor authentication which prevents 99.9% of attempted breaches. So rather than let users languish after breaches that could have been presented by bare-minimum security standards being enabled, Microsoft has now created an all-new baseline security default that’s already protecting 30 million organizations.
In this blog, we’re going to look at what exactly Microsoft’s new baseline security defaults are and the details you need to know to keep your business safe.
Need to Know: Microsoft Baseline Security Defaults
As we were saying, in October 2019, new users were added to the Microsoft 365 platform with a new kind of “baseline security” in place regardless of license. This means that, as accounts were created, the minimum allowable security features were brought to a new level with defaulted settings for multifactor authentication and identity protection.
With over 30 million organizations protected by these automatic security defaults, the entire group has experienced 80% less compromise than other program users. Microsoft also found most users simply left the security settings on, while others decided to add even more security with Conditional Access when they became ready.
As terms and three-letter acronyms (TLAs) get tossed around, it can get difficult to keep track of what everything means. We wanted to define some common terms so that we’re all on the same page:
One of the most important tools to thwart unwanted attempts on your system, multifactor authentication adds an additional layer to your security, like combining a PIN and texted passcode with a biometric layer like a facial scan on a personal device.
This additional factor – knowledge, possession, inherence, or contex – creates a nearly impassable barricade between the hacker and information. By automatically setting MFA as the default for your Microsoft account, the baseline security is putting you in full control of all security, especially when an MFA hardware cryptographic device is used as recommended by NIST for AAL 3.
Another key addition to Microsoft’s baseline security, Azure Active Directory Identity Governance allows your organization to balance the need for security and employee productivity with the right processes and visibility for each user. The program uses entitlement management, access reviews, privileged identity management, and terms-of-use policies to make sure only the right people always have the right access to the right resources.
This program also aids in increasing productivity by streamlining access to apps, groups, and Microsoft Teams in one package. Users can be easily configured as approvers without involving administrators or additional time from upper management.
This may seem complicated but at its core, nothing could be simpler. Conditional access is like a guard at the front of a private dance club door – only allowing the people in who are dressed for the part and have the right invitation to come inside.
Conditional access to a computer then is an automated, intelligent way of bringing together rules that enforce specific company policies in specific situations that arise for your team. It sets standards for if-then statements, specifically that if a user wants access to something they must prove their proper identity.
Conditional access is also often the catalyst for when MFA needs to be used. Policies created through conditional accessing can get super detailed for specific actions while still keeping everyone safe, like mandating MFA being used for anyone with an administrative role or other management tasks, granting access from specific locations, and even requiring in-house devices to be used for access to work applications.
Will My Business Be Affected – and If So, When?
“When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing, and password reuse.” In a statement, Microsoft said, “Based on usage patterns, we’ll start [mandating MFA] with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.”
Going on to mention global admins of eligible tenants being notified through email, the statement also says that, starting in late June, users will start to receive the following prompt during sign-in: