I recently switched from Security Defaults to Conditional Access.

Kinkzter 1 Reputation point
2022-07-23T20:49:18.05+00:00

All of my users were using the Microsoft Authenticator App. I included all users, excluding myself. I included all Cloud apps. Under Grant, I selected "Require MFA" and "Require one of the selected controls". I created a special policy for myself that was nearly identical for Admins, and my Microsoft Authenticator App was fine. All of my users are broken. I have to "Require re-register MFA" on each user and set them back up.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

2 answers

  1. risolis 8,741 Reputation points
    2022-07-24T05:06:16.127+00:00

    Hello @Kinkzter

    Thank you for your post.

    I would like to get familiar with your concern a little bit more, if that is ok. From what I understood, you were using Security Defaults, but when swapping to Conditional Access you noticed that all of your users were broken.

    Could you please elaborate more on this statement: "All of my users were broken"?
    What were the modifications/conditions made at the moment of doing this?
    Did you configure any custom action conditions for risky users or groups?

    I just wanted to do a friendly reminder when using security defaults as shown below:


    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

    Finally, you may think of using this feature as an option as shown on the next picture.


    I hope this was useful for you to get a better picture of this : )

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Kinkzter 1 Reputation point
    2022-07-24T12:17:28.747+00:00

    Thank you so much for your response!

    I created four policies to try and match Security Defaults. A policy for Admins, which includes myself and also includes all of the administrator roles shown above in your picture. I created a role to block Legacy Authentication, as I already had this in place with Security Defaults. I created a policy for Azure Management. My last policy was specifically for users. Inside the End User Protection policy that I created, I included all users except for my ADSync and management accounts used for relay, such as copy machine scanners. I included All Cloud Apps. Under Grant Access I selected Require MFA and "Require one of the selected controls". I set a session for 90 days before needing to authenticate again, using Sign-in frequency.

    "Could you please elaborate more on this statement: 'All of my users were broken'?" With each individual user I am having to go into Azure under User, Authentication Methods, and "Require re-register Multifactor Authentication", because the Microsoft Authenticator won't allow them to use the business account previously created under Security Defaults to authenticate. It doesn't prompt them or give them a one-time passcode. It's broken for all users.
    "What were the modifications/conditions made at the moment of doing this?" I switched from Security Defaults to the policy I mentioned above for End User Protection.
    "Did you configure any custom action conditions for risky users or groups?" No sir.
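The End User Protection policy described in this reply, written out as a script so it can be deployed in report-only mode and checked against the sign-in logs before it is enforced. This is an added example, not code from the thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK, and the object IDs for the excluded accounts are placeholders.

```powershell
# Added example: recreate the "End User Protection" Conditional Access policy
# (all users, all cloud apps, require MFA, 90-day sign-in frequency) with the
# Microsoft Graph PowerShell SDK. It is created in report-only mode so the
# sign-in logs show what it would have done before it can lock anyone out.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$excludedAccounts = @(
    "00000000-0000-0000-0000-000000000001",  # placeholder: emergency-access (break-glass) account
    "00000000-0000-0000-0000-000000000002",  # placeholder: ADSync / Entra Connect service account
    "00000000-0000-0000-0000-000000000003"   # placeholder: SMTP relay account used by scanners
)

$policy = @{
    displayName = "End User Protection - Require MFA"
    # Report-only first; change to "enabled" only after reviewing the log results below.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $excludedAccounts }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"       # "Require one of the selected controls"
        builtInControls = @("mfa")   # "Require multifactor authentication"
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "days"; value = 90 }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review step: summarise how the report-only policy evaluated recent sign-ins.
# Result values include reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied
# and reportOnlyInterrupted; a large reportOnlyFailure count means users would
# have been blocked or challenged, so investigate those before enabling.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 500 |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Id -eq $created.Id } |
    Group-Object Result |
    Select-Object Name, Count
```

Run the policy in report-only mode for a few days of normal sign-ins before switching its state to "enabled", and keep the emergency-access account excluded from every MFA policy so an Authenticator problem like the one above cannot lock the admin out as well.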
