MS Partner: Select Security Defaults or Conditional Access

If you are a Microsoft partner then you might have received this email and Microsoft should have just implemented it.

This is an important update regarding the mandatory partner security requirements. Effective February 29, 2020, Azure Active Directory (Azure AD) “baseline” policies will be removed and replaced with “security defaults”, a more comprehensive set of protection policies for you and your customers. Security defaults in Azure AD can help protect your organization from common security attacks with preconfigured settings.

Our system indicates that your organization currently uses baseline policies, but have not yet transitioned to security defaults. If you do not transition to security defaults before February 29, you will lose multi-factor authentication (MFA) enabled with baseline policies on your partner tenants. Please enable security defaults as soon as possible to stay compliant and avoid any business disruptions. If you have already fully transitioned to conditional access, you can ignore this message.

Key considerations

Security defaults policy is one of the options that partners can choose to implement MFA for the security requirements depending on their business needs. It offers a basic level of security enabled at no extra cost. Please review how to enable MFA for your organization with Azure AD and the key considerations below before enabling the security defaults. If security defaults do not meet your needs, consider other options.

• For the partners who are using conditional access, security defaults will not be available.

• Security defaults enforce all policies at once including the required MFA for admins policy, end user protection policy, and required MFA for service management.

• Blocking legacy authentication will not be enforced for partners at this time. However, as most events related to compromised identities come from sign-in attempts using legacy authentication, partners are encouraged to move away from these older protocols.

• Security defaults automatically excludes the Azure AD Connect Sync account.

• Security defaults are the general availability replacement of the preview baseline policies. Once a partner enables the security defaults, they will no longer be able to enable baseline policies.

Next steps and resources for security defaults

Partners who are currently using the baseline policies:

• Learn more about security defaults and enabling MFA for your organization

• Plan the transition from baseline policies to security defaults.

• Enable security defaults with one-click for each partner tenant as soon as possible.

Indirect providers:

• Inform your resellers in the Microsoft CSP program about the change (use this email template). Ensure that your resellers enable the security defaults if they are currently using baseline policies.

• Note: Microsoft will also directly communicate to your resellers who are currently using the baseline policies and have Partner Center contact information.

If you have any questions for the partner security requirements, please check out FAQs document and additional resources here.

We sincerely appreciate your partnership and commitment to ensuring our ecosystem runs on trust.

Baseline policy will be replaced by Security Defaults. If you don’t have security defaults then you are losing MFA and you fall under non-compliant partner.

If you are non-compliant partner then you can lose partnership, so staying compliant is important.

So, enable “Security Defaults” but if you are not willing to implement it then you have to configure the same policy in the conditional policy.

If you need to configure conditional policy then you need “Azure AD P1” license. One of the benefits of AADP1 is trusted IP addresses so that MFA will be prompted only when you are in public internet and internal will work like LAN connection.

We at Golden Five Consulting has implemented it. Let us know if we can be any help.

Best Regards,

Prabhat Nigam

CEO | LAEXUG Foundation

CTO | Golden Five Consulting


Leave Comment

Your email address will not be published. Required fields are marked *