Security Defaults – MFA update to four administrator roles

From Microsoft Corporation

MC224734, Stay Informed, Published date: Oct 20, 2020, Admin impact, New feature

If you have Security Defaults enabled in your tenant, all Application Administrators, Cloud Application Administrators, Password Administrators, and Privileged Authentication Administrators will soon be required to perform multi-factor authentication (MFA) each time they sign in.

Key points

  • Timing: late November through early December
  • Roll-out: tenant level
  • Control type: admin control
  • Action: review and assess

How this will affect your organization

Security Defaults is an identity security feature. When enabled, it requires all users in a tenant to register for MFA using the Microsoft Authenticator App and to perform MFA whenever required. It also blocks all authentication requests coming from legacy authentication protocols.

When Security Defaults is enabled, a set of nine highly privileged Azure AD admin roles is required to perform MFA more frequently than other roles due to their privileged nature. This list of admin roles is expanding to include Application Administrator, Cloud Application Administrator, Password Administrator, and Privileged Authentication Administrator.

What you need to do to prepare

Please inform current and new Application Administrators, Cloud Application Administrators, Password Administrators, and Privileged Authentication Administrators that they will be prompted for MFA more frequently.

Bear in mind that Security Defaults is enabled by default for new tenants. If your tenant was created on or after October 22nd, 2019, it is possible security defaults have been enabled in your tenant.
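
To work out whether this change applies to your tenant and whom to notify, the following added example (not part of the original Microsoft notice) checks whether Security Defaults is enabled and lists the current members of the four roles named above. It assumes the Microsoft Graph PowerShell module is installed and that the signed-in account can consent to the read-only scopes shown.

```powershell
# Added example, not from the original notice.
# Assumes the Microsoft.Graph PowerShell module and read-only delegated scopes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Is Security Defaults turned on in this tenant?
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($policy.IsEnabled)"

# The four roles named in this notice.
$roleNames = @(
    'Application Administrator',
    'Cloud Application Administrator',
    'Password Administrator',
    'Privileged Authentication Administrator'
)

# Only roles that have been activated in the tenant exist as directoryRole objects,
# so a role that is missing here simply has no members to notify.
$activeRoles = Get-MgDirectoryRole -All

$report = foreach ($name in $roleNames) {
    $role = $activeRoles | Where-Object DisplayName -eq $name
    if (-not $role) {
        Write-Warning "Role '$name' is not activated in this tenant (no members)."
        continue
    }
    # Members can be users, service principals, or role-assignable groups.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role              = $name
            Type              = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName       = $props['displayName']
            UserPrincipalName = $props['userPrincipalName']
        }
    }
}

$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
```

The output covers active role members only; groups that appear in the list need to be expanded separately to reach the individual administrators.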