I'm dealing with an older Office 365 tenant, using a combination of Basic and Standard licenses, and I'm facing a tricky situation with Multi-Factor Authentication (MFA) and Security Defaults. Previously, all of my users had MFA set up and enforced, and it was working smoothly. However, after enabling Security Defaults, all those users suddenly show their MFA status as 'Disabled.' Despite this, I've noticed that some users can log in from new IP addresses (even when using a VPN) without being prompted for MFA. It feels like we're losing essential security here.
What's concerning me is that when I toggle the legacy MFA setting back to 'Enabled,' it prompts for MFA again as expected. So I'm stuck wondering: Should I keep Security Defaults enabled and also switch on legacy MFA? I know Conditional Access is the better route, but for various reasons, we can't pursue that right now. Am I overlooking anything crucial that might explain this MFA issue?
1 Answer
The main issue with Microsoft's Security Defaults is that it enforces an all-or-nothing setup for MFA, which takes away your ability to customize settings for individual users. Transitioning to Conditional Access might reveal that some of the older authentication methods still in use could cause problems during that transition. It’s best practice to check the Entra ID sign-in logs for failures before making changes, so you don't end up locking yourself out! Basic defaults are alright for a foundational setup but can complicate troubleshooting when identity issues arise.

I get that, but I need all accounts protected by MFA, not just some! When I create new accounts, I want them forced to set up MFA right away. It’s just frustrating that after enabling Security Defaults, the legacy users seem to have fallen off the MFA requirement entirely. Shouldn't they still be protected? It makes no sense that they can now log in with just a password.
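As an added example (not part of the question or the answer above), the following PowerShell uses the Microsoft Graph PowerShell SDK to do the sign-in log check the answer recommends: it lists successful sign-ins from the last N days that completed with only a single factor, grouped by user and source IP, alongside each user's MFA registration state. It assumes the Microsoft.Graph.Reports module is installed and an account that can consent to AuditLog.Read.All and UserAuthenticationMethod.Read.All; the function names are assumptions, not anything from the tenant or the thread.

```powershell
# Added example: find accounts that completed sign-in with only a password
# (single factor) and show whether they have an MFA method registered.
# Requires Microsoft.Graph.Reports; function names below are assumed.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-SingleFactorSignIn {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Server-side filter only on createdDateTime; status and requirement are
    # filtered client-side to avoid unsupported OData predicates.
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object {
            $_.Status.ErrorCode -eq 0 -and
            $_.AuthenticationRequirement -eq 'singleFactorAuthentication'
        }
}

function Get-SingleFactorSummary {
    param([int]$Days = 7)
    # Registration report: whether the user has any method that could satisfy
    # an MFA challenge at all (IsMfaRegistered / IsMfaCapable).
    $reg = @{}
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        ForEach-Object { $reg[$_.UserPrincipalName] = $_ }

    Get-SingleFactorSignIn -Days $Days |
        Group-Object UserPrincipalName, IPAddress |
        ForEach-Object {
            $first  = $_.Group[0]
            $detail = $reg[$first.UserPrincipalName]
            [pscustomobject]@{
                User          = $first.UserPrincipalName
                SourceIP      = $first.IPAddress
                SignIns       = $_.Count
                LastSeen      = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
                MfaRegistered = if ($detail) { $detail.IsMfaRegistered } else { 'unknown' }
                MfaCapable    = if ($detail) { $detail.IsMfaCapable } else { 'unknown' }
                CAStatus      = $first.ConditionalAccessStatus
            }
        }
}

# Review the last two weeks, most frequent password-only sign-ins first.
Get-SingleFactorSummary -Days 14 | Sort-Object SignIns -Descending | Format-Table -AutoSize
```

Rows with MfaRegistered false are users who could not have been challenged with a second factor regardless of which MFA setting is toggled, which is the first thing to reconcile before changing Security Defaults or legacy per-user MFA.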