Microsoft Entra IDOverview
If your organization pays for Microsoft Entra ID licensing (included in Microsoft 365 E3, E5, or F5, and EM&S E3 or E5 licenses) and CAN use Conditional Access, ignore the recommendations in this section and proceed to the Conditional Access section.
Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.
Rationale
Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
For example, doing the following:
- Requiring all users and admins to register for MFA.
- Challenging users with MFA - when necessary, based on factors such as location, device, role, and task.
- Disabling authentication from legacy authentication clients, which can't do MFA.
Impact
This recommendation should be implemented initially and then may be overridden by other service/product-specific CIS Benchmarks. Administrators should also be aware that certain configurations in Microsoft Entra ID may impact other Microsoft services, such as Microsoft 365.
Default Value
If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.
References
- https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/conceptfundamentals-security-defaults
- https://techcommunity.microsoft.com/t5/azure-active-directoryidentity/introducing-security-defaults/ba-p/1061414
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identitymanagement#im-2-protect-identity-and-authentication-systems
Remediation guidance
From Azure Portal
To enable security defaults in your directory:
- Open Entra ID Tenant | Properties
- Select
Manage security defaults - Set
Security defaultstoEnabled - Select Save
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Microsoft Entra ID
Use tenant-wide Conditional Access, role settings, authentication policies, and identity governance baselines so the control is enforced centrally.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Entra connectors with security defaults disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { cloudProvider: "entra", securityDefaultsEnabled: false }) {
...AssetFragment
}
}
