[{"data":1,"prerenderedAt":1511},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/microsoft-rolls-out-security-defaults-for-azure-ad-to-secure-access":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":515,"faqItemsCollection":516,"faqTitle":62,"featured":6,"hashTags":62,"meta":518,"metaTitle":519,"ogImage":62,"publishedDate":520,"relatedBlogPostsCollection":521,"slug":1477,"stem":1478,"subtitle":62,"summary":1479,"synopsis":1500,"sys":1501,"tagsCollection":1504,"__hash__":1510},"blog/blog/microsoft-rolls-out-security-defaults-for-azure-ad-to-secure-access.json","Microsoft rolls out Security Defaults for Azure AD to secure access",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Sally Soulliere","Sally","Head of Brand & Content",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7Gh4SbbEj6Zsbd6OzGto8Q/885041a4ddeccc5ef3045c0e22975ef4/T016S22KZ96-U036FPETQRH-330f87708d26-192.jpeg",{"json":238,"links":510},{"data":239,"content":240,"nodeType":509},{},[241,278,285,292,312,320,340,347,354,361,381,388,448,468,475,482,489],{"data":242,"content":243,"nodeType":277},{},[244,249,260,264,273],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"Microsoft announced recently they are starting to roll out ","text",{"data":250,"content":252,"nodeType":259},{"uri":251},"https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",[253],{"data":254,"marks":255,"value":258,"nodeType":248},{},[256],{"type":257},"underline","Security Defaults","hyperlink",{"data":261,"marks":262,"value":263,"nodeType":248},{},[]," for tenants who haven’t already turned them on or are using Conditional Access. Alex Weinhart, Director of Identity Security at Microsoft, wrote up a really ",{"data":265,"content":267,"nodeType":259},{"uri":266},"https://techcommunity.microsoft.com/t5/azure-active-directory-identity/raising-the-baseline-security-for-all-organizations-in-the-world/ba-p/3299048",[268],{"data":269,"marks":270,"value":272,"nodeType":248},{},[271],{"type":257},"good summary",{"data":274,"marks":275,"value":276,"nodeType":248},{},[]," of the change that you should read first. ","paragraph",{"data":279,"content":280,"nodeType":277},{},[281],{"data":282,"marks":283,"value":284,"nodeType":248},{},[],"Security Defaults primarily focuses on leveling up your basic security hygiene, turning on identity and access controls like Multi-Factor Authentication (MFA) for everyone and enforcing greater protection for privileged activities like admin actions or accessing Azure. For smaller IT teams, those without IT teams, or those that simply didn’t know where to start securing Azure AD, this is an incredibly powerful move toward improving their overall security. ",{"data":286,"content":287,"nodeType":277},{},[288],{"data":289,"marks":290,"value":291,"nodeType":248},{},[],"Admins of eligible tenants will receive an email giving them heads up of the change and then, according to Microsoft’s post, will get prompts to enable Security Defaults later this month, which they can defer for up to 14 days so you should let Azure admins and users in your company know ASAP - share this post with them and make sure they understand what to expect. Once enabled, users will then get a further 14 days to register for MFA.",{"data":293,"content":294,"nodeType":277},{},[295,299,308],{"data":296,"marks":297,"value":298,"nodeType":248},{},[],"For those of you who have already turned on these defaults or are using Conditional Access, nothing should change. If you’ve previously explicitly opted out of MFA and the other controls included in the defaults, Microsoft says you also ",{"data":300,"content":302,"nodeType":259},{"uri":301},"https://techcommunity.microsoft.com/t5/azure-active-directory-identity/raising-the-baseline-security-for-all-organizations-in-the-world/bc-p/3455314/highlight/true#M4310",[303],{"data":304,"marks":305,"value":307,"nodeType":248},{},[306],{"type":257},"won’t be affected",{"data":309,"marks":310,"value":311,"nodeType":248},{},[],". That said, you may also choose to opt out of this rollout – but please don’t! Microsoft has reported 99.9% of hacked accounts don’t have MFA so this change will prevent a lot of attacks.",{"data":313,"content":314,"nodeType":319},{},[315],{"data":316,"marks":317,"value":318,"nodeType":248},{},[],"What’s included in Security Defaults?","heading-2",{"data":321,"content":322,"nodeType":277},{},[323,327,336],{"data":324,"marks":325,"value":326,"nodeType":248},{},[],"Microsoft has a detailed writeup on what Security Defaults means ",{"data":328,"content":330,"nodeType":259},{"uri":329},"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",[331],{"data":332,"marks":333,"value":335,"nodeType":248},{},[334],{"type":257},"here",{"data":337,"marks":338,"value":339,"nodeType":248},{},[],". Primarily, it means all users have to register for MFA and they’ll be prompted to use it when necessary (“based on factors such as location, device, role and task”). Admins, or anyone accessing the Azure portal, have to use MFA on every login. ",{"data":341,"content":342,"nodeType":277},{},[343],{"data":344,"marks":345,"value":346,"nodeType":248},{},[],"Security Defaults also blocks legacy authentication protocols. Microsoft adds, “even if you have a Multi-Factor Authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass Multi-Factor Authentication.” Essentially, if you’re using legacy authentication, MFA really isn’t being enforced and is easily bypassed.",{"data":348,"content":349,"nodeType":277},{},[350],{"data":351,"marks":352,"value":353,"nodeType":248},{},[],"There are a few additional measures taken by the security defaults, so take a look at their full list to know what to expect. ",{"data":355,"content":356,"nodeType":319},{},[357],{"data":358,"marks":359,"value":360,"nodeType":248},{},[],"Do I need to do anything to prepare for the rollout?",{"data":362,"content":363,"nodeType":277},{},[364,368,377],{"data":365,"marks":366,"value":367,"nodeType":248},{},[],"We previously wrote some key points to consider when turning on Security Defaults and those are all still valid, so take a look at ",{"data":369,"content":371,"nodeType":259},{"uri":370},"https://pushsecurity.com/blog/how-to-set-up-multi-factor-authentication-for-microsoft-365/",[372],{"data":373,"marks":374,"value":376,"nodeType":248},{},[375],{"type":257},"that post",{"data":378,"marks":379,"value":380,"nodeType":248},{},[],".",{"data":382,"content":383,"nodeType":277},{},[384],{"data":385,"marks":386,"value":387,"nodeType":248},{},[],"There are a few challenges to consider before enabling Security Defaults that we wanted to mention: ",{"data":389,"content":390,"nodeType":447},{},[391,402,412],{"data":392,"content":393,"nodeType":401},{},[394],{"data":395,"content":396,"nodeType":277},{},[397],{"data":398,"marks":399,"value":400,"nodeType":248},{},[],"Everyone needs to use the Microsoft Authenticator, which means everyone needs access to a smartphone they are willing to use to install the app.","list-item",{"data":403,"content":404,"nodeType":401},{},[405],{"data":406,"content":407,"nodeType":277},{},[408],{"data":409,"marks":410,"value":411,"nodeType":248},{},[],"MFA will be enforced for all accounts - no exceptions. ",{"data":413,"content":414,"nodeType":401},{},[415],{"data":416,"content":417,"nodeType":277},{},[418,422,430,434,443],{"data":419,"marks":420,"value":421,"nodeType":248},{},[],"Legacy authentication is blocked. This is a very very good thing, but it may cause some disruption if you aren’t prepared for it. ",{"data":423,"content":424,"nodeType":259},{"uri":266},[425],{"data":426,"marks":427,"value":429,"nodeType":248},{},[428],{"type":257},"Microsoft have said",{"data":431,"marks":432,"value":433,"nodeType":248},{},[]," that they are going to initially target organizations who aren’t actively using legacy authentication, but you should still be prepared for the change if you are using it. If you aren’t sure, you can follow ",{"data":435,"content":437,"nodeType":259},{"uri":436},"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#identify-legacy-authentication-use",[438],{"data":439,"marks":440,"value":442,"nodeType":248},{},[441],{"type":257},"this guide",{"data":444,"marks":445,"value":446,"nodeType":248},{},[]," to see if legacy authentication is still in use for your tenant. ","ordered-list",{"data":449,"content":450,"nodeType":277},{},[451,455,464],{"data":452,"marks":453,"value":454,"nodeType":248},{},[],"If any of those challenges are show stoppers for you, you’ll have to look at other MFA options for 365. Unfortunately, that means you need to make sure everyone has an Azure AD Premium P1 license so you can use ",{"data":456,"content":458,"nodeType":259},{"uri":457},"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview",[459],{"data":460,"marks":461,"value":463,"nodeType":248},{},[462],{"type":257},"Conditional Access",{"data":465,"marks":466,"value":467,"nodeType":248},{},[],". Or, you could opt-out of using Security Defaults, so nothing changes, but we wouldn’t recommend it - all the changes are being made with good reason. ",{"data":469,"content":470,"nodeType":319},{},[471],{"data":472,"marks":473,"value":474,"nodeType":248},{},[],"This is a good thing for security",{"data":476,"content":477,"nodeType":277},{},[478],{"data":479,"marks":480,"value":481,"nodeType":248},{},[],"Overall, this is a very powerful move for security and will level up the security hygiene for all those organizations who don’t have the resources to think hard about security - Microsoft estimates it will enhance the protection of around 60 million accounts! The only downside in our opinion is that to use granular controls (e.g. break glass accounts, enhanced protection for VIPs etc.) around MFA and access, you need to pay for the higher tier Azure AD Premium P1 license and use Conditional Access.",{"data":483,"content":484,"nodeType":277},{},[485],{"data":486,"marks":487,"value":488,"nodeType":248},{},[],"Microsoft’s rationale is that if you have those sorts of “complex requirements”, you should  already be on the higher tier since Security Defaults are intended for organizations who don’t have the resources to consider security.",{"data":490,"content":491,"nodeType":277},{},[492,496,505],{"data":493,"marks":494,"value":495,"nodeType":248},{},[],"Should tech leaders require that users pay more to get the strongest access controls to their product? I bet you can guess our answer to that question… Hit us up on ",{"data":497,"content":499,"nodeType":259},{"uri":498},"https://twitter.com/PushSecurity",[500],{"data":501,"marks":502,"value":504,"nodeType":248},{},[503],{"type":257},"Twitter ",{"data":506,"marks":507,"value":508,"nodeType":248},{},[],"to discuss. ","document",{"entries":511},{"hyperlink":512,"block":513,"inline":514},[],[],[],"json",{"items":517},[],{},"Microsoft rolls out Security Defaults for Azure AD","2022-06-15T00:00:00.000+01:00",{"items":522},[523,1040],{"__typename":524,"sys":525,"content":527,"title":1015,"synopsis":1016,"hashTags":1017,"publishedDate":1020,"slug":1021,"tagsCollection":1022,"authorsCollection":1032},"BlogPosts",{"id":526},"4mmRSzpyYVed9NMTjePYm6",{"json":528},{"nodeType":509,"data":529,"content":530},{},[531,538,545,577,585,592,599,606,613,620,627,634,653,660,667,674,680,687,762,769,792,809,815,821,864,870,905,921,928,934,998],{"nodeType":277,"data":532,"content":533},{},[534],{"nodeType":248,"value":535,"marks":536,"data":537},"Microsoft often has lots of flexibility but it can be hard or time-consuming to figure out all the options and make an informed decision. This post summarises your options for using MFA in Microsoft 365, helps you quickly eliminate some, and gives you the information you need to consider what’s left.",[],{},{"nodeType":277,"data":539,"content":540},{},[541],{"nodeType":248,"value":542,"marks":543,"data":544},"At a high level, you’ve got three choices:",[],{},{"nodeType":546,"data":547,"content":548},"unordered-list",{},[549,558,567],{"nodeType":401,"data":550,"content":551},{},[552],{"nodeType":277,"data":553,"content":554},{},[555],{"nodeType":248,"value":258,"marks":556,"data":557},[],{},{"nodeType":401,"data":559,"content":560},{},[561],{"nodeType":277,"data":562,"content":563},{},[564],{"nodeType":248,"value":463,"marks":565,"data":566},[],{},{"nodeType":401,"data":568,"content":569},{},[570],{"nodeType":277,"data":571,"content":572},{},[573],{"nodeType":248,"value":574,"marks":575,"data":576},"Legacy MFA (also referred to as “per-user MFA”)",[],{},{"nodeType":578,"data":579,"content":580},"heading-1",{},[581],{"nodeType":248,"value":582,"marks":583,"data":584},"Some quick decisions",[],{},{"nodeType":319,"data":586,"content":587},{},[588],{"nodeType":248,"value":589,"marks":590,"data":591},"Do you have Azure AD Premium licenses?",[],{},{"nodeType":277,"data":593,"content":594},{},[595],{"nodeType":248,"value":596,"marks":597,"data":598},"If everyone has Azure AD Premium P1 or higher licenses, you should use Conditional Access. Conditional Access allows you to deploy MFA with full flexibility, from simply mandating it in all situations, to convenience features like exceptions for things like certain IP ranges, apps, or break-glass accounts. A simple setup doesn’t take long but if you’re really looking for quick and easy, you can still use Security Defaults.",[],{},{"nodeType":319,"data":600,"content":601},{},[602],{"nodeType":248,"value":603,"marks":604,"data":605},"Can you deploy to everyone?",[],{},{"nodeType":277,"data":607,"content":608},{},[609],{"nodeType":248,"value":610,"marks":611,"data":612},"If you don’t have Azure AD Premium P1 licenses, but you are comfortable deploying MFA to everyone, you should use Security Defaults. Security Defaults is intended to be the easy-to-deploy MFA option, available to all, regardless of license. Configuration is simply an on/off switch and some very sensible and useful defaults are configured for you but they can’t be changed and no one can be excluded.",[],{},{"nodeType":319,"data":614,"content":615},{},[616],{"nodeType":248,"value":617,"marks":618,"data":619},"Neither applicable?",[],{},{"nodeType":277,"data":621,"content":622},{},[623],{"nodeType":248,"value":624,"marks":625,"data":626},"If you’ve answered no to both questions, your only remaining option is to use Legacy MFA. As the name suggests, this is not an option Microsoft is endorsing or actively developing - their tools and new features are focused purely on Conditional Access or Security Defaults. However, if neither are an option for you, you should at least ensure MFA is configured on your sensitive accounts, like administrators, and per-user MFA can be used to achieve that, regardless of license.",[],{},{"nodeType":319,"data":628,"content":629},{},[630],{"nodeType":248,"value":631,"marks":632,"data":633},"Can I do this if I'm using on-premise AD?",[],{},{"nodeType":277,"data":635,"content":636},{},[637,641,649],{"nodeType":248,"value":638,"marks":639,"data":640},"These options will turn on MFA for users that exist in Azure AD, for logins to Azure AD. If you have on-premise AD and you want to start using Azure AD, you need to first look at something like ",[],{},{"nodeType":259,"data":642,"content":644},{"uri":643},"https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect",[645],{"nodeType":248,"value":646,"marks":647,"data":648},"Azure AD Connect",[],{},{"nodeType":248,"value":650,"marks":651,"data":652}," to sync your users and start your journey in “hybrid” AD.",[],{},{"nodeType":319,"data":654,"content":655},{},[656],{"nodeType":248,"value":657,"marks":658,"data":659},"One last thing…",[],{},{"nodeType":277,"data":661,"content":662},{},[663],{"nodeType":248,"value":664,"marks":665,"data":666},"Regardless of which option you choose, you need to look into disabling “Legacy authentication”. Unrelated to “Legacy MFA”, legacy authentication is just the original way apps authenticated to Azure AD. However, it doesn’t support MFA so leaving it on makes turning on MFA a bit redundant since there will still be a single-factor route into your tenant.",[],{},{"nodeType":277,"data":668,"content":669},{},[670],{"nodeType":248,"value":671,"marks":672,"data":673},"Now that you know which options are available to you let’s explore them in some more detail taking a look at the key features and things you need to think about.",[],{},{"nodeType":578,"data":675,"content":676},{},[677],{"nodeType":248,"value":258,"marks":678,"data":679},[],{},{"nodeType":277,"data":681,"content":682},{},[683],{"nodeType":248,"value":684,"marks":685,"data":686},"Key points:",[],{},{"nodeType":546,"data":688,"content":689},{},[690,700,710,732,742,752],{"nodeType":401,"data":691,"content":692},{},[693],{"nodeType":277,"data":694,"content":695},{},[696],{"nodeType":248,"value":697,"marks":698,"data":699},"Requires no license - available to all.",[],{},{"nodeType":401,"data":701,"content":702},{},[703],{"nodeType":277,"data":704,"content":705},{},[706],{"nodeType":248,"value":707,"marks":708,"data":709},"Once enabled, all users will have to register within 14 days of their next login.",[],{},{"nodeType":401,"data":711,"content":712},{},[713],{"nodeType":277,"data":714,"content":715},{},[716,720,728],{"nodeType":248,"value":717,"marks":718,"data":719},"Users must register using an “Authenticator” app (",[],{},{"nodeType":259,"data":721,"content":723},{"uri":722},"/blog/which-mfa-methods-should-you-use/",[724],{"nodeType":248,"value":725,"marks":726,"data":727},"learn more about MFA methods here",[],{},{"nodeType":248,"value":729,"marks":730,"data":731},")",[],{},{"nodeType":401,"data":733,"content":734},{},[735],{"nodeType":277,"data":736,"content":737},{},[738],{"nodeType":248,"value":739,"marks":740,"data":741},"Once registered, users will be prompted for MFA “as necessary” (i.e. not every time).",[],{},{"nodeType":401,"data":743,"content":744},{},[745],{"nodeType":277,"data":746,"content":747},{},[748],{"nodeType":248,"value":749,"marks":750,"data":751},"Admins will be prompted every time.",[],{},{"nodeType":401,"data":753,"content":754},{},[755],{"nodeType":277,"data":756,"content":757},{},[758],{"nodeType":248,"value":759,"marks":760,"data":761},"Legacy authentication is turned off",[],{},{"nodeType":277,"data":763,"content":764},{},[765],{"nodeType":248,"value":766,"marks":767,"data":768},"Key questions:",[],{},{"nodeType":546,"data":770,"content":771},{},[772,782],{"nodeType":401,"data":773,"content":774},{},[775],{"nodeType":277,"data":776,"content":777},{},[778],{"nodeType":248,"value":779,"marks":780,"data":781},"Can you enable it for all accounts? Remember, Security Defaults is applied to all accounts that use Azure AD.",[],{},{"nodeType":401,"data":783,"content":784},{},[785],{"nodeType":277,"data":786,"content":787},{},[788],{"nodeType":248,"value":789,"marks":790,"data":791},"Do all users have access to a mobile device? Users will be required to register for the authenticator MFA method, which requires a mobile device. ",[],{},{"nodeType":277,"data":793,"content":794},{},[795,799,806],{"nodeType":248,"value":796,"marks":797,"data":798},"Read more here: ",[],{},{"nodeType":259,"data":800,"content":801},{"uri":329},[802],{"nodeType":248,"value":803,"marks":804,"data":805},"What is Security Defaults?",[],{},{"nodeType":248,"value":29,"marks":807,"data":808},[],{},{"nodeType":578,"data":810,"content":811},{},[812],{"nodeType":248,"value":463,"marks":813,"data":814},[],{},{"nodeType":277,"data":816,"content":817},{},[818],{"nodeType":248,"value":684,"marks":819,"data":820},[],{},{"nodeType":546,"data":822,"content":823},{},[824,834,844,854],{"nodeType":401,"data":825,"content":826},{},[827],{"nodeType":277,"data":828,"content":829},{},[830],{"nodeType":248,"value":831,"marks":832,"data":833},"Requires Azure AD Premium P1 licenses",[],{},{"nodeType":401,"data":835,"content":836},{},[837],{"nodeType":277,"data":838,"content":839},{},[840],{"nodeType":248,"value":841,"marks":842,"data":843},"Allows you to create a set of conditions under which users should be allowed access. For example, you can control which users a policy applies to, which apps they are trying to access, how often they should be prompted, where they are logging in from, and which type of device they are permitted to use.",[],{},{"nodeType":401,"data":845,"content":846},{},[847],{"nodeType":277,"data":848,"content":849},{},[850],{"nodeType":248,"value":851,"marks":852,"data":853},"Policies can be put into audit mode first to allow you to ensure they won’t be disruptive.",[],{},{"nodeType":401,"data":855,"content":856},{},[857],{"nodeType":277,"data":858,"content":859},{},[860],{"nodeType":248,"value":861,"marks":862,"data":863},"Legacy authentication should be disabled, but you must do this yourself.",[],{},{"nodeType":277,"data":865,"content":866},{},[867],{"nodeType":248,"value":766,"marks":868,"data":869},[],{},{"nodeType":546,"data":871,"content":872},{},[873,883],{"nodeType":401,"data":874,"content":875},{},[876],{"nodeType":277,"data":877,"content":878},{},[879],{"nodeType":248,"value":880,"marks":881,"data":882},"Does everyone have the requisite license?",[],{},{"nodeType":401,"data":884,"content":885},{},[886],{"nodeType":277,"data":887,"content":888},{},[889,893,901],{"nodeType":248,"value":890,"marks":891,"data":892},"What should your policies look like? Microsoft has a ",[],{},{"nodeType":259,"data":894,"content":896},{"uri":895},"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common",[897],{"nodeType":248,"value":898,"marks":899,"data":900},"sensible set of base policies",[],{},{"nodeType":248,"value":902,"marks":903,"data":904},"; implementing the first four policies listed would replicate Security Defaults.",[],{},{"nodeType":277,"data":906,"content":907},{},[908,911,918],{"nodeType":248,"value":796,"marks":909,"data":910},[],{},{"nodeType":259,"data":912,"content":913},{"uri":457},[914],{"nodeType":248,"value":915,"marks":916,"data":917},"What is Conditional Access?",[],{},{"nodeType":248,"value":29,"marks":919,"data":920},[],{},{"nodeType":578,"data":922,"content":923},{},[924],{"nodeType":248,"value":925,"marks":926,"data":927},"Legacy MFA",[],{},{"nodeType":277,"data":929,"content":930},{},[931],{"nodeType":248,"value":684,"marks":932,"data":933},[],{},{"nodeType":546,"data":935,"content":936},{},[937,946,956,966,988],{"nodeType":401,"data":938,"content":939},{},[940],{"nodeType":277,"data":941,"content":942},{},[943],{"nodeType":248,"value":697,"marks":944,"data":945},[],{},{"nodeType":401,"data":947,"content":948},{},[949],{"nodeType":277,"data":950,"content":951},{},[952],{"nodeType":248,"value":953,"marks":954,"data":955},"You can configure MFA enforcement per user, and you can specify which methods can be used.",[],{},{"nodeType":401,"data":957,"content":958},{},[959],{"nodeType":277,"data":960,"content":961},{},[962],{"nodeType":248,"value":963,"marks":964,"data":965},"Users are prompted for MFA on every login.",[],{},{"nodeType":401,"data":967,"content":968},{},[969],{"nodeType":277,"data":970,"content":971},{},[972,976,984],{"nodeType":248,"value":973,"marks":974,"data":975},"Management tooling is well...legacy. Only available via a legacy portal that is quite clunky. You can still configure ",[],{},{"nodeType":259,"data":977,"content":979},{"uri":978},"https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#change-state-using-powershell",[980],{"nodeType":248,"value":981,"marks":982,"data":983},"via PowerShell",[],{},{"nodeType":248,"value":985,"marks":986,"data":987}," though.",[],{},{"nodeType":401,"data":989,"content":990},{},[991],{"nodeType":277,"data":992,"content":993},{},[994],{"nodeType":248,"value":995,"marks":996,"data":997},"Not recommended by Microsoft or being actively developed.",[],{},{"nodeType":277,"data":999,"content":1000},{},[1001,1004,1012],{"nodeType":248,"value":796,"marks":1002,"data":1003},[],{},{"nodeType":259,"data":1005,"content":1007},{"uri":1006},"https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates",[1008],{"nodeType":248,"value":1009,"marks":1010,"data":1011},"How to enable per-user MFA",[],{},{"nodeType":248,"value":29,"marks":1013,"data":1014},[],{},"How to set up Multi-Factor Authentication for Microsoft 365","Conditional Access, Security Defaults, or Legacy? Figuring out how to deploy MFA in Microsoft 365 can be complex. This post summarises your options.",[1018,1019],"MFA","Microsoft365","2021-03-15T00:00:00.000+01:00","how-to-set-up-multi-factor-authentication-for-microsoft-365",{"items":1023},[1024,1028],{"sys":1025,"name":1027},{"id":1026},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1029,"name":1031},{"id":1030},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":1033},[1034],{"fullName":1035,"firstName":1036,"jobTitle":1037,"profilePicture":1038},"Andy Waugh","Andy","VP Product",{"url":1039},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"__typename":524,"sys":1041,"content":1043,"title":1458,"synopsis":1459,"hashTags":1460,"publishedDate":1020,"slug":1462,"tagsCollection":1463,"authorsCollection":1469},{"id":1042},"5Zy1Kj162pY69NT6001gAa",{"json":1044},{"data":1045,"content":1046,"nodeType":509},{},[1047,1054,1060,1069,1075,1082,1089,1225,1231,1237,1244,1251,1258,1265,1272,1279,1286,1293,1300,1320,1327,1334,1439],{"data":1048,"content":1049,"nodeType":277},{},[1050],{"data":1051,"marks":1052,"value":1053,"nodeType":248},{},[],"Multi-Factor Authentication (MFA) - also known as 2 Step Verification (2SV), or 2 Factor Authentication (2FA) - is an additional step when users login to a service in addition to their username and password. Common implementations are things like SMS security codes, or login confirmations on smartphones.",{"data":1055,"content":1056,"nodeType":277},{},[1057],{"data":1058,"marks":1059,"value":29,"nodeType":248},{},[],{"data":1061,"content":1067,"nodeType":1068},{"target":1062},{"sys":1063},{"id":1064,"type":1065,"linkType":1066},"3VqrRPLsLo8yynXCUeigZA","Link","Entry",[],"embedded-entry-block",{"data":1070,"content":1071,"nodeType":277},{},[1072],{"data":1073,"marks":1074,"value":29,"nodeType":248},{},[],{"data":1076,"content":1077,"nodeType":578},{},[1078],{"data":1079,"marks":1080,"value":1081,"nodeType":248},{},[],"MFA is a security control everyone can agree on",{"data":1083,"content":1084,"nodeType":277},{},[1085],{"data":1086,"marks":1087,"value":1088,"nodeType":248},{},[],"Security people find it notoriously difficult to agree on what the most important security controls are, but there is broad agreement on the value of MFA. This has been accepted and adopted by some big names who are pushing MFA hard because they know it works:",{"data":1090,"content":1091,"nodeType":546},{},[1092,1121,1148,1176,1203],{"data":1093,"content":1094,"nodeType":401},{},[1095],{"data":1096,"content":1097,"nodeType":277},{},[1098,1104,1108,1117],{"data":1099,"marks":1100,"value":1103,"nodeType":248},{},[1101],{"type":1102},"bold","Microsoft",{"data":1105,"marks":1106,"value":1107,"nodeType":248},{},[],": “",{"data":1109,"content":1111,"nodeType":259},{"uri":1110},"https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/",[1112],{"data":1113,"marks":1114,"value":1116,"nodeType":248},{},[1115],{"type":257},"One simple action you can take to prevent 99.9 percent of attacks on your accounts",{"data":1118,"marks":1119,"value":1120,"nodeType":248},{},[],"”",{"data":1122,"content":1123,"nodeType":401},{},[1124],{"data":1125,"content":1126,"nodeType":277},{},[1127,1132,1136,1145],{"data":1128,"marks":1129,"value":1131,"nodeType":248},{},[1130],{"type":1102},"AWS",{"data":1133,"marks":1134,"value":1135,"nodeType":248},{},[],": “MFA is the best way to protect accounts from inappropriate access” - ",{"data":1137,"content":1139,"nodeType":259},{"uri":1138},"https://aws.amazon.com/blogs/security/top-10-security-items-to-improve-in-your-aws-account/",[1140],{"data":1141,"marks":1142,"value":1144,"nodeType":248},{},[1143],{"type":257},"Top 10 security items to improve in your AWS account",{"data":1146,"marks":1147,"value":29,"nodeType":248},{},[],{"data":1149,"content":1150,"nodeType":401},{},[1151],{"data":1152,"content":1153,"nodeType":277},{},[1154,1159,1163,1172],{"data":1155,"marks":1156,"value":1158,"nodeType":248},{},[1157],{"type":1102},"Google",{"data":1160,"marks":1161,"value":1162,"nodeType":248},{},[],": “On-device prompts helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.\" - ",{"data":1164,"content":1166,"nodeType":259},{"uri":1165},"https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html",[1167],{"data":1168,"marks":1169,"value":1171,"nodeType":248},{},[1170],{"type":257},"New research: How effective is basic account hygiene at preventing hijacking",{"data":1173,"marks":1174,"value":1175,"nodeType":248},{},[]," ",{"data":1177,"content":1178,"nodeType":401},{},[1179],{"data":1180,"content":1181,"nodeType":277},{},[1182,1187,1191,1200],{"data":1183,"marks":1184,"value":1186,"nodeType":248},{},[1185],{"type":1102},"UK National Cyber Security Centre",{"data":1188,"marks":1189,"value":1190,"nodeType":248},{},[]," (NCSC): “One of the most effective ways of providing additional protection to a password protected account is to use MFA.” - ",{"data":1192,"content":1194,"nodeType":259},{"uri":1193},"https://www.ncsc.gov.uk/collection/passwords/updating-your-approach",[1195],{"data":1196,"marks":1197,"value":1199,"nodeType":248},{},[1198],{"type":257},"Password policy: updating your approach",{"data":1201,"marks":1202,"value":1175,"nodeType":248},{},[],{"data":1204,"content":1205,"nodeType":401},{},[1206],{"data":1207,"content":1208,"nodeType":277},{},[1209,1213,1222],{"data":1210,"marks":1211,"value":1212,"nodeType":248},{},[],"and even Obama: “The President is calling on Americans to move beyond just the password to leverage multiple factors of authentication when logging-in to online accounts.” - ",{"data":1214,"content":1216,"nodeType":259},{"uri":1215},"https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan",[1217],{"data":1218,"marks":1219,"value":1221,"nodeType":248},{},[1220],{"type":257},"FACT SHEET: Cybersecurity National Action Plan | whitehouse.gov",{"data":1223,"marks":1224,"value":1175,"nodeType":248},{},[],{"data":1226,"content":1230,"nodeType":1068},{"target":1227},{"sys":1228},{"id":1229,"type":1065,"linkType":1066},"2P5lUU0cEsFy424iV8sNJD",[],{"data":1232,"content":1233,"nodeType":277},{},[1234],{"data":1235,"marks":1236,"value":29,"nodeType":248},{},[],{"data":1238,"content":1239,"nodeType":578},{},[1240],{"data":1241,"marks":1242,"value":1243,"nodeType":248},{},[],"MFA prevents the most common attacks against SMEs",{"data":1245,"content":1246,"nodeType":277},{},[1247],{"data":1248,"marks":1249,"value":1250,"nodeType":248},{},[],"To understand why MFA is a good idea, it helps to understand what you are defending your business against. A number of the most common attacks SMEs will face, including business email compromise and ransomware attacks typically start with the compromise of a single employee’s password. This can happen in many ways - but most often because an employee has used the same password on another website (which got compromised) or because they have been tricked by a phishing attack.",{"data":1252,"content":1253,"nodeType":277},{},[1254],{"data":1255,"marks":1256,"value":1257,"nodeType":248},{},[],"It’s easy to blame employees, or imagine that employee training is the answer. This is probably a mistake because if the last few decades have taught us anything it is that 1) humans are bad at passwords, and 2) they have near boundless creativity when it comes to tricking people.",{"data":1259,"content":1260,"nodeType":277},{},[1261],{"data":1262,"marks":1263,"value":1264,"nodeType":248},{},[],"Instead the data shows you should not rely on passwords for your security. This takes users off the hook, and closes the door on the most common starting point for the most common attacks.",{"data":1266,"content":1267,"nodeType":578},{},[1268],{"data":1269,"marks":1270,"value":1271,"nodeType":248},{},[],"MFA isn’t perfect (but it’s very good)",{"data":1273,"content":1274,"nodeType":277},{},[1275],{"data":1276,"marks":1277,"value":1278,"nodeType":248},{},[],"You might come across nay-sayers that will point out reasons MFA could be bypassed, or why it won’t stop certain attacks - and it’s true, MFA isn't a silver bullet and doesn’t protect against everything, but don’t let this dissuade you! As you can see from all the references at the top of this page, MFA is really good at stopping some of the most common, and consequential attacks out there today. Arguing that it isn’t worth doing because it isn’t perfect is like arguing that there is no point putting a lock on your front door because someone might drive a tank through it - it’s not wrong, it just misses the point.",{"data":1280,"content":1281,"nodeType":578},{},[1282],{"data":1283,"marks":1284,"value":1285,"nodeType":248},{},[],"Start with cloud services",{"data":1287,"content":1288,"nodeType":277},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":248},{},[],"It’s possible to protect almost any type of system using MFA, but the cost and effort might differ wildly. We recommend that you start with cloud services because they are accessible from anywhere in the world, making password compromise a one-step affair for attackers. ",{"data":1294,"content":1295,"nodeType":277},{},[1296],{"data":1297,"marks":1298,"value":1299,"nodeType":248},{},[],"Also, most cloud services make it easy to adopt MFA without buying any third-party software or devices - it’s a bit of a no-brainer. This is where you will get the greatest bang-for-buck (although MFA is often free or already included in your license - so the buck here is your time). ",{"data":1301,"content":1302,"nodeType":277},{},[1303,1307,1316],{"data":1304,"marks":1305,"value":1306,"nodeType":248},{},[],"You can check out ",{"data":1308,"content":1310,"nodeType":259},{"uri":1309},"https://2fa.directory/",[1311],{"data":1312,"marks":1313,"value":1315,"nodeType":248},{},[1314],{"type":257},"Two Factor Auth (2FA)",{"data":1317,"marks":1318,"value":1319,"nodeType":248},{},[]," to see which services support MFA.",{"data":1321,"content":1322,"nodeType":578},{},[1323],{"data":1324,"marks":1325,"value":1326,"nodeType":248},{},[],"Success is all about user experience - and users might even thank you for it (no, really)",{"data":1328,"content":1329,"nodeType":277},{},[1330],{"data":1331,"marks":1332,"value":1333,"nodeType":248},{},[],"Being mindful that MFA has a direct impact on the user experience is key to making it a success. Thankfully, the MFA user experience on cloud services is better today than it’s ever been, and with most users already using MFA somewhere in their personal lives it's less of an ask than it used to be. That said, here are some things you can do to make it a success:",{"data":1335,"content":1336,"nodeType":546},{},[1337,1364,1379,1409,1424],{"data":1338,"content":1339,"nodeType":401},{},[1340],{"data":1341,"content":1342,"nodeType":277},{},[1343,1348,1352,1360],{"data":1344,"marks":1345,"value":1347,"nodeType":248},{},[1346],{"type":1102},"Sweeten the pot for users",{"data":1349,"marks":1350,"value":1351,"nodeType":248},{},[]," - once you have MFA in place you might disable some of the most hated password policies like regular password expiry. This is actually recommended by modern password policies anyway. (Don't believe us? ",{"data":1353,"content":1355,"nodeType":259},{"uri":1354},"https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry",[1356],{"data":1357,"marks":1358,"value":1359,"nodeType":248},{},[],"Read this password guidance",{"data":1361,"marks":1362,"value":1363,"nodeType":248},{},[]," from NCSC).",{"data":1365,"content":1366,"nodeType":401},{},[1367],{"data":1368,"content":1369,"nodeType":277},{},[1370,1375],{"data":1371,"marks":1372,"value":1374,"nodeType":248},{},[1373],{"type":1102},"Minimise MFA prompts",{"data":1376,"marks":1377,"value":1378,"nodeType":248},{},[]," - these days most platforms allow you to ask for MFA prompts only when users login from new systems or browsers. This provides a much better user experience and has almost no impact on security.",{"data":1380,"content":1381,"nodeType":401},{},[1382],{"data":1383,"content":1384,"nodeType":277},{},[1385,1390,1394,1405],{"data":1386,"marks":1387,"value":1389,"nodeType":248},{},[1388],{"type":1102},"Choose an easy to use MFA method",{"data":1391,"marks":1392,"value":1393,"nodeType":248},{},[]," - getting MFA codes from a phone call isn’t very easy to use, where clicking a button on your mobile, or pressing the fingerprint reader on your laptop is far less irritating. A bit of thought here goes a long way. ",{"data":1395,"content":1399,"nodeType":1404},{"target":1396},{"sys":1397},{"id":1398,"type":1065,"linkType":1066},"73JjdrO5GKRzYum97MqJ9q",[1400],{"data":1401,"marks":1402,"value":1403,"nodeType":248},{},[],"See our blog post","entry-hyperlink",{"data":1406,"marks":1407,"value":1408,"nodeType":248},{},[]," on which MFA methods you should use.",{"data":1410,"content":1411,"nodeType":401},{},[1412],{"data":1413,"content":1414,"nodeType":277},{},[1415,1420],{"data":1416,"marks":1417,"value":1419,"nodeType":248},{},[1418],{"type":1102},"Make sure your IT support team is ready for all scenarios",{"data":1421,"marks":1422,"value":1423,"nodeType":248},{},[]," - ensuring that IT support knows exactly what to do in emergencies or when users are locked out is critical to a good user experience. This is not hard to do, but you definitely don’t want to do it for the first time when the user in question is the CEO, and it’s 20 minutes before his big presentation in a country half way across the world - this is how good security dies!",{"data":1425,"content":1426,"nodeType":401},{},[1427],{"data":1428,"content":1429,"nodeType":277},{},[1430,1435],{"data":1431,"marks":1432,"value":1434,"nodeType":248},{},[1433],{"type":1102},"Nothing wrong with taking it slow",{"data":1436,"marks":1437,"value":1438,"nodeType":248},{},[]," - too much change too fast tends to ruffle feathers, and rolling out MFA over months rather than weeks can give your IT support team time to scale up their experience and iron out issues before you roll-out to everyone. You might even choose to enable it only for critical most-attacked users such as administrators or finance teams at first. Make sure your security team doesn’t lose focus and never quite gets it finished!",{"data":1440,"content":1441,"nodeType":277},{},[1442,1446,1454],{"data":1443,"marks":1444,"value":1445,"nodeType":248},{},[],"If you found this useful and are thinking about rolling out MFA, you might consider taking a look at ",{"data":1447,"content":1449,"nodeType":259},{"uri":1448},"https://pushsecurity.com",[1450],{"data":1451,"marks":1452,"value":1453,"nodeType":248},{},[],"Push Security",{"data":1455,"marks":1456,"value":1457,"nodeType":248},{},[]," - our entire reason for being is to take the grunt work out of doing this kind of thing.","Multi-Factor Authentication is the top security control for most small and medium-sized businesses","Why Multi-Factor Authentication (MFA aka 2FA) is so useful for small and medium-sized businesses, and how to deploy it successfully.",[1018,1461],"Guidance","multi-factor-authentication-is-the-top-security-control-for-most-small-and",{"items":1464},[1465,1467],{"sys":1466,"name":1027},{"id":1026},{"sys":1468,"name":1031},{"id":1030},{"items":1470},[1471],{"fullName":1472,"firstName":1473,"jobTitle":1474,"profilePicture":1475},"Jacques Louw","Jacques","Co-founder / CRO",{"url":1476},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg","microsoft-rolls-out-security-defaults-for-azure-ad-to-secure-access","blog/microsoft-rolls-out-security-defaults-for-azure-ad-to-secure-access",{"json":1480},{"data":1481,"content":1482,"nodeType":509},{},[1483],{"data":1484,"content":1485,"nodeType":277},{},[1486,1490,1496],{"data":1487,"marks":1488,"value":1489,"nodeType":248},{},[],"Microsoft is starting to roll out ",{"data":1491,"content":1492,"nodeType":259},{"uri":251},[1493],{"data":1494,"marks":1495,"value":258,"nodeType":248},{},[],{"data":1497,"marks":1498,"value":1499,"nodeType":248},{},[]," for Azure AD for those who haven’t turned them on yet. Here’s what you need to know about it to prepare your team.","Microsoft is starting to roll out Security Defaults for Azure AD for those who haven’t turned them on yet. Here’s what you need to know.",{"id":1502,"publishedAt":1503},"7tv69i16JL4cQiNyD8zlqT","2024-03-21T09:26:29.831Z",{"items":1505},[1506,1508],{"sys":1507,"name":1031},{"id":1030},{"sys":1509,"name":1027},{"id":1026},"QSu2BWwY7dtv8kJEFsI9ouktiCjaAPkFb3BfUW3TeZA",1784196718292]