question

JackPoston-8240 asked vipulsparsh-MSFT commented

Legacy O365 MFA vs Azure Security Defaults

I'm trying to set up MFA for my users. At some point I thought I read something that indicated my users needed business premium accounts to enforce MFA. So I got a few, but then I find out that o365 admin center allows me to enable and disable MFA per user with something called "Legacy MFA". Then I read according to Microsoft Docs I should turn off Legacy MFA and turn on Security Defaults in Azure AD. Why? What's the difference? Then I read security defaults are not recommended for those with business premium accounts. Why?

All I want is a solid MFA protocol that secures my users but doesn't make it too difficult to sign in. Should I just stick with business standard accounts and use legacy MFA in O365?

azure-ad-multi-factor-authentication

1 Answer

vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@JackPoston-8240 If your goal is just to prompt for MFA for all users, then security defaults are sufficient. Security defaults come for free and are responsible for MFA for all users, with an MFA prompt every time for Azure AD admin role users.
However, security defaults lack the features of Conditional Access, where you can target each cloud app/service and make decisions based on the network, device, and app the end user uses. If you want rich features for controlling user access with different variables, you can use CA policies with a premium license.

One important point to note is that, after security defaults are enabled in your tenant, all authentication requests made by an older protocol will be blocked. Security defaults block Exchange ActiveSync basic authentication.

Since you only have a premium license, I would encourage you to read more about the capabilities of Conditional Access policy here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview


With security defaults you do not have MFA options for call or text; it only works with a notification through the Authenticator app, a verification code from the Authenticator app, or hardware tokens (FIDO keys):

[attached image: 126563-image.png]

Depending on how many options and capabilities you want, you can choose accordingly. Let me know if you have any questions.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.





To clarify, premium licenses are not all I have. 85% of my team is on a business standard license. For some of them I have turned on MFA through the Office 365 admin center. I believe this is referred to as "legacy MFA". It utilizes call or text. It sounds like premium licenses are only needed for conditional access. Is that correct? Otherwise, if the rest of my team is on business standard, what's the difference between "legacy MFA" through the O365 admin center and "security defaults" through Azure AD?


@JackPoston-8240 Legacy MFA is the normal, older way of asking for MFA from the users for which it is enabled. Security defaults add some more security in that they automatically prompt all admins for MFA and block legacy authentication protocols. They can also detect when there is an anomaly in a sign-in and prompt for MFA.
Legacy MFA just cares about the users for which MFA has been turned on, with no other logic of its own.

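Both the answer and the comment above make the same point: enabling security defaults blocks legacy authentication protocols (Exchange ActiveSync basic auth, IMAP, POP, and similar), so before flipping the switch an admin wants to know which users still sign in that way and which users are currently completing sign-ins with a single factor. The script below is an added example, not code from the thread or from Microsoft. It reads a handful of constructed sign-in records shaped like the Microsoft Graph `signIn` resource (the `clientAppUsed`, `status.errorCode` and `authenticationRequirement` fields) and produces an impact summary. The set of client-app names treated as legacy is an assumption for this example and should be compared against the values that appear in your own tenant's sign-in logs.

```python
"""Impact check before enabling Azure AD Security Defaults (added example).

Given sign-in log records in the shape of the Microsoft Graph signIn resource,
report (a) which users have successful sign-ins over legacy-auth client apps,
i.e. traffic that security defaults will block, and (b) which users completed
sign-ins with only a single factor, i.e. who will newly be prompted for MFA.
"""
import json
from collections import Counter, defaultdict

# clientAppUsed values assumed (for this example) to indicate basic/legacy auth.
# Display strings follow the Azure portal; verify against your tenant's logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Other clients",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange Web Services",
    "MAPI Over HTTP",
}

# Constructed sample records; contoso.example is a placeholder domain.
SAMPLE_SIGNIN_LOG = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    # Failed IMAP attempt (bad password): proves nothing about protocols in use.
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
])


def succeeded(record):
    """A sign-in counts only if it completed; errorCode 0 means success."""
    return record.get("status", {}).get("errorCode") == 0


def is_legacy_auth(record):
    """True when the sign-in came through a client app that relies on basic auth."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def summarize_legacy_auth(records):
    """Map each user to a count of successful legacy-auth sign-ins per client app."""
    per_user = defaultdict(Counter)
    for rec in records:
        if succeeded(rec) and is_legacy_auth(rec):
            per_user[rec["userPrincipalName"]][rec["clientAppUsed"]] += 1
    return {upn: dict(counts) for upn, counts in per_user.items()}


def single_factor_users(records):
    """Users who completed at least one sign-in without MFA, sorted for stable output."""
    return sorted({
        rec["userPrincipalName"] for rec in records
        if succeeded(rec)
        and rec.get("authenticationRequirement") == "singleFactorAuthentication"
    })


def impact_report(raw_json):
    """Parse a JSON array of sign-in records and build the summary dictionary."""
    records = json.loads(raw_json)
    return {
        "total_sign_ins": len(records),
        "legacy_auth_by_user": summarize_legacy_auth(records),
        "single_factor_users": single_factor_users(records),
    }


if __name__ == "__main__":
    print(json.dumps(impact_report(SAMPLE_SIGNIN_LOG), indent=2))
```

On the constructed sample this reports one user (bob) actively using Exchange ActiveSync, who will lose mail sync until the client is moved to modern authentication, and two users (bob and dave) who will start receiving MFA prompts; carol's failed IMAP attempt is deliberately ignored because a failed login does not show the protocol is in legitimate use. Against a real tenant you would feed the script the JSON returned by the sign-in log export instead of `SAMPLE_SIGNIN_LOG`.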

OK, so to be clear: should I remove legacy MFA, keep my staff on their business standard accounts, and turn on security defaults? Or is legacy MFA fine for now? Is it going to be phased out eventually?
