When you try to enable Microsoft’s shiny new Azure Security Defaults in Azure Active Directory, you may run into this error: “It looks like you have Classic policies enabled. Enabling Classic policies prevents you from enabling Security defaults.”
What a bummer, considering Security Defaults replace the older Baseline Conditional Access Policies as of 29 February 2020. Enabling Security Defaults is also the easiest way to ensure multi-factor authentication is enabled for Azure administrators. Time to fix this error and enable Azure AD Security Defaults!
Browse to https://portal.azure.com/#home (log in if prompted)
Click Azure AD Conditional Access
Under the Manage heading, click Classic policies
Expand the Show listbox, then select All Policies
If any policies have a checkmark in the Enabled column, click the … to the right of that policy. Click Disable, confirming when prompted. Do this for each enabled policy.
Expand the Show listbox, then select Enabled Policies. No policies should appear in the Policy Name column.
Great! Now it’s time to enable the Security Defaults in Azure AD!
Click Azure Active Directory
Under the Manage heading, click Properties
Click Manage Security defaults
In the Enable Security defaults flyout, click the slider to Yes. Click Save
If all goes as expected, a message pops up indicating the Security defaults policy is saved!
That’s it! Now accounts holding any of the following nine Azure AD administrator roles will be required to perform additional authentication every time they sign in:
- Global administrator
- SharePoint administrator
- Exchange administrator
- Conditional Access administrator
- Security administrator
- Helpdesk administrator or password administrator
- Billing administrator
- User administrator
- Authentication administrator
Admins have 14 days from the first time they log on to complete MFA setup. It’s a straightforward process I’ll cover in another blog post soon.
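To confirm the result outside the portal, here is a read-only check written for this walkthrough (an added example, not part of the original post or any Microsoft tooling). It reads the Security defaults policy through Microsoft Graph and lists the user accounts holding the roles above. It assumes the Microsoft.Graph.Authentication module is installed and that the role display names in `$coveredRoles` match what your tenant returns.

```powershell
# Added example: read-only verification, requires Microsoft.Graph.Authentication.
# Assumption: these display names match the roles listed in the post as your
# tenant reports them. Graph only returns roles that have been activated.
$coveredRoles = @(
    'Global Administrator', 'SharePoint Administrator', 'Exchange Administrator',
    'Conditional Access Administrator', 'Security Administrator',
    'Helpdesk Administrator', 'Password Administrator', 'Billing Administrator',
    'User Administrator', 'Authentication Administrator'
)
$graph = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory' | Out-Null

# 1. Is the Security defaults policy actually switched on?
$policy = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy"
if ($policy.isEnabled) {
    Write-Host 'Security defaults: enabled'
} else {
    Write-Warning 'Security defaults is NOT enabled for this tenant.'
}

# 2. Which user accounts hold one of the covered administrator roles?
$roles = (Invoke-MgGraphRequest -Method GET -Uri "$graph/directoryRoles").value |
    Where-Object { $_.displayName -in $coveredRoles }

$admins = foreach ($role in $roles) {
    $uri = "$graph/directoryRoles/$($role.id)/members"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($member in $page.value) {
            # Role members can also be groups or service principals; report users only.
            if ($member.'@odata.type' -eq '#microsoft.graph.user') {
                [pscustomobject]@{
                    Role              = $role.displayName
                    UserPrincipalName = $member.userPrincipalName
                }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until no further link
    }
}

$admins | Sort-Object UserPrincipalName, Role | Format-Table -AutoSize
```

Any account in the output that nobody recognises, or that no longer needs the role, is worth removing before the 14-day MFA registration window starts for it.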
Until next time, checkyourlog.net fans!