Microsoft likens MFA to 1960s seatbelts, buckles admins in yet keeps eject button

Microsoft is introducing three Conditional Access policies for sysadmins as it continues to promote the implementation of multi-factor authentication (MFA) in organizations.

The trio of optional policies will be automatically deployed to eligible customers’ tenants in a report-only mode at first. Customers will have a 90-day window in which to review and if necessary opt out of them, otherwise they will be automatically enabled after this time.

This process will start next week but Microsoft will notify customers before it deploys policies on the orgs.

Of the three options, Microsoft is pushing the first one the strongest, which will apply to Entra ID Premium Plans 1 and 2. It mandates privileged admin accounts to complete MFA when accessing Microsoft admin portals such as Azure, Microsoft 365 admin center, and Exchange admin center.

Admins can choose to opt out of the policy despite the warning, but Microsoft said in the future it will place an increasing number of MFA requirements on specific interactions regardless. 

The other two policies apply to a smaller subset of customers. For those running the legacy per-user implementation of MFA, logins to cloud apps will require MFA across the board.

Per-user MFA is not Microsoft’s preference for customers and it said this policy aims to ease the transition away from a per-user deployment and toward using Conditional Access as standard.

Those on the Microsoft Entra ID Premium Plan 2 also have their own policy, requiring MFA for all high-risk sign-ins – access attempts from accounts that have recently shown behavior outside of what is considered to be normal.

These policies represent the latest step taken by Microsoft to increase MFA uptake to an idealistic 100 percent of all customers. Currently, just 37 percent utilize MFA but the proportion of newer tenants adopting it is considerably higher.

The 2019 “security defaults” initiative from Microsoft, which involved the automatic application of basic security controls as standard for all new Microsoft customers – including MFA – has led to more than 80 percent of newbies since then keeping MFA enabled.

Microsoft started rolling security defaults out to pre-existing customers in 2022, starting with smaller, simpler customers that had never touched their security settings. Now, more than 94 percent of these SMEs have kept MFA enabled, we’re told.

The overall uptake is still much lower than what Microsoft would want, though. It cited its own research that showed MFA can reduce the risk of account takeover by more than 99 percent. It also claims that customers who have security defaults enabled experience 80 percent fewer compromises compared to those that don’t.

“Today, many customers use security defaults, but many others need more granular control than security defaults offer,” said Alex Weinert, VP Identity Security at Microsoft. 

“Customers may not be in a position to disable legacy authentication for certain accounts (a requirement for security defaults), or they may need to make exceptions for certain automation cases. Conditional Access does a great job here, but often customers aren’t sure where to start. They’ve told us they want a clear policy recommendation that’s easy to deploy but still customizable to their specific needs. And that’s exactly what we’re providing with Microsoft-managed Conditional Access policies.

“Microsoft-managed Conditional Access policies provide clear, self-deploying guidance. Customers can tune the policies (or disable them altogether), so even the largest, most sophisticated organizations can benefit from them. Over time, we’ll offer policies tailored to specific organizations, but we’re starting simple.”

Funnily enough, Weinert likened MFA to 1960s seatbelts, saying that before 1965, car owners had to install them manually but after they were made a legal requirement, traffic-related injuries plummeted.

Like whiplash and dashboard-induced head lumps, consumer account compromises also fell substantially when Microsoft turned MFA on by default in 2013, Weinert said. ®

READ MORE HERE