So far in this series I’ve covered Admin Center Updates, Office 365 Business deployment and Office 365 Business vs. Office 365 Pro Plus, and today’s topic includes some of the recent Azure Active Directory enhancements that have been announced, and what they mean for Microsoft 365 Business customers. This isn’t an all encompassing list of what’s coming in AAD, but rather a selection of updates that will have a trickle-down impact.

Let’s start with Baseline Protection, provided by a predefined Conditional Access policy. While the inclusion of full Conditional Access capabilities from AAD Premium P1 is something that many Microsoft 365 Business administrators would like to see, what we have right now is that users with privileged accounts are going to have this predefined Conditional Access policy applied. As of the time of writing it applies to the following roles – Global Admins, SharePoint admins, Exchange admins, Conditional Access admins and Security admins.

Baseline policy enablement

What you can see in the above screenshot is all that is provided: you can’t tweak the underlying policy. All you can do is enable or disable it and set up specific user exclusions, which hopefully are not used extensively in your organisation, because every exclusion pokes a hole through the protection. If you need granularity for these admins beyond what you see here, you will need to acquire AAD Premium P1 licences to get started, and depending on how far you want to take Conditional Access you can also layer AADP P2, MCAS and Intune on top.

So now that we’ve got baseline protection for admins, what about protecting users? That’s not something that is lighting up in the portal yet, but baseline protection is coming for all users, as you will see in the following table.

For admins:
  - MFA enabled for Azure AD privileged roles

For all users:
  - MFA enabled
  - Enrolled in the Microsoft Authenticator app for MFA
  - Require MFA when sign-in risk is detected
  - Block legacy authentication protocols
  - Block logins from compromised users

While there are several items of interest, one of the big ones for many will be Block legacy authentication protocols. This policy will apply to older Microsoft Office clients that don’t support modern authentication, and also to clients that use mail protocols like POP, IMAP and SMTP. Reviewing your AAD sign-in logs to track legacy authentication is going to be an important way to identify those clients and eliminate them from your tenants before the policy blocks them.
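As an added example (not part of the original post), here is a small Python script that reads an exported Azure AD sign-in log and summarises which users and protocols are still on legacy authentication. It assumes the export follows the Microsoft Graph signIn schema with a clientAppUsed field, and that only "Browser" and "Mobile Apps and Desktop clients" represent modern authentication; the sample records are constructed, not real tenant data.

```python
import json
from collections import Counter, defaultdict

# Assumption: in the Graph signIn schema, modern auth is reported as one of
# these two clientAppUsed values; anything else (IMAP4, POP3, Authenticated
# SMTP, Exchange ActiveSync, Other clients, ...) is legacy authentication that
# the "Block legacy authentication protocols" baseline policy would stop.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

def is_legacy_auth(record):
    """True when the sign-in used a protocol that cannot do modern auth / MFA."""
    return record.get("clientAppUsed", "Unknown") not in MODERN_AUTH_CLIENTS

def summarize_legacy_auth(records):
    """Return ({user: {clientApp: count}}, Counter(clientApp)) for legacy sign-ins only."""
    per_user = defaultdict(Counter)
    per_client = Counter()
    for rec in records:
        if not is_legacy_auth(rec):
            continue
        client = rec.get("clientAppUsed", "Unknown")
        per_user[rec.get("userPrincipalName", "<unknown user>")][client] += 1
        per_client[client] += 1
    return {user: dict(counts) for user, counts in per_user.items()}, per_client

# Constructed sample export (hypothetical users, not real log data).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "appDisplayName": "Office 365"},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online"},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Outlook"},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online"},
 {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online"},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync", "appDisplayName": "Office 365 Exchange Online"}
]""")

def main():
    per_user, per_client = summarize_legacy_auth(SAMPLE_SIGNINS)
    print("Legacy auth sign-ins by protocol:")
    for client, n in per_client.most_common():
        print(f"  {client}: {n}")
    print("Users still relying on legacy auth (will be blocked once the policy is on):")
    for user, clients in sorted(per_user.items()):
        print(f"  {user}: {clients}")

if __name__ == "__main__":
    main()
```

Point it at a real export by replacing SAMPLE_SIGNINS with json.load() of the downloaded file; devices such as multifunction printers sending via Authenticated SMTP are a common finding.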

Strengthen sign-in security sample

Before moving on to the next item, which follows on well from the baseline policies, it’s important to point out again that these will be preconfigured policies that can be applied, and you won’t have the ability to edit them. If you need that granularity for admins and users, AADP P1 licences will need to be acquired.

Next up are some of the enhancements to the Microsoft Authenticator app, one being more end-user targeted and the other being more critical for Microsoft 365 Business administrators. Let’s start off with the more user-appropriate feature, Password-less Sign In. When we enable this functionality, key-based authentication is used to create a user credential that is tied to a device and unlocked with a PIN or biometric option. In some ways it’s similar to what we get with Windows Hello for Business.

When we use password-less phone sign in, the user won’t be prompted for a password. Instead they will be shown a number, which then needs to be selected from a set of numbers presented to them in Microsoft Authenticator.

MFA prompt from browser

First you will see the browser or app prompt you with the number you need to select in Microsoft Authenticator.

Microsoft Authenticator Password-less

Then you will get the prompt and have to select from a list of three numbers.

To enable this in your tenant you need to make sure you have the latest preview of the Azure Active Directory V2 PowerShell module, so you might need to uninstall the previous version. You can uninstall, install the latest, connect to your AAD tenant and enable password-less sign in with the following.

# Remove the older preview module, then install the current one
Uninstall-Module -Name AzureADPreview
Install-Module -Name AzureADPreview
Connect-AzureAD   # sign in to the tenant you are configuring
# Create the tenant-wide policy that turns on password-less phone sign in
New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -IsOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

I mentioned that this is more of an end-user targeted feature, and the reason I see it this way is that it should be used on the primary account an individual signs in with, and we can only have one password-less sign in per Microsoft Authenticator install. This is because the device running Microsoft Authenticator needs to be registered with AAD, and a device can only be registered with one AAD tenant. Having it associated with your user account rather than an admin account makes more sense, as that is the account you should be using more often, and once the baseline Conditional Access policy is enabled in your tenant this should help to make MFA better for users.

The final item to mention is that admins also benefit from new Authenticator/MFA enhancements, with up to five devices per account instead of the single instance previously allowed. For environments where multiple people need to sign in using the same accounts, such as a partner environment managing multiple Microsoft 365 Business tenants, this means that Microsoft Authenticator can be used more broadly rather than relying on some of the workarounds that may have been used previously.

If you’ve reached the end of this post, hopefully you’ve got an idea of how some of these underlying enhancements are going to make your environments safer and easier to protect moving forward. While the Office 365 Secure Score and Microsoft 365 Secure Score have been around for a while, if you are focused on identity, take a look at the Identity Secure Score to get some ideas of what you can do to improve your security posture.