Security Defaults Killed Baseline Policies: Your MFA Options When You Have Legacy Auth to Protect
TL;DR
- As of February 29, 2020, Security Defaults are enforced and turned on by default in all net new tenants, enforcing MFA for every user and blocking legacy authentication.
- Security Defaults are a mandatory Partner requirement, not a hard requirement for customer tenants, which leaves MSPs free to choose how they enforce MFA per client.
- Security Defaults only offer the Microsoft Authenticator app as a second factor and break SMTP relay, Exchange Online PowerShell, and any app using IMAP or POP.
- If a tenant has no Conditional Access licensing, turn on MFA and use app passwords to keep legacy authentication apps working.
- If a tenant has Conditional Access licensing, use a Conditional Access policy instead of Security Defaults so you can bypass MFA on trusted networks and for specific apps.
Baseline policies are gone, and Microsoft has replaced them with Security Defaults that enforce MFA for every user in a tenant and block legacy authentication. For MSPs, that is both the right direction and a real operational problem: the same switch that hardens a tenant can also break a copier, a ticketing system, or your Exchange Online PowerShell session. This article explains what changed, what Security Defaults actually do, and the two licensing-dependent paths for enforcing MFA without taking down the apps your clients depend on.

What were baseline policies, and why did MSPs turn them on?

Baseline policies were part of Microsoft's Conditional Access. They let you perform management tasks such as requiring MFA for all admin users or blocking legacy authentication across a tenant in a couple of clicks. The main reason MSPs added these policies was Microsoft's enforcement of the Secure Application Model back on August 1, 2019, which required MFA for all Partner Center user accounts. Some MSPs enabled the baseline policies across customer tenants too, to heighten security; others never enforced the baseline policies and simply enabled MFA manually in their tenant accounts.

Baseline policies were a Conditional Access feature, which is only available in tenants with M365 Business, EMS+E3, or Azure Active Directory Plan 1. You could find these policies a few ways. One of the easiest:
Portal.office.com > Login as a Global Admin > Admin Centers > Azure Active Directory > All Services > AD Conditional Access
What Security Defaults replace them with

Microsoft retired baseline policies and rolled out Security Defaults in their place. You can find the setting a couple of ways. One of the easiest:
Portal.office.com > Login as a Global Admin > Admin Centers > Azure Active Directory > Properties > Manage Security Defaults


What Security Defaults do
- Mandatory Partner requirement, not Customer
- Enforce MFA across all users in the tenant
- Block legacy authentication (IMAP/POP/SMTP protocols)
- Enforce MFA for users who access the Azure portal, Azure PowerShell, and Azure CLI
- Microsoft's full Security Defaults article (opens in new tab)
What you have to watch out for
- On by default in net new tenants
- Users have 14 days to enroll in MFA
- Microsoft Authenticator app is the only second-factor method available
- Printers and copiers with SMTP relay will break
- Exchange Online PowerShell cmdlets will not work
- Ticketing systems and apps that use IMAP or POP will see service disruption
Those concerns are the whole reason this is not a one-click decision. Since Security Defaults are mandatory for the Partner requirement, you need to make sure they do not break your ticketing systems or other apps you rely on. The right approach depends on each tenant's licensing.
Option 1: Turn on MFA and use app passwords for legacy authentication
Applies to: all Partner Center user accounts, and customer tenants without Conditional Access.
Licensing: This does not require a Conditional Access policy, so every 365 license type works. You are simply enabling MFA and using app passwords to bypass MFA on apps that use legacy authentication.
Instead of turning on Security Defaults, enable MFA and add app passwords. For Partner Center accounts that require Security Defaults or Conditional Access to be turned on, create app passwords for your legacy authentication apps. This also ensures your users are not limited to only the Microsoft Authenticator app when enrolling in MFA. Microsoft references this in their partner security requirement documentation (opens in new tab):

For more on app passwords, see Microsoft's app passwords documentation (opens in new tab) and How to create a new app password (opens in new tab).
We recommend app passwords only as a temporary fix. Support for legacy auth is ending in October 2020. Microsoft announced back in 2018 that end of support was coming for Basic Authentication, and we now have an official date of October 13, 2020:
"Today, we are announcing that on October 13th, 2020 we will stop supporting and retire Basic Authentication for Exchange Active Sync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online. This means that new or existing applications using one or more of these API's/protocols will not be able to use Basic Authentication when connecting to Office 365 mailboxes or endpoints and will need to update how they authenticate."
"Please note this change does not affect SMTP AUTH and we will continue to support Basic Authentication for it in Exchange Online at this time. With the large number of solutions, devices, and appliances that use SMTP for sending mail we are working on ways to further secure SMTP AUTH and will continue to update you as we make progress."
Turn on MFA for users
Navigate to Portal.office.com > Admin Centers > Azure Active Directory.

Click Azure Active Directory > Users > ... > Multi-Factor Authentication.

From this portal you can enable MFA on demand for users and control behavior under Service Settings.

Option 2: Set up Conditional Access policies
Applies to: all Partner Center user accounts, and customer tenants with Conditional Access licensing.
Licensing: EMS+E3/E5, Azure AD P1 or P2, M365 Business, M365 E3/E5.
If a tenant has Conditional Access, we recommend this option. Either Security Defaults can be turned on or you can add Conditional Access policies. Both cannot be on at the same time: if you try to create a Conditional Access policy in a tenant with Security Defaults on, it will not let you save until you turn the defaults off. Conditional Access lets you bypass MFA on trusted networks and for certain applications. You would use this to whitelist legacy authentication apps and login credentials on your network for SMTP relay (printers/scanners) or Exchange Online PowerShell cmdlets. See the full Conditional Access tutorial (opens in new tab).
Turn on MFA, bypass MFA for legacy auth, bypass MFA on a trusted network
Navigate to Portal.office.com > Admin Centers > Azure Active Directory.

Click All Services > AD Conditional Access.

Click +New Policy.

Name the policy and define its scope. You can apply it to all users, certain groups, or certain directory roles.

Define the scope of apps that apply. If you have legacy authentication apps in the tenant, you can either exclude them using that tab or give them an app password as described earlier.

On the Conditional Access home page, click Named Locations to add a trusted network. In the conditions section, include all locations and exclude trusted locations. This is how you bypass MFA on a trusted network for printers using SMTP relay or Exchange Online PowerShell cmdlets.

On the Grant tab, select Require MFA, then enable the policy to save.

What about printers, scanners, and copiers?
We recommend the Conditional Access policy above to bypass MFA when on a trusted network. In addition, look at Direct Send, Option 2 in Microsoft's support article on multifunction devices (opens in new tab).
Modern vs. legacy authentication, briefly
Legacy authentication refers to protocols that use basic authentication. These protocols typically cannot enforce any kind of second factor. Examples of apps based on legacy authentication include older Microsoft Office apps and apps using mail protocols like POP, IMAP, and SMTP.
Single-factor authentication (a username and password) is not enough anymore. Passwords are easy to guess, people are bad at choosing good ones, and passwords are vulnerable to phishing and password spray. One of the easiest protections is MFA: even if an attacker gets a user's password, the password alone is not enough to authenticate and reach the data.
Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (your laptop or phone) and a server, plus security measures that rely on access policies. It includes:
- Authentication methods: Multi-factor authentication (MFA), smart card authentication, client certificate-based authentication
- Authorization methods: Microsoft's implementation of Open Authorization (OAuth)
- Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory Conditional Access
Frequently asked questions
What license do I need for Conditional Access?
Azure AD P1 ($6), EMS+E3/E5 ($8.75), M365 Business ($20), or M365 E3/E5 ($32, $64).
Is MFA turned on by default in new tenants?
Yes. After February 29, 2020, Security Defaults are on by default in all net new tenants.
What MFA enrollment methods are available to end users under Security Defaults?
Only the Microsoft Authenticator app.
Is MFA required for all users when Security Defaults are on?
Yes. MFA is required and strictly enforced 14 days after a user's first sign-in.
Is Security Defaults a hard enforcement for customer tenants?
No. The hard requirement is for Partner tenants to meet the Microsoft Partner Security Requirements. Customer tenants are your choice.
How do I turn Security Defaults on or off in a customer tenant?
Sign in as a global admin at Office.com, then Admin Centers > Azure Active Directory > Azure Active Directory > Properties > Manage Security Defaults.
How do I keep Security Defaults from blocking my ticketing system or other apps using legacy protocols?
Use app passwords, or use a Conditional Access policy to bypass MFA for those apps. Both methods are detailed in this article.
How do I allow SMTP relay at customer sites with Security Defaults turned on?
Bypass MFA with a Conditional Access policy, or consider Direct Send for the device.
MFA on every account is the easy part. Proving it stays on is the hard part.
Security Defaults, Conditional Access, app passwords, exclusions. CloudCapsule checks MFA coverage and 250+ other controls across every tenant you manage in about 60 seconds each, so a quiet exclusion last quarter does not become an open door this quarter.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


