Security defaults / CA baseline applied
Description
What this control does
Security defaults and Conditional Access (CA) baseline policies enforce minimum authentication and authorization standards across identity platforms, typically within Microsoft Entra ID (Azure AD) or similar identity providers. These defaults automatically enable multi-factor authentication for privileged accounts, block legacy authentication protocols, require MFA for administrative actions, and enforce risk-based sign-in controls without requiring manual policy configuration. Applying security defaults or a well-defined CA baseline ensures consistent protection against credential-based attacks and unauthorized access, particularly for organizations lacking mature identity governance programs.
Control objective
What auditing this proves
Demonstrate that security defaults or a documented Conditional Access baseline policy set is enabled and enforced across all identity tenants, ensuring mandatory authentication controls are applied to users and administrative accounts.
Associated risks
Risks this control addresses
- Attackers exploit weak authentication mechanisms such as password-only sign-ins to compromise user accounts and gain initial access
- Legacy authentication protocols (e.g., SMTP, IMAP, POP3) bypass modern security controls including MFA and risk-based access policies
- Administrative accounts operate without mandatory MFA, enabling privilege escalation following credential theft or phishing attacks
- Inconsistent authentication policies across tenants or business units create security gaps exploitable through targeted reconnaissance
- Absence of risk-based Conditional Access allows sign-ins from compromised devices, anonymous networks, or impossible travel scenarios
- Service accounts and non-interactive authentication flows remain unprotected, allowing lateral movement after initial compromise
- Security policy drift occurs when defaults are disabled without implementing equivalent or stronger Conditional Access policies
Testing procedure
How an auditor verifies this control
- Identify all identity tenants, directories, and authentication domains in scope (e.g., Azure AD, Okta, on-premises AD FS).
- Export the current security defaults configuration or Conditional Access policy baseline from each tenant using administrative portals or PowerShell/API commands.
- Review whether security defaults are enabled; if disabled, obtain documentation justifying the decision and mapping to equivalent or superior CA policies.
- Select a representative sample of 15-20 user accounts spanning standard users, privileged administrators, service accounts, and guest identities.
- For each sampled account, review sign-in logs from the past 30 days to verify MFA challenges, policy enforcement actions, and blocked legacy authentication attempts.
- Simulate a sign-in attempt using a legacy authentication protocol (e.g., IMAP) or from an unapproved location to confirm enforcement of baseline policies.
- Compare the deployed CA policies or security defaults against Microsoft's published baseline recommendations or the organization's documented standard.
- Verify that any exceptions, exclusions, or disabled policies are documented in change control records with compensating controls identified and approved by authorized personnel.
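As an added worked example (not part of this control page or of any vendor tooling), the following Python evaluates an exported policy set against two of the baseline expectations above: legacy authentication blocked for everyone, and MFA required for administrators, with security defaults accepted as satisfying both. It assumes the export was saved as Microsoft Graph conditionalAccessPolicy objects alongside the tenant's security-defaults flag; the rule set, the SAMPLE export and the admin role list are assumptions constructed for illustration.

```python
# Added check: assess one tenant export against a minimal CA baseline. Policy objects
# use the Microsoft Graph conditionalAccessPolicy shape; rules and SAMPLE are constructed.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template id
def _enforced(policy):  # report-only and disabled policies do not enforce anything
    return policy.get("state") == "enabled"
def _grants(policy, control):  # control is a builtInControls value, e.g. "block" or "mfa"
    return control in ((policy.get("grantControls") or {}).get("builtInControls") or [])

def blocks_legacy_auth(policies):
    """True if an enforced policy blocks legacy protocols for all users and all apps."""
    for p in filter(_enforced, policies):
        c = p.get("conditions", {})
        if (LEGACY_CLIENT_TYPES <= set(c.get("clientAppTypes", []))
                and "All" in c.get("users", {}).get("includeUsers", [])
                and "All" in c.get("applications", {}).get("includeApplications", [])
                and _grants(p, "block")):
            return True
    return False

def requires_admin_mfa(policies, admin_role_ids):
    """True if enforced MFA policies cover all users or every listed admin role."""
    covered = set()  # exclusions are not evaluated here; reconcile them with change control
    for p in filter(_enforced, policies):
        users = p.get("conditions", {}).get("users", {})
        if _grants(p, "mfa"):
            if "All" in users.get("includeUsers", []):
                return True
            covered |= set(users.get("includeRoles", []))
    return set(admin_role_ids) <= covered

def assess(export):
    """Security defaults on satisfies both checks; otherwise inspect the CA policy set."""
    if export.get("securityDefaults", {}).get("isEnabled"):
        return {"securityDefaults": True, "legacyAuthBlocked": True, "adminMfa": True}
    pols = export.get("conditionalAccessPolicies", [])
    return {"securityDefaults": False,
            "legacyAuthBlocked": blocks_legacy_auth(pols),
            "adminMfa": requires_admin_mfa(pols, export.get("adminRoleIds", []))}

SAMPLE = {  # constructed export: defaults off, two enforced CA policies
    "securityDefaults": {"isEnabled": False}, "adminRoleIds": [GLOBAL_ADMIN_ROLE],
    "conditionalAccessPolicies": [
        {"displayName": "Block legacy authentication", "state": "enabled",
         "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                        "users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
         "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
        {"displayName": "Require MFA for admins", "state": "enabled",
         "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}]}
```

Run assess() over each tenant's export and keep the result with the audit workpapers; a policy left in report-only state is deliberately not counted as enforced, which is exactly the policy-drift case the risk list describes.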
Where this control is tested