Forum Discussion
micheleariis
Oct 08, 2024
Secure Score - Enable conditional access policies to block legacy authentication.
Hi all, it reports that I should block legacy authentication for all users; however, I have already done so by configuring Conditional Access. Does anyone else have the same report despite having already implemented the block?
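Before chasing the score, it helps to confirm from the tenant itself that the block policy is really in effect, and to read what Secure Score actually recorded for the control. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Security modules) and an account that can consent to the two scopes named in the comments; matching the Secure Score control by the word "legacy" is an assumption, since the thread never shows the control's internal identifier.

```powershell
# Added example, not from the thread: check the tenant directly for an enabled
# Conditional Access policy that blocks legacy authentication, then read what
# Secure Score currently records for the matching control.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Security) and an account that can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'SecurityEvents.Read.All'

# 1. Conditional Access. The "Block legacy authentication" template is a policy
#    that is enabled, scoped to the client app types exchangeActiveSync and
#    other, and grants 'block'. Report-only policies, policies that target only
#    one of the two app types, or policies without 'block' do not count.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$legacyBlock = foreach ($p in $policies) {
    $apps   = @($p.Conditions.ClientAppTypes)
    $grants = @($p.GrantControls.BuiltInControls)
    if (($p.State -eq 'enabled') -and
        ($apps -contains 'exchangeActiveSync') -and ($apps -contains 'other') -and
        ($grants -contains 'block')) {
        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            IncludeUsers  = ($p.Conditions.Users.IncludeUsers  -join ', ')
            ExcludeUsers  = ($p.Conditions.Users.ExcludeUsers  -join ', ')
            ExcludeGroups = ($p.Conditions.Users.ExcludeGroups -join ', ')
            ModifiedUtc   = $p.ModifiedDateTime
        }
    }
}

if (-not $legacyBlock) {
    Write-Warning 'No enabled Conditional Access policy blocks legacy authentication.'
} else {
    # IncludeUsers should read "All" for tenant-wide coverage; review the
    # exclusions, because an excluded group is where coverage quietly ends.
    $legacyBlock | Format-Table -AutoSize
}

# 2. Secure Score. Take the newest daily snapshot (sorted explicitly rather than
#    relying on the service's default order) and list the per-control entries
#    whose name or description mentions legacy authentication. The 'legacy'
#    string match is an assumption; the control's identifier is not shown here.
$latest = Get-MgSecuritySecureScore -All |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 1
'Secure Score {0}/{1} in snapshot {2}' -f $latest.CurrentScore, $latest.MaxScore, $latest.CreatedDateTime
$latest.ControlScores |
    Where-Object { $_.ControlName -match 'legacy' -or $_.Description -match 'legacy' } |
    Select-Object ControlCategory, ControlName, Score, Description |
    Format-Table -AutoSize -Wrap
```

If the first part lists a correct, enabled, all-users policy and the second part still shows zero for the control, the policy is not the problem and the discrepancy is on the scoring side; if the policy is in report-only state or carries a broad exclusion, that is worth fixing regardless of what the score says.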
- mikebravo: All sorted now! I've had my 8 points restored for blocking legacy authentication. Glad it's finally resolved 😄
- micheleariis:
mikebravo Good, I'm glad 😊
With this post and everyone's help we were maybe able to make it matter 💪
- cbcraig: While I am glad to hear that some folks' errors have been remediated, my tenant is still incorrectly regressed for a total of 35 points on Identity and I still have a ticket open.
- CopeStarr: Just to complete the circle, all mine are now showing as Points Gained. In fact, I'm up 0.54% on the original baseline score, so (at least from my end) they've fixed some other anomalies as well.
- jonathanmortlock: Same issue here. Policy status is fine but isn't being reflected in Secure Score correctly since earlier this month.
- Jclay__SSP: Same issue here, seen across 7+ tenants.
- micheleariis:
Jclay__SSP Just as a refresher: two days ago I created a new tenant and immediately created the offending policies; to date the score has not changed, so I doubt that removing the tenant's policies and putting them back will update the score.
Let's stand by and wait for news.
- mikebravo:
micheleariis Just wanted to add my name to the thread. I have the same problem with Secure Score regressions in the Identity stream. For me this occurred on the 4th of October at 01:00 AM (British Summer Time). I suffered regressions as follows...
- 1.00 points regressed for Designate more than one global admin
- 1.00 points regressed for Use least privileged administrative roles
- 8.00 points regressed for Enable Conditional Access policies to block legacy authentication
- 8.00 points regressed for Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
...but I have achieved all these points already. This bug has resulted in a drop in our identity score from 71% to 25%, which really does not present well to our management team.
TrevorRusher Are you able to highlight this issue with the appropriate team? Or do you know if they are working on a fix? Thanks
- cbcraig: On October 5th at 8pm my tenant was regressed 35 points erroneously on six different Identity-based criteria. All six policies that were regressed have been in place and unchanged for months and were recognized previously.
I have opened a support request, which they immediately asked me to archive for some reason even though there has been no fix.
The support tech suggested that I also post all of this here.
- micheleariis:
cbcraig Okay, let's wait for news.
- dkearns950: You would think there would be some news already, or more activity; it seems a lot of people have falsely lost a lot of points.
- Eli-SH: I have this same issue. On 10/5 my scores for at least the following actions were reset to 0 and have not returned to their completed status:
Designate more than one global admin
Enable Conditional Access policies to block legacy authentication
Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
Ensure user consent to apps accessing company data on their behalf is not allowed
- larshoerlyck: As an MSP we have experienced exactly the same on a lot of tenants...
The problem is that the customers are pretty aware of this secure score, and now we have to come up with a rather sick explanation like: It's Microsoft's fault 🙂
Waste of time.. hope it's soon fixed.
- dkearns950: I was planning on recreating our CA policy, but it's set up exactly as the MS template. Luckily my management team understands that Microsoft has these bugs with various items in their scoring system, and in how and where it tracks things at times to award the score.
- AndyPointon: We have the exact same issue; Secure Score docked us points for not having the Block Legacy Authentication policy as of 4th October... we've had it in place for at least 5 years.
I've tried re-creating it as a new policy using the MS-supplied template; hopefully it will recognise it and re-assess our score in the next day or so...
- CopeStarr: Having looked on a few forums (Reddit, etc.), this seems to be consistent for a lot of people: 4th Oct big drop, mainly on Authentication, MFA, Password Expiry, and Global Admin Numbers...
We've had all this set up correctly for a while, so it does appear to be a possible bug. Will give it a week and see what happens.
- micheleariis:
CopeStarr Yes, I also noticed the problem around the same time; there may be a bug, however I expect it to be fixed; otherwise don't offer this score service.
- micheleariis:
AndyPointon I also created the rules with Conditional Access, but the score remains stationary 😤
- dkearns950: We had the same happen on our Secure Score for this item over the weekend. We lost points even though we have the policy in place according to how Microsoft requires it and tells people to configure it. We figure it's a Defender bug and Microsoft will address it.
- micheleariis:
dkearns950 Okay, I have many recommendations besides this one that have already been implemented but now show as still to be done.
- dkearns950: I experience that a lot; I chase the score often. A new Defender recommendation came out and we lost points on the same weekend, so we saw a 12-point dip. That new one we actually have set more securely than what Microsoft recommends, so will Microsoft update it? Who knows. We have other items that we configure as Microsoft states but Defender doesn't recognize, either because they are looking at one area for it to be configured, but not the new area where they say we should configure it. For example, create a CA policy as Microsoft says is the way going forward, but they only award the points if it is configured in the legacy manner; the recommendation doesn't get updated for some reason. For those ones that have changed on you, double-check that Microsoft hasn't decided to change where it wants to look for it to be completed, or that they didn't change the standard for which they now give the points.