soteria-security / 365Inspect

A PowerShell script that automates the security assessment of Microsoft 365 environments.
https://soteria.io/solutions/soteria-inspect/
MIT License

Office 365 Secure Defaults - Issues with Inspectors #10

Closed mlinton closed 2 years ago

mlinton commented 2 years ago

During an analysis, we identified that several of the inspectors properly pull information regarding the tenant and report the issue; however, the MS "secure defaults" setting overrides these individual parameters. An example is the setting for user MFA. The inspector for MFA properly reports that there are users with no MFA enforced, but with the Secure Defaults setting enabled it properly restricts MFA across the tenant. Another example is the use of legacy authentication like IMAP, also disabled by secure defaults, but it still shows up as a finding from the inspector.

Not sure how to properly get a list of all of the settings that it changes (or doesn't impact) to have it reflect in the results. Maybe the first check should be the secure defaults and if enabled it modifies the list of inspectors needed?

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

ThoughtContagion commented 2 years ago

Thank you. We are continuously looking to improve this offering and your feedback is appreciated. We will look at the various objects that Secure Defaults enables and provide checks in the affected Inspectors to compensate for those items.
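
The approach proposed in this thread (read the Security Defaults state first, then adjust how the affected inspectors report) could look like the following. This is an added example, not code from 365Inspect or from either commenter. The inspector names, the finding object shape and the function names are hypothetical; the only live call is the Microsoft Graph PowerShell cmdlet `Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy`, which needs a `Connect-MgGraph -Scopes 'Policy.Read.All'` session. Findings are annotated rather than dropped, so the report still shows what the per-user settings look like.

```powershell
# Added example. Inspector names below are hypothetical placeholders for the
# two cases raised in the thread (per-user MFA, legacy authentication).
$CoveredBySecurityDefaults = @{
    'UsersWithNoMFAEnforced'  = 'Security Defaults enforces MFA at the tenant level'
    'LegacyAuthenticationOn'  = 'Security Defaults blocks legacy authentication (e.g. IMAP)'
}

function Get-SecurityDefaultsState {
    # Live lookup: requires Microsoft.Graph.Identity.SignIns and an
    # authenticated Connect-MgGraph session with Policy.Read.All.
    [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

function Resolve-InspectorFinding {
    param(
        [Parameter(Mandatory)][object[]]$Findings,
        [Parameter(Mandatory)][bool]$SecurityDefaultsEnabled,
        [hashtable]$Coverage = $CoveredBySecurityDefaults
    )
    foreach ($f in $Findings) {
        $reason = $Coverage[$f.Inspector]
        # Only downgrade a finding when the tenant-wide control is on AND
        # this inspector is one it is known to compensate for.
        $compensated = $SecurityDefaultsEnabled -and $null -ne $reason
        [pscustomobject]@{
            Inspector       = $f.Inspector
            AffectedObjects = $f.AffectedObjects -join ', '
            Status          = if ($compensated) { 'Compensated' } else { 'Open' }
            Note            = if ($compensated) { $reason } else { '' }
        }
    }
}

# Constructed sample findings so the example runs without a tenant.
$sample = @(
    [pscustomobject]@{ Inspector = 'UsersWithNoMFAEnforced'; AffectedObjects = @('alice@contoso.example', 'bob@contoso.example') }
    [pscustomobject]@{ Inspector = 'LegacyAuthenticationOn'; AffectedObjects = @('IMAP') }
    [pscustomobject]@{ Inspector = 'SomeUnrelatedInspector'; AffectedObjects = @('n/a') }
)

# Offline demonstration with both states; against a tenant, pass
# -SecurityDefaultsEnabled (Get-SecurityDefaultsState) instead.
Resolve-InspectorFinding -Findings $sample -SecurityDefaultsEnabled $true  | Format-Table -AutoSize
Resolve-InspectorFinding -Findings $sample -SecurityDefaultsEnabled $false | Format-Table -AutoSize
```

With Security Defaults on, the first two findings come back as `Compensated` and the unrelated one stays `Open`; with it off, all three stay `Open`.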