After disabling the baseline policies I was presented with this blocking error: "It looks like you have Classic policies enabled. Enabling Classic policies prevents you from enabling Security defaults." I can find no other policies enabled (or created). Is there a specific place I should be looking?
@EdAlexander please share the documentation you are following so we can better assist.
Enabling security defaults in https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults
EAC Partners/317.762.3331
@EdAlexander thanks for that. I am assigning to the correct engineer to look into this further.
Hi @EdAlexander ,
Check under Azure Active Directory > Security > Conditional Access > Manage > Classic policies.
Hope this helps! I am closing this out but if you're still having issues feel free to post to Microsoft Q&A and I will gladly continue the discussion. Since this seems to be more of a product question than a doc bug, that is the best place to put this.
Documented process does not work…. I would argue that there needs to be some errata added.
EAC Partners/317.762.3331
From: Marilee Turscak - MSFT <notifications@github.com>
Sent: Thursday, December 5, 2019 4:28 PM
To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com>
Cc: Edward Alexander <ed@eacpartners.com>; Mention <mention@noreply.github.com>
Subject: Re: [MicrosoftDocs/azure-docs] Classic policies blocking security defaults (#43961)
Hi @EdAlexander,
Check under Azure Active Directory > Security > Conditional Access > Manage > Classic policies.
Hi,
I have the same problem, but "Classic policies" is grayed out and I cannot open it. :(
Any idea?
Thanks
Also having the same problem, disabling the classic policies and still getting the "It looks like you have Classic policies enabled. Enabling Classic policies prevents you from enabling Security defaults."
We were eventually able to find another “classic” policies list farther down the page that did have items that needed to be removed.
EAC Partners/317.762.3331
From: Sam Sheridan <notifications@github.com>
Sent: Thursday, January 9, 2020 9:05 AM
To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com>
Cc: Edward Alexander <ed@eacpartners.com>; Mention <mention@noreply.github.com>
Subject: Re: [MicrosoftDocs/azure-docs] Classic policies blocking security defaults (#43961)
Also having the same problem, disabling the classic policies and still getting the "It looks like you have Classic policies enabled. Enabling Classic policies prevents you from enabling Security defaults."
Same problem here... @EdAlexander, could you please provide further information regarding where you found the additional "classic" policies list?
Thanks!
Same problem here... I removed some old "classic" policies. I still have the problem that I am not able to activate the new security standards.
I raised a call with Microsoft tech support yesterday regarding this. After going through and showing the initial MS tech guy what the issue was, the issue was escalated; a second MS tech took a look (shown the same thing as the first), and I was instructed that they would have to escalate the case again.
Currently awaiting MS to get back to me on this issue. Obviously not something people are doing wrong, but a bug with their systems.
I've got a case open as well, much the same. Haven't made it very far - it looks like this may not be that widespread?
I've just received a response from Microsoft on this issue.
The options were also greyed out for myself. This was due to Classic Policies now requiring an Azure AD Premium P1 licence (or higher). That said, there is a direct URL available to access your classic policies. Microsoft advised me to delete; however, simply disabling was enough to allow me to apply the security defaults.
Classic Policies Direct URL: https://portal.azure.com/?microsoft_aad_iam_classicPolicyDontHide=true&microsoft_aad_iam_enableClassicPoliciesMenu=true#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/ClassicPolicies
Hopefully this will help get everyone to a quick resolution.
* Quick Edit
The classic policies were created via Intune, which is why they existed in the first place. My users all still retain the Intune licences; however, as it is now the AAD licence that is covering this, that is why the issue has occurred. It may also explain why the issue doesn't appear to be that widespread.
Thank you!!! This worked!! Fast and easy :)
I deleted 3 or 4 policies I found.
But: Failed to delete '[Outlook Service for OneDrive] Device policy' :(
I disabled it, but I still cannot enable security defaults.
Have you confirmed all baseline policies are also deactivated? Once all baseline and classic policies are deactivated you should be able to proceed with the security defaults.
Hmmm. We have a P1 grant via the MAP program, so I've been able to see the Classic Policies node since the beginning. In our case, I had initially tried to disable (no change) and have since deleted them - and we still get the blocking error about Classic policies being enabled. Haven't made any headway yet via the case we opened with Azure support, but I'll follow up if/when they come back with a fix.
After opening a support case and some phone calls with MS, I was able to activate "security defaults". Baseline policies were deleted after enabling security defaults.
The doc bug is that the message says classic policies are enabled, but does not indicate how to disable them. Had to dig through a closed issue to find information that should be covered in the main document.
Disable classic policies from:
Azure AD > Conditional Access, and
Azure AD Conditional Access > Classic Policies
Classic Policies Direct URL: https://portal.azure.com/?microsoft_aad_iam_classicPolicyDontHide=true&microsoft_aad_iam_enableClassicPoliciesMenu=true#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/ClassicPolicies
I have both deleted every policy from classic policies (and now, I don't know why, the link is enabled so I can access the page without the direct URL), and disabled the old policies under conditional access.
And I still cannot enable security defaults.
Either there is something still missing in the doc, or there is some other problem in Azure AD... :(
After logging a call with Microsoft tech support, they had to do something on the backend to enable me to remove classic policies, which I was unable to see until they did something on their end - all sorted here.
For anyone who was unable to switch on the Security Defaults due to 'Classic Policies' - even after locating and removing the Classic Policies that were present - try again now.
I was advised earlier this week that a bug had been ID'd with regards to this, and to try again today (Friday Jan 24, 2020).
On doing so today, I was able to enable Security Defaults without issue.
I confirm that today it works.
thanks
But all, be careful. If you also disable and delete the Classic Conditional Access policies for Microsoft Defender ATP or another MTD integrated with Intune, it gets broken!
@Kazzan Is there a fix? I purged my Classic Conditional Policies during troubleshooting and don't currently use MD-ATP/Intune, but we are planning to deploy them eventually. So I'm hoping there is a method to restore these - do you know if that's the case?
Yes @netresults-scott. The Product Group deployed a fix for this. Just disable and enable the connector for MTD and the classic CA policy will be re-created. But you need to turn/think off the Risk policies, because they will not be evaluated during that time.