Find it in the Microsoft Portals
Microsoft Entra -> Identity -> General
What does this Default Configuration do?
This setting turns Security Defaults on or off.
Enabling Security Defaults is recommended for tenants that are not licensed for Conditional Access.
However, if you are using Conditional Access, then Security Defaults must be disabled for Conditional Access policies to work.
Applies To
Tenant Wide
This Default Configuration applies at the tenant level only.
Recommended Configuration
If you are using Conditional Access, then the Security Defaults must be disabled.
It is recommended that Security Defaults is enabled if you are not using Conditional Access.
User Impact
Medium to High
If Security Defaults are disabled without Conditional Access policies in place and enabled, the tenant will be in an insecure configuration.
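The combination described above can be checked from two Microsoft Graph responses. The following is an added example, not part of the original page or of any vendor tooling: the function names and sample data are constructed for illustration, and it assumes the responses come from `GET /policies/identitySecurityDefaultsEnforcementPolicy` and `GET /identity/conditionalAccess/policies`.

```python
# Added example: classify a tenant from two Microsoft Graph responses.
import json

# Constructed sample responses (not from a real tenant), shaped like
# GET /policies/identitySecurityDefaultsEnforcementPolicy and
# GET /identity/conditionalAccess/policies
SAMPLE_DEFAULTS = json.loads('{"isEnabled": false}')
SAMPLE_POLICIES = json.loads("""
{"value": [
  {"displayName": "Require MFA for admins", "state": "disabled"},
  {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced"}
]}
""")


def enforced_policies(ca_response):
    """Names of Conditional Access policies that are actually enforced.

    Report-only ("enabledForReportingButNotEnforced") and "disabled"
    policies do not block or challenge sign-ins, so they are excluded.
    """
    return [p.get("displayName", "<unnamed>")
            for p in ca_response.get("value", [])
            if p.get("state") == "enabled"]


def assess_tenant(defaults_response, ca_response):
    """Return (status, detail) for the Security Defaults / CA combination."""
    defaults_on = bool(defaults_response.get("isEnabled", False))
    enforced = enforced_policies(ca_response)
    if defaults_on and enforced:
        return ("CONFLICT", "Security Defaults is on while CA policies are "
                "enabled; disable Security Defaults to use Conditional Access")
    if defaults_on:
        return ("OK_SECURITY_DEFAULTS", "Security Defaults is enabled")
    if enforced:
        return ("OK_CONDITIONAL_ACCESS",
                f"{len(enforced)} enforced CA policy(ies): {', '.join(enforced)}")
    return ("INSECURE", "Security Defaults is off and no Conditional Access "
            "policy is in the 'enabled' state")


if __name__ == "__main__":
    status, detail = assess_tenant(SAMPLE_DEFAULTS, SAMPLE_POLICIES)
    print(f"{status}: {detail}")
```

The sample tenant is reported as insecure because its only policies are disabled or report-only, which is the case that is easy to miss when counting policies in the portal.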
Additional Information
Security Defaults vs Conditional Access
Security Defaults and Conditional Access in Microsoft 365 are both designed to enhance security but serve different needs.
Security Defaults is a simple, preconfigured set of protections, like requiring multi-factor authentication (MFA) and blocking legacy authentication. It’s ideal for small organizations that need basic security without complex configurations. Once enabled, it applies universally and offers no customization.
A shortcoming of Security Defaults is that while all users are required to register for MFA, MFA is enforced only for administrator logins. Regular users are prompted for MFA only when Microsoft decides to challenge the user based on signals it receives, such as the device, browser, location, etc.
Conditional Access, on the other hand, is a more advanced, customizable feature. It allows organizations to create specific security policies based on conditions like user location, device type, or risk. This provides granular control over access and is better suited for larger organizations or those with specific security needs.
For smaller setups, Security Defaults is seen as an easy solution, while Conditional Access offers the flexibility needed for more complex environments.
365Sentri makes it easy to deploy, manage and monitor Conditional Access policies of all complexities!