Security Defaults are a set of policies that are enabled by default for Microsoft 365 (Office 365) accounts to provide enhanced account and organizational security. They come free with all Microsoft 365 subscriptions and override the Baseline Conditional Access policies.
As useful as they are, the Security Defaults are not a one-size-fits-all set of policies. In most cases, organizations prefer to customize their security policies, which requires disabling the Security Defaults. That is what we’ll show you in this article.
What Protections Do the Security Defaults Provide?
Security Defaults enable the following settings in the Azure tenant:
- Multi-factor authentication for administrators and users (a request to configure MFA appears on each user sign-in);
- Legacy authentication protocols are disabled, and this blocks access to Office 365 mailboxes from old clients and legacy protocols that do not support Modern Authentication (Office 2010, IMAP, POP3, SMTP, ActiveSync), as well as connecting to Exchange Online via Remote PowerShell;
- Force MFA for privileged accounts in Azure AD when accessing management tools that use the Azure Resource Manager API (Azure Portal Access, Azure PowerShell, Azure CLI).
Why Disable the Security Defaults?
If the Security Defaults are an excellent way to protect your tenant and users, why would you disable them?
Unfortunately, Security Defaults offer an all-or-nothing approach when enforcing policies. Not every organization will find this kind of policy enforcement suitable.
Support for Legacy Applications without Modern Authentication Capabilities
If every application supports modern authentication, then enabling the Security Defaults would be a no-brainer. But in the real world, organizations cannot (or will not) upgrade or replace every application to comply with modern authentication.
In these cases, user accounts used by legacy applications must still be able to authenticate to Microsoft 365 services using the username and password method—which cannot happen with Security Defaults enabled.
Related. How to disable multi-Factor authentication (MFA) in Office 365?
Conditional Access Policy Deployment
Unlike Security Defaults, deploying conditional access policies offers more flexible and customizable security enforcement. It lets you specify which users, groups, or applications to include or exclude from the policy. You can also create multiple policies to cater to different access scenarios.
However, enabling a conditional access policy is not allowed while the Security Defaults are enabled. If you try to enable a conditional access policy, you’ll get the following error message.
Related. How to set up conditional access in Azure AD (Office 365)?
How to Disable Security Defaults in Office 365 using the Microsoft Entra Admin Center
The first and most commonly used method to turn the Security Defaults on or off is through the Microsoft Entra Admin Center, and here’s how you can do it.
- Log in to the Microsoft Entra Admin Center.
- Navigate to Identity → Overview → Properties and click the Manage security defaults link.
- Select Disabled from the dropdown box, choose a reason for disabling, and click Save.
- Click Disable on the confirmation prompt.
The Security Defaults status has changed to “Your organization is not protected by security defaults.”
How to Disable Security Defaults in Office 365 using Microsoft Graph PowerShell
If you prefer to do things in PowerShell, you can also disable the Security Defaults using the Microsoft Graph PowerShell.
- Install the Microsoft Graph PowerShell module on your computer. Skip this step if it is already installed.
# Install for the current user profile
Install-Module Microsoft.Graph -Scope CurrentUser
# Install for all users
Install-Module Microsoft.Graph -Scope AllUsers
- Connect to the Microsoft Graph PowerShell.
Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess, Policy.Read.All -TenantId <tenant>.onmicrosoft.com
- Run this command to get the current state of the Security Defaults.
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Format-List
As you can see below, the IsEnabled value is True, which means that Security Defaults is enabled.
- Run this command to disable the Security Defaults:
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
The command returns nothing if the operation is successful.
- Further, confirm by getting the current Security Defaults status:
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Format-List
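The steps above, combined into one script, as an added example that is not part of the original article. It also covers the caveat from the Conditional Access section: since Security Defaults are the only thing enforcing MFA until a Conditional Access policy takes over, the script refuses to disable them unless at least one Conditional Access policy that requires MFA already exists in the tenant. The cmdlets used (Connect-MgGraph, Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy, Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy, Get-MgIdentityConditionalAccessPolicy) are real Microsoft Graph PowerShell cmdlets; the assumption that the replacement policy can be pre-staged before Security Defaults are turned off (for example in report-only state, since the article notes it cannot be set to enabled yet), and the script name Disable-SecurityDefaults.ps1, are the author's choices for this example.

```powershell
# Disable-SecurityDefaults.ps1 (added example, not from the original article)
# Disables Microsoft 365 Security Defaults only after confirming that a
# Conditional Access policy requiring MFA is already present in the tenant.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# holds a role that may manage Conditional Access and security defaults.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string] $TenantId   # e.g. contoso.onmicrosoft.com (placeholder)
)

# Policy.Read.All lists Conditional Access policies; Policy.ReadWrite.ConditionalAccess
# is needed to change the security defaults enforcement policy.
Connect-MgGraph -TenantId $TenantId `
    -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $defaults.IsEnabled) {
    Write-Host 'Security Defaults are already disabled; nothing to do.'
    return
}

# Look for a replacement: any Conditional Access policy whose grant control
# includes the built-in "mfa" control. Assumption: such a policy was created
# beforehand (it cannot be switched to "enabled" while Security Defaults are on).
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' }

if (-not $mfaPolicies) {
    Write-Warning 'No Conditional Access policy requires MFA. Create one first; Security Defaults stay enabled.'
    return
}

foreach ($p in $mfaPolicies) {
    Write-Host ("MFA policy found: '{0}' (state: {1})" -f $p.DisplayName, $p.State)
}

# -WhatIf on the script reports the change without making it.
if ($PSCmdlet.ShouldProcess($TenantId, 'Disable Security Defaults')) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

    # The update returns nothing on success, so read the policy back to verify.
    $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($after.IsEnabled) {
        throw 'Security Defaults are still enabled after the update; check the role assignment and consent.'
    }
    Write-Host 'Security Defaults disabled. Remember to set the MFA Conditional Access policy to Enabled.'
}
```

Run it first as `.\Disable-SecurityDefaults.ps1 -TenantId <tenant>.onmicrosoft.com -WhatIf` to see whether a suitable replacement policy was found, then without `-WhatIf` to apply the change. The final read-back matters because Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy prints nothing on success, so the script would otherwise have no way to tell a silent failure from a completed change.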
Conclusion
While the Security Defaults offer sound access policies for your Microsoft 365 users and apps, they are not for everyone. Some organizations will need to customize their access policies and cannot do so until Security Defaults are disabled.
The good news is it is relatively simple to disable the Security Defaults, whether in the Entra Admin Center or from the Microsoft Graph PowerShell.
2 comments
Hi Cyril,
I want to automate this task using PowerShell. Can you provide some insights on how to make this happen using a script?
It helps me with routine work on my tasks.
Thank you very much.
Thanks for your comment, we will add this info on the next update cycle of the article.