Description:
Security Defaults in Microsoft Entra ID (formerly Azure Active Directory) are built-in security settings that help protect your organization from common attacks. When enabled, they provide basic protection by requiring Multi-Factor Authentication (MFA) for all users, enforcing secure sign-in practices, and blocking older, less secure authentication methods. Security Defaults make it easier to keep your organization safe without needing advanced configuration.
Rationale:
Enabling Security Defaults gives your organization a strong, built-in level of protection without needing complex setup. It helps defend against common attacks by applying essential security controls automatically. This ensures a safe baseline is in place until you choose to configure more advanced or detailed security settings.
Impact:
Turning on Security Defaults greatly improves security, but it may affect some older applications or services that still use legacy authentication. Because MFA is required and outdated sign-in methods are blocked, certain workflows may need updates to work with modern authentication. Organizations relying on older systems may need to make adjustments before enabling this feature.
Default Value:
By default, Security Defaults are not enabled in Microsoft Entra ID. They must be turned on manually.
Pre-requisites:
Global Administrator or Privileged Authentication Administrator permissions in Microsoft Entra ID.
No Conditional Access policies.
Legacy authentication is not in use.
Test Plan:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Microsoft Entra ID (Azure Active Directory).
In the Entra ID overview page, select Properties.
At the bottom of the Properties page, click Manage security defaults under Security Defaults.
Check whether Security Defaults is enabled or disabled.
If Security Defaults is not enabled, follow the Implementation Steps.
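The same check can be run against Microsoft Graph data instead of the portal. The following is an added example, not part of the original procedure: it evaluates the Security Defaults state together with the two tenant prerequisites listed above. The sample responses are constructed, and treating every `clientAppUsed` value outside `MODERN_CLIENTS` as legacy authentication is an assumption of this example.

```python
import json

# Constructed sample bodies, shaped like Microsoft Graph v1.0 responses from:
#   GET /policies/identitySecurityDefaultsEnforcementPolicy
#   GET /identity/conditionalAccess/policies
#   GET /auditLogs/signIns
SAMPLE_POLICY = json.loads('{"isEnabled": false}')
SAMPLE_CA = json.loads('{"value": [{"displayName": "Require MFA for admins", "state": "enabled"}]}')
SAMPLE_SIGNINS = json.loads('''{"value": [
  {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
  {"userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4"},
  {"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients"}
]}''')

# Assumption: any clientAppUsed value outside this set counts as legacy authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def audit_security_defaults(policy, ca_policies, signins):
    """Return the control status plus any unmet prerequisites from this page."""
    enabled = policy.get("isEnabled") is True
    blockers = []
    # Prerequisite: no Conditional Access policies.
    for p in ca_policies.get("value", []):
        blockers.append(
            f"Conditional Access policy present: {p.get('displayName')} ({p.get('state')})")
    # Prerequisite: legacy authentication is not in use.
    legacy = {}
    for s in signins.get("value", []):
        app = s.get("clientAppUsed") or ""
        if app and app not in MODERN_CLIENTS:
            user = s.get("userPrincipalName") or "unknown"
            legacy.setdefault(user, set()).add(app)
    for user in sorted(legacy):
        blockers.append(
            f"Legacy authentication sign-in: {user} via {', '.join(sorted(legacy[user]))}")
    if enabled:
        status = "PASS"
    elif blockers:
        status = "FAIL_PREREQS_UNMET"
    else:
        status = "FAIL_READY_TO_ENABLE"
    return {"status": status, "blockers": blockers}


if __name__ == "__main__":
    result = audit_security_defaults(SAMPLE_POLICY, SAMPLE_CA, SAMPLE_SIGNINS)
    print(result["status"])
    for b in result["blockers"]:
        print(" -", b)
```

A `FAIL_PREREQS_UNMET` result lists what to resolve before following the Implementation Steps.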
Implementation Steps:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Microsoft Entra ID (Azure Active Directory).
In the Entra ID overview page, select Properties.
At the bottom, click Manage security defaults.
In the Manage security defaults page, you will see an option labeled Security defaults. Choose Enabled and click Save.
Backout Plan:
Sign in to the Azure portal at https://portal.azure.com.
Search for Microsoft Entra ID.
On the Entra ID overview page, select Properties.
At the bottom, click on Manage security defaults under the Security Defaults section.
Set Enable security defaults to Disabled and click Save.
References:
https://learn.microsoft.com/azure/active-directory/fundamentals/security-defaults
https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-security-defaults



