What are Microsoft 365 Security Defaults?

In today’s digital world, protecting your organization from identity-related attacks is crucial. Microsoft 365 comes with a built-in feature called Security Defaults to help secure user accounts and data with minimal configuration.

But what exactly are Security Defaults, why are they important, and how do you turn them on—especially if they’re currently disabled? This blog provides the answers.

What are Security Defaults?

Security Defaults are pre-configured security settings provided by Microsoft to help protect your organization from common threats such as phishing, password spray, and credential stuffing attacks.

When enabled, Security Defaults enforce:

• Multi-Factor Authentication (MFA) for all users and admins
• Blocking of legacy authentication protocols (which are more vulnerable)
• Protection for privileged accounts
• User sign-ins monitoring for suspicious activities

These settings apply without needing any paid licenses or advanced configuration—making them ideal for small and mid-sized organizations that want to stay secure without diving into complex identity policies.

Why Use Security Defaults?

Using Security Defaults is a quick win for securing your Microsoft 365 environment. Here’s why you should consider enabling them:

• Simplicity: No custom policies to configure—Microsoft handles it for you.
• Security Best Practices: Enforces industry-standard protection (like MFA).
• Free: No Azure AD Premium license required.
• Reduces Risk: Helps prevent common identity-based attacks automatically.

Security Defaults offer a baseline level of protection, especially useful for tenants without custom Conditional Access (CA) policies.

Are Security Defaults Turned On By Default?

If your Microsoft 365 tenant was created after October 22, 2019, Security Defaults are likely enabled by default.

However, for older tenants or those that have previously customized Conditional Access policies, Security Defaults may be disabled.

How to Turn on Disabled Security Defaults?

You can enable Security Defaults using two methods:

Turn on Security Defaults Using Entra ID (formerly Azure AD) Admin Center

Follow these steps:

1. Go to the Microsoft Entra Admin Center
2. Sign in with your Global Administrator account
3. Navigate to:


Identity > Overview > Properties

4. Scroll down and find "Manage Security defaults".
5. Click "Yes" under Enable Security defaults, and hit Save.

📌 Note: If Conditional Access policies are already in place, the Security Defaults toggle will be unavailable.

Turn on Security Defaults Using Graph PowerShell

You can also enable or disable Security Defaults programmatically via Microsoft Graph PowerShell.

Here’s how:

1. Install the Graph module (if not already installed):

Install-Module Microsoft.Graph -Scope CurrentUser

2. Connect to Graph with the required permissions:

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

3. Check if Security Defaults are enabled:

Get-MgPolicyAuthorizationPolicy | Select-Object -Property Id, DisplayName, DefaultUserRolePermissions

4. Enable Security Defaults:

Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -IsSecurityDefaultsEnforced $true

5. To disable (if needed):

Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" -IsSecurityDefaultsEnforced $false

Conclusion

Security Defaults offer a no-cost, no-fuss way to elevate your organization’s security posture. Especially if you’re not ready to manage Conditional Access policies, enabling Security Defaults is the best first step.

🔑 Enable it today through the Entra ID Admin Center or Microsoft Graph PowerShell, and take a simple yet impactful stride toward protecting your Microsoft 365 tenant.