PowerShell allows us to quickly and effectively make changes to the configuration of our Microsoft Entra Tenant. We can also use PowerShell to ensure that when new Tenants are created or onboarded, they keep to a common standard set by the organization.
Security Defaults is one of the most important settings for any tenant admin to verify is enabled, and if it isn't, to confirm that Conditional Access policies are implementing the equivalent protection instead.
In this tutorial, we’re going to show you how to enable and disable Security Defaults in your tenant using Microsoft Graph PowerShell.
Before you begin
Make sure you have:
- A Windows computer with Windows PowerShell 5.1+ or PowerShell 7+, or a Linux or macOS computer with PowerShell Core installed.
- The Microsoft Graph PowerShell SDK installed. You can confirm this with Get-InstalledModule:
PS C:\> Get-InstalledModule Microsoft.Graph

Version    Name              Repository    Description
-------    ----              ----------    -----------
2.6.1      Microsoft.Graph   PSGallery
Modify Security Defaults with Microsoft Graph PowerShell
1️⃣ Start by connecting to Graph with the minimal required permissions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.SecurityDefaults', 'Policy.Read.All'
2️⃣ To view how Security Defaults is currently configured, use the Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy cmdlet. The command returns quite a lot of information, so the following example selects only the IsEnabled attribute, which tells you whether Security Defaults is enforced.
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select DisplayName, IsEnabled
DisplayName        IsEnabled
-----------        ---------
Security Defaults  False
3️⃣ To determine whether Security Defaults is enabled or disabled in your tenant, interpret the value as follows:
- IsEnabled = False: Security Defaults is disabled.
- IsEnabled = True: Security Defaults is enabled.
4️⃣ To modify this setting with Microsoft Graph PowerShell, use the corresponding update cmdlet, Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy, passing the desired value in the request body:
$body = @{
isEnabled = $false #Change to $true to enable the Security Defaults
}
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $body
Troubleshooting
As the Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy command is quite specific, there is a chance you will come across an error when running it. You may also notice that although the -IsEnabled parameter is present and appears to accept a Boolean True/False value, the command still fails when you try to run it:
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy : A positional parameter cannot be found that accepts argument ‘True’.
At line:1 char:1
+ Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $t …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Update-MgPolicy…forcementPolicy], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Instead, drop the $true value: the error above is PowerShell reporting that -IsEnabled is a switch parameter, so it has nothing to bind 'True' to. Passing -IsEnabled on its own enables Security Defaults. Note that the tenant will still reject the change while any Conditional Access policy is enabled, as the following output shows:
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy : Conditional access policies are enabled. Please disable and try again.
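As an added example (not part of the tutorial), the following wrapper ties the steps above together: it reads the current state, checks for enabled Conditional Access policies before attempting to turn Security Defaults on, and sets the value through the request body so the -IsEnabled switch issue does not arise. The function name Set-SecurityDefaultsState is my own; it assumes an existing Connect-MgGraph session with the scopes from step 1.

```powershell
# Added example, not the tutorial's own code. Assumes Connect-MgGraph has already
# been run with 'Policy.ReadWrite.SecurityDefaults' and 'Policy.Read.All'.
function Set-SecurityDefaultsState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [bool]$Enabled
    )

    $current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($current.IsEnabled -eq $Enabled) {
        Write-Host "Security Defaults already has IsEnabled=$Enabled; nothing to do."
        return $current
    }

    if ($Enabled) {
        # Graph refuses to enable Security Defaults while Conditional Access policies
        # are enabled, so list the blocking policies up front instead of failing with
        # "Conditional access policies are enabled. Please disable and try again."
        # Assumption: report-only policies are treated as blocking too (conservative).
        $activeCA = Get-MgIdentityConditionalAccessPolicy -All |
            Where-Object { $_.State -ne 'disabled' }
        if ($activeCA) {
            Write-Warning "Cannot enable Security Defaults; these Conditional Access policies are not disabled:"
            $activeCA | Select-Object DisplayName, Id, State | Format-Table -AutoSize | Out-String | Write-Warning
            return $current
        }
    }

    # -IsEnabled is a switch parameter, so send the desired value in the request body;
    # this form works for both enabling and disabling.
    if ($PSCmdlet.ShouldProcess('Security Defaults', "Set IsEnabled=$Enabled")) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $Enabled }

        # Re-read the policy to verify the change actually took effect.
        $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
        if ($after.IsEnabled -ne $Enabled) {
            throw "Security Defaults update did not take effect (IsEnabled is still $($after.IsEnabled))."
        }
        return $after
    }
}

# Usage:
# Set-SecurityDefaultsState -Enabled $true -WhatIf   # preview only
# Set-SecurityDefaultsState -Enabled $true
```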