Table of Contents
PowerShell allows us to quickly and effectively make changes to the configuration of our Microsoft Entra Tenant. We can also use PowerShell to ensure that when new Tenants are created or onboarded, they keep to a common standard set by the organization.
Security Defaults are one of the most important settings for any tenant admin to ensure it is enabled and if it isn’t, to ensure that Conditional Access policies are implementing the protection instead.
In this tutorial, we’re going to show you how to enable and disable Security Defaults in your tenant using Microsoft Graph PowerShell.
Before you begin
Make sure you have:
- A Windows computer with Windows PowerShell 5.1+ or PowerShell 7+.
- A Linux or macOS computer with PowerShell core has been installed.
- Install Microsoft Graph PowerShell SDK.
PS C:\> Get-InstalledModule Microsoft.Graph
Version Name Repository Description
------- ---- ---------- -----------
2.6.1 Microsoft.Graph PSGalleryModify Security Defaults with Microsoft Graph PowerShell
1️⃣ Start by connecting to Graph with the minimal required permissions.
Connect-MgGraph -scope 'Policy.ReadWrite.SecurityDefaults', 'Policy.Read.All'2️⃣ To view how your current Security Defaults setting is configured using Microsoft Graph PowerShell you can utilise the Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy cmdlet. While this command retrieves a lot of information, use the following example to view the IsEnabled attribute which will tell you if Security Defaults is enforced or not.
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select DisplayName, IsEnabledDisplayName IsEnabled
----------- ---------
Security Defaults False3️⃣ To determine if Security Defaults is enabled or disabled in your tenant, review the following list:
- IsEnabled = False: Security Default is disabled.
- IsEnabled = True: Security Defaults it enabled.
4️⃣ To modify these settings with Microsoft Graph PowerShell, use the similar update command Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy.
$body = @{
isEnabled = $false #Change to $true to enable the Security Defaults
}
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $bodyTroubleshooting
As the Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy command is quite specific, there is a chance you may come across an error when trying to run it. You may also notice that although the -IsEnabled parameter is present and configured to accept a Boolean True/False value, it still fails when you try to run.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $trueUpdate-MgPolicyIdentitySecurityDefaultEnforcementPolicy : A positional parameter cannot be found that accepts argument ‘True’.
At line:1 char:1
+ Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $t …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Update-MgPolicy…forcementPolicy], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Instead, by removing the $true value from the command, Security Defaults are successfully enabled.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabledUpdate-MgPolicyIdentitySecurityDefaultEnforcementPolicy : Conditional access policies are enabled. Please disable and try again.
Not a reader? Watch this related video tutorial:
