What should I know about these settings?
Security defaults are Microsoft settings that help protect your organization from identity-related attacks such as phishing, account takeover, and unauthorized access to your account. By default, these settings protect your account from potential threats by using Multi-Factor Authentication (MFA) and provide a basic level of security for all users.
By default, these security settings prevent applications from using legacy authentication protocols that do not support modern Office 365 authentication. For instance, with security defaults enabled, you can only sign in to your email account with an email client that supports modern authentication.
Enabling security defaults also changes how you (the admin) and your users sign in to Office 365 and its services, as outlined in the following points.
- Prevents less secure apps from signing in to your account and blocks legacy authentication from outdated email clients. It also restricts sign-ins via IMAP, POP3, SMTP, or Remote PowerShell.
- Enables Multi-Factor Authentication (MFA) for all users, prompting them to configure MFA during their next sign-in.
- Enforces MFA for privileged accounts in Azure Active Directory when they access the Azure CLI, the Azure Portal, and so on.
Furthermore, if you intend to use Conditional Access policies (where you can customize the security settings), you must first disable the security defaults before configuring the Conditional Access policies.
When You Should Disable Entra ID Security Defaults
The answer to this question depends on your organization and how much control you want. The main downside is that there is no way to provide exclusions for security defaults. It is either turned on for the entire tenant or not. This can make the implementation difficult when you have certain applications or services which are incompatible with multifactor authentication.
Another downside of security defaults is the permitted authentication methods. A regular Conditional Access multifactor authentication roll-out supports the following methods:
After enabling Entra ID security defaults, users only have access to the last two authentication methods, which can be problematic during a roll-out. This is because:
- People cannot create a backup method. If they lose access to their phone, the IT department must reset their authentication method and allow them to register again.
- Some people do not want to install a company app (like Authenticator) on their personal phone. This means the company needs to provide an alternative to support these users.
One thing is for sure: when you have the option to use Conditional Access, it should always be your first choice. Conditional Access allows you to mimic every security control Security Defaults has through a custom policy, and gives you much more granularity and control. This is why Security Defaults is incompatible with Conditional Access: if you currently use Conditional Access, you cannot enable security defaults.
So, when is Entra ID Security Defaults right for you? It is a perfect tool for smaller organizations who might not have the in-house knowledge to create a security policy, but still want to remain secure. For this type of organization, Security Defaults is an amazing feature that delivers a lot of value.
The Curse of Licensing
For some organizations, security defaults might be a solution for 99% of their users, but some applications or services might not be compatible with these rules. I have seen organizations that planned to purchase AAD Premium licensing for the accounts incompatible with Entra ID Security Defaults, to secure them and use security defaults for all other user accounts. Unfortunately, this is impossible as you cannot turn on Security Defaults if Conditional Access is in place.
Pushing organizations into an all-or-nothing scenario is an infuriating decision by Microsoft. Using Conditional Access for a few outliers but securing the rest of the organization with Security Defaults is a valid scenario, as it incurs minimal cost. But Microsoft blocks this implementation method, much to the chagrin of some customers.
Enable or disable Microsoft security defaults in Office 365
You can enable or disable the security settings at any time through the Microsoft Entra admin center. Authentication to your Microsoft 365 account may fail even if you have enabled MFA and an App Password.
You may also get the following prompt on your Office 365 login page. If you’re not ready to configure MFA, you can click Ask later and do it within the 14-day period.
In all of the aforementioned cases, it is necessary to disable security defaults. Keep in mind that changing these settings requires you to sign in to your tenant as a global administrator. Here are the steps to turn off Security defaults in the Microsoft Entra admin center:
1️⃣ Sign in to the Microsoft Entra admin center using a Global admin account. Alternatively, sign in to the Microsoft 365 admin center, expand the left navigation menu, then select Identity.
2️⃣ Select Overview | Properties | Manage security defaults (see the screenshot below).
3️⃣ In the fly-out menu, toggle the Security defaults setting: change the Enable security defaults option to No and save the changes. Toggle it to Yes if you want to enable the settings.
After disabling the security settings, you’ll no longer be prompted with the MFA configuration during sign-in.
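The same switch can be read and toggled from the Microsoft Graph PowerShell SDK, which also lets you confirm the Conditional Access constraint described above before changing anything. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed and that the signed-in admin holds the Policy.Read.All and Policy.ReadWrite.ConditionalAccess permissions.

```powershell
# Added example (not from the original article): audit and toggle Security Defaults
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the signed-in account has Policy.Read.All (read) and
# Policy.ReadWrite.ConditionalAccess (update) permissions.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

function Get-TenantAuthPosture {
    # Security Defaults is one tenant-wide switch: IsEnabled is $true or $false,
    # there is no per-user or per-app exclusion.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    # Security Defaults and Conditional Access are mutually exclusive, so report
    # how many CA policies exist and how many are actually enforced.
    $ca = @(Get-MgIdentityConditionalAccessPolicy)
    [pscustomobject]@{
        SecurityDefaultsEnabled   = $sd.IsEnabled
        ConditionalAccessPolicies = $ca.Count
        EnabledCaPolicies         = @($ca | Where-Object State -eq 'enabled').Count
    }
}

function Set-SecurityDefaults {
    param([Parameter(Mandatory)][bool]$Enabled)
    $posture = Get-TenantAuthPosture
    if ($Enabled -and $posture.ConditionalAccessPolicies -gt 0) {
        # Mirrors the admin center behaviour: enabling fails while CA policies exist.
        throw "Tenant has $($posture.ConditionalAccessPolicies) Conditional Access policies; remove them before enabling Security Defaults."
    }
    if (-not $Enabled -and $posture.EnabledCaPolicies -eq 0) {
        # Turning the switch off without an enforced CA policy leaves no MFA requirement at all.
        Write-Warning "No enabled Conditional Access policy: disabling Security Defaults removes MFA enforcement for every user."
    }
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$Enabled
    Get-TenantAuthPosture   # return the new state so the change can be verified
}

# Read-only check; uncomment the second line to actually disable Security Defaults.
Get-TenantAuthPosture
# Set-SecurityDefaults -Enabled $false
```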
Enable access to basic authentication protocols
If you’re having trouble connecting to your IMAP / POP accounts from your email clients, make sure you’ve enabled access to legacy authentication protocols. Here’s how to do it step by step.
1️⃣ Sign in to the Microsoft 365 admin center using global administrator credentials | Expand the left navigation menu | Expand Settings and click Org Settings.
2️⃣ Select Modern authentication, select all the protocols you would like to enable, and click Save.
Now your email clients will be able to send email using the legacy authentication method.
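Because every protocol re-enabled here is a path that bypasses MFA, it is worth keeping an inventory of what is open. The following added example (not from the original article) reports the basic-authentication settings of Exchange Online from PowerShell; it assumes the ExchangeOnlineManagement module is installed and that the account holds an Exchange administrator role.

```powershell
# Added example (not from the original article): inventory which legacy (basic)
# authentication paths are open in Exchange Online. Assumes the
# ExchangeOnlineManagement module is installed and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

function Get-BasicAuthExposure {
    $org       = Get-OrganizationConfig
    $transport = Get-TransportConfig

    # Per-protocol basic auth is governed by authentication policies. The policy
    # named in DefaultAuthenticationPolicy applies to mailboxes without an
    # explicit assignment.
    $policies = Get-AuthenticationPolicy | ForEach-Object {
        [pscustomobject]@{
            Policy     = $_.Name
            Imap       = $_.AllowBasicAuthImap
            Pop        = $_.AllowBasicAuthPop
            Smtp       = $_.AllowBasicAuthSmtp
            PowerShell = $_.AllowBasicAuthPowershell
        }
    }

    # SMTP AUTH has an org-wide switch plus a per-mailbox override; a mailbox
    # with SmtpClientAuthenticationDisabled explicitly $false keeps SMTP AUTH on
    # even when it is disabled org-wide.
    $smtpOverrides = @(Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })

    [pscustomobject]@{
        DefaultPolicy               = $org.DefaultAuthenticationPolicy
        Policies                    = $policies
        SmtpAuthDisabledOrgWide     = $transport.SmtpClientAuthenticationDisabled
        MailboxesWithSmtpAuthForced = $smtpOverrides.Count
        MailboxesWithSmtpAuthForcedList = $smtpOverrides.PrimarySmtpAddress
    }
}

$exposure = Get-BasicAuthExposure
$exposure | Format-List
$exposure.Policies | Format-Table -AutoSize
```

Re-run the function after saving changes on the Modern authentication page to confirm that only the protocols you intended are allowed.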
Closing words
The answer to the question "When should you disable Entra ID Security Defaults?" is a difficult one. Security Defaults delivers a lot of value with a few downsides. There is no customization available, which makes it difficult to implement. I would love to see the possibility of exclusions for Entra ID Security Defaults, but I fear Microsoft will not allow that because they want to push customers to buy Azure Active Directory Premium licenses. I do recommend looking into Entra ID P1 licensing as it offers a lot of benefits (not only related to multifactor authentication), but if you don’t have these licenses, Security Defaults is a valid alternative to secure your tenant.