Powershell script to disable Security Defaults in Azure Active Directory

Question

Powershell script to disable Security Defaults in Azure Active Directory

Jeanne De Villiers 0

I am looking after numerous Microsoft 365 Tenants. I am trying to create a Powershell script that I can run to check if Security Defaults are enabled/disabled in Azure Active directory.

Once I know the status, I want to be able to enable/disable Security Defaults in AAD using the powershell script.

Is there anyone that can point me in the right direction. I have come across some solutions but none of them worked.

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-05-12T11:01:18.43+00:00

@Jeanne De Villiers

We noticed your recent experience on the Q&A community platform was rated a "Not helpful". I appreciate you taking the time to share your feedback. As I mentioned in my answer you may try the commands and let me know if there is anything else I can do to help improve your experience? Thank you again for your time and patience throughout this issue!

Thanks,

Akshay Kaushik

3 answers

Your answer

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-05-12T11:01:18.43+00:00

@Jeanne De Villiers

We noticed your recent experience on the Q&A community platform was rated a "Not helpful". I appreciate you taking the time to share your feedback. As I mentioned in my answer you may try the commands and let me know if there is anything else I can do to help improve your experience? Thank you again for your time and patience throughout this issue!

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,961 Microsoft Employee Moderator

@Jeanne De Villiers

The other alternative you could use is :

To validate if security default is enabled or not:

Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess, Policy.Read.All
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | select IsEnabled

To enable it use the following command:

$params = @{
	IsEnabled = $true
}
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params

To disable it use the following command:

$params = @{
	IsEnabled = $true
}
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params

Please do let me know if you have any queries in the comments.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-05-08T08:48:43.27+00:00

@Jeanne De Villiers

Hope you got a chance to review the action plan suggested. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Answer 2

Andy David - MVP 157.8K MVP Volunteer Moderator

Hi, I would look at Vasil's method:

https://www.michev.info/Blog/Post/3087/toggle-azure-ad-security-defaults-on-or-off-programmatically

Jeanne De Villiers 0 Reputation points

2023-04-30T18:57:45.2466667+00:00

Hi Andy, this is one of the options that I had a look at. The problem that I'm having is that I need to log into AAD and go all the way to get this information:

$tenantID = "tenant.onmicrosoft.com" #your tenantID or tenant root domain

$appID = "12345678-1234-1234-1234-1234567890AB" #the GUID of your app. For best result, use app with Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes granted

$client_secret = "XXXXXXXXXXXXXXXxxxx" #client secret for the app

If I need to login and go all the way to AAD, I can enable/disable Security Details while I'm logged into the tenant. Is there any quicker way to do this?
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2023-05-01T11:23:43.8766667+00:00

I dont think there is. In all cases, you would need to know this information to do this with a script no matter the method.
Jeanne De Villiers 0 Reputation points

2023-05-01T21:07:49.9366667+00:00

If you look at this script. This retreive the Tenant Name for instance. If I can do this and disable/enable Security Defaults, that would be a win.

#Connect to Microsoft Online Services

Connect-MsolService

#Retreive Tenant Name to be able to login to SharePoint Online Services

$TenantName = Get-MsolAccountSku | Select-Object -ExpandProperty AccountSkuId | ForEach-Object {($_ -split ':')[0]}

#Connect to SharePoint Online Services

Connect-SPOService -Url https://$TenantName-admin.sharepoint.com

#Set Idle Session Sign-Out Policy to - Warning at 45min, Signout After 1 hour)

Set-SPOBrowserIdleSignOut -Enabled:$true -WarnAfter (New-TimeSpan -Minutes 45) -SignOutAfter (New-TimeSpan -Hours 1)

Answer 3

Requires the module installed previously:

Set-executionPolicy RemoteSigned
Install-Module -Name Microsoft.Graph
Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess, Policy.Read.All
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | select IsEnabled

Now we can talk, To disable

$params = @{ IsEnabled = $false } 
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params

To Enable

$params = @{ IsEnabled = $true } 
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params

Share via

Powershell script to disable Security Defaults in Azure Active Directory

3 answers

Your answer