Dear @Mick,
Thank you for posting your question in the Microsoft Q&A forum.
Based on your description, security defaults were enabled and all users originally set up MFA, but now Microsoft 365 no longer prompts for MFA on new device sign‑ins. No admin changes were made. You are wondering whether something has changed and why MFA stopped being enforced under security defaults. Here is some information you can refer to:
Microsoft did not push any New‑Year change that disables MFA prompts. What you are seeing is normal Security Defaults behavior, not a system change.
Security Defaults do NOT guarantee an MFA prompt on every new device or every sign‑in. Microsoft states that users are prompted for MFA only “when necessary”, which is determined by Microsoft’s internal risk engine, not by device alone. Sometimes a new device sign‑in is still considered low‑risk, so no MFA challenge is shown.
This is why everything worked after initial setup in December, but MFA prompts became less frequent later.
It looks like security dropped, but this is actually a known limitation of Security Defaults:
- Security Defaults enforce MFA only when Microsoft decides it is required, not every login and not every device.
- It is risk‑based, not per‑device.
- Over time, cached tokens, trusted sessions, and low‑risk logins can bypass MFA.
- This matches other admins’ experiences: per‑user MFA gives consistent prompts, Security Defaults does not.
So, your tenant didn’t weaken itself; Security Defaults simply doesn’t enforce MFA the way you expected.
When you switched to per‑user MFA, prompts immediately returned, confirming the issue was Security Defaults’ design, not a failure.
For more information, see: Set up multifactor authentication for Microsoft 365
I hope the information above meets your expectations. If you have any other questions or need more support, please feel free to reach out.