Disabling Security Defaults (What do Security Defaults do?)

Mountain Pond 1,676 Reputation points
2026-03-24T18:07:48.9133333+00:00

Hello.

The organization has E5 and Entra ID P2 licenses.

Security Defaults is currently enabled.

I would like to switch from Security Defaults to a Conditional Access policy.

However, I need to understand what Security Defaults includes. Is it sufficient to create basic conditional access policies (for example, from templates) that require a second factor for users and administrators?

As far as I understand, Security Defaults provides the following:

Require all users to register for Microsoft Entra multifactor authentication

Require administrators to perform multifactor authentication

Block legacy authentication protocols

Is that all, or is there something else?

Thanks in advance.

Answer accepted by question author
  1. Rukmini 36,445 Reputation points Microsoft External Staff Moderator
    2026-03-24T18:31:48.36+00:00

    Hello Mountain Pond

    Security Defaults in Microsoft Entra ID is a baseline security feature that automatically enforces essential protections without manual configuration.

    It includes:

    • Requires all users to register for MFA.
    • MFA is required for administrative positions (with more stringent enforcement). Users are prompted for MFA based on risk (e.g., new device/location).
    • Prevents the use of legacy authentication (simple authentication protocols like POP, IMAP, and SMTP without modern authentication).
    • Uses MFA to safeguard privileged actions

    Security Defaults is more than just static MFA enforcement; if you disable it, you will have to manually reinstall its built-in protections and smart/risk-based checks.

    You can safely switch to Conditional Access because you have Entra ID P2, but make sure to cover:

    • MFA for every user
    • More robust MFA for administrators
    • Prevent legacy authentication
    • Risk-based regulations (identity protection for user/sign-in risk)

    Basic CA templates alone are not fully equivalent unless you also include risk-based policies.

    • Security Defaults = quick baseline protection.
    • Conditional Access = more flexible, but you must replicate all controls manually for equivalent security.

    Let me know if you have any further queries; feel free to reach out!
1 additional answer

  1. Q&A Assist
    2026-03-24T18:08:03.32+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Security defaults in Microsoft Entra ID implement a fixed baseline set of protections. They are more than just “MFA for users and admins” and “block legacy auth.” When moving to Conditional Access, equivalent (or stronger) policies must be created before disabling security defaults.

    Security defaults include the following controls:

    1. Require all users to register for multifactor authentication
      • All users are prompted to register MFA.
      • Registration is done using the Microsoft Authenticator app (notification-based) as the primary method; users can also use OATH TOTP codes once registered.
      • Users are directed to register via the Security Info experience (for example, via https://myprofile.microsoft.com → Security Info).
    2. Require administrators to perform multifactor authentication
      • Administrators must use MFA, especially for privileged actions.
      • This includes protecting privileged activities such as access to the Azure portal.
    3. Require users to perform multifactor authentication when necessary
      • MFA is not only for admins; users are challenged for MFA based on riskier scenarios (for example, certain sign-in conditions), providing a baseline of conditional enforcement rather than MFA on every single sign-in.
    4. Block legacy authentication protocols
      • Legacy authentication protocols that do not support modern authentication and MFA are blocked.
      • This significantly reduces exposure to password spray and credential stuffing attacks.
    5. Protect privileged activities like access to the Azure portal
      • Access to Azure management (Azure portal and related endpoints) is protected by MFA for privileged roles.

    In summary, security defaults provide:

    • Mandatory MFA registration for all users.
    • Enforced MFA for admins and for users “when necessary.”
    • Blocking of legacy authentication.
    • Protection of privileged operations such as Azure management.

    When moving to Conditional Access (which is recommended for organizations with Entra ID P1/P2 such as E5), the baseline that should be recreated at minimum is:

    • Require MFA for all users.
    • Require MFA for administrators (ideally phishing-resistant MFA for admins).
    • Block legacy authentication.
    • Require MFA for Azure management.

    These baseline policies can be created using Conditional Access templates such as:

    • “Require MFA for all users”
    • “Require MFA for administrators”
    • “Block legacy authentication”
    • “Require MFA for Azure management”

    After these are in place and validated, security defaults can be safely disabled, and additional Conditional Access policies can be added for more granular control.
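The two answers above list the same baseline (MFA for all users, stronger MFA for admins, block legacy authentication, MFA for Azure management, plus risk-based policies on P2) but do not show how to build it. The script below is an added example, not code from either answer or from Microsoft; it creates those policies with the Microsoft Graph PowerShell SDK in report-only mode and prints the current security-defaults state without changing it. Assumptions not in the thread: the break-glass UPN `breakglass@contoso.example` is hypothetical, the admin-role list is trimmed to Global Administrator (the Microsoft templates cover more roles), and the built-in authentication-strength ID for Phishing-resistant MFA should be confirmed in your tenant with `Get-MgPolicyAuthenticationStrengthPolicy` before use. The well-known IDs for Global Administrator and the Windows Azure Service Management API app are Microsoft's published values.

```powershell
# Added example (not from the Q&A above): recreate the security-defaults baseline as
# Conditional Access policies, report-only first, with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All'

# Emergency-access account excluded from every policy so a misconfiguration cannot lock
# all admins out. The UPN is a hypothetical placeholder for this example.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'").Id

# Directory role template IDs. Global Administrator is the well-known ID; extend this
# list with the other admin roles your tenant uses (the Microsoft CA templates cover more).
$adminRoles = @('62e90394-69f5-4237-9190-012177145e10')

# Built-in authentication strength "Phishing-resistant MFA" (assumed ID; verify with
# Get-MgPolicyAuthenticationStrengthPolicy before relying on it).
$phishingResistant = '00000000-0000-0000-0000-000000000004'

# Windows Azure Service Management API: the app that fronts the Azure portal/ARM.
$azureManagement = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

function New-BaselineCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $Grant
    )
    # Report-only state: the sign-in log records what the policy would do without enforcing it.
    $Conditions.users.excludeUsers = @($breakGlass)
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$allUsersAllApps = { @{ users = @{ includeUsers = @('All') }; applications = @{ includeApplications = @('All') } } }

# 1. MFA for all users, all cloud apps.
New-BaselineCaPolicy -Name 'Baseline: Require MFA for all users' -Conditions (& $allUsersAllApps) `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# 2. Phishing-resistant MFA for administrator roles (stronger than what security defaults gives).
New-BaselineCaPolicy -Name 'Baseline: Phishing-resistant MFA for admins' -Conditions @{
        users        = @{ includeRoles = $adminRoles }
        applications = @{ includeApplications = @('All') }
    } -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistant } }

# 3. Block legacy authentication: Exchange ActiveSync plus "other clients" (POP/IMAP/SMTP basic auth).
$legacy = & $allUsersAllApps
$legacy.clientAppTypes = @('exchangeActiveSync','other')
New-BaselineCaPolicy -Name 'Baseline: Block legacy authentication' -Conditions $legacy `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }

# 4. MFA for Azure management (portal, ARM, CLI/PowerShell against ARM).
New-BaselineCaPolicy -Name 'Baseline: Require MFA for Azure management' -Conditions @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @($azureManagement) }
    } -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# 5/6. Risk-based policies (need Entra ID P2 / Identity Protection), replacing the
# "MFA when necessary" behaviour of security defaults with explicit risk conditions.
$signInRisk = & $allUsersAllApps
$signInRisk.signInRiskLevels = @('high','medium')
New-BaselineCaPolicy -Name 'Baseline: MFA on medium/high sign-in risk' -Conditions $signInRisk `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

$userRisk = & $allUsersAllApps
$userRisk.userRiskLevels = @('high')
New-BaselineCaPolicy -Name 'Baseline: Password change on high user risk' -Conditions $userRisk `
    -Grant @{ operator = 'AND'; builtInControls = @('mfa','passwordChange') }

# Report the current state; do not flip it from a script that has not been reviewed.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($sd.IsEnabled)"
# After the report-only results in the sign-in log look correct:
#   Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
# and then set each policy's state to 'enabled' with Update-MgIdentityConditionalAccessPolicy.
```

The order matters: policies stay report-only until the sign-in log (Conditional Access "report-only" results) shows no unexpected blocks, and only then is security defaults disabled and the policies switched to enabled, because a tenant will not let an enforced Conditional Access policy and security defaults be on at the same time. Keep the break-glass exclusion on every policy and monitor sign-ins for that account separately.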