How to Safely Disable Security Defaults in Microsoft Entra ID: A Step-by-Step Guide


Updated — 01/11/2024 — As part of the Microsoft Secure Future Initiative, Microsoft announced that it would improve security across Entra tenants with security defaults enabled by making multifactor authentication (MFA) registration mandatory, and the user can’t skip their MFA registration. This will help reduce the risk of account compromise during the 14-day window, as MFA can block over 99.2% of identity-based attacks.

In today’s digital landscape, safeguarding your data is paramount. Microsoft understands this necessity, automatically enabling security defaults in new Microsoft 365 tenants to shield users from phishing and other identity-related threats. However, disabling these security defaults becomes imperative if you’re looking to configure Entra ID Multi-Factor Authentication or set up a Conditional Access policy.

This article will guide you through the process of safely disabling security defaults in Microsoft Entra ID, ensuring your organization’s security while maintaining operational flexibility.

Why Disable Security Defaults in Microsoft Entra ID?

The first question you may ask is, why disable security defaults in Microsoft Entra ID?

Microsoft enabled security defaults on October 22, 2019. Security defaults might be enabled by default if your tenant was created on or after that date. Security defaults are being rolled out to all new tenants at creation to protect all users.

Security defaults act as a blanket protection mechanism, but there are scenarios where their presence can hinder specific configurations. Disabling security defaults becomes necessary, especially when configuring Entra ID Multi-Factor Authentication or implementing Conditional Access policies. Failure to do so can result in errors and limitations in policy enforcement.

Why Disable Security Defaults?

This is especially true if you deploy and manage Conditional Access policies through Infrastructure as Code (IaC): the deployment will fail while Security Defaults are enabled.

Note: Microsoft Entra ID P1 or P2 licenses are required for Conditional Access. Security Defaults, however, can be used in Microsoft Entra ID Free without a license.

Updated — 16/08/2024 — Starting in October 2024, Microsoft will implement additional tenant-level security measures to require multi-factor authentication (MFA). Implementing this security baseline at the tenant level enhances protection for your cloud investments and company. The enforcement applies to all users signing in to the Azure portal, CLI, PowerShell, or Terraform to administer Azure resources. Service principals, managed identities, workload identities, and similar token-based accounts used for automation are excluded. See the FAQ section at the end of this article to learn how to prepare for the MFA change.

Disabling Security Defaults in Microsoft Entra Admin Center

Our first option is disabling Security Defaults in the Microsoft Entra Admin Center portal.

Step 1: Sign in to Microsoft Entra Admin Center

To begin, access the Microsoft Entra admin center portal using your administrator credentials.

Step 2: Navigate to Identity > Overview > Properties

Once logged in, navigate to the “Identity” tab, then select “Overview” followed by “Properties.”

Identity > Overview > Properties

Step 3: Manage Security Defaults

Within the Properties section, scroll down to “Security defaults” and click “Manage security defaults.”

Step 4: Disable Security Defaults

Toggle the “Security defaults” setting to “Disabled.”

Step 5: Provide a Reason

Select one of the reasons below for disabling security defaults, aiding in audit trails and future reference:

  • My organization is unable to use apps/devices.
  • My organization is planning to use Conditional Access.
  • Too many sign-in multifactor authentication challenges.
  • Too many multifactor authentication sign-up requests.
  • Other.

Step 6: Save Changes

Finally, click “Save” to apply the changes.

Disabling Security Defaults in the Microsoft Entra Admin Center portal

Finally, confirm the change. The Security defaults page now reflects the new status with the warning, “Disabling security defaults will leave your organization vulnerable to common attacks.”

Your organization is not protected by Security defaults

You successfully turned off security defaults for the Microsoft Entra tenant.

Disabling Security Defaults with Microsoft Graph PowerShell

The second option to disable Security Defaults is using Microsoft Graph PowerShell.

Microsoft Graph PowerShell SDK is the way forward. It is a PowerShell module that you can use to interact with Microsoft Entra ID and other Microsoft online services (SharePoint, Exchange, and Teams). It replaces the legacy Microsoft Online (MSOL) and AzureAD PowerShell modules.

Step 1: Install Microsoft Graph PowerShell Module

Begin by installing the Microsoft Graph PowerShell module using the following commands:

# Install Graph module for Current User 
Install-Module -Name Microsoft.Graph -Scope CurrentUser 

# Or install Graph module for All Users (Admin privilege) 
Install-Module -Name Microsoft.Graph -Scope AllUsers

As a side note, if you want to run beta commands against the Microsoft Graph beta endpoint, you need to install the separate “Microsoft.Graph.Beta” module with the following command. The beta endpoint exposes APIs that are still in preview and not yet generally available. The beta endpoint is not needed to disable “Security defaults” in Microsoft Entra ID.

# Install Graph Beta module
Install-Module -Name Microsoft.Graph.Beta

Related: Getting Started with Microsoft Graph PowerShell for Microsoft Entra ID.

Step 2: Connect to Microsoft Graph PowerShell

The next step is to connect to Microsoft Graph PowerShell using the following command with the scopes “Policy.Read.All” and “Policy.ReadWrite.ConditionalAccess”, which are required to manage “Security defaults.” The command connects to Microsoft Graph interactively via delegated access, where you authenticate with your account and consent to the requested permissions, as shown in the figure below. You can also connect to Microsoft Graph non-interactively, for example through device code authentication, an access token, a managed identity, or a registered application, which is useful for CI/CD and automation.

# Connect to Microsoft Graph with specified Tenant and Scopes 
Connect-MgGraph -TenantId tenantname.onmicrosoft.com `
 -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
Microsoft Graph Command Line Tools

If you connect to Microsoft Graph without specifying scopes, you receive a minimal set of default permissions that is unlikely to let you do much; you need to request the scopes that cover the information you want to read or change. Without scopes, you can essentially only inspect your own user account.

Related: Check the Microsoft Graph permissions reference to learn about all the different scopes.

After connecting to Microsoft Graph, you can check the current status of Security defaults by running the following command:

# Check the current status of Security defaults
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | `
 Format-Table DisplayName, IsEnabled
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

We can see that “Security defaults” are enabled in this tenant; let’s disable it programmatically.

Step 3: Disable Security Defaults

You can execute the following command to disable Security defaults:

# Disable Security defaults
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

Last but not least, let’s verify and confirm the current status of security defaults:

# Check the current status of Security defaults
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | `
 Format-Table DisplayName, IsEnabled

We can see that “Security defaults” are disabled now.

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy

You can execute the following command to enable security defaults again:

# Enable Security defaults
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

That’s it, there you have it!
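The following script combines steps 2 and 3 above into one guarded procedure. It is an added example, not code from the original article: it refuses to turn off Security defaults unless at least one Conditional Access policy that requires MFA already exists and is not disabled (report-only counts, so the policy can be staged beforehand). The tenant name is a placeholder, and the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: disable Security defaults only when an MFA-requiring
# Conditional Access policy is already in place. Not from the original article.
param(
    [string]$TenantId = "tenantname.onmicrosoft.com"   # placeholder tenant
)

# Policy.Read.All covers reading Conditional Access policies;
# Policy.ReadWrite.ConditionalAccess is needed to update Security defaults.
Connect-MgGraph -TenantId $TenantId `
    -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $sd.IsEnabled) {
    Write-Host "Security defaults are already disabled in $TenantId."
    return
}

# Find Conditional Access policies whose grant controls require MFA and that
# are not disabled (state 'enabled' or 'enabledForReportingButNotEnforced').
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -ne 'disabled' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    })

if ($mfaPolicies.Count -eq 0) {
    Write-Warning "No Conditional Access policy requiring MFA was found."
    Write-Warning "Stage an MFA policy first, then re-run this script."
    return
}

Write-Host "Found $($mfaPolicies.Count) MFA policy/policies:"
$mfaPolicies | Format-Table DisplayName, State

# Safe to switch off Security defaults; Conditional Access will carry MFA.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Verify that the change took effect.
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy |
    Format-Table DisplayName, IsEnabled
```

After the script completes, remember to switch any report-only MFA policy to enabled, since Security defaults no longer enforce MFA.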

In Conclusion

In this article, we illustrated all the steps to safely disable security defaults in Microsoft Entra ID. While security defaults are a good baseline from which to start your security posture, they don’t allow for the customization many organizations require. Conditional Access policies provide a full range of customization that more complex organizations require.

Mastering the process of disabling security defaults empowers you to tailor Microsoft Entra ID’s security settings to your organization’s unique needs. Whether through the intuitive interface of the admin center portal or the command-line efficiency of Microsoft Graph PowerShell, you can confidently navigate and manage your Microsoft Entra default security settings.

Frequently Asked Questions (FAQs)

Can security defaults be re-enabled after disabling them?

Yes! You can re-enable security defaults anytime using the same configuration steps outlined above.

What are the implications of leaving security defaults enabled?

Leaving security defaults enabled provides a baseline level of protection but may limit advanced security configurations.

Is it advisable for all organizations to disable security defaults?

Disabling security defaults should be done judiciously, considering your organization’s specific security requirements and compliance standards.

Are there any risks associated with disabling security defaults?

Disabling security defaults may expose your organization to heightened risks if alternative security measures, such as Conditional Access policies, are not adequately implemented.

Can security defaults be managed programmatically?

Yes, as this article outlines, security defaults can be managed programmatically using tools such as Microsoft Graph PowerShell.

What factors should be considered before Disabling Security defaults?

Before disabling security defaults, consider your organization’s security policies, compliance requirements, and the availability of alternative security measures.

Does disabling Security Defaults remove MFA?

Yes and no. If your organization previously used per-user multifactor authentication, users whose per-user MFA status is Enabled or Enforced keep MFA after Security Defaults are disabled. If your organization has never used per-user multifactor authentication, disabling Security Defaults in a tenant removes MFA for all users.

Furthermore, don’t be alarmed if you don’t see users in an Enabled or Enforced status on the per-user multifactor authentication status page. Disabled is the expected status for users protected by security defaults or by Conditional Access-based multifactor authentication.

Can we turn off MFA for one user when Security Defaults are enabled?

When Security Defaults are enabled in a tenant, Multi-Factor Authentication (MFA) is enabled for all users. Unfortunately, it is not possible to turn off MFA for specific users while Security Defaults are enabled. Since Security Defaults is a free feature, no fine-grained control is available.

Does Security Defaults require a license?

No. Security Defaults can be used in Microsoft Entra ID Free without a license.

Can the user skip Security defaults MFA registration?

As of April 2024, when security defaults enforce MFA registration, users may skip it for a 14-day period. However, this might change, since the 14-day window leaves an account more vulnerable without enforced MFA.

Updated — 01/11/2024 — Microsoft announced that it will remove the option to skip multifactor authentication (MFA) registration for 14 days when security defaults are enabled. All users must register for MFA on their first login after security defaults are turned on. This will help reduce the risk of account compromise during the 14-day window, as MFA can block over 99.2% of identity-based attacks.

How can we prepare for Microsoft’s MFA Enforcement?

Starting in October 2024, Microsoft will enforce multi-factor authentication (MFA) for all Azure users to enhance security measures across its services. This change aims to protect against the increasing frequency and sophistication of cyberattacks, as MFA can block over 99.9% of account compromise attempts.

How does this change impact the Tenant and Service Accounts?

Tenant User Accounts

– All users signing into Azure to administer resources must use MFA.
– This includes accessing the Azure portal, CLI, PowerShell, and Terraform.
– Microsoft will notify customers via email and Azure Portal notifications before the enforcement begins.

Service Accounts

– Non-interactive service accounts, such as those used for automation, will be excluded from this requirement as MFA cannot be completed programmatically.
– Administrators should use Conditional Access policies to manage these exclusions effectively.

Preparing for the MFA Change

1. **Enable MFA Now**: Use the MFA wizard available in the Microsoft Entra admin center to set up MFA for your tenant. This proactive step can ensure a smooth transition and prevent disruptions once the enforcement starts.

2. **Review Conditional Access Policies**: Make sure your Conditional Access policies are updated to include MFA requirements for all necessary accounts while excluding service accounts and any specific applications that do not require MFA.

3. **Communicate with Users**: Inform your team about the upcoming changes and provide guidance on how to register for and use MFA. Ensure everyone understands the importance of these security measures.

4. **Monitor and Report**: Utilize tools such as the authentication methods registration report and PowerShell scripts to monitor MFA adoption across your organization. This will help identify any gaps and ensure full compliance.

These steps allow you to safeguard your Azure environment and be fully prepared for this global tenant change. Stay secure and ahead of potential threats!
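For the “Monitor and Report” step, the following script is an added example (not from the original article) that pulls the authentication methods registration report through Microsoft Graph PowerShell, summarizes MFA adoption, and exports the users who still need to register. The tenant name is a placeholder; the required scopes are assumed from the Graph permission reference for this report.

```powershell
# Added example: report MFA registration status across the tenant.
# Not from the original article. Tenant name below is a placeholder.
Connect-MgGraph -TenantId "tenantname.onmicrosoft.com" `
    -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One record per user: whether MFA is registered, whether the registered
# methods are MFA-capable, and which methods were registered.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

$summary = [pscustomobject]@{
    TotalUsers    = $details.Count
    MfaRegistered = @($details | Where-Object IsMfaRegistered).Count
    MfaCapable    = @($details | Where-Object IsMfaCapable).Count
}
$summary | Format-List

# Users who will be prompted to register (or blocked) once MFA is enforced.
# Admin accounts are listed first because they carry the most risk.
$notRegistered = $details |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, UserType,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } } |
    Sort-Object IsAdmin -Descending

$notRegistered | Format-Table -AutoSize

# Hand-off for the "Communicate with Users" step: a CSV for helpdesk/team leads.
$notRegistered | Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation
```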

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
