How to Safely Disable Security Defaults in Microsoft Entra ID: A Step-by-Step Guide

In today’s digital landscape, safeguarding your data is paramount. Microsoft understands this necessity, automatically enabling security defaults in new Microsoft 365 tenants to shield users from phishing and other identity-related threats. However, disabling these security defaults becomes imperative if you’re looking to configure Entra ID Multi-Factor Authentication or set up a Conditional Access policy.

This article will guide you through the process of safely disabling security defaults in Microsoft Entra ID, ensuring your organization’s security while maintaining operational flexibility.

Why Disable Security Defaults in Microsoft Entra ID?

The first question you may ask is, why disable security defaults in Microsoft Entra ID?

Microsoft enabled security defaults on October 22, 2019. Security defaults might be enabled by default if your tenant was created on or after that date. Security defaults are being rolled out to all new tenants at creation to protect all users.

Security defaults act as a blanket protection mechanism, but there are scenarios where their presence can hinder specific configurations. Disabling security defaults becomes necessary, especially when configuring Entra ID Multi-Factor Authentication or implementing Conditional Access policies. Failure to do so can result in errors and limitations in policy enforcement.

[Figure: Why Disable Security Defaults?]

This is especially true if you deploy and manage Conditional Access policies through Infrastructure as Code (IaC): the deployment will fail if Security Defaults are enabled.

Note: Microsoft Entra ID P1 or P2 licenses are required for Conditional Access. However, Security Defaults can be used in Microsoft Entra ID Free without a license.

Disabling Security Defaults in Microsoft Entra Admin Center

Our first option is disabling Security Defaults in the Microsoft Entra Admin Center portal.

Step 1: Sign in to Microsoft Entra Admin Center

To begin, access the Microsoft Entra admin center portal using your administrator credentials.

Step 2: Navigate to Identity > Overview > Properties

Once logged in, navigate to the “Identity” tab, then select “Overview” followed by “Properties.”

[Figure: Identity > Overview > Properties]

Step 3: Manage Security Defaults

Within the Properties section, scroll down to “Security defaults” and click “Manage security defaults.”

Step 4: Disable Security Defaults

Toggle the “Security defaults” setting to “Disabled.”

Step 5: Provide a Reason

Select one of the reasons below for disabling security defaults, aiding in audit trails and future reference:

  • My organization is unable to use apps/devices.
  • My organization is planning to use Conditional Access.
  • Too many sign-in multifactor authentication challenges.
  • Too many multifactor authentication sign-up requests.
  • Other.

Step 6: Save Changes

Finally, click “Save” to apply the changes.

[Figure: Disabling Security Defaults in the Microsoft Entra Admin Center portal]

Finally, confirm the change. The security defaults status now reads, “Disabling security defaults will leave your organization vulnerable to common attacks.”

[Figure: Your organization is not protected by Security defaults]

You successfully turned off security defaults for the Microsoft Entra tenant.

Disabling Security Defaults with Microsoft Graph PowerShell

The second option to disable Security Defaults is using Microsoft Graph PowerShell.

Microsoft Graph PowerShell SDK is the way forward. It is a PowerShell module that you can use to interact with Microsoft Entra ID and other Microsoft online services (SharePoint, Exchange, and Teams). It replaces the legacy Microsoft Online (MSOL) and AzureAD PowerShell modules.

Step 1: Install Microsoft Graph PowerShell Module

Begin by installing the Microsoft Graph PowerShell module using the following commands:

# Install Graph module for Current User 
Install-Module -Name Microsoft.Graph -Scope CurrentUser 

# Or install Graph module for All Users (Admin privilege) 
Install-Module -Name Microsoft.Graph -Scope AllUsers

As a side note, if you want to run beta commands against the MS Graph Beta endpoint, you need to install the separate “Microsoft.Graph.Beta” module by running the following command. The beta endpoint includes APIs that are currently in preview and not yet generally available. We don’t need the MS Graph beta endpoint to disable “Security defaults” in Microsoft Entra ID.

# Install Graph Beta module
Install-Module -Name Microsoft.Graph.Beta

Related: Getting Started with Microsoft Graph PowerShell for Microsoft Entra ID.

Step 2: Connect to Microsoft Graph PowerShell

The next step is to connect to Microsoft Graph PowerShell using the following command with the scopes “Policy.Read.All” and “Policy.ReadWrite.ConditionalAccess”, which are needed to manage “Security defaults.” The command connects to Microsoft Graph interactively via delegated access, where you authenticate with your account and consent to the requested scopes, as shown in the figure below. You can also connect to Microsoft Graph non-interactively, such as through device code authentication, an access token, a managed identity, or a registered application, which is useful for CI/CD and automation.

# Connect to Microsoft Graph with specified Tenant and Scopes 
Connect-MgGraph -TenantId tenantname.onmicrosoft.com `
 -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"
[Figure: Microsoft Graph Command Line Tools consent prompt]

If you connect to Microsoft Graph without specifying scopes, you get only a minimal default set of permissions, which is not enough to read or change policies. You need to request the scopes for the information you want to work with; without them, you can do little more than inspect your own user account.

Related: Check the Microsoft Graph permissions reference to learn about all the different scopes.

After connecting to Microsoft Graph, you can check the current status of Security defaults by running the following command:

# Check the current status of Security defaults
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | `
 Format-Table DisplayName, IsEnabled
[Figure: Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy output]

We can see that “Security defaults” are enabled in this tenant; let’s disable them programmatically.

Step 3: Disable Security Defaults

You can execute the following command to disable Security defaults:

# Disable Security defaults
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

Last but not least, let’s verify and confirm the current status of security defaults:

# Check the current status of Security defaults
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | `
 Format-Table DisplayName, IsEnabled

We can see that “Security defaults” are disabled now.

[Figure: Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy output]

You can execute the following command to enable security defaults again:

# Enable Security defaults
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
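The three Graph PowerShell steps above can be combined into one guarded script that only turns Security Defaults off when an enabled Conditional Access policy already requires MFA, so the tenant is never left without an MFA requirement. This is an added example, not code from the original post; the tenant name is a placeholder, and it assumes the Microsoft.Graph module is installed and that the account consenting has the two scopes shown above.

```powershell
# Added example: guarded disable of Security Defaults (tenant name is a placeholder).
param(
    [string]$TenantId = "tenantname.onmicrosoft.com",   # placeholder, replace with your tenant
    [switch]$Force                                      # skip the guard; not recommended
)

# Policy.Read.All is enough to read both the Security Defaults policy and
# Conditional Access policies; Policy.ReadWrite.ConditionalAccess is needed to change it.
Connect-MgGraph -TenantId $TenantId `
    -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $policy.IsEnabled) {
    Write-Host "Security defaults are already disabled; nothing to do."
    return
}

# Guard: look for enabled CA policies that grant access only with MFA
# (either the built-in "mfa" control or an authentication strength).
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq "enabled" -and (
        $_.GrantControls.BuiltInControls -contains "mfa" -or
        $null -ne $_.GrantControls.AuthenticationStrength
    )
}

if (-not $mfaPolicies -and -not $Force) {
    Write-Warning "No enabled Conditional Access policy requires MFA; refusing to disable Security Defaults."
    Write-Warning "Create and enable an MFA policy first, or re-run with -Force."
    return
}

Write-Host ("Enabled MFA policies found: {0} ({1})" -f @($mfaPolicies).Count, ($mfaPolicies.DisplayName -join ", "))
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Read the setting back rather than trusting the call succeeded.
$after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($after.IsEnabled) {
    throw "Security defaults are still enabled; check the scopes you consented to."
}
Write-Host "Security defaults disabled in $TenantId at $(Get-Date -Format o)."
```

Run it from a pipeline or an admin workstation before an IaC deployment of Conditional Access policies; the guard is what keeps the “disable” step from silently removing MFA from every user.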

That’s it, there you have it!

In Conclusion

In this article, we illustrated all the steps to disable security defaults in Microsoft Entra ID safely. While security defaults are a good baseline from which to start your security posture, they don’t allow for the customization many organizations require. Conditional Access policies provide a full range of customization that more complex organizations require.

Mastering the process of disabling security defaults empowers you to tailor Microsoft Entra ID’s security settings to your organization’s unique needs. Whether through the intuitive interface of the admin center portal or the command-line efficiency of Microsoft Graph PowerShell, you can confidently navigate and manage your Microsoft Entra default security settings.

Frequently Asked Questions (FAQs)

Can security defaults be re-enabled after disabling them?

Yes! You can re-enable security defaults anytime using the same configuration steps outlined above.

What are the implications of leaving security defaults enabled?

Leaving security defaults enabled provides a baseline level of protection but may limit advanced security configurations.

Is it advisable for all organizations to disable security defaults?

Security defaults should be disabled judiciously, taking into account your organization’s specific security requirements and compliance standards.

Are there any risks associated with disabling security defaults?

Disabling security defaults may expose your organization to heightened risks if alternative security measures, such as Conditional Access policies, are not adequately implemented.

Can security defaults be managed programmatically?

Yes, as this article outlines, security defaults can be managed programmatically using tools such as Microsoft Graph PowerShell.

What factors should be considered before Disabling Security defaults?

Before disabling security defaults, consider your organization’s security policies, compliance requirements, and the availability of alternative security measures.

Does disabling Security Defaults remove MFA?

Yes and no. If your organization has previously used and enabled per-user multifactor authentication, per-user MFA will remain in effect for the users whose MFA status is Enabled or Enforced. If your organization has not previously used per-user multifactor authentication, disabling Security Defaults in a tenant removes MFA for all users.

Furthermore, don’t be alarmed not to see users in an Enabled or Enforced status if you look at the multifactor authentication status page. Disabled is the appropriate status for users using security defaults or Conditional access-based multifactor authentication.

Can we turn off MFA for one user when Security Defaults are enabled?

When Security Defaults are enabled in a tenant, Multi-Factor Authentication (MFA) is enabled for all users. Unfortunately, it is not possible to turn off MFA for specific users while Security Defaults are enabled. Since Security Defaults is a free feature, no fine-grain control is available.

Does Security Defaults require a license?

No. Security Defaults can be used in Microsoft Entra ID Free without a license.

Can the user skip Security defaults MFA registration?

Yes. As of April 2024, when MFA registration is enforced by security defaults, a 14-day period allows users to skip it. However, this might change since this 14-day window exposes an account to be more vulnerable without enforced MFA.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.