Security defaults make it easier to help protect your organization from identity-related attacks like password spray, replay, and phishing that are common in today's environments.
Microsoft is making these preconfigured security settings available to everyone, because we know managing security can be difficult. Based on our learnings more than 99.9% of those common identity-related attacks are stopped by using multifactor authentication and blocking legacy authentication. Our goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
These basic controls include:
- Requiring all users to register for multifactor authentication
- Requiring administrators to do multifactor authentication
- Requiring users to do multifactor authentication when necessary
- Blocking legacy authentication protocols
- Protecting privileged activities like access to the Azure portal
Who's it for?
- Organizations who want to increase their security posture, but don't know how or where to start.
- Organizations using the free tier of Microsoft Entra ID licensing.
Who should use Conditional Access?
- If you're an organization with Microsoft Entra ID P1 or P2 licenses, security defaults are probably not right for you.
- If your organization has complex security requirements, you should consider Conditional Access.
Enabling security defaults
If your tenant was created on or after October 22, 2019, security defaults might be enabled in your tenant. To protect all of our users, security defaults are being rolled out to all new tenants at creation.
To help protect organizations, we're always working to improve the security of Microsoft account services. As part of this protection, customers are periodically notified about the automatic enablement of security defaults if they:
- Don't have any Conditional Access policies
- Don't have premium licenses
- Aren't actively using legacy authentication clients
After this setting is enabled, all users in the organization will need to register for multifactor authentication. To avoid confusion, refer to the email you received. Alternatively, you can disable security defaults after they're enabled.
To configure security defaults in your directory, you must be assigned at least the Conditional Access Administrator role.
By default, the user who creates a Microsoft Entra tenant is automatically assigned the Global Administrator role.
To enable security defaults:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Overview > Properties.
- Select Manage security defaults.
- Set Security defaults to Enabled.
- Select Save.
Revoking active tokens
As part of enabling security defaults, administrators should revoke all existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate again and register for multifactor authentication. This task can be accomplished using the Revoke-AzureADUserAllRefreshToken PowerShell cmdlet.
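As an added example that is not part of the original page, the following PowerShell script reads and enables the security defaults enforcement policy through Microsoft Graph and then revokes every user's sign-in sessions, so the enablement and the revocation step are done together and can be rehearsed with a dry run. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest, Get-MgUser, Revoke-MgUserSignInSession) in place of the Revoke-AzureADUserAllRefreshToken cmdlet named above, and assumes those modules are installed and the signed-in account holds at least the Conditional Access Administrator role.

```powershell
# Added example (not from the original page): enable security defaults and
# revoke all users' refresh tokens with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# holds at least the Conditional Access Administrator role.
param(
    [switch]$DryRun   # report what would change without modifying anything
)

# Policy.ReadWrite.ConditionalAccess covers the security defaults policy;
# User.ReadWrite.All is required to list users and revoke their sessions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.ReadWrite.All' -NoWelcome

$policyUri = 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'

# 1. Read the current state first so the script is idempotent and leaves
#    an auditable record of what it found before changing anything.
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
Write-Host "Security defaults currently enabled: $($policy.isEnabled)"

if (-not $policy.isEnabled) {
    if ($DryRun) {
        Write-Host 'DryRun: would set isEnabled = true on the security defaults policy'
    } else {
        Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body @{ isEnabled = $true } | Out-Null
        Write-Host 'Security defaults enabled.'
    }
}

# 2. Revoke every user's refresh tokens so their next sign-in goes through
#    multifactor authentication registration. Revoke-MgUserSignInSession is
#    the Graph equivalent of Revoke-AzureADUserAllRefreshToken.
$users   = Get-MgUser -All -Property Id, UserPrincipalName
$revoked = 0
foreach ($u in $users) {
    if ($DryRun) {
        Write-Host "DryRun: would revoke sign-in sessions for $($u.UserPrincipalName)"
        continue
    }
    try {
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        $revoked++
    } catch {
        # Keep going so one failure does not leave the rest of the tenant untouched.
        Write-Warning "Failed to revoke sessions for $($u.UserPrincipalName): $_"
    }
}
Write-Host "Revoked sign-in sessions for $revoked of $($users.Count) users."
```

Run it once with -DryRun to confirm the policy state and the user count before applying it for real.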