Why Security Defaults Exist
Identity attacks like password spray, phishing, and credential replay are extremely common. Many organizations do not know where to start with security.
Security defaults exist to:
Microsoft manages these settings for you until you are ready to use Conditional Access.
What Security Defaults Do
Security defaults enforce the following protections.
Who Should Use Security Defaults
| Should Use | Should Not Use |
|---|---|
| Organizations new to identity security. | Organizations already using Conditional Access. |
| Tenants using free Entra ID licensing. | Organizations with Entra ID Premium licenses. |
| Organizations that want quick baseline security. | Organizations needing granular control. |
Unified MFA Registration
All users must register for MFA using Microsoft Authenticator. Users get 14 days after their first successful sign-in to complete registration. After 14 days, sign-in is blocked until MFA registration is complete.
Protecting Administrator Accounts
Administrator accounts are high-value targets. Security defaults force MFA for these roles every time they sign in.
Administrator roles protected include:
Protecting All Users
Attackers often target regular users first, not admins. Once a user account is compromised, attackers can escalate privileges or steal data.
Security defaults require MFA for all users when risk is detected. This applies to all Microsoft Entra-integrated apps, including SaaS apps.
Blocking Legacy Authentication
Legacy authentication uses password-only protocols. It does not support MFA.
Examples of legacy authentication:
Most password spray attacks use legacy authentication. Security defaults block these protocols automatically.
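As an added example (not code from this page or from Microsoft), the following Python triage runs over constructed Entra sign-in records and surfaces the two things this section addresses: users still signing in over legacy protocols (whom security defaults would block) and a single source failing against many accounts, the password spray signature. Field names follow the Microsoft Graph signIn resource; the sample records, the legacy protocol set and the spray threshold are assumptions.

```python
"""Triage Entra ID sign-in records for legacy authentication and password spray.

Added example, not from the Microsoft page. Field names follow the Microsoft
Graph signIn resource (userPrincipalName, clientAppUsed, ipAddress,
status.errorCode); the sample records below are constructed, not tenant data.
"""
from collections import defaultdict

# clientAppUsed values Entra reports for legacy (password-only) protocols (assumed set).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Other clients", "AutoDiscover", "Offline Address Book",
}

# Constructed sample: one modern sign-in, one user still on IMAP, and one IP
# failing against many accounts over a legacy client (error 50126 = bad credentials).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
] + [
    {"userPrincipalName": f"user{i}@example.com", "clientAppUsed": "Other clients",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
    for i in range(12)
]


def legacy_auth_users(signins):
    """Users who signed in successfully over a legacy protocol; security defaults block these."""
    return sorted({s["userPrincipalName"] for s in signins
                   if s["clientAppUsed"] in LEGACY_CLIENT_APPS
                   and s["status"]["errorCode"] == 0})


def spray_sources(signins, min_users=10):
    """IPs with failed sign-ins against at least min_users distinct accounts."""
    failed_users = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] != 0:
            failed_users[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: len(users) for ip, users in failed_users.items() if len(users) >= min_users}


if __name__ == "__main__":
    print("Legacy auth users:", legacy_auth_users(SAMPLE_SIGNINS))
    print("Spray sources:", spray_sources(SAMPLE_SIGNINS))
```

Running the legacy-user check before enabling security defaults tells you which accounts will lose access when legacy protocols are blocked; the spray check is the kind of pattern those protocols make possible.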