This chapter covers Security Defaults in Microsoft Entra ID, a critical baseline security feature that protects tenants from common identity attacks. For the SC-900 exam, questions on Security Defaults appear in roughly 5-8% of the Identity and Access Management domain (Objective 2.2). Understanding what Security Defaults enforces, when to use it, and its limitations is essential for answering scenario-based questions about MFA enforcement and legacy authentication blocking.
Imagine a small office building where every door has a lock, but the building manager has never set any policy on when locks should be used. Some employees lock their doors, some don't. Visitors can wander in. Now, the manager decides to enforce a 'security default' policy: all doors automatically lock after 5 minutes of inactivity, require a keycard for entry, and force visitors to sign in using a kiosk. This is exactly what Security Defaults does for an Entra ID tenant. It enforces a baseline of security policies — like requiring multifactor authentication for all users, blocking legacy authentication protocols (think: old skeleton keys that can't be upgraded), and mandating privileged role activation through MFA. Just as the building's automatic locks ensure that even if an employee forgets to lock up, the door secures itself, Security Defaults ensures that even if an admin doesn't explicitly configure MFA or conditional access, the tenant is protected against common identity attacks. The key mechanistic parallel: Security Defaults is a tenant-wide toggle that, when enabled, enforces a set of pre-defined, immutable policies. You cannot selectively disable individual defaults — it's all or nothing, similar to a building-wide lockdown that cannot be bypassed per door without disabling the entire system.
What Are Security Defaults?
Security Defaults are a set of baseline security policies automatically enforced by Microsoft Entra ID when enabled. They are designed to protect organizations from common identity attacks such as password spray, replay, and phishing. Microsoft introduced Security Defaults to simplify security for small and medium-sized organizations that lack dedicated identity security expertise. When enabled, they override many individual Conditional Access policies and cannot be selectively disabled.
Why Security Defaults Exist
Before Security Defaults, many tenants had no MFA enforcement, allowing legacy authentication protocols (POP3, IMAP, SMTP, etc.) that do not support modern security features. Attackers could exploit these weaknesses. Security Defaults provide a 'set and forget' security baseline. They are free for all Azure AD (now Entra ID) licenses, including the Free tier. This makes them accessible to organizations that cannot afford Premium P1 or P2 licenses, which are required for more granular Conditional Access policies.
How Security Defaults Work Internally
When you enable Security Defaults, the tenant automatically applies the following policies:
- Require MFA registration for all users: Within 14 days of enabling Security Defaults, every user must register for MFA using the Microsoft Authenticator app (or other approved methods). Users cannot bypass this registration.
- Require MFA for all users during sign-in: Every time a user signs in from an untrusted location or device, they must complete MFA. Trusted locations are defined based on the tenant's location (not custom IP ranges). The system uses risk-based evaluation: if the sign-in is from a familiar device or location, MFA may not be prompted.
- Block legacy authentication: Protocols like POP3, IMAP, SMTP, and older versions of Office clients that do not support modern authentication are blocked. This prevents attackers from using password spray attacks against these protocols.
- Protect privileged roles: When a user is assigned a privileged role (e.g., Global Administrator), they must perform MFA every time they sign in, regardless of location or device.
Key Components, Values, Defaults, and Timers
MFA registration grace period: 14 days from the first sign-in after enabling Security Defaults. After that, the user is blocked until they register.
MFA prompt frequency: By default, users are prompted for MFA every 14 days on a trusted device. This is not configurable.
Legacy authentication block: Applied globally; no exceptions unless you disable Security Defaults entirely.
Trusted locations: Based on the tenant's home location (country/region) as defined in Entra ID. Custom trusted IP ranges are not supported.
User scope: All users in the tenant, including guests. No exclusion groups.
Configuration and Verification
To enable Security Defaults:
1. Sign in to the Entra admin center (https://entra.microsoft.com).
2. Navigate to Identity > Overview > Properties.
3. Under Security Defaults, select Enabled.
4. Click Save.
To verify:
Use the Entra admin center to check the status under Properties.
Use Microsoft Graph PowerShell:
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
The output shows the isEnabled property as true or false.
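As an added example (not code from the page or from Microsoft), the same cmdlet folded into a small audit function that also counts the tenant's Conditional Access policies, because any that exist are ignored while Security Defaults are enabled; it assumes the Microsoft.Graph PowerShell module and consent to the Policy.Read.All permission.

```powershell
# Added example (not from the page or Microsoft): audit a tenant's Security Defaults
# state and surface the Conditional Access conflict described in this chapter.
# Assumes the Microsoft.Graph PowerShell module and consent to Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

function Get-SecurityDefaultsAudit {
    # Security Defaults is a single tenant-wide toggle; IsEnabled is its only setting.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $enabled = [bool]$sd.IsEnabled

    # Any Conditional Access policy is ignored while Security Defaults are on,
    # so count the ones an admin might wrongly believe are protecting the tenant.
    $caPolicies = @(Get-MgIdentityConditionalAccessPolicy)
    $activeCa   = @($caPolicies | Where-Object { $_.State -ne 'disabled' })

    if ($enabled -and $activeCa.Count -gt 0) {
        $finding = "CONFLICT: $($activeCa.Count) Conditional Access policies exist but are not evaluated while Security Defaults are enabled."
    } elseif (-not $enabled -and $activeCa.Count -eq 0) {
        $finding = "EXPOSED: neither Security Defaults nor Conditional Access enforces MFA or blocks legacy authentication."
    } elseif ($enabled) {
        $finding = "OK: Security Defaults baseline in force (MFA for all users, legacy auth blocked, MFA on every privileged sign-in)."
    } else {
        $finding = "OK: Conditional Access in use; confirm a policy blocks legacy auth, the usual gap after migrating off Security Defaults."
    }

    [pscustomobject]@{
        SecurityDefaultsEnabled   = $enabled
        ConditionalAccessPolicies = $caPolicies.Count
        ActiveOrReportOnlyCA      = $activeCa.Count
        Finding                   = $finding
    }
}

Get-SecurityDefaultsAudit | Format-List
```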
Interaction with Related Technologies
Conditional Access: Security Defaults cannot coexist with Conditional Access policies. If you enable Security Defaults, any existing Conditional Access policies are ignored. To use Conditional Access, you must disable Security Defaults.
Legacy authentication: Security Defaults block legacy auth. If your organization uses legacy protocols (e.g., SMTP for print servers), you must either update those services to support modern auth or disable Security Defaults and use Conditional Access to selectively block legacy auth.
MFA registration: Security Defaults force MFA registration via the Microsoft Authenticator app. Other MFA methods (like SMS or phone call) are available but the default prompt encourages Authenticator.
What Happens When You Enable Security Defaults
All users receive an email notification about MFA registration requirements.
Admins cannot create Conditional Access policies until Security Defaults are disabled.
Service accounts using legacy authentication will fail to authenticate. You must switch to app passwords or modern auth.
B2B guest users are also required to register for MFA.
Limitations
No granular control: you cannot exclude specific users or applications.
No custom trusted IP ranges: the tenant's home location is the only trusted location.
No risk-based policies beyond basic location/device recognition.
Cannot be used with Conditional Access; you must choose one or the other.
Exam Relevance
SC-900 tests your understanding of when to use Security Defaults versus Conditional Access. Key exam points:
Security Defaults are for organizations that need a simple, secure baseline without advanced customization.
They block legacy authentication entirely.
They require MFA for all users, including admins.
They are free and available on all Entra ID licenses.
They cannot be used alongside Conditional Access.
Enable Security Defaults in Portal
An administrator navigates to the Entra admin center, selects Identity > Overview > Properties, and toggles Security Defaults to Enabled. This action triggers a tenant-wide configuration change. The system immediately begins enforcing the policies: all users must register for MFA within 14 days, legacy authentication is blocked from the moment of enablement, and privileged roles require MFA on every sign-in. There is no gradual rollout — the change is instant. The admin receives a confirmation message and can verify the status in the same blade.
Users Receive MFA Registration Prompt
After enabling Security Defaults, the next time a user signs in, they are prompted to register for MFA. The registration process guides them to download the Microsoft Authenticator app and set up either push notifications or a one-time password code. The user has 14 days to complete registration; after that, they are blocked from signing in until they register. The system sends reminder emails at intervals. During registration, the user's device is added as a trusted device, reducing future MFA prompts.
Legacy Authentication Blocked
Immediately upon enabling Security Defaults, all authentication requests using legacy protocols (POP3, IMAP, SMTP, ActiveSync without modern auth) are denied. The Entra ID authentication endpoint returns an error: 'AADSTS53003: Legacy authentication is blocked by security defaults.' Applications that rely on these protocols, such as older Outlook clients or script-based mail senders, will fail. Administrators must update these applications to use modern authentication (OAuth 2.0) or disable Security Defaults and use Conditional Access to selectively block legacy auth.
MFA Prompt During Sign-In
When a user signs in from an untrusted location (outside the tenant's home country) or from a new device, they are prompted for MFA after entering their password. The system evaluates the sign-in risk: if the device is known and the location matches the user's typical pattern, MFA may be skipped. The MFA prompt frequency is set to 14 days on trusted devices. This means that once a user completes MFA on a trusted device, they won't be prompted again for 14 days unless they sign in from an untrusted location.
Privileged Role Activation
For users assigned to privileged roles (e.g., Global Administrator, User Administrator), Security Defaults require MFA on every sign-in, regardless of device trust or location. This ensures that high-privilege accounts are always protected. When a privileged user signs in, they must complete MFA every time. This is non-negotiable and cannot be bypassed. If a privileged user fails MFA, they are denied access. This step is crucial for exam questions about protecting administrative accounts.
Scenario 1: Small Business with No IT Staff
A small law firm with 15 employees uses Office 365 Business Basic. They have no dedicated IT administrator. The firm wants to ensure that all accounts are protected against password attacks. The solution: enable Security Defaults. This automatically enforces MFA for all users, blocks legacy authentication (which the firm doesn't use anyway), and protects the global admin account. The deployment is straightforward: the admin enables the toggle, sends a brief email to staff about MFA registration, and within a few weeks, all users are registered. The firm benefits from a strong security baseline without any ongoing management. The only challenge is that one employee uses an old scanner that sends emails via SMTP; that scanner stops working. The firm replaces the scanner with a modern model that supports OAuth. This scenario is typical for organizations with fewer than 100 users and no Conditional Access license.
Scenario 2: Enterprise Migrating from Security Defaults to Conditional Access
A mid-sized company with 500 users initially enabled Security Defaults for quick protection. Later, they purchase Entra ID Premium P1 licenses to gain granular control. They need to exclude a group of service accounts from MFA and allow legacy authentication for a legacy ERP system. The plan: disable Security Defaults and create Conditional Access policies that replicate the baseline (MFA for all users, block legacy auth) but with exceptions. The migration requires careful planning: first, create the Conditional Access policies in report-only mode to verify impact, then switch to enforce mode, and finally disable Security Defaults. A common pitfall is forgetting to re-block legacy authentication in Conditional Access, leaving the tenant exposed. The company also discovers that Security Defaults had been blocking some legitimate legacy applications that now need to be allowed via Conditional Access exclusions.
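Added example, not from the page or from Microsoft: the two report-only Conditional Access policies this migration calls for, built with Microsoft Graph PowerShell and with the service-account group carved out; the group ID is a placeholder, and the Microsoft.Graph module, an Entra ID P1/P2 license and the Policy.ReadWrite.ConditionalAccess permission are assumed.

```powershell
# Added example (not from the page or Microsoft): replicate the Security Defaults
# baseline as report-only Conditional Access policies with a service-account exclusion.
# Assumes Microsoft.Graph is installed, Entra ID P1/P2 licensing, and consent to the
# scopes below. The group ID is a PLACEHOLDER; replace it with the real exclusion group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$serviceAccountGroupId = "00000000-0000-0000-0000-000000000000"  # PLACEHOLDER

# Stop early while Security Defaults are on: Conditional Access is not evaluated
# until they are disabled, so a policy created now protects nothing yet.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning "Security Defaults are enabled; disable them before Conditional Access policies take effect."
    return
}

# Policy 1: MFA for all users and all cloud apps, minus the service-account group.
# Production policies also exclude the emergency-access (break-glass) accounts.
$mfaAll = @{
    displayName   = "MIGRATION - Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($serviceAccountGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. Security Defaults blocked it with no
# exceptions; here the legacy ERP's service accounts are the one carve-out.
$blockLegacy = @{
    displayName   = "MIGRATION - Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($serviceAccountGroupId) }
        applications   = @{ includeApplications = @("All") }
        # exchangeActiveSync + other = basic-auth EAS plus POP3/IMAP/SMTP and older Office clients
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($mfaAll, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Output ("Created '{0}' state={1} id={2}" -f $created.DisplayName, $created.State, $created.Id)
}
```

After reviewing report-only results in the sign-in logs, switch each policy's state to "enabled" with Update-MgIdentityConditionalAccessPolicy; the legacy-auth block is the policy most often forgotten at that step.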
Scenario 3: Non-Profit with Guest Users
A non-profit organization uses Entra ID Free and frequently collaborates with external partners via B2B guest accounts. They enable Security Defaults to protect all accounts, including guests. However, guest users from organizations that do not support MFA (e.g., small partners without modern authentication) are unable to sign in. The non-profit must either ask partners to enable MFA or disable Security Defaults and use Conditional Access (requires Premium license) to exclude guest users from MFA. This scenario highlights a limitation: Security Defaults apply to all users, including guests, and cannot be scoped. The non-profit ultimately decides to stick with Security Defaults and work with partners to enable MFA, as the security benefit outweighs the inconvenience.
Exactly What SC-900 Tests on This Topic
SC-900 Objective 2.2: 'Describe the identity authentication and authorization capabilities of Microsoft Entra ID.' Under this, Security Defaults are tested as a baseline security configuration. You must know:
What Security Defaults enforce (MFA for all users, block legacy auth, protect privileged roles).
When to use Security Defaults vs. Conditional Access (Security Defaults for simple, no-license-needed baseline; Conditional Access for granular control).
That Security Defaults are available on all Entra ID licenses, including Free.
That enabling Security Defaults disables Conditional Access policies.
The 14-day MFA registration grace period.
Common Wrong Answers and Why Candidates Choose Them
'Security Defaults require Entra ID Premium P1 license.' Many candidates think that because MFA is often associated with Premium licenses, Security Defaults also require it. In reality, Security Defaults are free and available on Free tier. The exam tests this distinction directly.
'Security Defaults allow you to exclude specific users from MFA.' Candidates confuse Security Defaults with Conditional Access. Security Defaults apply to all users with no exclusions. The exam may present a scenario where an admin wants to exclude a service account; the correct answer is to use Conditional Access (if licensed) or not use Security Defaults.
'Security Defaults can be combined with Conditional Access policies.' This is false. They are mutually exclusive. The exam might ask: 'An organization has Security Defaults enabled and wants to add a Conditional Access policy. What should they do first?' Answer: Disable Security Defaults.
'Security Defaults block all legacy authentication except for Exchange ActiveSync.' No, they block all legacy protocols including ActiveSync if it uses basic authentication. Modern auth for ActiveSync (OAuth) is allowed.
Specific Numbers, Values, and Terms That Appear on the Exam
14-day MFA registration grace period.
'All users' (including guests and privileged roles).
'Legacy authentication blocked' — protocols: POP3, IMAP, SMTP, older Office clients.
'Cannot be used with Conditional Access'.
'Free with any Entra ID license'.
Edge Cases and Exceptions the Exam Loves to Test
If an organization has both Security Defaults and Conditional Access policies enabled, the Conditional Access policies are ignored. The exam might ask: 'A company has Security Defaults enabled and also has a Conditional Access policy requiring MFA for external users. What happens?' Answer: The Conditional Access policy is not evaluated; Security Defaults override.
Service accounts: Since Security Defaults cannot exclude them, service accounts that use legacy auth will break. The exam may present a scenario where an admin needs to allow legacy auth for a specific app; the correct answer is to disable Security Defaults and use Conditional Access with a 'Grant' control to allow legacy auth for that app (if licensed).
Guest users: They are also required to register for MFA. If a guest user's home tenant does not support MFA, they cannot access resources. The exam may test that Security Defaults apply to guests.
How to Eliminate Wrong Answers Using the Underlying Mechanism
Understand that Security Defaults are a single toggle that enforces a fixed set of policies. Any answer suggesting granularity, exclusions, or coexistence with Conditional Access is wrong. If a question mentions 'customization' or 'exceptions', the correct answer is likely Conditional Access, not Security Defaults. Also, if the scenario mentions a free license, Security Defaults are the only option for MFA enforcement.
Security Defaults are a free, tenant-wide baseline that enforces MFA for all users, blocks legacy authentication, and protects privileged roles.
They are available on all Entra ID editions, including Free, and require no additional licensing.
Security Defaults cannot be used alongside Conditional Access; enabling one disables the other.
The MFA registration grace period is 14 days; after that, unregistered users are blocked.
Legacy authentication protocols (POP3, IMAP, SMTP, etc.) are completely blocked with no exceptions.
Privileged role users must always perform MFA on every sign-in, regardless of device trust.
Security Defaults apply to all users, including guest users and service accounts — no exclusions.
For granular control, such as excluding specific users or applications, you must disable Security Defaults and use Conditional Access (requires Premium license).
These come up on the exam all the time. Here's how to tell them apart.
Security Defaults
Free with any Entra ID license, including Free tier.
Single toggle enables a fixed set of policies: MFA for all users, block legacy auth, protect privileged roles.
No granular control: applies to all users, no exclusions, no custom trusted IPs.
Cannot be used with Conditional Access; they are mutually exclusive.
Ideal for small organizations with simple security needs and no dedicated IT security staff.
Conditional Access
Requires Entra ID Premium P1 or P2 license.
Highly customizable: create policies based on user, group, location, device, application, risk level, etc.
Granular control: exclude specific users, groups, or apps; define custom trusted IP ranges; set session controls.
Cannot be used with Security Defaults; you must disable Security Defaults to use Conditional Access.
Ideal for enterprises that need fine-grained access control and have licensing budget.
Mistake
Security Defaults require Azure AD Premium P1 or P2 license.
Correct
Security Defaults are available on all Entra ID editions, including the Free tier. They are designed to provide a baseline security posture without additional licensing costs.
Mistake
You can exclude specific users from Security Defaults policies.
Correct
Security Defaults apply to all users in the tenant, including guest users and service accounts. There is no mechanism to exclude individuals or groups. To achieve exclusions, you must disable Security Defaults and use Conditional Access (requires Premium license).
Mistake
Security Defaults can be used together with Conditional Access policies.
Correct
Security Defaults and Conditional Access are mutually exclusive. When Security Defaults are enabled, any existing Conditional Access policies are ignored. You must choose one approach.
Mistake
Security Defaults only require MFA for administrators.
Correct
Security Defaults require MFA for all users, not just admins. However, privileged roles are required to perform MFA on every sign-in, whereas regular users may be prompted less frequently on trusted devices.
Mistake
Legacy authentication is only partially blocked by Security Defaults.
Correct
Security Defaults block all legacy authentication protocols entirely. This includes POP3, IMAP, SMTP, and older versions of Office clients that do not support modern authentication. There are no exceptions.
Security Defaults are a set of baseline security policies that Microsoft Entra ID enforces when enabled. They require all users to register for and use MFA, block legacy authentication protocols, and mandate MFA for privileged roles on every sign-in. They are designed for organizations that want a simple, secure configuration without needing advanced licensing or customization. They are free and available on all Entra ID editions.
To enable Security Defaults, sign in to the Entra admin center (https://entra.microsoft.com), go to Identity > Overview > Properties, and under Security Defaults, select 'Enabled' and click Save. This instantly activates the policies. You can verify the status in the same blade or using PowerShell: Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy.
No, Security Defaults and Conditional Access are mutually exclusive. If you enable Security Defaults, any existing Conditional Access policies are ignored. To use Conditional Access, you must first disable Security Defaults. This is a key exam point.
All legacy authentication protocols (POP3, IMAP, SMTP, and older Office clients that use basic authentication) are blocked. Applications that rely on these protocols will fail to authenticate. You must update them to use modern authentication (OAuth 2.0) or disable Security Defaults and use Conditional Access to selectively allow legacy auth.
No, Security Defaults are available on all Entra ID editions, including the Free tier. They do not require any additional licensing. This is a common exam trap — candidates often think MFA requires Premium licenses, but Security Defaults provide a free baseline MFA.
Users have 14 days from their first sign-in after Security Defaults are enabled to register for MFA. If they do not register within 14 days, they are blocked from signing in until they complete registration. The system sends reminder emails during this period.
No, Security Defaults apply to all users, including guest users. Guest users must also register for MFA. If a guest user's home tenant does not support MFA, they will be unable to access resources. To exclude guests, you must disable Security Defaults and use Conditional Access (requires Premium license).