October 11, 2025
Sidebar: Security Defaults Prepare for Conditional Access
To increase security and reduce the number of attacks on Entra ID tenancies with poor and unchanged default security settings, Microsoft deployed Security Defaults in 2019. Security Defaults provide a small number of baseline security settings in every Entra ID tenancy that can prevent a significant number of security issues later.
For example, when Microsoft first offered multifactor authentication (MFA) to all Office 365 and Microsoft 365 tenancies, the company acknowledged that the use of MFA among monthly active users (MAUs) was still quite low (less than 2% of MAU). Organizations are often slow to adopt new security features from identity providers due to real and perceived issues that will arise from the change.
Security Defaults sought to help new tenancies start with a secure foundation, even if they were not licensed for Entra ID P1 (then known as Azure Active Directory Premium). They were also beneficial for organizations that had not yet implemented Conditional Access (CA) or did not have dedicated IT staff to deploy and manage CA, as is often the case in smaller organizations. While Security Defaults are not CA, and are not based on CA, they are intended to build in some similar capabilities without requiring the licensing or IT staff to benefit from them.