
Microsoft automatically enables security defaults in new Microsoft 365 tenants to protect you from phishing and other identity-related attacks. If you set up a Conditional Access policy, you can’t enable it before you turn off security defaults. In this article, you will learn how to disable security defaults in Microsoft Entra ID.

Why disable security defaults?

Security defaults should be disabled when you configure Azure AD Multi-Factor Authentication. Otherwise, you can’t enable the Conditional Access policy, and an error appears.


Disable security defaults in Microsoft Entra admin center

To disable security defaults in the Microsoft tenant, follow these steps:

  1. Sign in to the Microsoft Entra admin center
  2. Click on Identity > Overview > Properties
  3. Select Manage security defaults
  4. Set security defaults to Disabled
  5. Select a reason for disabling security defaults
  6. Click Save
  7. Confirm that Security defaults shows: Your organization is not protected by security defaults

You successfully turned off security defaults in the Microsoft tenant.

Disable security defaults with Microsoft Graph PowerShell

To disable security defaults with Microsoft Graph PowerShell, follow the steps below:

  1. Install the Microsoft Graph PowerShell modules.

     Install-Module Microsoft.Graph -Force
     Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

  2. Connect to Microsoft Graph PowerShell.

     Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

  3. Run the command below to disable security defaults.

     Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

  4. Verify that security defaults is disabled with this command.

     Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Format-Table DisplayName, IsEnabled

  5. Confirm that the output looks like the example below.

     DisplayName       IsEnabled
     -----------       ---------
     Security Defaults     False
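
Once security defaults is off, nothing enforces MFA until a Conditional Access policy is actually enabled. The following is an added example, not part of the original article: it classifies a tenant's state from the security defaults flag and its Conditional Access policies. The function name Get-MfaCoverageStatus, the status strings, and the sample policies are hypothetical and constructed for illustration.

```powershell
# Added example: function name and sample policies are hypothetical/constructed.
function Get-MfaCoverageStatus {
    param(
        [Parameter(Mandatory)] [bool] $SecurityDefaultsEnabled,
        [object[]] $Policies = @()
    )
    # Conditional Access policies whose grant controls include built-in 'mfa'.
    # A policy with no grant controls yields $null here and is skipped.
    $mfa      = @($Policies | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' })
    # Only State 'enabled' is enforced; 'disabled' and
    # 'enabledForReportingButNotEnforced' (report-only) protect nobody.
    $enforced = @($mfa | Where-Object { $_.State -eq 'enabled' })
    $staged   = @($mfa | Where-Object { $_.State -ne 'enabled' })

    if     ($SecurityDefaultsEnabled) { $status = 'ProtectedBySecurityDefaults' }
    elseif ($enforced.Count -gt 0)    { $status = 'ProtectedByConditionalAccess' }
    elseif ($staged.Count -gt 0)      { $status = 'GapMfaPolicyNotEnforced' }
    else                              { $status = 'GapNoMfaPolicy' }

    [pscustomobject]@{
        Status           = $status
        EnforcedPolicies = @($enforced | ForEach-Object { $_.DisplayName })
        StagedPolicies   = @($staged   | ForEach-Object { $_.DisplayName })
    }
}

# Constructed sample, shaped like Get-MgIdentityConditionalAccessPolicy output:
# an MFA policy left in report-only mode plus an enforced non-MFA policy.
$sample = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA for all users'
        State         = 'enabledForReportingButNotEnforced'
        GrantControls = [pscustomobject]@{ BuiltInControls = @('mfa') }
    }
    [pscustomobject]@{
        DisplayName   = 'Block legacy authentication'
        State         = 'enabled'
        GrantControls = [pscustomobject]@{ BuiltInControls = @('block') }
    }
)
Get-MfaCoverageStatus -SecurityDefaultsEnabled $false -Policies $sample

# Against a live tenant (after Connect-MgGraph with Policy.Read.All):
# $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
# Get-MfaCoverageStatus -SecurityDefaultsEnabled $sd.IsEnabled `
#     -Policies (Get-MgIdentityConditionalAccessPolicy -All)
```

The check only confirms that at least one enforced policy requires MFA; it does not evaluate which users or applications that policy covers, so review the policy scope separately.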
