Security Defaults is Microsoft's free, pre-configured set of identity security settings for Microsoft Entra ID (formerly Azure AD), designed to protect organizations from the most common identity attacks such as password spray, replay and phishing.

**What Security Defaults enables:**

1. MFA registration required for all users: every user must register for multifactor authentication (Microsoft Authenticator) within 14 days of their first sign-in after Security Defaults is turned on; during that window they can still postpone the prompt
2. MFA enforcement for administrators immediately: accounts holding privileged directory roles (Global Administrator, Security Administrator, Exchange Administrator and the other roles Microsoft lists) must complete MFA from the moment Security Defaults is enabled
3. MFA challenge for all other users when Entra deems it necessary, for example when they sign in from a new device or application; this uses Microsoft's built-in heuristics, not the risk policies of Entra ID Protection, which require a P2 license
4. Legacy authentication blocked: protocols that cannot carry an MFA challenge (IMAP, POP3, SMTP AUTH, Exchange ActiveSync with basic authentication, older Office clients) are refused for every user
5. Protection of privileged actions: anyone accessing the Azure portal, Azure CLI, Azure PowerShell or the Microsoft Graph API must complete MFA, whatever their role
**Who should use Security Defaults:**

- Organizations without Entra ID P1/P2 licenses
- Small businesses without security staff
- Organizations just starting their security journey
- Testing/development tenants

**Who should NOT use Security Defaults:**

- Organizations using Conditional Access (the two are mutually exclusive)
- Organizations needing custom MFA requirements (specific methods, sign-in frequency, per-app rules)
- Organizations with legacy apps that need temporary exceptions from the legacy authentication block
- Organizations requiring granular location-based policies
**Limitations vs Conditional Access:**
| Feature | Security Defaults | Conditional Access |
|---------|------------------|-------------------|
| Cost | Free, on every Entra ID tenant | Requires Entra ID P1 or P2 |
| Customization | None: one fixed set of rules | Full control over conditions and grant controls |
| Exceptions | None: every user and every admin is in scope, including break-glass accounts | Granular exclusions by user, group, role, app or location |
| Legacy auth | Blocked for everyone | Blocked selectively (by user, app, client type or location) |
| Named locations | Not available | Available |
| Device compliance | Not available | Available (Intune compliance, hybrid join) |
| Report-only mode | Not available | Available, to evaluate a policy before enforcing it |

Important: Security Defaults and Conditional Access are mutually exclusive. Entra refuses to enable Security Defaults while any Conditional Access policy is enabled, and you must turn Security Defaults off before enabling Conditional Access policies. Choose one approach. When moving from Security Defaults to Conditional Access, build the equivalent policies first (MFA for all users, MFA for admins, block legacy authentication), and keep them in report-only mode only as long as it takes to validate them: the tenant has no baseline between the moment Security Defaults is switched off and the moment the replacement policies are enabled.
TrueConfig recommends Conditional Access for production tenants needing flexibility.
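The following script is an added example, not TrueConfig's or Microsoft's own code. It audits which of the two models a tenant is actually running on, using the Microsoft Graph PowerShell SDK: it reads the Security Defaults flag, counts enforcing and report-only Conditional Access policies, checks whether a Conditional Access policy blocks legacy authentication in the way Security Defaults would, and, on request, turns Security Defaults on only when the mutual-exclusion precondition holds. It assumes the SDK is installed (`Install-Module Microsoft.Graph`) and that the signed-in account can consent to `Policy.Read.All` (plus `Policy.ReadWrite.ConditionalAccess` for the write path); the file name `Audit-SecurityDefaults.ps1` and the `-EnableSecurityDefaults` switch are names chosen for this example.

```powershell
<#
Added example (not TrueConfig's or Microsoft's code): audit Security Defaults
against Conditional Access with the Microsoft Graph PowerShell SDK.
Usage:  .\Audit-SecurityDefaults.ps1 [-EnableSecurityDefaults]
Assumes: Microsoft.Graph module installed; Policy.Read.All consent
         (Policy.ReadWrite.ConditionalAccess when -EnableSecurityDefaults is used)
#>
param([switch]$EnableSecurityDefaults)

$scopes = @('Policy.Read.All')
if ($EnableSecurityDefaults) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Security Defaults is a single tenant-wide policy object with one flag.
$defaults   = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$defaultsOn = [bool]$defaults.IsEnabled

# Conditional Access policies, split by state. Report-only policies evaluate
# sign-ins but enforce nothing, so they do not count as a baseline.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
$enforcing  = @($caPolicies | Where-Object State -eq 'enabled')
$reportOnly = @($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced')

# A legacy-auth block in Conditional Access targets the legacy client app types
# (Exchange ActiveSync and "other clients") with the Block grant control.
$legacyTypes = @('exchangeActiveSync', 'other')
$legacyBlock = @($enforcing | Where-Object {
    $types      = @($_.Conditions.ClientAppTypes)
    $hitsLegacy = @($types | Where-Object { $legacyTypes -contains $_ }).Count -gt 0
    $hitsLegacy -and ($_.GrantControls.BuiltInControls -contains 'block')
})

$findings = [System.Collections.Generic.List[string]]::new()

if ($defaultsOn -and $enforcing.Count -gt 0) {
    $findings.Add("Security Defaults is on while $($enforcing.Count) Conditional Access policy(ies) are enabled. Entra does not support this combination; settle on one model.")
}
if (-not $defaultsOn -and $enforcing.Count -eq 0) {
    $findings.Add('Neither Security Defaults nor any enforcing Conditional Access policy is in place: no tenant-wide MFA or legacy-auth baseline.')
}
if (-not $defaultsOn -and $enforcing.Count -gt 0 -and $legacyBlock.Count -eq 0) {
    $findings.Add('Conditional Access is in use but no enabled policy blocks legacy authentication (exchangeActiveSync/other + Block). Security Defaults would have blocked it; add an equivalent policy.')
}
if ($reportOnly.Count -gt 0) {
    $findings.Add("$($reportOnly.Count) Conditional Access policy(ies) are report-only and enforce nothing.")
}

[pscustomobject]@{
    SecurityDefaultsEnabled = $defaultsOn
    EnforcingCAPolicies     = $enforcing.Count
    ReportOnlyCAPolicies    = $reportOnly.Count
    LegacyAuthBlockedByCA   = ($legacyBlock.Count -gt 0)
    Findings                = $findings
} | Format-List

# Write path: only flip Security Defaults on when no Conditional Access policy
# is enabled, which is the same precondition Entra itself enforces.
if ($EnableSecurityDefaults) {
    if ($enforcing.Count -gt 0) {
        throw "Refusing to enable Security Defaults: $($enforcing.Count) Conditional Access policy(ies) are enabled. Disable them first."
    }
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    Write-Host 'Security Defaults enabled.'
}
```

The legacy-authentication check is the one most worth keeping in a recurring job: a tenant that migrated from Security Defaults to Conditional Access and later disabled or scoped down its "block legacy auth" policy silently regains the exposure that Security Defaults had closed, and nothing in the portal flags it.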