
Microsoft 365 Security Defaults Are Not Enough: 5 Gaps Putting Your Tenant at Risk

Security Defaults block common attacks, but they leave critical gaps in privileged access, guest controls, and policy granularity. Here are the five areas where you need to go beyond the basics.

Nikolai Poverud

Founder & CEO

January 8, 2025

The False Sense of Security

You enabled Security Defaults. Microsoft says your tenant is now protected against 99.9% of identity attacks. You check the box on your security checklist and move on.

Six months later, your compliance audit reveals standing Global Admin accounts with no access reviews, unrestricted guest invitations, and no Conditional Access policies beyond the basics.

Security Defaults did what they promised: they blocked legacy authentication and required MFA registration. What they didn't do is give you the granular control that mid-market organizations actually need.

Here's the gap between "Security Defaults enabled" and "actually secure."

What Security Defaults Actually Do

Let's be clear: Security Defaults aren't bad. For small organizations without dedicated IT staff, they're a significant improvement over nothing. Microsoft designed them to stop the most common identity attacks with zero configuration.

When enabled, Security Defaults:

  • Require all users to register for Azure AD MFA
  • Block legacy authentication protocols
  • Require MFA for admin portal access
  • Challenge users with MFA when risky sign-ins are detected

For a 20-person company with no IT department, this is genuinely valuable. But for organizations with 100+ employees, dedicated IT staff, and compliance requirements, Security Defaults are just the starting point.

The 5 Critical Gaps

1. No Conditional Access Policies

Security Defaults are all-or-nothing. You can't:

  • Allow trusted locations
  • Apply different policies to different user groups
  • Require compliant devices
  • Block access from risky sign-ins

Conditional Access gives you the granularity that real-world security requires. A contractor needs temporary access from a personal device? Security Defaults say no. Conditional Access lets you create a policy for that scenario.

2. No Privileged Identity Management

Security Defaults don't touch PIM. That means:

  • Admins have standing access 24/7
  • No just-in-time elevation
  • No access reviews
  • No approval workflows

Standing admin access is one of the biggest risks in any tenant. If an admin account is compromised, the attacker has immediate access to everything.

3. Limited Guest Access Controls

Security Defaults apply MFA to guests, but that's it. They don't address:

  • Who can invite guests
  • What guests can access
  • How long guest access lasts
  • External collaboration policies

4. No Configuration Drift Detection

Enable Security Defaults today, and someone disables them tomorrow. You won't know until something bad happens.

Security Defaults don't:

  • Alert on configuration changes
  • Maintain an audit trail
  • Prevent unauthorized modifications

5. No Visibility Into Your Actual Risk

Security Defaults give you a binary status: enabled or disabled. They don't tell you:

  • How many admins have standing privileged access
  • Whether your Conditional Access policies have gaps
  • If someone disabled a critical setting last week
  • What your actual attack surface looks like

What We See in Practice

Based on our work with mid-market Microsoft 365 tenants, organizations relying solely on Security Defaults commonly have:

  • Standing Global Admin accounts: Most tenants have 3-5 users with permanent Global Admin access, often including service accounts and former employees
  • Unrestricted guest access: External collaboration enabled with no controls on who can invite guests
  • No session management: Users stay signed in indefinitely, increasing risk from shared or compromised devices
  • Legacy authentication exceptions: Security Defaults should block legacy auth, but many tenants have apps or service accounts configured to bypass it

The pattern is consistent: Security Defaults handle the basics, but leave significant gaps in privileged access management and granular policy control.

The Path Forward

Step 1: Enable Conditional Access

Even basic Conditional Access policies dramatically improve your security posture:

  • Require MFA for all users
  • Block legacy authentication (yes, again—with exceptions tracked)
  • Require compliant or hybrid-joined devices for sensitive apps

Step 2: Implement PIM

Start with your most privileged roles:

  • Global Administrator
  • Exchange Administrator
  • SharePoint Administrator

Require justification and approval for elevation, and set a maximum activation duration of 4 hours.

Step 3: Lock Down Guest Access

Define explicit policies:

  • Only specific users can invite guests
  • Guests can't access certain resources
  • Review and remove guests quarterly

Step 4: Monitor for Drift

This is where TrueConfig comes in. We'll:

  • Alert you when Security Defaults are disabled
  • Track Conditional Access policy changes
  • Notify you of new standing admin assignments
  • Provide weekly posture reports
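The drift checks from Step 4 and the posture findings from gap 5 and "What We See in Practice", as an added example that is not TrueConfig's code: the snapshots are constructed dicts shaped like the Graph objects an assessment would read (Security Defaults enforcement policy, Conditional Access policies, role assignments, authorization policy), the field names are assumptions drawn from those APIs, and the principal IDs and policy names are made up. The baseline carries the legacy-auth block from Step 1; "today" shows that policy flipped to report-only, Security Defaults switched off, two new standing Global Admins, and guest invitations opened to everyone.

```python
# Added example, not TrueConfig's code: posture and drift checks over constructed tenant snapshots
# shaped like Microsoft Graph objects (field names are assumptions; IDs and names are made up).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

def _legacy_auth_blocked(policies):
    """True if an enabled (not report-only) CA policy blocks legacy clients (EAS and 'other')."""
    def blocks(p):
        apps = set(p.get("conditions", {}).get("clientAppTypes", []))
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        return p.get("state") == "enabled" and {"exchangeActiveSync", "other"} <= apps and "block" in controls
    return any(blocks(p) for p in policies)

def assess(snapshot, max_standing_admins=2):
    """Gaps from the article that are present in a single snapshot."""
    findings = []
    if not (snapshot["securityDefaults"]["isEnabled"] or _legacy_auth_blocked(snapshot["caPolicies"])):
        findings.append("Legacy authentication is blocked by neither Security Defaults nor Conditional Access")
    standing = {a["principalId"] for a in snapshot["roleAssignments"] if a["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID}
    if len(standing) > max_standing_admins:
        findings.append(f"{len(standing)} standing Global Admins (limit {max_standing_admins}); make them PIM-eligible")
    invites = snapshot["authorizationPolicy"]["allowInvitesFrom"]
    if invites in ("everyone", "adminsGuestInvitersAndAllMembers"):
        findings.append(f"Guest invitations allowed from '{invites}'; restrict to admins and guest inviters")
    return findings

def drift(previous, current):
    """Changes between two snapshots that should raise an alert rather than wait for the next audit."""
    events = []
    if previous["securityDefaults"]["isEnabled"] and not current["securityDefaults"]["isEnabled"]:
        events.append("Security Defaults were disabled")
    key = lambda a: (a["principalId"], a["roleDefinitionId"])
    added = {key(a) for a in current["roleAssignments"]} - {key(a) for a in previous["roleAssignments"]}
    events += [f"New standing role assignment: {pid} -> {rid}" for pid, rid in sorted(added)]
    old_state = {p["id"]: p["state"] for p in previous["caPolicies"]}
    for p in current["caPolicies"]:
        if p["id"] in old_state and old_state[p["id"]] != p["state"]:
            events.append(f"CA policy '{p['displayName']}' changed {old_state[p['id']]} -> {p['state']}")
    return events

BLOCK_LEGACY = {"id": "ca-1", "displayName": "Block legacy auth", "state": "enabled",
                "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
                "grantControls": {"builtInControls": ["block"]}}
BASELINE = {"securityDefaults": {"isEnabled": True}, "caPolicies": [BLOCK_LEGACY],
            "roleAssignments": [{"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID}],
            "authorizationPolicy": {"allowInvitesFrom": "adminsAndGuestInviters"}}
TODAY = {"securityDefaults": {"isEnabled": False},
         "caPolicies": [dict(BLOCK_LEGACY, state="enabledForReportingButNotEnforced")],
         "roleAssignments": BASELINE["roleAssignments"] + [{"principalId": p, "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID}
                                                           for p in ("svc-backup", "user-bob")],
         "authorizationPolicy": {"allowInvitesFrom": "everyone"}}
```

Running `assess(TODAY)` and `drift(BASELINE, TODAY)` against a real tenant would mean fetching those four objects with Graph read permissions and storing each run's snapshot to compare with the next.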

The Bottom Line

Security Defaults aren't bad. They're just not enough for organizations with real compliance requirements and actual security risks to manage.

Think of Security Defaults as the foundation. You still need to build the house: Conditional Access for granular policy control, PIM for privileged access management, and continuous monitoring to catch drift before it becomes a breach.

The organizations getting compromised aren't the ones with zero security. They're the ones with some security who assumed they were covered.
