2 Ways to Disable Security Defaults in Entra ID

In this post, I will show you 2 ways to disable Security defaults in Entra ID. Security defaults provide out-of-the-box protections such as blocking legacy authentication and requiring MFA. They are great for small or new tenants that do not have Conditional Access.

Many organizations grow beyond these basics and need granular controls, staged rollouts, and exceptions. In those cases, you will typically switch from security defaults to Conditional Access so you can enforce stronger, targeted policies without breaking critical workflows.

Why should you disable Security Defaults?

Disable security defaults only when you will replace them with equal or stronger controls. Common reasons:

  • You require granular MFA enforcement with Conditional Access policies.
  • You must exempt service accounts, break-glass accounts, or specific apps from MFA.
  • You require location, device state, sign-in risk, or session controls not possible with security defaults.
  • You are integrating third-party identity or MFA solutions.
  • You require staged rollouts, pilot groups, or per-app enforcement.
  • You want to unblock secure non-interactive flows that are impacted by security defaults

Important: Turning security defaults off without replacing them increases risk. At minimum, create Conditional Access policies that 1) block legacy authentication, 2) require MFA for privileged roles, and 3) require MFA for users outside trusted scenarios.

If you want to use Conditional access in your organization, then you must disable Security defaults, else you will get an error message while creating a conditional access policy: Security defaults must be disabled to enable Conditional Access policy. You may also see below warning message as well.

It looks like you’re about to manage your organization’s security configurations. That’s great! You must first disable security defaults before enabling a Conditional Access policy.

Security defaults must be disabled to enable Conditional Access policy

Prerequisites

  • Role: Global Administrator in the tenant.
  • Entra ID P1 for Conditional Access.
  • If using PowerShell, Microsoft Graph PowerShell module installed and ability to consent required scopes

1. Disable Security Defaults using Entra admin center

Follow below steps to disable security defaults using Entra admin center.

  • Sign in to the Entra admin center > Entra ID > Overview > Properties.
  • Click on Manage security defaults link.
  • Set Security defaults to Disabled and then select a Reason for disabling security defaults.
  • Click Save.
Disable Security Defaults using Entra admin center
  • You will get another prompt to confirm, click on Disable button.
Security Defaults disable prompt
  • To check and confirm if Security defaults are disabled in your tenant, Go to Entra admin center > Entra ID > Overview > Properties and scroll down on the page to check a warning message Your organization is not protected by security defaults. That means, it’s disabled.
Your organization is not protected by security defaults message

2. Disable Security Defaults using Microsoft Graph PowerShell

You can also disable Security defaults using Microsoft Graph PowerShell. Open a PowerShell console and execute below commands.

# Install the Graph module if needed

Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect to Graph with the right scope

Connect-MgGraph -Scopes "Policy.ReadWrite.SecurityDefaults"

# Disable Security Defaults

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Verify if Security Defaults are disabled

Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object DisplayName, Id, IsEnabled
DisplayName       Id                                   IsEnabled
----------- -- ---------
Security Defaults 00000000-0000-0000-0000-000000000005 False
Disable Security Defaults using Microsoft Graph PowerShell

Leave a Comment