My tenant has Security defaults enabled and I want to disable them. What to do?

First things first, Security defaults were automatically enabled for all new tenants created after October 22, 2019. This was to ensure a strong security posture right from the start for all users.

Set the stage

Let’s imagine this scenario. You would like to use some of the capabilities of Conditional Access. You open the portal from https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade and start to create your first ever policy, but right after that you are informed with the following note. Bummer. Or is it?

Stop right there and let’s see whether Conditional Access is the right choice for you.

Choosing the right feature

Who needs Conditional Access?

  • Organizations looking to boost security: Especially those who are unsure where to begin or lack a clear plan. Conditional Access offers a structured approach to access control.
  • Organizations with complex security needs: If your security requirements are intricate, Conditional Access provides the granularity and customization to address them effectively.

Who might not need Conditional Access?

  • Organizations on the free Microsoft Entra ID tier: The free tier likely includes basic security features. However, Conditional Access offers more advanced controls if needed in the future.
  • Organizations with security defaults and Entra ID P1/P2 licenses: Security defaults might already provide sufficient access control in this scenario.

So by now you should be sure that you want to continue with this. Ok, then open the link and the following will be presented.

Choose Disable and you will be asked for the reasoning behind your choice.

And when you choose My org is using Conditional Access:

You can continue to use Security defaults, but if you wish to switch to Conditional Access policies, you have to disable those defaults.

First steps after disabling

You should consider protecting your normal and admin user logins. You can create policies manually or just enable …

Microsoft-Managed policies

To strengthen your organization’s security, in the first phase Microsoft is automatically enabling the following three protections based on its security insights:

  • Multi-factor authentication (MFA) for admins: This adds an extra layer of security for administrators accessing Microsoft admin portals, preventing unauthorized access even if a password is compromised.
  • MFA enforcement for existing MFA users: This ensures users already enrolled in MFA continue to use it for added protection.
  • MFA and re-authentication for high-risk sign-ins: This requires additional verification for login attempts deemed suspicious, such as those from unrecognized devices or locations.
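One way to do the first steps above from Microsoft Graph PowerShell instead of the portal: check whether Security defaults are still on, disable them only when explicitly asked, and create the admin MFA policy in report-only mode so the sign-in logs show its effect before it is enforced. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the signed-in account holds a suitable admin role, and the break-glass UPN is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): Security defaults check and a
# report-only "Require MFA for administrators" Conditional Access policy.
param(
    [switch]$DisableSecurityDefaults,
    # Placeholder: replace with your own break-glass (emergency access) account
    [string]$BreakGlassUpn = "breakglass@contoso.onmicrosoft.com"
)

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All", "RoleManagement.Read.Directory", "User.Read.All"

# 1. Where are we? Security defaults and Conditional Access policies are mutually exclusive.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($sd.IsEnabled)"

if ($sd.IsEnabled) {
    if (-not $DisableSecurityDefaults) {
        throw "Security defaults are still on. Re-run with -DisableSecurityDefaults once you have decided."
    }
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
    Write-Host "Security defaults disabled."
}

# 2. Resolve admin role template IDs by display name instead of hard-coding GUIDs.
$adminRoles = "Global Administrator", "Security Administrator",
              "Conditional Access Administrator", "Exchange Administrator"
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoles } |
    Select-Object -ExpandProperty Id

# 3. Always exclude a break-glass account so a mistaken policy cannot lock out every admin.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

# 4. Report-only first: sign-in logs show what would have been blocked before enforcement.
$policy = @{
    displayName   = "CA001 - Require MFA for administrators"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Once the report-only results in the sign-in logs look right, switch the policy state to enabled from the portal or with Update-MgIdentityConditionalAccessPolicy.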

See more from Learn

Using templates

Open the templates from https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView and choose the ones that fit your needs best.

These are just templates; you can edit them or remove them. Not to worry, nothing is carved in stone.

See also the information in my previous blog posts

See more on templates from Learn

Closure

As we saw, Conditional Access isn’t for everyone. If you have the licensing for it, as many of you do in the form of Entra P1 or P2, you should use it.

Here is an easy-to-read summary of the benefits:

Benefit: Enhanced Security

Technical details:
  • Integrates with Azure AD multi-factor authentication (MFA) for strong user verification (e.g., fingerprint, phone call).
  • Utilizes risk detection signals like location (login from an unusual location triggers MFA), device health (an unmanaged device requires a compliance check), and login anomalies (multiple failed attempts trigger lockout).
  • Can enforce session controls like data encryption (protects sensitive data at rest and in transit) or application restrictions (limits access to specific features within an application).

Impact on security posture:
  • Significantly reduces reliance on passwords as the sole security factor.
  • Blocks unauthorized access attempts based on contextual risk factors.
  • Minimizes data exposure even if a device or credential is compromised.

Benefit: Granular Access Control

Technical details:
  • Leverages Azure AD attributes like user groups (e.g., the finance team requires stricter access), device registration status (managed devices get full access, unmanaged ones require MFA), and application claims (access granted only to specific applications) to define access policies.
  • Integrates with Microsoft Defender for Endpoint to assess device health (up-to-date security software, no malware detected) and compliance (adheres to organizational security policies) before granting access.
  • Conditional Access policies can be chained together (e.g., MFA required for high-risk locations AND unmanaged devices).

Impact on security posture:
  • Enables least privilege access, granting only the permissions necessary for users to perform their tasks.
  • Ensures only compliant devices can access organizational resources.
  • Creates a layered security approach with multiple access hurdles for attackers to overcome.

Benefit: Reduced Risk of Unauthorized Access

Technical details:
  • Blocks access attempts deemed high-risk based on Conditional Access policies (e.g., login from a banned IP address).
  • Enforces password reset or device compliance checks before granting access (forces compromised accounts to reset credentials and ensures devices meet security standards).
  • Can quarantine compromised devices (isolates infected devices to prevent lateral movement within the network).

Impact on security posture:
  • Proactively prevents breaches by stopping unauthorized access attempts at the login stage.
  • Mitigates the impact of compromised credentials by requiring additional verification steps.
  • Limits the damage caused by infected devices by isolating them from the network.

Benefit: Improved Compliance

Technical details:
  • Supports industry standards like National Institute of Standards and Technology (NIST) Special Publication 800-53 for Secure Access Control (provides a framework for implementing strong access controls).
  • Integrates with compliance management tools for centralized policy enforcement and reporting (streamlines compliance audits and simplifies reporting).

Impact on security posture:
  • Ensures the organization adheres to regulatory requirements for data security and access control.
  • Provides centralized visibility and control over access policies, simplifying compliance audits.

Benefit: Simplified Management & Scalability

Technical details:
  • Cloud-based platform for easy policy creation (intuitive interface for defining access rules), deployment (policies applied across the organization with a few clicks), and monitoring (real-time insights into access attempts and policy effectiveness).
  • Integrates with existing Azure AD infrastructure for seamless management (leverages existing user and device identities).
  • Conditional Access policies can be dynamically applied based on real-time user and device signals (e.g., automatically require MFA for logins from a new location).

Impact on security posture:
  • Reduces the administrative burden on IT staff by automating access control decisions.
  • Enables consistent security policies across the organization, regardless of user location or device.
  • Provides real-time feedback on access attempts, allowing for swift adjustments to security policies.
Author: Harri Jaakkonen