Glossary

Security Defaults

A free pre-configured security baseline for Microsoft Entra ID tenants that haven't deployed Conditional Access.

Security defaults is a free, pre-configured security baseline available to every Microsoft Entra ID tenant. When enabled, it enforces MFA for all users, requires MFA for admin operations, blocks legacy authentication, and applies protections to privileged actions. It is designed for tenants that haven't deployed Conditional Access, the customisable Entra ID P1 feature that replaces security defaults. Security defaults has been on by default for new tenants since 2019 and has raised the baseline meaningfully. Tenants that outgrow the all-or-nothing approach (for example, because they need to exempt specific service accounts or need richer policies) move to Conditional Access; the two are mutually exclusive at any given time.