
Enable Security Defaults

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-024

Ensure that the Security Defaults feature is enabled for Microsoft Entra ID in order to help protect your organization from common attacks. Security Defaults is a set of basic identity security mechanisms recommended by Microsoft and provided at no extra cost in Microsoft Entra ID. These recommended settings are enforced across your organization to help users and administrators protect themselves against common identity-related attacks. When enabled, the Security Defaults feature will:

  • Require all users and admins to register for Multi-Factor Authentication (MFA).
  • Challenge users with MFA when necessary, based on factors such as location, device, role, and task.
  • Block sign-ins from legacy authentication clients, which cannot use Multi-Factor Authentication (MFA).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Managing access security within your organization is challenging, as common identity-related attacks such as phishing, password spraying, and replay/playback attacks are becoming increasingly common. Security Defaults make it easier to protect your organization from identity-based attacks by providing preconfigured security settings that Microsoft manages on your behalf. These settings ensure that every organization has a basic level of security enabled at no extra cost until it is ready to manage its own identity security settings through more advanced features such as Conditional Access policies.

Security Defaults should be implemented initially as a baseline security measure and may later be replaced by Conditional Access policies as your organization's security requirements mature. Administrators should be aware that certain Security Defaults configurations in Microsoft Entra ID may impact other Microsoft services such as Microsoft 365. Once Security Defaults is disabled in favor of Conditional Access, ensure that equivalent or stronger security controls are implemented to replace the protections provided by Security Defaults.


Audit

To determine if the Security Defaults feature is enabled for Microsoft Entra ID, perform the following actions:

Using Azure Portal

01 Sign in to the Azure portal.

02 Navigate to Microsoft Entra ID > Properties.

03 Select Manage security defaults to access the feature configuration panel.

04 On the Security defaults panel, verify the configuration status:

  1. If Enabled (recommended) is selected, Security Defaults is enabled for your Microsoft Entra ID.
  2. If Disabled is selected, Security Defaults is not enabled.

05 Repeat steps no. 2 – 4 for each Microsoft Entra ID tenant that you want to examine.

Using Azure CLI

01 Sign in to Azure CLI:

az login

02 Run the az rest command to query the Security Defaults status via the Microsoft Graph API:

az rest --method get \
	--url 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy' \
	--query "isEnabled"

03 The command output should return the Security Defaults status:

true

If the output is true, Security Defaults is enabled for your Microsoft Entra ID tenant. If the output is false, Security Defaults is not enabled.

Remediation / Resolution

To enable the Security Defaults feature for your Microsoft Entra ID, perform the following actions:

Using Azure Portal

01 Sign in to the Azure portal.

02 Navigate to Microsoft Entra ID > Properties.

03 Select Manage security defaults to access the feature configuration panel.

04 On the Security defaults panel, select Enabled (recommended) to enable the Security Defaults feature for your Microsoft Entra ID.

05 Select Save to apply the changes.

06 If the change request is successful, the following message should be displayed: "Successfully saved Security defaults policy".

07 Repeat steps no. 2 – 6 for each Microsoft Entra ID tenant that you want to reconfigure in order to enable Security Defaults.

Using Azure CLI

01 Sign in to Azure CLI:

az login

02 Run the az rest command to enable Security Defaults via the Microsoft Graph API:

az rest --method patch \
	--url 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy' \
	--body '{"isEnabled":true}'

03 Verify that Security Defaults was enabled:

az rest --method get \
	--url 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy' \
	--query "isEnabled"

04 The command output should return:

true

If your Microsoft Entra ID tenant was created on or after October 22, 2019, Security Defaults may already be enabled in your tenant by default. Tenants created before this date will need to manually enable Security Defaults if desired.
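The audit and remediation steps above can be scripted across several tenants. The following is an added example, not code from the Conformity page or from Microsoft; it wraps the same az rest GET and PATCH calls, treats anything other than an explicit isEnabled: true as a finding for rule ActiveDirectory-024, and assumes Azure CLI is installed and that az login --tenant (not shown on the page) can sign in to each tenant.

```python
# Added example (not from the Conformity page); assumes Azure CLI is installed.
import json
import subprocess
from dataclasses import dataclass

GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/"
             "identitySecurityDefaultsEnforcementPolicy")
RULE_ID, RISK_LEVEL = "ActiveDirectory-024", "High"


@dataclass
class Finding:
    tenant_id: str
    status: str   # "compliant", "non-compliant" or "unknown"
    message: str


def assess(tenant_id: str, graph_response: str) -> Finding:
    """Evaluate the JSON body of the Graph GET from the Audit section: only an
    explicit boolean true passes; a missing, non-boolean or unparseable value
    is reported as unknown rather than silently treated as a pass."""
    try:
        body = json.loads(graph_response)
    except json.JSONDecodeError as exc:
        return Finding(tenant_id, "unknown", f"unparseable response: {exc}")
    enabled = body.get("isEnabled") if isinstance(body, dict) else None
    if enabled is True:
        return Finding(tenant_id, "compliant", "Security Defaults enabled")
    if enabled is False:
        return Finding(tenant_id, "non-compliant",
                       f"{RULE_ID} ({RISK_LEVEL}): Security Defaults disabled")
    return Finding(tenant_id, "unknown", "isEnabled missing or not boolean")


def az(*args: str) -> str:
    """Run one Azure CLI command and return its stdout (raises on failure)."""
    return subprocess.run(["az", *args], capture_output=True,
                          text=True, check=True).stdout


def audit_tenant(tenant_id: str, remediate: bool = False) -> Finding:
    """Sign in to one tenant (az login --tenant is assumed, not from the page),
    read the policy, PATCH it on if asked, and re-read it to confirm."""
    try:
        az("login", "--tenant", tenant_id)
        finding = assess(tenant_id, az("rest", "--method", "get", "--url", GRAPH_URL))
        if remediate and finding.status == "non-compliant":
            az("rest", "--method", "patch", "--url", GRAPH_URL,
               "--body", json.dumps({"isEnabled": True}))
            finding = assess(tenant_id, az("rest", "--method", "get", "--url", GRAPH_URL))
    except (subprocess.CalledProcessError, FileNotFoundError) as exc:
        finding = Finding(tenant_id, "unknown", f"az failed: {exc}")
    return finding
```

Call audit_tenant(tenant_id) for each tenant to report, or audit_tenant(tenant_id, remediate=True) to enable Security Defaults where it is off; an "unknown" result means the check could not be completed and should be investigated, not counted as a pass.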

Publication date Sep 19, 2021