How to Disable Security Defaults in Office 365? – TheITBros

written by Cyril Kardashevsky

Security Defaults are a set of policies that are enabled by default for Microsoft 365 (Office 365) tenants to provide a baseline of account and organizational security. They come free with all Microsoft 365 subscriptions and override the Baseline Conditional Access policies.

As useful as they are, Security Defaults are not a one-size-fits-all set of policies. In most cases, organizations prefer to customize their security policies, which requires disabling Security Defaults. That is what we’ll show you in this article.

What Protections Do the Security Defaults Provide?

Security Defaults enable the following settings in the Azure tenant:

  • Multi-factor authentication (MFA) for administrators and users (every user is prompted to register for MFA at sign-in);
  • Legacy authentication protocols are disabled. This blocks access to Office 365 mailboxes from old clients and protocols that do not support Modern Authentication (Office 2010, IMAP, POP3, SMTP, ActiveSync), and also blocks connecting to Exchange Online via Remote PowerShell;
  • MFA is enforced for privileged Azure AD accounts whenever they access management tools that use the Azure Resource Manager API (Azure Portal, Azure PowerShell, Azure CLI).

Why Disable the Security Defaults?

If the Security Defaults are an excellent way to protect your tenant and users, why would you disable them?

Unfortunately, Security Defaults offer an all-or-nothing approach when enforcing policies. Not every organization will find this kind of policy enforcement suitable.

Support for Legacy Applications without Modern Authentication Capabilities

If every application supports modern authentication, then enabling the Security Defaults would be a no-brainer. But in the real world, organizations cannot (or will not) upgrade or replace every application to comply with modern authentication.

In these cases, the user accounts used by legacy applications must still be able to authenticate to Microsoft 365 services with only a username and password, which is not possible while Security Defaults are enabled.


Conditional Access Policy Deployment

Unlike Security Defaults, deploying conditional access policies offers more flexible and customizable security enforcement. It lets you specify which users, groups, or applications to include or exclude from the policy. You can also create multiple policies to cater to different access scenarios.

However, a conditional access policy cannot be enabled while Security Defaults are enabled. If you try to enable one, an error message tells you that Security Defaults must be disabled first.

How to Disable Security Defaults in Office 365 using the Microsoft Entra Admin Center

The most common way to turn Security Defaults on or off is through the Microsoft Entra Admin Center; here is how to do it.

  1. Log in to the Microsoft Entra Admin Center.
  2. Navigate to Identity > Overview > Properties and click the Manage security defaults link.
  3. Select Disabled from the dropdown box, choose a reason for disabling, and click Save.
  4. Click Disable on the confirmation prompt.

The Security Defaults status has changed to “Your organization is not protected by security defaults.”
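The same switch can be done from PowerShell through Microsoft Graph. The script below is an added example, not code from the article; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin has consented to the Policy.Read.All and Policy.ReadWrite.ConditionalAccess permissions, and that a replacement MFA policy named 'Require MFA for all users' (a placeholder name) has already been created in the Off or Report-only state. Because a conditional access policy cannot be turned on while Security Defaults are enabled, the script disables Security Defaults first and only then enforces the staged policy, refusing to proceed if no MFA policy is ready to take over.

```powershell
# Added example, not code from the TheITBros article. Assumes the Microsoft.Graph.Identity.SignIns
# module and an admin consented to Policy.Read.All and Policy.ReadWrite.ConditionalAccess.
# Order matters: a Conditional Access policy cannot be switched on while Security Defaults are
# enabled, so the replacement MFA policy is staged first, Security Defaults are disabled, and
# the staged policy is turned on last, so the tenant is never left without an MFA requirement.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

function Get-SecurityDefaultsEnabled {
    # Singleton policy object; IsEnabled mirrors the "Security defaults" dropdown in the admin center.
    return [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

function Get-StagedMfaPolicy {
    param([Parameter(Mandatory)][string]$DisplayName)
    # The replacement policy must already exist and must require MFA as a grant control;
    # otherwise disabling Security Defaults would remove the only MFA enforcement in the tenant.
    $p = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $p) { throw "Conditional Access policy '$DisplayName' not found; create it (Off or Report-only) first." }
    if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { throw "'$DisplayName' does not require MFA; refusing to continue." }
    return $p
}

function Switch-ToConditionalAccess {
    param([Parameter(Mandatory)][string]$MfaPolicyName)
    $policy = Get-StagedMfaPolicy -DisplayName $MfaPolicyName
    if (Get-SecurityDefaultsEnabled) {
        # Equivalent of choosing "Disabled" and confirming in the admin center.
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
        Write-Host 'Security Defaults disabled.'
    } else {
        Write-Host 'Security Defaults were already disabled.'
    }
    if ($policy.State -ne 'enabled') {
        # Now that Security Defaults are off, the staged policy can be enforced.
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State 'enabled'
        Write-Host "Conditional Access policy '$MfaPolicyName' is now enforced."
    }
    Write-Host ("Security Defaults enabled: {0}" -f (Get-SecurityDefaultsEnabled))
}

# 'Require MFA for all users' is a placeholder; use the display name of your own staged policy.
Switch-ToConditionalAccess -MfaPolicyName 'Require MFA for all users'
```

After it runs, Get-SecurityDefaultsEnabled returns False, matching the “not protected by security defaults” status shown in the admin center.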
