Every Microsoft 365 tenant tells a story. Emails flowing, Teams meetings running, SharePoint humming along. From the outside, everything looks operational. But operational is not the same as secure \u2014 and the gap between those two things is where breaches happen.<\/p>\n\n
When our team conducts a Microsoft 365 security assessment, one of the first things we check is the identity baseline. Not the flashy stuff \u2014 the fundamentals. And one of the most common findings we encounter is a tenant where security defaults have been silently disabled, leaving the environment wide open to credential-based attacks.<\/p>\n\n
Security defaults are Microsoft’s baseline security configurations for Microsoft Entra ID (formerly Azure Active Directory). They enforce MFA registration for all users, require MFA for administrators on every sign-in, block legacy authentication protocols, and protect privileged access to the Azure portal.<\/p>\n\n
These controls are enabled by default on all new tenants created after October 2019. Microsoft reports they stop more than 99.9% of common identity-based attacks.<\/p>\n\n
So why do we keep finding them turned off?<\/p>\n\n
In most cases, security defaults were not disabled maliciously. A multi-function printer couldn’t send email. An old application broke when MFA kicked in. A migration consultant turned them off to “get things working” and never turned them back on.<\/p>\n\n
The business moved on. The risk stayed behind.<\/p>\n\n
We have seen tenants operating without security defaults for months \u2014 sometimes years \u2014 with no Conditional Access policies in place to replace them. The entire identity layer is effectively unprotected. Administrators signing in without MFA. Legacy authentication wide open. No enforcement, no alerting, no visibility.<\/p>\n\n
Legacy authentication protocols \u2014 Basic Auth, IMAP, SMTP, POP3 \u2014 do not support MFA. Full stop. If they are allowed in your tenant, an attacker who obtains a username and password can authenticate silently, bypassing every MFA prompt you think is protecting your users.<\/p>\n\n
Password spray attacks rely on this gap. An attacker takes a list of common passwords and tries them across thousands of accounts using legacy protocols. No MFA challenge. No account lockout in some configurations. Just access.<\/p>\n\n
Beyond legacy auth, security defaults enforce MFA for the roles with the most access in your organisation \u2014 Global Administrators, Security Administrators, Exchange Administrators, and more. Without this, a compromised admin account is a full tenant compromise.<\/p>\n\n
There is a common misconception we encounter during assessments. A client has Microsoft Entra ID P1 or P2 licensing, they have some Conditional Access policies in place, and they assume they are covered.<\/p>\n\n
The issue is partial coverage. A Conditional Access policy for one application, or for a subset of users, does not protect the rest. And if security defaults were disabled to make room for Conditional Access \u2014 which is the correct approach \u2014 but the Conditional Access policies were never completed, the tenant now has neither baseline enforced.<\/p>\n\n
This is the gap that attackers find and exploit.<\/p>\n\n
When our team conducts an assessment and finds security defaults disabled, we work with clients to either re-enable them or implement a complete Conditional Access policy set that provides equivalent or stronger coverage. That means:<\/p>\n\n
The goal is not to make life harder for users. Modern authentication with the Microsoft Authenticator app is fast, reliable, and non-disruptive. The friction of MFA is minor compared to the cost of a breach.<\/p>\n\n
Security defaults are free. They require no Entra ID premium licensing and no additional configuration beyond enabling the toggle. For organisations on Microsoft 365 Business Basic or Business Standard, security defaults are the correct starting point.<\/p>\n\n
For organisations with Entra ID P1 or P2 licensing, the path forward is Conditional Access \u2014 but only when implemented completely. Half a Conditional Access deployment is not a security posture. It is a false sense of security.<\/p>\n\n
The Australian Cyber Security Centre’s Essential 8 framework includes multi-factor authentication as a core mitigation strategy. It is not a recommendation \u2014 it is a requirement for organisations seeking to demonstrate cyber maturity and protect against the threats the ACSC considers highest priority.<\/p>\n\n
Checking your tenant’s security defaults takes minutes. Go to the Microsoft Entra admin center, navigate to Entra ID > Overview > Properties, and select Manage Security Defaults. If it is disabled and you do not have a complete Conditional Access policy set in place, that is a finding that needs to be remediated today.<\/p>\n\n
Our team has helped organisations across Australia assess and remediate their Microsoft 365 identity posture. If your tenant looks fine from the outside and you want to know what it looks like from the inside, that conversation is worth having.<\/p>\n\n","protected":false},"excerpt":{"rendered":"
Every Microsoft 365 tenant tells a story. Emails flowing, Teams meetings running, SharePoint humming along. From the outside, everything looks operational. But operational is not the same as secure \u2014 and the gap between those two things is where breaches happen. When our team conducts a Microsoft 365 security assessment, one of the first things […]<\/p>\n","protected":false},"author":1,"featured_media":57513,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Microsoft 365 security defaults","_yoast_wpseo_title":"M365 Tenant Looked Fine Until We Checked Security Defaults","_yoast_wpseo_metadesc":"Many Microsoft 365 tenants have security defaults silently disabled, leaving identity layers exposed. Learn what we find during M365 security assessments and how to fix it.","_yoast_wpseo_opengraph-title":"M365 Tenant Looked Fine Until We Checked Security Defaults","_yoast_wpseo_opengraph-description":"Many Microsoft 365 tenants have security defaults silently disabled, leaving identity layers exposed. Learn what we find during M365 security assessments and how to fix it.","_yoast_wpseo_twitter-title":"M365 Tenant Looked Fine Until We Checked Security Defaults","_yoast_wpseo_twitter-description":"Many Microsoft 365 tenants have security defaults silently disabled, leaving identity layers exposed. Learn what we find during M365 security assessments and how to fix it.","_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[13,127,107,36,103,14,17],"tags":[],"class_list":["post-57511","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-cloud-security","category-cybersecurity","category-entra-id","category-essential-8","category-microsoft-365","category-microsoft-365-security"],"yoast_head":"\n