Microsoft 365 Security Defaults Myths Debunked (2025)

Why Security Defaults Matter in 2025

ACSC telemetry shows 41% of Australian Microsoft 365 tenants still rely on Security Defaults as their only identity protection (27 October 2025). Security Defaults are a free baseline, not a replacement for Conditional Access or Zero Trust. Let’s clear the fog.

Myth #1: “Security Defaults Covers MFA for Admins Only”

Fact: After a 14-day grace period, all users are prompted for MFA.
Best practice: communicate to staff and register their methods before the cut-over.

Myth #2: “Turning on Conditional Access Disables Defaults Automatically”

Fact: Conditional Access overrides conflicting policies but Security Defaults remain enabled unless you toggle them off in Entra ID ▶ Protect ▶ Security Defaults.

[Screenshot: the Entra ID ▶ Protect ▶ Security Defaults page with its single enable/disable toggle]

Myth #3: “Security Defaults Logs Everything You Need”

Fact: It writes sign-in events, but you need Azure AD Premium P1 or above to stream logs to Sentinel and meet Essential Eight audit requirements.

Myth #4: “Security Defaults Breaks Legacy Apps”

Fact: Legacy POP/IMAP apps fail because they lack modern auth—this is by design. Use App Passwords sparingly or migrate.

Myth #5: “Security Defaults Equals Zero Trust”

Fact: Zero Trust also covers device compliance, data classification and segmentation—none addressed by defaults.

Myth #6: “You Can Customise Individual Settings”

Fact: It’s a single on/off switch. If you need granular control, move to Conditional Access.

Myth #7: “Security Defaults Is Free Forever—No Strings Attached”

Fact: Microsoft may move MFA reports and advanced alerts behind premium SKUs; watch licensing notes.

Myth #8: “Admin Bypass Is Impossible”

Fact: Global admins can still create emergency break-glass accounts exempt from MFA; store their credentials offline and monitor their use.

Myth #9: “Phishing-Resistant MFA Is Included”

Fact: Defaults offer Authenticator app or SMS—not FIDO2 keys. You’ll need Conditional Access to enforce phishing-resistant MFA.
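The Conditional Access policy the fact above points to, as an added example that is not from the original post: it requires the built-in “Phishing-resistant MFA” authentication strength for all users, excludes one break-glass account so the Myth #8 emergency path stays open, and is created in report-only mode so the sign-in logs show its effect before anyone is enforced. It assumes the Microsoft Graph PowerShell SDK, the P1 licence Conditional Access needs, and a placeholder break-glass UPN (breakglass@contoso.example) that you replace with your own.

```powershell
# Added example (not from the original post): require phishing-resistant MFA via
# Conditional Access, report-only first, with the break-glass account excluded.
# Assumes: Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), a P1 licence,
# and an admin role that can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

# Myth #2: Security Defaults is a separate tenant-wide switch and does not turn itself off.
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    Write-Warning "Security Defaults is still ON. Disable it deliberately before enforcing CA policies."
}

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2, Windows Hello for
# Business, certificate-based auth). This ID is the Microsoft-documented built-in value.
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Myth #8: never lock out the emergency-access account. Placeholder UPN, replace it.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example" -Property Id,UserPrincipalName

$policy = @{
    displayName = "CA-Require-PhishingResistant-MFA (report-only)"
    # Report-only evaluates the policy and records the outcome in sign-in logs
    # without blocking anyone; promote to "enabled" once the results look right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' [$($created.Id)] in state: $($created.State)"

# After reviewing report-only results, enforce the same policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Leaving the policy in report-only for a week or two shows which users would be blocked (typically those with only SMS or Authenticator push registered, the methods Security Defaults hands out) so you can run a FIDO2 registration campaign before flipping it to enforced.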

Myth #10: “Security Defaults Will Stay on After I Enable P1 Trials”

Fact: Activating a P1 trial doesn’t change Defaults, but new CA policies may clash. Audit before purchase.
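A read-only audit that answers Myth #2 and the “audit before purchase” advice in Myth #10, added here as an example that is not from the original post: it reads the Security Defaults switch and every Conditional Access policy in the tenant, reports what each policy enforces, and warns when both mechanisms are enforcing at once (or when neither is). It assumes the Microsoft Graph PowerShell SDK and a role with Policy.Read.All; it changes nothing.

```powershell
# Added example (not from the original post): audit Security Defaults vs Conditional
# Access coexistence before a P1 purchase or a cut-over. Read-only.
# Assumes: Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Myth #2 / #10: Security Defaults is one tenant-wide boolean, unaffected by CA or trials.
$defaults   = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$defaultsOn = [bool]$defaults.IsEnabled
Write-Host "Security Defaults enabled: $defaultsOn"

# Conditional Access policies live independently of that switch (P1 licence).
$policies = @(Get-MgIdentityConditionalAccessPolicy)
if ($policies.Count -eq 0) {
    Write-Host "No Conditional Access policies found in this tenant."
}

# One row per policy: state, and which grant controls it actually applies.
$report = foreach ($p in $policies) {
    $grant = $p.GrantControls
    [pscustomobject]@{
        Policy       = $p.DisplayName
        State        = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        RequiresMfa  = [bool]($grant.BuiltInControls -contains 'mfa')
        Blocks       = [bool]($grant.BuiltInControls -contains 'block')
        AuthStrength = $grant.AuthenticationStrength.Id   # set only when an auth strength is required (Myth #9)
        ClientApps   = ($p.Conditions.ClientAppTypes -join ',')   # 'other' covers legacy auth (Myth #4)
    }
}
$report | Format-Table -AutoSize

# The clash the post warns about: both layers enforcing, or neither.
$enforced = @($policies | Where-Object { $_.State -eq 'enabled' })
if ($defaultsOn -and $enforced.Count -gt 0) {
    Write-Warning "Security Defaults is ON and $($enforced.Count) CA policies are enforced. Review overlaps, then switch Defaults off deliberately."
}
elseif (-not $defaultsOn -and $enforced.Count -eq 0) {
    Write-Warning "Neither Security Defaults nor an enforced CA policy protects this tenant."
}
```

Run this before starting a P1 trial and again after the first CA policies go in; the two outputs side by side are the audit trail that Myth #10 asks for.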

Quick Checklist—When to Keep vs Replace Security Defaults

Tenant Size   | Licence                 | Apps Using Legacy Auth | Recommendation
≤50 users     | Business Basic/Standard | None                   | Keep Security Defaults
50–250 users  | Business Premium / E3   | Few                    | Hybrid: Keep Defaults + add CA for risky users
>250 users    | E3/E5 + P1/P2           | Many                   | Replace with full Conditional Access baseline


Frequently Asked Questions

Can I customise Security Defaults options?

No, it’s all-or-nothing. Use Conditional Access for granularity.

Is there a cost to Conditional Access?

Yes—requires Azure AD Premium P1 (bundled in Microsoft 365 Business Premium, E3/E5).

What’s the impact on Outlook POP/IMAP?

Legacy protocols are blocked; users must switch to modern auth or app passwords.
