Security Defaults are a set of policies that are enabled by default in Microsoft 365 (Office 365) tenants to raise account and organizational security. They include requiring Multi-Factor Authentication (MFA) at sign-in, disabling legacy mail protocols (IMAP, POP3, and SMTP), and so on. In some cases, a Microsoft 365 administrator needs to turn off some of the Security Defaults settings in the tenant.
Azure AD Security Defaults are a set of identity security mechanisms recommended by Microsoft. When enabled, these recommendations are enforced automatically in your organization, and administrators and users are better protected from common identity-related attacks. Security Defaults are free for all Microsoft 365 subscriptions and replace the Baseline Conditional Access policies.
Security Defaults enable the following settings in the Azure tenant:
- Multi-Factor Authentication for administrators and users (a prompt to set up MFA appears at each user sign-in);
- Legacy authentication protocols are disabled. This blocks access to Office 365 mailboxes from old clients and protocols that do not support Modern Authentication (Office 2010, IMAP, POP3, SMTP, ActiveSync), as well as connecting to Exchange Online via Remote PowerShell;
- MFA is enforced for privileged Azure AD accounts when they access management tools that use the Azure Resource Manager API (Azure Portal, Azure PowerShell, Azure CLI).
You can enable or disable Security Defaults in your Azure tenant settings:
- Open the Microsoft Azure Portal sign-in page and sign in with a Global Administrator account of the Azure or Microsoft 365 tenant;
- Select Azure Active Directory > Properties;
- At the very bottom of the tenant properties page, click the Manage Security Defaults link;
- A pane opens with a single Enable Security defaults (Yes/No) switch. Security Defaults are enabled by default for all new Azure (Microsoft 365) tenants. To disable them, select No and answer a short Microsoft survey:
We’d love to understand why you’re disabling Security defaults so we can make improvements.
– My organization is using Conditional Access;
– My organization is unable to use critical business applications;
– My organization is getting too many MFA challenges;
- Press the Save button.
Users will no longer be prompted to set up MFA at sign-in. If Multi-Factor Authentication has already been configured for some users, you can disable it per user:
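The same switch can be flipped from a script. The following is an added example, not code from the original article: it uses the Microsoft Graph PowerShell SDK (assumed installed, with Microsoft.Graph.Identity.SignIns) and a Global Administrator sign-in. It reads the current state first, changes it only when needed, and reads the policy back instead of trusting that the write succeeded. Note that Microsoft does not let you re-enable Security Defaults while Conditional Access policies exist in the tenant, so the enable path fails in that case.

```powershell
# Added example (not from the original article): toggle Security Defaults
# via Microsoft Graph. Assumes the Microsoft.Graph module is installed
# (Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser)
# and the signed-in account is a Global Administrator.
param(
    # $true keeps/enables Security Defaults, $false disables them
    [bool]$Enabled = $false
)

# Delegated permission that can read and write this policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Record the state before touching anything so the change is auditable.
$before = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host ("Security Defaults currently enabled: {0}" -f $before.IsEnabled)

if ($before.IsEnabled -eq $Enabled) {
    Write-Host "No change needed."
}
else {
    # Same switch as 'Manage Security Defaults' in the Azure portal.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$Enabled

    # Read the policy back rather than assuming the update applied.
    $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($after.IsEnabled -ne $Enabled) {
        throw "Security Defaults state did not change (still $($after.IsEnabled))."
    }
    Write-Host ("Security Defaults now enabled: {0}" -f $after.IsEnabled)
}

Disconnect-MgGraph | Out-Null
```

Run it as `.\Set-SecurityDefaults.ps1 -Enabled $false` to disable, or with `-Enabled $true` to turn Security Defaults back on. Keeping the before/after values in the output gives you a record of who changed the tenant-wide MFA posture and when.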
- Sign in to the Microsoft 365 Admin Center (https://admin.microsoft.com/#/users);
- Select Users > Active users;
- Click Multi-factor authentication;
- Find the user you want to disable MFA for, select them, and click Disable.
To allow legacy email protocols again:
- Go to https://admin.microsoft.com;
- Select Settings > Org Settings > Modern authentication;
- Select the legacy protocols that email clients should be allowed to use.
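The per-user MFA step above can also be scripted. This is an added example, not code from the original article: it uses Microsoft Graph PowerShell and the per-user MFA state exposed on the beta endpoint /users/{id}/authentication/requirements (property perUserMfaState). The endpoint path and the Policy.ReadWrite.AuthenticationMethod scope are taken from my reading of the Graph documentation and should be confirmed against the current reference before use. The script reads each user's state, disables it only where it is not already disabled, verifies the result, and lists the authentication methods that remain registered on the account.

```powershell
# Added example (not from the original article): disable per-user MFA for a
# list of users and verify the change. Assumes the Microsoft.Graph module is
# installed and the caller holds a privileged admin role. The beta endpoint
# and scope name are as documented by Microsoft Graph at the time of writing.
param(
    [Parameter(Mandatory)]
    [string[]]$UserPrincipalName
)

Connect-MgGraph -Scopes "User.Read.All",
                        "UserAuthenticationMethod.Read.All",
                        "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

foreach ($upn in $UserPrincipalName) {
    $uri = "https://graph.microsoft.com/beta/users/$upn/authentication/requirements"

    # Current per-user MFA state: 'disabled', 'enabled' or 'enforced'.
    $state = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).perUserMfaState
    Write-Host ("{0}: per-user MFA state = {1}" -f $upn, $state)

    if ($state -eq 'disabled') { continue }

    # Same action as 'Disable' on the per-user MFA page in the admin center.
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ perUserMfaState = 'disabled' } | Out-Null

    # Read back; a PATCH that returns without error is not proof the state changed.
    $after = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).perUserMfaState
    if ($after -ne 'disabled') { throw "$upn still has per-user MFA state '$after'." }
    Write-Host ("{0}: per-user MFA state now = {1}" -f $upn, $after)

    # Disabling per-user MFA only stops the prompt; the user's registered
    # methods stay on the account. List them so the change is documented.
    Get-MgUserAuthenticationMethod -UserId $upn |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
        ForEach-Object { Write-Host ("  registered method: {0}" -f $_) }
}

Disconnect-MgGraph | Out-Null
```

Usage: `.\Disable-PerUserMfa.ps1 -UserPrincipalName user1@contoso.example, user2@contoso.example` (the addresses are placeholders). Remember that per-user MFA is separate from Security Defaults and from Conditional Access; disabling it here does not remove an MFA requirement imposed by either of those.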
The following protocols are available:
- Outlook client — Includes Exchange Web Services, MAPI over HTTP, Offline Address Book and Outlook Anywhere protocols;
- Exchange ActiveSync (EAS) — Used by some email clients on mobile devices;
- Autodiscover — Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online;
- IMAP4 — Used by IMAP email clients;
- POP3 — Used by POP email clients;
- Authenticated SMTP — Used by POP and IMAP clients to send email messages;
- Exchange Online PowerShell — Used to connect to Exchange Online with remote PowerShell.
Now you will be able to authenticate with legacy email clients.
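The protocol checkboxes on the Modern authentication page correspond to an Exchange Online authentication policy, so the same change can be made with Exchange Online PowerShell. The following is an added example, not code from the original article: it assumes the ExchangeOnlineManagement module is installed and the account holds the Exchange Administrator role; the policy name is an example value. It creates a policy that allows only the requested Basic-authentication protocols, makes it the tenant default, and reads the flags back. Authenticated SMTP has an additional tenant-wide switch on the transport configuration, which the script handles separately.

```powershell
# Added example (not from the original article): allow selected legacy
# (Basic authentication) protocols in Exchange Online via an authentication
# policy. Assumes the ExchangeOnlineManagement module and the Exchange
# Administrator role. $PolicyName is an example value.
param(
    [string]$PolicyName = "Allow-Legacy-Mail-Protocols",
    # Any subset of the keys in $switchFor below.
    [string[]]$Protocols = @('Imap', 'Pop', 'Smtp')
)

# Map the admin-center checkboxes to Set-AuthenticationPolicy parameters.
$switchFor = @{
    Imap               = 'AllowBasicAuthImap'
    Pop                = 'AllowBasicAuthPop'
    Smtp               = 'AllowBasicAuthSmtp'
    ActiveSync         = 'AllowBasicAuthActiveSync'
    Autodiscover       = 'AllowBasicAuthAutodiscover'
    Mapi               = 'AllowBasicAuthMapi'            # Outlook client: MAPI over HTTP
    Rpc                = 'AllowBasicAuthRpc'             # Outlook client: Outlook Anywhere
    WebServices        = 'AllowBasicAuthWebServices'     # Outlook client: EWS
    OfflineAddressBook = 'AllowBasicAuthOfflineAddressBook'
    PowerShell         = 'AllowBasicAuthPowershell'      # Exchange Online remote PowerShell
}

Connect-ExchangeOnline -ShowBanner:$false

# Create the policy if it does not exist; a new policy blocks every
# Basic auth protocol until individual ones are allowed.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) { $policy = New-AuthenticationPolicy -Name $PolicyName }

# Enable only the requested protocols on it.
$params = @{ Identity = $PolicyName }
foreach ($p in $Protocols) {
    if (-not $switchFor.ContainsKey($p)) { throw "Unknown protocol '$p'." }
    $params[$switchFor[$p]] = $true
}
Set-AuthenticationPolicy @params

# Make it the tenant default; mailboxes without an explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Read back: only the requested AllowBasicAuth* flags should be True.
Get-AuthenticationPolicy -Identity $PolicyName | Select-Object Name, AllowBasicAuth*

# Authenticated SMTP is also gated by a tenant-wide transport setting.
if ($Protocols -contains 'Smtp') {
    Set-TransportConfig -SmtpClientAuthenticationDisabled $false
}
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Allow-LegacyMailProtocols.ps1 -Protocols Imap,Pop` to allow only the protocols you need rather than the full set. Two caveats for the check step: an authentication policy can take up to 24 hours to apply to existing sessions, and Microsoft has since retired Basic authentication for most of these protocols in Exchange Online, so a flag reading True does not by itself guarantee that a legacy client can sign in. Verify with the client, and re-run with a narrower protocol list once the legacy client is no longer needed.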
I want to automate this task using PowerShell. Can you provide some insights on how to make this happen using a script?
It helps me with routine work on my tasks.
Thank you very much.
Thanks for your comment, we will add this info in the next update cycle of the article.