Microsoft 365 Security Defaults Are Not Enough
Microsoft 365 Security Defaults are Microsoft's answer to "how do we make the baseline tenant less dangerous by default". Since 2019, every new tenant has had Security Defaults switched on unless the admin turned it off. That has prevented a lot of incidents that used to be routine.
Security Defaults are a good floor. They are not a ceiling, and for most businesses with client data, regulated obligations, or more than a handful of staff, they are genuinely not enough. Here is the honest breakdown.
What Security Defaults actually give you
Security Defaults are a preset bundle of controls. When enabled, they:
- Prompt every user to register for multi-factor authentication
- Require MFA when a sign-in looks suspicious (new device, unusual location)
- Require MFA every time for administrator accounts
- Block legacy authentication (basic-auth IMAP, POP and SMTP AUTH, and older Office clients that cannot do modern authentication). Before you rely on this, check the sign-in logs for anything still using those protocols, because a scanner or line-of-business app that depends on them will simply stop working.
- Require MFA to access the Azure portal, the Microsoft 365 admin centre, and administrative command-line interfaces
If your tenant has been sitting on Security Defaults since day one, you are already in better shape than a lot of businesses running custom-configured tenants without MFA. Give Microsoft credit for the floor.
What they do not give you
The problem with Security Defaults is that they are a single on-or-off switch. You cannot tune them. That design is intentional, because they are meant for businesses that do not have an IT team. But it means several things that matter for real businesses are simply absent:
- Conditional Access policies. No ability to say "block sign-ins from outside Australia", or "require a compliant device for email access", or "allow unmanaged devices read-only access but not downloads".
- MFA on every sign-in. Security Defaults only prompt for MFA when Microsoft decides it is necessary (a new device, a new app, a privileged task). If the attacker's sign-in looks clean (correct password, same country as the user, a browser that has been seen before), it may not prompt at all.
- Sign-in risk and user risk detection. The risk detections that power Entra ID Protection, and the policies that block or step up when a sign-in is flagged, need Entra ID P2 licensing. Security Defaults expose none of them.
- Mailbox audit logging tuned for incidents. Mailbox auditing records a default set of owner, delegate and admin actions, but Security Defaults do nothing to extend it, and some of the records you want most in a business email compromise investigation, such as which items the attacker actually read, have historically needed Audit (Premium) licensing.
- Data loss prevention. No controls over sensitive data leaving the tenant over email, SharePoint, or OneDrive.
- Sensitivity labels. No enforcement of who can read, print, or forward classified documents.
- Litigation hold and advanced retention. If legal asks you to preserve a user's mailbox during a dispute, you need Exchange Online Plan 2 or the Exchange Online Archiving add-on (Business Premium includes the latter), not the basic Exchange plan.
The gap matters the moment your business has something worth protecting: client records, financial data, intellectual property, or simply the reputation hit of a publicised breach.
Where Security Defaults are designed to stop
It helps to understand Microsoft's intent. Security Defaults are aimed at the small shop with five people and a shared login, or the sole trader who bought Microsoft 365 to get Outlook. For those users, Security Defaults are a real improvement.
For a business with ten to two hundred staff, regulated obligations, or clients who expect you to be secure, you need to move beyond Security Defaults to Conditional Access. That requires either Microsoft 365 Business Premium or Entra ID P1 licensing. For most SMBs, Business Premium is the better bundle because it also includes Intune for device management.
The cost is real but not dramatic. A twenty-person business moving from Business Standard to Business Premium is looking at roughly an extra twelve dollars per user per month. Against the cost of a single business email compromise, that maths is not hard.
Three things to do this week
Even without buying new licensing, there are three things every Microsoft 365 tenant should do, right now.
1. Enforce MFA for every user, not just "when risky"
In Entra ID, check the MFA registration status for every user. Make sure every account, including service accounts and break-glass accounts, has a method registered. For Business Premium or P1 tenants, build a Conditional Access policy that requires MFA on every sign-in, full stop. Two things to know before you do: Conditional Access and Security Defaults are mutually exclusive, so Security Defaults have to be turned off before the policy can be enforced (do that in the same sitting as enabling the policy, so the unprotected window is minutes, not days), and the break-glass account must be excluded from the policy so a mistake cannot lock you out of the tenant. Where you can, run the policy in report-only mode for a few days first and review the sign-in logs to see who it would have affected. Security Defaults' "only when necessary" behaviour is a bet you do not have to take.
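The policy described above, and the kind of tenant-wide Conditional Access policy the earlier list says Security Defaults cannot express, as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original post. It assumes a tenant with Entra ID P1 (Business Premium) and a break-glass account named breakglass@contoso.example; the account name and the policy display name are placeholders.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and Entra ID P1, which Business Premium includes.
# Assumption: the break-glass account is breakglass@contoso.example; substitute your own.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All", "AuditLog.Read.All"

$breakGlassUpn = "breakglass@contoso.example"        # assumed placeholder
$breakGlass    = Get-MgUser -UserId $breakGlassUpn   # fails early if the account does not exist

# $true  = enforce immediately (the only option if the tenant is still on Security Defaults).
# $false = create in report-only mode first; only possible once Security Defaults are already off.
$enforce = $true
$state   = if ($enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }

# Conditional Access and Security Defaults cannot both be active. Turn Defaults off and create the
# enforced policy in the same sitting so the gap between the two is minutes, not days.
if ($enforce) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}

# Every user, every cloud app, any client type -> MFA required. Break-glass excluded by object ID.
$policy = @{
    displayName   = "CA001 - Require MFA for all users"   # assumed naming convention
    state         = $state
    conditions    = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)   # never let a CA policy lock out the break-glass account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) with state '$($created.State)'"

# Review what the policy did (or, in report-only mode, would have done) against recent sign-ins.
# Result values: success/failure when enforced; reportOnlySuccess/reportOnlyFailure when report-only.
Get-MgAuditLogSignIn -Top 1000 |
    ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $created.Id }
        if ($hit) {
            [pscustomobject]@{ User = $_.UserPrincipalName; App = $_.AppDisplayName; Result = $hit.Result }
        }
    } |
    Group-Object Result |
    Select-Object Name, Count

# Once a report-only policy has been reviewed, flip it to enforced:
if (-not $enforce) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
}
```

The exclusion is by object ID rather than UPN because a renamed break-glass account must stay excluded; check the exclusion is still correct whenever that account changes. The sign-in log query is the check that tells you whether the policy is actually firing for real users, which is the question the "only when necessary" behaviour of Security Defaults never lets you answer.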
2. Turn on unified audit logging
Unified audit logging is on by default in newer tenants, but some older tenants still have it off. Go to the Microsoft Purview portal, Audit section, and confirm it is enabled (or check UnifiedAuditLogIngestionEnabled from Exchange Online PowerShell). Audit (Standard) now keeps 180 days by default (it was 90 days until late 2023); keeping a year or more needs Audit (Premium) licensing or the audit log retention add-on. Nothing is backfilled: if it was off, the period before you enabled it is gone. The day you need audit logs is the day you wish you had turned this on twelve months ago.
3. Review who has Global Administrator
Pull the list of Global Administrators in Entra ID. A lean tenant has two or three: one or two break-glass accounts (Microsoft recommends two) with long passwords stored offline and strong MFA, used only in emergencies and excluded from Conditional Access policies so a bad policy cannot lock you out, plus one primary admin account for your IT team or provider. Microsoft's own guidance is fewer than five in total. If you have more, find out why, and remove the ones that do not need it; day-to-day admins should hold a narrower role such as Exchange Administrator or User Administrator instead. Every extra Global Admin is extra blast radius if an account is compromised.
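A read-only check for all three items above, as an added example that is not from the original post. It uses the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module, changes nothing in the tenant, and assumes only that you can sign in with an account that can read reports, audit configuration and directory roles.

```powershell
# Added example, not from the original post. Read-only: reports on MFA registration, unified audit
# logging and Global Administrator membership without changing anything.
# Modules: Install-Module Microsoft.Graph, ExchangeOnlineManagement

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# 1. Accounts with no MFA method registered. Service and shared accounts show up here too, which is the point.
$reg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($reg | Where-Object { -not $_.IsMfaRegistered })
"{0} of {1} users have no MFA method registered" -f $noMfa.Count, @($reg).Count
$noMfa |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# 2. Unified audit log ingestion. Nothing before the enable date is ever backfilled.
$audit = Get-AdminAuditLogConfig
if ($audit.UnifiedAuditLogIngestionEnabled) {
    "Unified audit log: ON"
} else {
    Write-Warning 'Unified audit log is OFF. Enable with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# 3. Global Administrator membership. 62e90394-69f5-4237-9190-012177145e10 is the well-known role
#    template ID for Global Administrator, which is more reliable than matching on the display name.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole       = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members      = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
"{0} active Global Administrator assignments (Microsoft's guidance: fewer than five)" -f $members.Count
$members | ForEach-Object {
    # Members are returned as generic directory objects; the UPN lives in AdditionalProperties.
    [pscustomobject]@{
        Type = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        Name = $_.AdditionalProperties['displayName']
        Upn  = $_.AdditionalProperties['userPrincipalName']
    }
} | Format-Table -AutoSize

# Cross-check: an active Global Admin with no MFA registered is the first thing to fix.
$gaUpns = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } | Where-Object { $_ }
$noMfa | Where-Object { $gaUpns -contains $_.UserPrincipalName } |
    ForEach-Object { Write-Warning "Global Administrator without MFA registered: $($_.UserPrincipalName)" }

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

This lists active assignments only; if you use Privileged Identity Management, eligible Global Admin assignments do not appear in the directory role membership and need to be reviewed separately in the PIM blade. The final cross-check is the one to act on first: a Global Administrator with nothing registered is exactly the account a password-spray campaign is looking for.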
The honest summary
Security Defaults are not bad. They are the minimum, and for a very small business that is often enough. For everyone else, they are a starting point, not a destination. The controls that separate a routine security posture from a serious one — Conditional Access, device compliance, sign-in risk, DLP, sensitivity labels — are not included in Defaults by design.
If you are not sure what your tenant is running, or whether you are getting value out of the licensing you already pay for, our free IT health check includes a Microsoft 365 configuration review. We will tell you what is on, what is off, and what is worth changing.