Most small businesses use Microsoft 365 but never enable Security Defaults, leaving accounts vulnerable to password attacks. Here is why this single setting matters.
What Are Security Defaults and Why They Matter
Security Defaults is a feature in Microsoft 365 that automatically enables multi-factor authentication for all users, blocks legacy authentication protocols, and applies password policies. When enabled, Security Defaults immediately protects your organization from the most common attack vectors: password spraying, leaked credential reuse, and phishing attacks that compromise passwords.
The problem is that Security Defaults is not turned on by default. Microsoft leaves the decision to each organization, and many small businesses do not even know the feature exists.
How to Enable Security Defaults
Go to the Microsoft Entra admin center (entra.microsoft.com), navigate to Properties, and look for the "Manage security defaults" option. Once you enable it, Microsoft 365 immediately requires MFA for all users and blocks sign-ins from older email clients that do not support modern authentication.
Your users will be prompted to set up an authenticator app on their phone the next time they sign in. This takes about 2 minutes per person.
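The same check and change can be scripted so you can verify the setting across tenants instead of clicking through the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in with an account holding a Global Administrator role.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumes the signed-in account is a Global Administrator.

# Connect with only the scopes needed to read and update the policy.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

function Test-SecurityDefaults {
    # Returns $true when Security Defaults is currently enforced in the tenant.
    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    return [bool]$policy.IsEnabled
}

$enabled = Test-SecurityDefaults
Write-Host "Security Defaults enabled: $enabled"

if (-not $enabled) {
    try {
        # Turn Security Defaults on; MFA registration is required at next sign-in.
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        # Re-read the policy rather than trusting the update call succeeded silently.
        $enabled = Test-SecurityDefaults
        Write-Host "Security Defaults now enabled: $enabled"
    }
    catch {
        # Graph rejects the change when the tenant is not eligible; surface the reason.
        Write-Warning "Could not enable Security Defaults: $($_.Exception.Message)"
    }
}

Disconnect-MgGraph | Out-Null
```

Run it with the account you use for tenant administration; the second read confirms the policy actually flipped before you tell users to expect the MFA prompt.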
Beyond Security Defaults
Security Defaults is a solid foundation, not a complete security program. After enabling it, configure Conditional Access policies that require MFA specifically for users in sensitive roles and flag suspicious sign-ins from unusual locations. Set up audit logging so you can track who accessed what in your organization.
Most importantly, pair Security Defaults with user training. Even with MFA enabled, phishing attacks that trick users into entering their credentials into fake websites still work. A quick session on recognizing phishing emails prevents far more breaches than any technical control alone.