Security Defaults and MFA

Copper Contributor

I have three 365 E3 accounts and a couple accounts without licenses.  Today I enabled Security Defaults.  I previously had MFA enabled on all accounts.  I think this is legacy MFA.  Now with Security Defaults enabled, do I need to change anything with MFA?  Do I need to do it through Azure Free? 


Also, under Azure Active Directory / Properties, I see this at the bottom:


Access management for Azure resources
My Name (email address) can manage access to all Azure subscriptions and management groups in this tenant. 


It is set to No.  Should I set this to yes?




3 Replies


One of the aims of security default was easy basic security enablement with much IT involvement, you just need to check one check box to enable but please read it carefully for any protection impact to users:


Thanks. I read through that. I went ahead and enabled security defaults since on 2/1/23 I had a Microsoft Azure popup that it would be automatically enabled in 13 days. I believe I also read one of the admin alerts that said that would be coming.

I thought where I administer MFA would change.


I also thought a couple months ago it noted I had to disable MFA in the legacy admin (under Users / Active Users / MFA at the top) before I control under Azure with Secuirty Defaults, but I cannot find that reference so I might be mistaken


In the article it notes the below. 

Disabled MFA status
If your organization is a previous user of per-user based Azure AD Multi-Factor Authentication, don't be alarmed to not see users in an Enabled or Enforced status if you look at the Multi-Factor Auth status page. Disabled is the appropriate status for users who are using security defaults or Conditional Access based Azure AD Multi-Factor Authentication.



Mine Still shows Enforced under Users / Active Users / MFA at the top.

Hi all,

Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.

If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.

It is recommended to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.