What are security defaults?
Security defaults are a set of basic security measures designed to protect users in your Microsoft 365 organization from common threats like phishing and identity attacks. They include requiring multi-factor authentication (MFA) and blocking legacy authentication protocols.
Using security defaults reduces the risk of security breaches and data loss. If your business doesn’t have dedicated security staff or resources, security defaults can give you a solid security baseline without requiring a lot of configuration or management.
Make sure all users sign up for multi-factor authentication
Once you’ve turned on security defaults, your users have 14 days to register an MFA method. After 14 days, they won’t be able to sign in without an MFA method. Each user's 14-day period starts after their first successful interactive sign-in once security defaults are turned on.
During sign-in, users will be asked to use MFA.
Stop the use of legacy authentication protocols
Outdated or legacy authentication refers to requests made by clients that don't use modern authentication (like an Office 2010 client) or those using old mail protocols such as IMAP, SMTP or POP3. You might use these protocols for setting up your email with a specific client or on a multi-function device like a scanner or printer.
However, most fraudulent sign-ins happen through legacy authentication, which doesn't support multi-factor authentication. Activating security defaults blocks all authentication requests from older protocols.
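Before turning on security defaults, it helps to know which accounts (including scanners and printers) still sign in over legacy protocols, and when each user's 14-day MFA registration window would end. The following is an added example, not code from this article or from Microsoft. It assumes sign-in records exported with the Microsoft Graph sign-in field names (userPrincipalName, clientAppUsed, createdDateTime, isInteractive, status.errorCode), uses constructed sample data, and treats every client type other than the two listed as modern as legacy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these clientAppUsed values mean modern authentication; every
# other value (IMAP4, POP3, Authenticated SMTP, ...) is counted as legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
MFA_GRACE = timedelta(days=14)  # registration window described on this page

def _rec(upn, app, when, interactive, error_code=0):
    return {"userPrincipalName": upn, "clientAppUsed": app, "createdDateTime": when,
            "isInteractive": interactive, "status": {"errorCode": error_code}}

# Constructed sample data shaped like an exported sign-in log (not real users).
SAMPLE = [
    _rec("scanner@example.com", "Authenticated SMTP", "2024-03-01T08:00:00Z", False),
    _rec("alice@example.com", "IMAP4", "2024-03-02T09:00:00Z", False),
    _rec("alice@example.com", "Browser", "2024-03-11T10:30:00Z", True),
    _rec("bob@example.com", "Browser", "2024-03-12T07:00:00Z", True, 50126),  # failed
    _rec("bob@example.com", "Mobile Apps and Desktop clients", "2024-03-13T07:00:00Z", True),
    _rec("alice@example.com", "Browser", "2024-03-15T12:00:00Z", True),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def legacy_auth_usage(records):
    """Map each account to the legacy client types it signed in with."""
    usage = defaultdict(set)
    for r in records:
        if r["clientAppUsed"] not in MODERN_CLIENTS:
            usage[r["userPrincipalName"]].add(r["clientAppUsed"])
    return dict(usage)

def mfa_deadlines(records, activated_at):
    """First successful interactive sign-in after activation, plus 14 days."""
    first = {}
    for r in records:
        when = parse_ts(r["createdDateTime"])
        ok = r["isInteractive"] and r["status"]["errorCode"] == 0
        if ok and when >= activated_at:
            upn = r["userPrincipalName"]
            first[upn] = min(first.get(upn, when), when)
    return {upn: start + MFA_GRACE for upn, start in first.items()}

if __name__ == "__main__":
    activated = parse_ts("2024-03-10T00:00:00Z")  # constructed activation time
    for upn, apps in legacy_auth_usage(SAMPLE).items():
        print("legacy auth:", upn, sorted(apps))
    for upn, due in mfa_deadlines(SAMPLE, activated).items():
        print("MFA registration due:", upn, due.isoformat())
```

Accounts reported by `legacy_auth_usage` are the ones whose mail clients or devices will stop authenticating once security defaults block legacy protocols.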
Verify that MFA status is disabled
If your organization previously used per-user MFA, don't worry if you see users in a Disabled status on the multi-factor authentication page. Disabled is the correct status for users who are covered by security defaults or Conditional Access-based multi-factor authentication.
Get your users ready for security defaults
We recommend letting your users know about the upcoming changes, MFA registration requirements and necessary actions. You can use Microsoft’s free email communication templates, and send them our article on setting up MFA and a link to the Security info page where they can register an MFA method.
More info
- If you disable security defaults, you can still enable MFA for users.
- We recommend also securing your GoDaddy account with 2-step verification.