Entra Security Defaults Not Enabled

MEDIUM
Note: This indicator is in Early Access.

Description

Microsoft Entra ID Security Defaults provide easy-to-enable, Microsoft-recommended protections against common identity-related threats.

Security Defaults are enabled automatically in post-October 2019 tenants, but require manual activation in older ones. They are available in all Microsoft Entra ID tiers, including the free tier, unlike Conditional Access policies.

If any Conditional Access policy is active in your tenant (i.e., in the "On" state), this indicator of exposure (IoE) neither evaluates Security Defaults nor generates findings. It assumes that you manage security yourself through custom Conditional Access policies, which can provide similar protections. Note that Security Defaults can't be enabled alongside active Conditional Access policies. Other IoEs specifically address Conditional Access policies.
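The evaluation order described above can be reproduced against your own tenant's Microsoft Graph output. The following is an added example, not Tenable's implementation: the `evaluate` function, the status strings and the sample responses are constructed for illustration, and it assumes that the "On" state corresponds to `state == "enabled"` in Graph, so report-only and disabled policies do not suppress the finding.

```python
# Inputs mirror two Microsoft Graph (v1.0) responses:
#   GET /policies/identitySecurityDefaultsEnforcementPolicy  -> {"isEnabled": bool, ...}
#   GET /identity/conditionalAccess/policies                 -> {"value": [{"state": ...}, ...]}
# All sample data below is constructed, not taken from a real tenant.

SD_OFF = {"displayName": "Security Defaults", "isEnabled": False}
SD_ON = {"displayName": "Security Defaults", "isEnabled": True}

CA_REPORT_ONLY = {"value": [
    {"displayName": "Require MFA (pilot)", "state": "enabledForReportingButNotEnforced"},
    {"displayName": "Legacy block rule", "state": "disabled"},
]}
CA_ENFORCED = {"value": [
    {"displayName": "Require MFA for admins", "state": "enabled"},
    {"displayName": "Require MFA (pilot)", "state": "enabledForReportingButNotEnforced"},
]}


def evaluate(security_defaults, ca_policies):
    """Return (status, detail) following the indicator's evaluation order."""
    # Step 1: any Conditional Access policy in the "On" state means the
    # tenant is assumed to be self-managed, so Security Defaults is not checked.
    active = [
        p.get("displayName", "<unnamed>")
        for p in ca_policies.get("value", [])
        if p.get("state") == "enabled"  # assumption: report-only is not "On"
    ]
    if active:
        return ("NOT_EVALUATED", "active Conditional Access: " + ", ".join(active))

    # Step 2: no enforced policy, so the tenant relies on Security Defaults.
    # A missing or non-boolean isEnabled is treated as "not enabled".
    if security_defaults.get("isEnabled") is True:
        return ("PASS", "Security Defaults enabled")
    return ("FINDING", "Security Defaults not enabled and no active Conditional Access policy")


if __name__ == "__main__":
    for sd, ca in [(SD_OFF, CA_REPORT_ONLY), (SD_OFF, CA_ENFORCED), (SD_ON, CA_REPORT_ONLY)]:
        print(evaluate(sd, ca))
```

The first case is the one to watch for: a tenant whose only Conditional Access policies are report-only or disabled has no enforced protection and still produces a finding.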

Solution

Tenable advises activating Security Defaults in your tenant after reviewing the security policies they enforce and the deployment considerations. These defaults are available across all Microsoft Entra ID license tiers, including the free version.

For greater flexibility, consider transitioning to Conditional Access policies. However, note that these require Microsoft Entra ID P1 or P2 licenses.

Indicator Details

Name: Entra Security Defaults Not Enabled

Codename: ENTRA-SECURITY-DEFAULTS-NOT-ENABLED

Severity: Medium

MITRE ATT&CK Information: