Summary
Security defaults in Microsoft Entra ID can automatically require multi-factor authentication (MFA) for users and administrators. If you need to stop the tenant from enforcing MFA via security defaults, you can disable security defaults in the Entra admin center.
Important security note
• Disabling security defaults lowers your security posture. If possible, replace them with Conditional Access policies (requires Microsoft Entra ID P1 or higher) that meet Microsoft baseline recommendations.
• Some Microsoft-enforced MFA requirements may still apply in certain scenarios (for example, for admin portals or specific tenant types). If you cannot disable security defaults, this may be due to Microsoft-enforced tenant-level requirements or licensing restrictions.
Prerequisites
• A Global Administrator account (recommended) or another role permitted to manage tenant security settings.
• Access to the Microsoft Entra admin center.
• Plan a replacement approach (Conditional Access or per-user MFA) before turning security defaults off, to avoid leaving the tenant unprotected.
Step-by-step: Disable security defaults
1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com) using a Global Administrator account.
2. In the left navigation, go to Identity.
3. Select Overview.
4. Select Properties.
5. Scroll to the bottom of the Properties page and select Manage security defaults.
6. Set Enable security defaults to Disabled.
7. Choose a reason for disabling security defaults (or enter a custom reason if prompted).
8. Select Save.
Verify security defaults are disabled
• Return to Identity - Overview - Properties and confirm the security defaults status indicates they are disabled.
• Test sign-in with a non-admin user account to confirm whether MFA prompts have stopped (note: MFA can still be required by Conditional Access policies, per-user MFA, or Microsoft-enforced requirements).
If users are still being prompted for MFA
MFA prompts can be caused by more than security defaults. If prompts continue after disabling security defaults, check the following:
• Conditional Access policies: Entra admin center - Protection - Conditional Access - Policies (look for policies that require MFA).
• Per-user MFA (legacy): Entra admin center - Users - All users - Multi-factor authentication (or the per-user MFA portal) and confirm the user is not set to Enabled or Enforced.
• Registration campaigns or authentication methods policies that require registration.
• Microsoft-enforced MFA requirements for admin portals or certain tenant programs (these may not be bypassable).
Recommended next steps
• If you have Entra ID P1 or higher, create baseline Conditional Access policies that match the security defaults protections (MFA for admins, MFA for users, block legacy authentication).
• Document the business reason for disabling security defaults and obtain approval, since this is a high-risk change.
• Ensure at least two emergency access (break-glass) accounts exist and are protected appropriately.
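A gap check for the first recommendation above, as an added example (not part of the original article and not Microsoft tooling): it reads the security defaults policy and the Conditional Access policy list in the JSON shape Microsoft Graph returns, and reports which of the three security defaults protections no enforced policy covers. The sample data, the policy names and the `<role-template-id>` placeholder are constructed; exclusions, target applications and other narrowing conditions are not evaluated.

```python
import json

# Constructed sample data shaped like Microsoft Graph responses from
#   GET /policies/identitySecurityDefaultsEnforcementPolicy
#   GET /identity/conditionalAccess/policies
SECURITY_DEFAULTS = json.loads('{"isEnabled": false}')
CA_POLICIES = json.loads("""[
 {"displayName": "Require MFA for admins", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeRoles": ["<role-template-id>"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                 "clientAppTypes": ["all"]},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"builtInControls": ["block"]}}
]""")
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph client app types for legacy auth

def baseline_coverage(policies):
    """Map each security defaults protection to the enforced policies covering it."""
    cover = {"mfa_admins": [], "mfa_all_users": [], "block_legacy_auth": []}
    for p in policies:
        if p.get("state") != "enabled":  # report-only and disabled policies enforce nothing
            continue
        users = p.get("conditions", {}).get("users", {})
        clients = set(p.get("conditions", {}).get("clientAppTypes") or [])
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        all_users = "All" in (users.get("includeUsers") or [])
        if "mfa" in controls and (all_users or users.get("includeRoles")):
            cover["mfa_admins"].append(p["displayName"])
        if "mfa" in controls and all_users:
            cover["mfa_all_users"].append(p["displayName"])
        if "block" in controls and all_users and LEGACY_CLIENTS <= clients:
            cover["block_legacy_auth"].append(p["displayName"])
    return cover

def gaps(security_defaults, policies):
    """Return the protections nothing enforces; empty while security defaults are on."""
    if security_defaults.get("isEnabled"):
        return []
    return sorted(k for k, v in baseline_coverage(policies).items() if not v)

if __name__ == "__main__":
    print("Unenforced protections:", gaps(SECURITY_DEFAULTS, CA_POLICIES) or "none")
```

With the constructed data the report-only policy is ignored, so user MFA is reported as a gap. Treat the result as a first pass: a policy that relies on an authentication strength instead of the built-in `mfa` control is not recognised by this check.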
References
• Microsoft Learn - Configure security defaults for Microsoft Entra ID: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
• Microsoft Learn - Set up multifactor authentication for Microsoft 365 (includes "Turn off security defaults"): https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
• Microsoft Learn - Planning for mandatory multifactor authentication (Entra): https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication