Azure Conditional Access - Disable Security Defaults

I've had a few questions from people whom are trying to create conditional access policies - but are unable to due to the error message "It looks like you're about to manage your organization's security configurations. That's great! You must first disable Security defaults before enabling a Conditional Access policy."

Security Defaults

When this is switched on this makes it easier to manage security as soon as you create your tenant. It provides a decent base-level of security such as

  • Require all users + admins to register for MFA
  • Block legacy authentication protocols
  • Protect privileged activities like access to the Azure portal

This is generally if you don't know where to start or if you are using AAD free-tier then this is a useful default.

When security in your tenant begins to evolve, which it probably is if you're here and trying to create your first conditional access policy then you'll certainly need to switch off security defaults in order to progress with custom security.

Read more here...

Azure Active Directory security defaults
Security default policies that help protect organizations from common attacks in Azure AD

Conditional policy

Attempting to create a conditional access policy

The error...

Presented with this error message and unable to save it

How to switch off security defaults

It's a simple change, but I only recommend this if you are ready to create custom security policies and want to further evolve your security ecosystem. If you switch this off and do not engineer your security then this would be a bad move.

Simply head to AAD > Properties

You'll notice "Manage Security defaults" discretely at the bottom of the page. Click on this and you'll see a right fly-in window with a Yes or No toggle. Flick this off.

No more error message and now free to create custom conditional access policies!