Protection coverage
Inventory MFA registration, administrator MFA, user MFA, legacy authentication, device code flow, Azure management access, authentication methods, guests, and synchronization identities.
Microsoft Entra access-control architecture
Choose the Microsoft Entra identity protection model that your organization can license, operate, test, monitor, and recover—then prove that every Security Defaults protection is preserved before a Conditional Access cutover.

Decision principle
Security Defaults and Conditional Access address the same identity threat landscape at different levels of maturity. Security Defaults is an on-or-off baseline available without premium Entra licensing. Conditional Access is a policy engine that requires at least Microsoft Entra ID P1 for users in scope and P2 for risk-based conditions. Microsoft does not design the models to be combined; a Conditional Access transition must reproduce the baseline before adding exceptions or advanced controls.
Inventory MFA registration, administrator MFA, user MFA, legacy authentication, device code flow, Azure management access, authentication methods, guests, and synchronization identities.
Document app-specific rules, remote and BYOD use, device compliance, locations, sign-in risk, administrator protection, guest trust, workload identities, sessions, exceptions, and resilience.
Confirm licensing, named owners, emergency accounts, report-only analysis, pilot users, help-desk readiness, monitoring, change control, policy limits, evidence retention, and rollback drills.
Non-negotiable: do not disable Security Defaults and leave the tenant between protection models. Prepare, test, approve, and schedule the equivalent Conditional Access foundation so enforcement begins immediately after the Security Defaults setting is turned off.
Side-by-side decision
| Decision area | Security Defaults | Conditional Access | Evidence required |
|---|---|---|---|
| Licensing | Available without extra Microsoft Entra ID P1/P2 cost. | At least Entra ID P1 for Conditional Access; P2 for user-risk and sign-in-risk conditions through Identity Protection. | Subscribed SKUs, service-plan state, benefit eligibility, user population, guest treatment, trial status, renewal owner, and license-assignment proof. |
| Customization | One tenant-wide setting. No custom users, apps, locations, devices, grant controls, sessions, or exclusions. | Granular assignments, target resources, conditions, grant controls, authentication strengths, session controls, report-only, and workload identity policies. | Approved requirements, architecture, policy register, inclusion/exclusion owners, data sources, naming standard, review cadence, and residual risk. |
| MFA behavior | All users register; administrators perform MFA every sign-in; users perform MFA when Microsoft determines it is necessary. | Administrators choose who, which resource, which condition, which authentication strength, and which session behavior triggers enforcement. | Registration readiness, method usability, authentication strength, admin roles, guests, real sign-ins, failures, and support results. |
| Legacy authentication | Blocks older protocols tenant-wide, including Exchange ActiveSync basic authentication. | Dedicated policy can block legacy clients with explicit scope and logging, while approved technical remediation is tracked. | Sign-in logs by client app, application/device owner, SMTP/POP/IMAP dependencies, modern-auth remediation, exception expiry, and test evidence. |
| Device code flow | Blocked as part of Security Defaults for new tenants beginning July 1, 2026; no exception path. | Can be blocked or narrowly controlled through policy after application and device dependencies are understood. | Device-code sign-ins, affected applications, business justification, alternative flow, owner, scope, pilot, and monitoring. |
| Azure management | Requires MFA for all users accessing Azure Resource Manager surfaces such as the portal, CLI, or PowerShell. | Dedicated policy can require a selected authentication strength and additional conditions for Azure management. | Target-resource scope, roles and users, emergency exclusions, test clients, authentication method, sign-in results, and privileged workstation strategy. |
| Exceptions | No user-configurable exclusions. Synchronization accounts in the Directory Synchronization Accounts role receive documented product handling. | Exclusions are possible but become a governed bypass that must have an owner, justification, compensating controls, expiry, monitoring, and review. | Exception register, object IDs, approval, reason, control gap, expiration, alerting, usage, renewal decision, and closure evidence. |
| Testing and rollback | No report-only mode or pilot scope; the setting is enabled or disabled for the tenant. | Report-only, policy impact, What If, pilot groups, sign-in logs, templates, soft-delete recovery, and per-policy disable/exclusion support safer change. | Before exports, report-only results, pilot acceptance, cutover plan, disable order, emergency access proof, rollback steps, and post-change evidence. |
Model fit
Security Defaults baseline
The replacement is complete only when each built-in protection has an enforcing Conditional Access or operational control with tested scope. A policy name or template alone is not proof. Validate the actual users, target resources, client types, authentication methods, exclusions, and sign-in results.
All users must register. Security Defaults currently removes the former 14-day user registration grace period. Prepare users, registration methods, support, and token revocation decisions.
Covered administrator roles perform MFA every sign-in. A Conditional Access replacement should address all privileged roles and consider phishing-resistant methods, PIM, and dedicated admin accounts.
Security Defaults prompts users when Microsoft determines MFA is necessary. Conditional Access must deliberately define the target population, resources, grant control or strength, and session behavior.
Older clients and protocols that cannot perform MFA are blocked. Confirm no replacement policy leaves POP, IMAP, SMTP AUTH, ActiveSync basic authentication, or old Office clients exposed.
Security Defaults blocks device code flow for new tenants from July 1, 2026. If the tenant needs an exception, inventory exact apps and use narrow Conditional Access scope with monitoring.
All users accessing Azure Resource Manager services perform MFA. The replacement must cover portal, PowerShell, CLI, and API audiences without excluding critical resource paths.
Method warning: Microsoft cautions against disabling organization methods while Security Defaults is in use because it can cause lockout. Preserve supported Authenticator notification and OATH TOTP registration behavior until the method architecture and recovery paths are deliberately migrated.
Ten-stage transition runbook
Record business requirements, license position, decision owner, Conditional Access Administrator access, change window, acceptance thresholds, monitoring, help-desk lead, emergency authority, evidence retention, and rollback approval.
Export Security Defaults state, users, roles, licenses, authentication methods, MFA registration, sign-in logs, legacy clients, device-code activity, Azure management usage, guests, sync accounts, service accounts, and current Conditional Access objects.
Maintain at least two cloud-only emergency Global Administrator accounts using resilient phishing-resistant methods. Test access, monitoring, authorized custody, network independence, and recovery before any policy changes.
Map every member, guest, and administrator in scope to the required Entra service plan. Separate P1 controls from P2 risk features, document trial or bundled entitlement, and assign renewal ownership.
Create a minimal policy set for legacy authentication, security-information registration, privileged access, user/guest MFA, Azure management, and device code flow. Name, document, and assign an owner to every policy and exclusion.
Use templates or custom policies in report-only, review real sign-ins, What If, policy impact, audiences, authentication methods, clients, locations, devices, failures, and exclusions. Microsoft’s current planning guidance recommends at least one week of report-only observation per policy.
Start with owned test groups, not all users. Test standard, privileged, guest, remote, mobile, unmanaged, managed, legacy client, device code, Azure CLI/PowerShell, new-device, registration, recovery, and emergency scenarios.
Capture a last baseline, confirm the support bridge, disable Security Defaults, and immediately enable the approved equivalent Conditional Access foundation in the documented order. Watch sign-ins, registration, help-desk volume, and emergency alerts.
Advance cohorts only after acceptance gates pass. Add device, app protection, authentication strength, location, risk, token, session, guest, and workload-identity controls as separate governed improvements—not as untested cutover scope.
Preserve final policies, states, object IDs, exclusions, licenses, reports, sign-ins, audit events, incidents, rollback tests, exception register, residual risk, owners, review schedule, and executive acceptance.
Common decision and deployment failures
Conditional Access flexibility increases both control and configuration risk. Treat these patterns as blocking defects before enforcement.
The tenant loses baseline coverage while replacement policies remain report-only, disabled, incomplete, or incorrectly scoped.
Policies are designed around P1 or P2 features without proving entitlement for every user who benefits from or is subject to the control.
Combining unrelated conditions and controls creates opaque outcomes, difficult troubleshooting, broad blast radius, and unsafe rollback.
An overbroad block can lock out the organization. Microsoft specifically warns against dangerous “all” combinations without tested exclusions and impact analysis.
Excluded accounts that depend on federation, personal phones, expired credentials, one network, or unmonitored custody do not provide reliable recovery.
Every exclusion is a bypass. Without owner, business need, compensating control, alert, expiration, and review, exceptions become permanent attack paths.
Users may correctly show Disabled in the legacy per-user MFA page while Security Defaults or Conditional Access enforces MFA. Validate sign-ins, not that legacy status alone.
User-scoped Conditional Access does not control service-principal calls. Replace embedded credentials and use workload-identity controls where licensed and appropriate.
Unnamed owners, duplicate rules, stale exceptions, uncontrolled templates, and no review cadence consume the 240-policy tenant limit and create conflict.
Evidence and operating measures
A mature report connects requirements to policy objects and real sign-in outcomes. Define the population, timeframe, data latency, denominator, exclusions, and expected result for every metric.
Minimum closeout: decision record, license proof, before/after exports and hashes, Security Defaults equivalence matrix, policy registry, object IDs, states, assignments, exclusions, report-only and pilot results, sign-in/audit evidence, emergency test, communications, incidents, rollback proof, residual risk, owners, and next review date.
Related ecosystem guides
Authoritative Microsoft references
Frequently asked questions
Microsoft does not intend the two models to be combined. Conditional Access policies provide a customizable replacement for the baseline. Prepare equivalent policies, test them, and coordinate the cutover so the tenant is never left without enforcement.
Conditional Access requires at least Microsoft Entra ID P1 for users in scope. P2 is required for Identity Protection user-risk and sign-in-risk conditions. Verify actual service-plan entitlement for all users who benefit from or are subject to a policy.
No. The better question is whether the organization accepts a universal, noncustomizable baseline and lacks requirements for app, device, location, risk, session, exception, or workload-identity controls. Requirements and operating capability matter more than headcount alone.
No. Report-only policies do not enforce access. Complete coverage analysis and pilot testing first, then use a coordinated cutover that disables Security Defaults and immediately enables the approved equivalent Conditional Access foundation.
Disabled is the expected per-user MFA state when MFA is enforced through Security Defaults or Conditional Access. Use effective policy, registration data, and sign-in details to prove enforcement rather than relying on the legacy per-user status.
Use a validated emergency access account to disable the affected policy or apply a narrowly approved temporary exclusion, then confirm sign-in recovery and preserve the incident evidence. Maintain exact before-state exports, policy IDs, operator authority, communications, and re-enablement criteria.
IT Perfection Microsoft 365 identity support
IT Perfection helps organizations in Irvine, Orange County, Los Angeles County, and Southern California assess licensing, map Security Defaults coverage, design Conditional Access, validate emergency recovery, test in report-only and pilot scope, execute coordinated cutover, and establish ongoing identity-control governance.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.
This guide is for initial planning and operational guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. Validate current licensing, tenant behavior, Microsoft documentation, user requirements, and tested rollback procedures before implementation.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.