How to Modify Security Defaults with Microsoft Graph PowerShell

PowerShell allows us to quickly and effectively make changes to the configuration of our Microsoft Entra Tenant. We can also use PowerShell to ensure that when new Tenants are created or onboarded they keep to a common standard set by the organisation. 

Security Defaults is one of the most important settings for any tenant admin to check: ensure it is enabled and, if it is not, ensure that Conditional Access policies are implementing the same protection instead.

In this tutorial, I am going to show you how to enable and disable Security Defaults in your tenant using Microsoft Graph PowerShell.

View the current Security Defaults setting

To view how your current Security Defaults setting is configured using Microsoft Graph PowerShell you can utilise the Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy cmdlet. While this command retrieves a lot of information, use the following example to view the IsEnabled attribute which will tell you if Security Defaults is enforced or not.

Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select DisplayName, IsEnabled

Your output will look like the following:

DisplayName       IsEnabled
-----------       ---------
Security Defaults     False

To determine if Security Defaults is enabled or disabled in your tenant, review the following list:

  • IsEnabled = False: Security Defaults is disabled.
  • IsEnabled = True: Security Defaults is enabled.

Modify Security Defaults using Microsoft Graph PowerShell

In many cases, you may need to disable Security Defaults in favour of more granular controls using Conditional Access, which is the only reason you should ever disable Security Defaults. 

To modify this setting with Microsoft Graph PowerShell, use the corresponding update cmdlet, Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy.

Start by connecting to Graph with the minimal required permissions ‘Policy.ReadWrite.SecurityDefaults’.

Connect-MgGraph -Scopes Policy.ReadWrite.SecurityDefaults

Once you are connected, run the following commands to enable or disable Security Defaults.

# Set isEnabled to $true to enable Security Defaults, or $false to disable them
$body = @{
	isEnabled = $true
}

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $body


As the Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy command is quite specific, there is a chance you may come across an error when trying to run it. You may also notice that although the -IsEnabled parameter is present and configured to accept a Boolean True/False value, it still fails when you try to run it.

You can view the IsEnabled attribute by running the following command:

(Get-Command "Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy").Definition

Your result will include the following paragraph of text relating to this parameter:

# If set to true, Azure Active Directory security defaults are enabled for the tenant.

However, when you try to run the following command to enable Security Defaults, you are met with these errors:

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy : A positional parameter cannot be found that accepts argument ‘True’.

Instead, by removing the $true value from the command, Security Defaults are successfully enabled.

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled

If you are enabling Security Defaults, you must also ensure that you do not have any Conditional Access policies configured in Microsoft Entra; if you do, the command will fail with the following error:

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy : Conditional access policies are enabled. Please disable and try again.
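Putting the pieces above together, here is an added example (not code from the original post) that reports the current Security Defaults state and, when asked to enable it, first lists any Conditional Access policies so you can see why the update would fail rather than hitting the error. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can also be granted Policy.Read.All, which listing Conditional Access policies requires.

```powershell
# Added example: audit and safely change the Security Defaults state.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the account can
# consent to Policy.ReadWrite.SecurityDefaults and Policy.Read.All.
function Set-SecurityDefaultsState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [bool]$Enabled
    )

    Connect-MgGraph -Scopes 'Policy.ReadWrite.SecurityDefaults', 'Policy.Read.All'

    $current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host "Current state: IsEnabled = $($current.IsEnabled)"

    if ($current.IsEnabled -eq $Enabled) {
        Write-Host "Security Defaults already set to $Enabled; nothing to do."
        return $current.IsEnabled
    }

    if ($Enabled) {
        # Enabling fails while any Conditional Access policy exists, so surface
        # them here instead of letting the update error out.
        $caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
        if ($caPolicies.Count -gt 0) {
            Write-Warning ("Cannot enable Security Defaults: {0} Conditional Access policies present: {1}" -f `
                $caPolicies.Count, ($caPolicies.DisplayName -join ', '))
            return $current.IsEnabled
        }
        if ($PSCmdlet.ShouldProcess('Security Defaults', 'Enable')) {
            # As the post shows, -IsEnabled is passed bare, not with $true.
            Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess('Security Defaults', 'Disable')) {
            Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $false }
        }
    }

    # Re-read the policy so the caller sees the state Entra actually stored.
    (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

# Usage: preview with -WhatIf first, then run for real.
# Set-SecurityDefaultsState -Enabled $true -WhatIf
# Set-SecurityDefaultsState -Enabled $true
```

Because the function supports -WhatIf, you can run it against a tenant onboarding script to confirm the intended state before any change is made.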

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
