PowerShell allows us to quickly and effectively make changes to the configuration of our Microsoft Entra Tenant. We can also use PowerShell to ensure that when new Tenants are created or onboarded they keep to a common standard set by the organisation.
Security Defaults is one of the most important settings in any tenant: every tenant admin should confirm it is enabled and, if it is not, confirm that Conditional Access policies are providing the equivalent protection instead.
In this tutorial, I am going to show you how to enable and disable Security Defaults in your tenant using Microsoft Graph PowerShell.
View the current Security Defaults setting
To view how your current Security Defaults setting is configured using Microsoft Graph PowerShell you can utilise the Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy cmdlet. While this command retrieves a lot of information, use the following example to view the IsEnabled attribute which will tell you if Security Defaults is enforced or not.
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select DisplayName, IsEnabled
Your output will look like the following:
DisplayName IsEnabled
----------- ---------
Security Defaults False
To determine if Security Defaults is enabled or disabled in your tenant, review the following list:
- IsEnabled = False: Security Defaults is disabled.
- IsEnabled = True: Security Defaults is enabled.
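The check the article describes can be turned into a small audit: read the IsEnabled flag and, when Security Defaults is off, confirm that an enforced Conditional Access policy is covering the gap. The following is an added example, not code from the original article; it assumes the Microsoft.Graph PowerShell SDK is installed and that the Policy.Read.All scope is sufficient for both reads (an assumption to verify against your tenant's consent settings).

```powershell
# Added example (not from the original article): report a tenant's baseline protection.
# Assumption: Policy.Read.All covers reading both the Security Defaults policy and
# Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

function Get-TenantBaselineReport {
    # Same cmdlet as the article; only the IsEnabled flag matters here
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

    # Only policies in the 'enabled' state enforce anything; report-only and disabled
    # policies do not protect sign-ins
    $caEnforced = @(Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' })

    $status = if ($sd.IsEnabled) {
        'Protected by Security Defaults'
    } elseif ($caEnforced.Count -gt 0) {
        'Protected by Conditional Access'
    } else {
        'UNPROTECTED: neither Security Defaults nor an enforced Conditional Access policy'
    }

    [pscustomobject]@{
        SecurityDefaultsEnabled = [bool]$sd.IsEnabled
        EnforcedCAPolicyCount   = $caEnforced.Count
        EnforcedCAPolicyNames   = ($caEnforced | ForEach-Object DisplayName) -join '; '
        Status                  = $status
    }
}

Get-TenantBaselineReport | Format-List
```

The Status field is what you would alert on in a multi-tenant onboarding script: a tenant that is neither on Security Defaults nor covered by an enforced Conditional Access policy has no baseline MFA protection at all.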
Modify Security Defaults using Microsoft Graph PowerShell
In many cases, you may need to disable Security Defaults in favour of more granular controls using Conditional Access, which is the only reason you should ever disable Security Defaults.
To modify these settings with Microsoft Graph PowerShell, use the similar update command Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy.
Start by connecting to Graph with the minimal required permission, 'Policy.ReadWrite.SecurityDefaults'.
Connect-MgGraph -Scopes Policy.ReadWrite.SecurityDefaults
Once you are connected, run the following commands to enable or disable Security Defaults.
$body = @{
isEnabled = $true   # use $false to disable Security Defaults
}
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $body
Troubleshooting
As the Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy command is quite specific, there is a chance you may come across an error when trying to run it. You may also notice that although the -IsEnabled parameter is present and looks as if it should accept a Boolean True/False value, the command still fails when you pass one.
You can view the IsEnabled attribute by running the following command:
(Get-Command "Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy").Definition
Your result will include the following block of text relating to this parameter:
[Parameter(ParameterSetName='UpdateExpanded')]
[Microsoft.Graph.PowerShell.Category('Body')]
[System.Management.Automation.SwitchParameter]
# If set to true, Azure Active Directory security defaults are enabled for the tenant.
${IsEnabled}
However, when you try to run the following command to enable Security Defaults, you are met with these errors:
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy : A positional parameter cannot be found that accepts argument 'True'.
Instead, by removing the $true value from the command, Security Defaults are successfully enabled.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
If you are enabling Security Defaults, you must also ensure that you do not have any Conditional Access policies configured in Microsoft Entra. If you do, the command will fail with the following error:
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy : Conditional access policies are enabled. Please disable and try again.
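Both troubleshooting points above (the switch-style -IsEnabled parameter and the Conditional Access conflict) can be handled in one wrapper that uses the -BodyParameter form from the enable/disable section, checks for Conditional Access policies before attempting to enable, warns before removing protection, and reads the policy back after the update. This is an added example, not code from the original article; it assumes the Microsoft.Graph SDK and that Policy.Read.All, alongside the write scope the article uses, is enough for the Conditional Access pre-check (an assumption).

```powershell
# Added example (not from the original article): change Security Defaults with guard rails.
# -BodyParameter is used instead of -IsEnabled, so $true and $false are both sent explicitly.
# Assumption: Policy.Read.All is sufficient to list Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.SecurityDefaults', 'Policy.Read.All' -NoWelcome

function Set-SecurityDefaults {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [bool] $Enabled
    )

    $current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ([bool]$current.IsEnabled -eq $Enabled) {
        Write-Verbose "Security Defaults already has IsEnabled=$Enabled; nothing to do."
        return $current
    }

    if ($Enabled) {
        # Enabling fails while Conditional Access policies are configured (the error shown
        # in the article), so explain the conflict instead of letting the update throw.
        $ca = @(Get-MgIdentityConditionalAccessPolicy -All)
        if ($ca.Count -gt 0) {
            throw "Cannot enable Security Defaults: $($ca.Count) Conditional Access policy(ies) exist ($($ca.DisplayName -join '; ')). Remove them first, or keep using Conditional Access."
        }
    } else {
        # Disabling removes baseline MFA for every user unless Conditional Access replaces it.
        $enforced = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled')
        if ($enforced.Count -eq 0) {
            Write-Warning 'No enabled Conditional Access policy found: disabling Security Defaults leaves the tenant without baseline protection.'
        }
    }

    if ($PSCmdlet.ShouldProcess('tenant Security Defaults', "set IsEnabled=$Enabled")) {
        $body = @{ isEnabled = $Enabled }
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $body

        # Read back so the caller sees what Entra stored, not just what was sent.
        $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
        if ([bool]$after.IsEnabled -ne $Enabled) {
            throw "Update returned without error but IsEnabled is still $($after.IsEnabled)."
        }
        return $after
    }
}

# -WhatIf shows the intended change without applying it; drop it to make the change.
Set-SecurityDefaults -Enabled $true -WhatIf
# Set-SecurityDefaults -Enabled $false -Confirm
```

Because the function declares ConfirmImpact = 'High', a plain call prompts for confirmation before touching the tenant, which is the behaviour you want for a setting that changes MFA enforcement for every user.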