Ensure Security Defaults is enabled on Azure Active Directory

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings that protect against common attacks.

Risk Level: High
Cloud Entity: AD Security Defaults
CloudGuard Rule ID: D9.AZU.IAM.38
Covered by Spectral: No
Category: Active Directory

GSL LOGIC

ADSecurityDefaults should have isEnabled=true

REMEDIATION

From Portal
To enable security defaults in your directory:

  1. From Azure Home select the Portal Menu.
  2. Browse to Azure Active Directory and select 'Properties'.
  3. Select the 'Manage security defaults' link at the bottom of the page.
  4. Set the 'Enable security defaults' toggle to Yes.
  5. Select Save.

Note: For all new tenants, security defaults are enabled by default. At this time, there are no Azure CLI or other API commands available to programmatically apply the security configuration for this recommendation.

References

  1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
  2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414
  3. https://workbench.cisecurity.org/sections/722878/recommendations/1182655

AD Security Defaults

Security Defaults ensures that all organizations have at least a basic level of security enabled at no extra cost.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset