I'm trying to wrap my head around the relationship between Entra ID's security defaults and conditional access policies. It seems that to use conditional access, you have to disable security defaults. My concern is, what happens if a conditional access policy mistakenly overlooks a specific user? Would that not create a security risk, since that user wouldn't receive multi-factor authentication (MFA)? How can Entra administrators ensure that every user is protected with MFA if security defaults are disabled for conditional access?
1 Answer
The main point of security defaults is to provide a basic level of protection, and they should be thoroughly reviewed in conjunction with your conditional access (CA) policies. Remember, when creating policies, aim to cover 'all' users and ensure nobody is mistakenly left out by opting in only specific groups.

I'm actually struggling with that aspect myself; we lack Entra expertise on our project.
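An added example (not from the answer above, nor Microsoft's code) of the check the answer is asking for: given policies in the shape Microsoft Graph returns for conditionalAccessPolicies, list the users that no enforced MFA policy applies to. The users, group ids and policies are constructed; only the users condition is evaluated (applications, platforms and sign-in risk conditions are ignored).

```python
# Audit which users are not covered by any enabled Conditional Access policy
# that requires MFA. Policy dicts mirror Graph's conditionalAccessPolicies shape.
ALL = "All"

# Constructed users: id -> set of group ids (hypothetical values)
USERS = {
    "alice": {"grp-staff"},
    "bob": {"grp-staff", "grp-admins"},
    "carol": set(),        # in no group: the classic gap for group-scoped policies
    "svc-backup": set(),
}

# Constructed policies (displayName/state/conditions/grantControls as in Graph)
POLICIES = [
    {   # scoped to one group, so anyone outside grp-staff is not covered
        "displayName": "MFA for staff",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-staff"],
                                 "excludeUsers": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # report-only policies enforce nothing and must not count as coverage
        "displayName": "MFA for all (report only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": [ALL], "includeGroups": [],
                                 "excludeUsers": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

def requires_mfa(policy: dict) -> bool:
    """True when the policy is enforced and its grant controls include MFA."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy.get("state") == "enabled" and "mfa" in controls

def policy_applies(policy: dict, user: str, groups: set) -> bool:
    """Evaluate the users condition: exclusions win over inclusions."""
    cond = policy["conditions"]["users"]
    if user in cond.get("excludeUsers", []) or groups & set(cond.get("excludeGroups", [])):
        return False
    inc_users = cond.get("includeUsers", [])
    return ALL in inc_users or user in inc_users or bool(groups & set(cond.get("includeGroups", [])))

def uncovered_users(users: dict, policies: list) -> list:
    """Users with no enforced MFA policy applying to them, sorted by id."""
    mfa_policies = [p for p in policies if requires_mfa(p)]
    return sorted(u for u, g in users.items()
                  if not any(policy_applies(p, u, g) for p in mfa_policies))

if __name__ == "__main__":
    print("Users without an enforced MFA policy:", uncovered_users(USERS, POLICIES))
```

Run the same function over policies exported from your tenant to see exactly who falls through; with a single enabled policy whose includeUsers is "All", the only uncovered users are the ones in its exclusions, which is the list to review deliberately.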