Microsoft states that Security defaults are baseline protections in Azure Active Directory (now Microsoft Entra ID) that “make it easier to help protect your organization from identity-related attacks.” One of the core behaviors is that security defaults “require all users to register for Azure AD Multi-Factor Authentication,” and enforce “multi-factor authentication for all users,” with special emphasis that “administrators are required to do multi-factor authentication.” Security defaults also “block legacy authentication” and add protections for privileged operations, but the universal control that applies to every user is MFA. Importantly, enabling security defaults does not turn on paid capabilities such as Azure AD Identity Protection or Privileged Identity Management (PIM); those are separate, premium features. The baseline is intentionally simple and tenant-wide: require MFA registration, challenge with MFA when risk or sensitive operations are detected, and reduce exposure by disabling legacy protocols. Therefore, when you enable security defaults, multi-factor authentication (MFA) will be enabled for all Azure AD users, aligning with Microsoft’s guidance that security defaults “help protect all organizations by requiring MFA and disabling legacy authentication.”