Critical

Tenant security baseline check

Evaluates whether the tenant has baseline identity protection via either Security Defaults or Conditional Access policies.

Category: Authentication
Default severity: Critical
Rule key: CHECK_SECURITY_DEFAULTS
Last updated: April 17, 2026

How to fix it

Either enable Security Defaults or configure Conditional Access policies. Security Defaults and CA are mutually exclusive — choose one strategy.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

Policy.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →