Microsoft announced this week that it is rolling out security defaults to existing customers who have not yet enabled the defaults or Azure AD Conditional Access, extending the defaults to millions more customers.

The software giant introduced security defaults in October 2019 to give new tenants basic security hygiene, especially multi-factor authentication (MFA) and modern authentication requirements, regardless of license, Alex Weinert, Microsoft’s director of identity security, wrote in the announcement.

Since then, more than 30 million organizations have been protected by the defaults, and they experience 80% fewer compromises than the overall tenant population, he continued. However, tenants created before October 2019 were not included in the defaults unless they explicitly enabled features such as Conditional Access, Identity Protection and MFA — until now.

Microsoft will begin enabling the security defaults for customers who don't use Conditional Access and who aren't actively using legacy authentication clients. Redmond will notify global admins by email and begin to apply the defaults in late June. The security defaults are expected to protect an additional 60 million accounts.

“When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing, and password reuse,” Weinert said.