Microsoft's Security Defaults is the simplified identity-protection baseline available on every M365 tenant for free. It enforces MFA for admins, blocks legacy auth, and applies sensible defaults. For a small tenant with low risk tolerance and no compliance pressure, it's a reasonable starting point.
It is not, however, a substitute for Conditional Access. Conditional Access (included in Business Premium, and available standalone via Entra ID P1/P2) lets you write policies that depend on context: this user, from this location, on this device, attempting this app, at this risk level. That lets you block legacy auth specifically, require MFA for admin actions but skip it for trusted browsers on managed devices, block sign-ins from unfamiliar countries, and require device compliance for SharePoint.
The granularity matters because user experience matters. Conditional Access lets you be strict where it counts and frictionless where it doesn't — which is the difference between security people use and security people work around.
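Two of the policies described above (block legacy auth for everyone; require MFA for Global Administrators unless they are on a compliant device), written as Microsoft Graph PowerShell calls. This is an added example, not code from the original post: it assumes the Microsoft.Graph modules are installed, an admin session with the scopes listed, and a break-glass account whose UPN is a placeholder; both policies are created in report-only state so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: two Conditional Access policies via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement
# and Microsoft.Graph.Users are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "User.Read.All"

# Placeholder UPN: the emergency-access (break-glass) account every policy must exclude,
# so a misconfigured policy cannot lock all admins out of the tenant.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

# Policy 1: block legacy authentication. Legacy protocols cannot satisfy MFA,
# so the only useful control is "block". Scoped to all users and all apps.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")  # "other" = legacy auth clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: Global Administrators must present MFA, OR be on a compliant (managed)
# device. The OR operator is what makes this strict for unmanaged sessions and
# frictionless for trusted ones. Role is looked up by name to avoid a hardcoded ID.
$gaRole = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Global Administrator"
$adminMfa = @{
    displayName   = "CA002 - MFA or compliant device for Global Administrators"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeRoles = @($gaRole.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa

# Check: confirm both policies exist and are still report-only before flipping
# state to "enabled" once the sign-in log review shows no unexpected blocks.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State
```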
