diff --git a/clients/barbaragrygutis/session-logs/2026-05-29-session.md b/clients/barbaragrygutis/session-logs/2026-05-29-session.md index 4366745..6647f15 100644 --- a/clients/barbaragrygutis/session-logs/2026-05-29-session.md +++ b/clients/barbaragrygutis/session-logs/2026-05-29-session.md @@ -111,6 +111,18 @@ bash .claude/skills/remediation-tool/scripts/onboard-tenant.sh barbaragrygutis.c --- +## Update: 16:40 PT — Security Defaults check + +Checked `identitySecurityDefaultsEnforcementPolicy` on the barbaragrygutis.com tenant. + +**Security Defaults: ENABLED** + +Baseline protections active: MFA enforced for all users (14-day grace on new sign-ins), legacy authentication blocked, privileged action protection. This explains why the credential spray is being blocked at the Microsoft layer. Security Defaults and custom CA policies are mutually exclusive — if granular CA is added in future, Security Defaults must be disabled first and replaced with equivalent policies. + +Decision: leave account untouched until Barbara confirms she still has the iPhone 13 Pro Max with Authenticator registered. Security Defaults provide adequate baseline protection in the interim. + +--- + ## Reference Information - **Syncro ticket:** #32349 — https://computerguru.syncromsp.com/tickets/111566564
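Review bot: The sentence "This explains why the credential spray is being blocked at the Microsoft layer" in the new 16:40 update states a cause without recording the evidence for it. Security Defaults being enabled does not by itself show whether the spray attempts failed on the password or were stopped at the MFA step, and an attempt that reaches the MFA step would mean the password is already known to the attacker. Suggest citing the sign-in log entries or failure codes the conclusion rests on. The "Security Defaults: ENABLED" line should also record how `identitySecurityDefaultsEnforcementPolicy` was queried and the value returned, so the result can be re-verified later. The decision paragraph relies on Barbara confirming she still has the iPhone 13 Pro Max; consider also noting the authentication methods currently registered on the account as seen from the tenant, so the "adequate baseline protection in the interim" claim does not rest on the user's recollection alone.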