4 Steps to Secure Microsoft Entra ID

By applying these 4 simple hardening configurations, an essential base level of security is achieved.

Last Update: Dec 09, 2024 | Published: Dec 02, 2024



Second only to Generative AI, cybersecurity is top of mind for organizations across the globe. But with Microsoft’s rapid release approach to cloud-based and cloud-enabled security features, how do you make sure you have the basics covered? In this short guide, we’ll walk through the first 4 steps you should consider when implementing or securing Microsoft Entra ID.

1. Isolate Microsoft Entra ID privileged roles

Users in IT or security roles often hold a high level of privilege in a Microsoft Entra ID environment, which makes them more valuable targets for cyber criminals. It follows that these users need stronger protection than standard, non-privileged users.

Create native Entra ID privileged identities

Privileged user accounts should always be created directly in Microsoft Entra ID, rather than being synchronized from on-premises Active Directory. On-prem accounts are vulnerable to legacy authentication protocols and lateral movement within hybrid environments. This creates unnecessary risks that could cascade into Entra ID during an on-premises breach. By isolating privileged accounts in Entra ID, you ensure they are protected with modern cloud-native controls.

  • License Required: Entra ID Premium P1.
  • End User Impact: Admins may need to manage separate cloud-only accounts. This is minimal for most users but requires communication for those impacted.
Create a new user in Microsoft Entra ID (Image Credit: Dean Ellerby/Petri.com)

Enforce MFA for privileged accounts

Multifactor authentication (MFA) should be enforced for privileged accounts at all times, regardless of location or device compliance. This ensures a second authentication factor is always required, even if attackers compromise trusted networks or devices. Entra ID supports robust MFA options, including FIDO2 keys, push notifications, and hardware tokens, to protect against credential theft and brute-force attacks.

A great way to start with Conditional Access is to review the built-in Conditional Access Templates provided directly in the Entra ID portal.

  • License Required: Entra ID Premium P1 for Conditional Access policies.
  • End User Impact: Privileged users will need to perform MFA at every sign-in, adding a small but critical layer of security.
Secure Microsoft Entra ID by creating a new Conditional Access policy using a template (Image Credit: Dean Ellerby/Petri.com)

Restrict admin access to managed devices

Privileged accounts should only access admin portals from compliant devices enrolled in Microsoft Intune and joined to Entra ID. Managed devices meet compliance policies like encryption, endpoint protection, and up-to-date patches, reducing risks associated with personal or unmanaged devices.

But don’t stop there; a stretch goal would be to restrict privileged accounts to specific Privileged Access Workstations (PAWs). This additional step offers two benefits:

  1. Privileged users enter their credentials on devices that have additional security hardening and a smaller attack surface, reducing the likelihood of compromise.
  2. Attackers must use a specific device configuration or device type to perform attacks against privileged users.

  • License Required: Intune for device compliance and Entra ID Premium P1 for Conditional Access.
  • End User Impact: Admins must transition to managed compliant devices for administrative tasks. This may require onboarding and adjustments for personal device users but significantly enhances security.
Admins should log in from a compliant and managed device (Image Credit: Dean Ellerby/Petri.com)
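As an added illustration (not code from the article), the following Python audit applies the first two controls in this step to a list of privileged role members: it flags accounts synchronized from on-premises AD and accounts with no MFA method or no FIDO2 key registered. The records are constructed samples, and their field names (onPremisesSyncEnabled, methodsRegistered) are assumed to mirror what a Microsoft Graph export of users and their registered authentication methods would provide.

```python
# Added example (not from the article): audit privileged role members against
# the first two step-1 controls.  The records are constructed samples whose
# field names (onPremisesSyncEnabled, methodsRegistered) are assumed to mirror
# a Microsoft Graph export of users and their registered authentication methods.
FIDO2_METHODS = {"fido2SecurityKey"}  # the method the article recommends

SAMPLE_PRIVILEGED_USERS = [  # constructed sample data
    {"upn": "adm-alice@contoso.example", "role": "Global Administrator",
     "onPremisesSyncEnabled": False,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"upn": "bob@contoso.example", "role": "Security Administrator",
     "onPremisesSyncEnabled": True,           # synchronized from on-prem AD
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"upn": "svc-helpdesk@contoso.example", "role": "Helpdesk Administrator",
     "onPremisesSyncEnabled": False,
     "methodsRegistered": []},                # no MFA method registered
]

def audit_privileged_user(user: dict) -> list[str]:
    """Return the step-1 findings for one privileged account (empty if clean)."""
    findings = []
    if user["onPremisesSyncEnabled"]:
        findings.append("synced from on-premises AD; recreate as a cloud-only account")
    methods = set(user["methodsRegistered"])
    if not methods:
        findings.append("no MFA method registered")
    elif not methods & FIDO2_METHODS:
        findings.append("MFA registered but no FIDO2 key")
    return findings

def audit_privileged_users(users: list[dict]) -> dict[str, list[str]]:
    """Map UPN -> findings, keeping only accounts that have at least one."""
    report = {}
    for user in users:
        findings = audit_privileged_user(user)
        if findings:
            report[user["upn"]] = findings
    return report

if __name__ == "__main__":
    for upn, findings in audit_privileged_users(SAMPLE_PRIVILEGED_USERS).items():
        print(f"{upn}: {'; '.join(findings)}")
```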

2. Enhance security with Entra Password Protection

Use Banned Password Lists

Entra Password Protection prevents users from setting weak or commonly compromised passwords by enforcing a global banned password list. You can also create a custom list tailored to your organization to block terms like company names or frequently used phrases. These measures protect against credential stuffing and brute-force attacks.

Audit Mode logs attempts to set weak or banned passwords without blocking them, providing valuable insights into password hygiene. This allows you to assess the scale of the issue before moving to enforcement.

After assessing Audit Mode logs, switch to Enforced Mode to actively block weak passwords. This improves security by requiring strong credentials across all accounts.

  • License Required: Entra ID Free for global lists, Premium P1 for custom lists or hybrid setups.
  • End User Impact: Users must comply with strong password requirements. This may require additional support during the transition phase but ensures a more secure environment.
Microsoft Entra Password Protection (Image Credit: Dean Ellerby/Petri.com)
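To make the Audit Mode versus Enforced Mode distinction concrete, here is an added Python model (not the article's or Microsoft's code) of how Entra Password Protection scores a candidate password: normalize the common character substitutions, remove banned terms, count one point per banned term and one per remaining character, and accept at five points or more. Both banned lists are constructed samples, and fuzzy matching is simplified to a single substituted character.

```python
# Added example (not from the article): a model of how Entra Password Protection
# scores a candidate password, following the steps Microsoft documents
# (normalize, remove banned terms, score, accept at 5 points or more).
# Both banned lists are constructed samples; fuzzy matching is simplified
# to a single substituted character.
GLOBAL_BANNED = {"password", "letmein", "qwerty", "welcome", "blank"}  # sample
CUSTOM_BANNED = {"contoso", "petri"}                                    # sample
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

def normalize(pw: str) -> str:
    """Lowercase and undo the common character substitutions."""
    return pw.lower().translate(SUBSTITUTIONS)

def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b have the same length and differ in exactly one place."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def score(pw: str, banned: set[str]) -> tuple[int, list[str]]:
    """Each banned term found counts 1 point and is removed; every character
    left over counts 1 point.  Longer terms are matched first."""
    remaining = normalize(pw)
    hits: list[str] = []
    for term in sorted(banned, key=len, reverse=True):
        i = 0
        while i + len(term) <= len(remaining):
            window = remaining[i:i + len(term)]
            if window == term or edit_distance_one(window, term):
                hits.append(term)
                remaining = remaining[:i] + remaining[i + len(term):]
            else:
                i += 1
    return len(hits) + len(remaining), hits

def evaluate(pw: str, mode: str = "enforce") -> dict:
    """Verdict for one password change in Audit or Enforced mode."""
    points, hits = score(pw, GLOBAL_BANNED | CUSTOM_BANNED)
    weak = points < 5
    # Audit Mode only logs the would-be rejection; Enforced Mode blocks it.
    return {"accepted": mode == "audit" or not weak,
            "would_reject": weak, "points": points, "hits": hits}

if __name__ == "__main__":
    for candidate in ("C0ntos0Blank12", "ContosoBlank12345", "P@$$w0rd!"):
        print(candidate, evaluate(candidate, mode="audit"))
```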

3. Secure users

Require MFA (Ideally FIDO2)

MFA is essential to protect accounts from credential theft, brute-force attacks, and phishing attempts. FIDO2 keys provide a passwordless, user-friendly option that is both secure and convenient, especially for privileged accounts.

  • License Required: Entra ID Premium P1 for Conditional Access and MFA enforcement.
  • End User Impact: Users will need to register MFA methods, such as FIDO2 keys or authenticator apps, and perform MFA at sign-ins. This is minimal for managed devices but improves overall security.
Require MFA for all Microsoft Entra ID users (Image Credit: Dean Ellerby/Petri.com)

Implement Conditional Access

Conditional Access policies enforce granular controls based on risk factors like location, device compliance, or app access. This ensures security policies adapt dynamically to different scenarios. By requiring a compliant or hybrid-joined device, we limit the risk of compromise to devices controlled and secured by the organization.

  • License Required: Entra ID Premium P1 for Conditional Access policies.
  • End User Impact: Users may experience restrictions when attempting to access resources from unmanaged or non-compliant devices. These policies balance security and usability.
Configure a Conditional Access policy to require a compliant device or MFA for all users (Image Credit: Dean Ellerby/Petri.com)

Use risk-based policies

Risk-based policies automatically evaluate sign-in risks, such as unusual locations or compromised credentials, and adjust access requirements dynamically. This minimizes user friction while enhancing security.

  • License Required: Entra ID Premium P2 for advanced risk-based policies.
  • End User Impact: Low-risk users experience minimal disruptions, while high-risk scenarios trigger additional security steps, such as MFA or access blocks.
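The way these three policies interact is easier to see in code. The following Python model is an added example (not the article's or Microsoft's code): it evaluates constructed sign-ins against constructed policies shaped like the Graph conditionalAccessPolicy object, with the grant control values (mfa, compliantDevice, domainJoinedDevice, block) taken from that schema.

```python
# Added example (not from the article): an offline model of how the step-3
# Conditional Access policies combine on one sign-in.  Policies loosely follow
# the Graph conditionalAccessPolicy shape (conditions, grantControls with
# operator and builtInControls); all policies and sign-ins are constructed.
POLICIES = [
    {"displayName": "Require MFA for all users", "conditions": {},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant or hybrid-joined device, or MFA",
     "conditions": {},
     "grantControls": {"operator": "OR", "builtInControls":
                       ["compliantDevice", "domainJoinedDevice", "mfa"]}},
    {"displayName": "Block high sign-in risk",
     "conditions": {"signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Medium sign-in risk requires MFA",
     "conditions": {"signInRiskLevels": ["medium"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
SATISFIED_BY = {"mfa": "mfaSatisfied", "compliantDevice": "deviceCompliant",
                "domainJoinedDevice": "hybridJoined"}  # sign-in fact per control

def applies(policy: dict, signin: dict) -> bool:
    """A policy with no signInRiskLevels condition applies to every sign-in."""
    levels = policy["conditions"].get("signInRiskLevels")
    return not levels or signin["signInRisk"] in levels

def grant_outcome(policy: dict, signin: dict) -> str:
    """block / allow / require_mfa / deny for one applicable policy."""
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if "block" in controls:
        return "block"
    met = [bool(signin[SATISFIED_BY[c]]) for c in controls]
    satisfied = all(met) if grant["operator"] == "AND" else any(met)
    if satisfied:
        return "allow"
    # Unmet: an MFA prompt still satisfies an OR policy that lists mfa, or an
    # AND policy whose only unmet control is mfa; anything else fails.
    unmet = [c for c, ok in zip(controls, met) if not ok]
    if "mfa" in controls and (grant["operator"] == "OR" or unmet == ["mfa"]):
        return "require_mfa"
    return "deny"

def evaluate_sign_in(signin: dict, policies: list[dict] = POLICIES) -> str:
    """Most restrictive outcome wins: block > deny > require_mfa > allow."""
    outcomes = {grant_outcome(p, signin) for p in policies if applies(p, signin)}
    for verdict in ("block", "deny", "require_mfa"):
        if verdict in outcomes:
            return verdict
    return "allow"
```

A compliant device with no MFA yet returns require_mfa from the first policy even though the second is already satisfied, which is exactly the "MFA at every sign-in" behaviour the step-1 and step-3 policies are meant to produce.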

4. User settings

The default configuration for user settings in Microsoft Entra ID can present significant risks if not properly adjusted. Reviewing and tightening these settings ensures a secure environment while maintaining user productivity. Below are key areas of concern and recommendations for mitigating risks.

Default User role permissions

  • Registering Applications: By default, users can register applications in Microsoft Entra ID, which is a high-risk capability. Application registrations can inadvertently expose sensitive APIs or resources to malicious actors. Since regular users typically have no valid business need to register apps, this permission should be restricted to administrators.
  • Creating Tenants: Ordinary users can create tenants, potentially leading to shadow IT or data leakage. Tenant creation should be reserved for administrators to maintain control over the organization’s environments.
  • Creating Security Groups: Users can create security groups by default, which may lead to mismanagement or unauthorized access. Restrict this capability and allow users to create only Microsoft 365 Groups if needed, as these are sufficient for most collaboration scenarios.

  • License Required: Entra ID Free. No premium features are required to restrict these permissions.
  • End User Impact: Users will lose the ability to register applications, create tenants, or manage security groups. Admins will need to handle these tasks, but this significantly reduces risk with minimal disruption to daily operations.

Guest user access

Guest users, such as external collaborators, should not have the same permissions as internal employees. Unlike employees, guests often lack training, contracts, or secure company devices. Granting them broad permissions can expose the organization to risks.

Limit guest user permissions to only the objects they own. Configure External Collaboration Settings in Entra ID to restrict guest access to sensitive resources and ensure they cannot view or modify information beyond their specific needs.

  • License Required: Entra ID Free. Basic guest access management does not require premium licenses.
  • End User Impact: Guests will have access restricted to their own objects, limiting their exposure to sensitive resources. Collaboration remains intact, and internal workflows are unaffected.

Configure user settings in Microsoft Entra ID (Image Credit: Dean Ellerby/Petri.com)
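Both of the step-4 settings live in the tenant's authorizationPolicy object, so a drift check can cover the default user role permissions and the guest role together. The following Python is an added example (not the article's code): it compares a constructed current-state document with the recommended baseline and emits the PATCH body; the property names and the guest role template IDs are assumed from the Microsoft Graph authorizationPolicy resource and should be verified against current documentation.

```python
# Added example (not from the article): compare a tenant's authorizationPolicy
# (Microsoft Graph: GET /policies/authorizationPolicy) with the step-4 baseline
# and derive the PATCH body that closes the gap.  The current-state document is
# a constructed sample; the property names and the guest role template IDs are
# assumed from the Graph authorizationPolicy resource and should be verified.
RESTRICTED_GUEST_ROLE_ID = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # Restricted Guest User
DEFAULT_GUEST_ROLE_ID = "10dae51f-b6af-4016-8d66-8c2a99b929b3"     # Guest User (default)

BASELINE = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,            # no app registration by users
        "allowedToCreateTenants": False,         # no tenant creation by users
        "allowedToCreateSecurityGroups": False,  # no security group creation
    },
    "guestUserRoleId": RESTRICTED_GUEST_ROLE_ID,  # guests see only what they own
}

CURRENT_POLICY = {  # constructed sample: a tenant still on the defaults
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateTenants": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
    "guestUserRoleId": DEFAULT_GUEST_ROLE_ID,
}

def find_drift(current: dict, baseline: dict = BASELINE) -> dict:
    """Return the baseline settings whose value differs from current, nested
    the same way as the resource so the result doubles as a PATCH body."""
    drift = {}
    for key, wanted in baseline.items():
        have = current.get(key)
        if isinstance(wanted, dict):
            inner = find_drift(have or {}, wanted)
            if inner:
                drift[key] = inner
        elif have != wanted:
            drift[key] = wanted
    return drift

def is_compliant(current: dict, baseline: dict = BASELINE) -> bool:
    """True when nothing in the baseline needs changing."""
    return not find_drift(current, baseline)

if __name__ == "__main__":
    import json
    print("PATCH /policies/authorizationPolicy")
    print(json.dumps(find_drift(CURRENT_POLICY), indent=2))
```

If Graph rejects a partial defaultUserRolePermissions object, merge the drift into the current object and send the complete complex type instead.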

Just the beginning

A recent article by Microsoft explores how they are working to enhance and improve cybersecurity adoption through collaboration with NIST’s National Cybersecurity Center of Excellence (NCCoE), laying out an essential framework to adopt Zero Trust.

In this short guide, we’ve laid out some important first steps, but it’s important to remember that these are just the beginning of an organization’s cybersecurity journey. By applying these simple hardening configurations, an essential base level of security is achieved. It’s vital to continue to adopt other security measures and enhancements.
