The "Protect networks" pillar of the Secure Future Initiative emphasizes the critical importance of securing network access and implementing network-based controls to prevent unauthorized access to organizational resources. The best practices in this pillar focus on actions such as establishing network boundaries, controlling traffic flows, and implementing location-based access policies that verify the trustworthiness of network connections before granting access.
Zero Trust security recommendations
Named locations are configured
Without named locations configured in Microsoft Entra ID, threat actors can exploit the absence of location intelligence to conduct attacks without triggering location-based risk detections or security controls. When organizations fail to define named locations for trusted networks, branch offices, and known geographic regions, Microsoft Entra ID Protection can't assess location-based risk signals. Not having these policies in place can also increase false positives, which create alert fatigue and can mask genuine threats.
This configuration gap prevents the system from distinguishing legitimate locations from illegitimate ones: for example, legitimate sign-ins from corporate networks versus suspicious authentication attempts from high-risk locations (anonymous proxy networks, Tor exit nodes, or regions where the organization has no business presence). Threat actors can use this uncertainty to conduct credential stuffing attacks, password spray campaigns, and initial access attempts from malicious infrastructure without triggering the location-based detections that would normally flag such activity as suspicious.
Organizations also lose the ability to implement adaptive security policies that could automatically apply stricter authentication requirements or block access entirely from untrusted geographic regions. Threat actors can maintain persistence and conduct lateral movement from any global location without encountering location-based security barriers, which should serve as an extra layer of defense against unauthorized access attempts.
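The following script is an added example, not code from this page or from Microsoft. It evaluates a named-locations payload in the shape returned by GET /identity/conditionalAccess/namedLocations (ipNamedLocation and countryNamedLocation objects) and classifies sign-in source IPs against it. The payload is constructed for illustration and no Graph call is made; the IP and country codes are documentation examples. Running it with an empty "value" list shows the gap the recommendation describes: with no named locations, every sign-in falls into the same "untrusted" bucket and there is nothing for a location-based policy to act on.

```python
"""Evaluate Microsoft Entra named locations from a Graph-shaped payload and
classify sign-in source IPs against them (added example, constructed data)."""
import ipaddress

# Constructed sample mirroring GET /identity/conditionalAccess/namedLocations.
NAMED_LOCATIONS = {
    "value": [
        {
            "@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": "Corporate HQ egress",
            "isTrusted": True,
            "ipRanges": [
                {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"},
                {"@odata.type": "#microsoft.graph.iPv6CidrRange", "cidrAddress": "2001:db8:10::/48"},
            ],
        },
        {
            "@odata.type": "#microsoft.graph.countryNamedLocation",
            "displayName": "Operating countries",
            "countriesAndRegions": ["US", "GB"],
            "includeUnknownCountriesAndRegions": False,
        },
    ]
}


def trusted_networks(payload):
    """Return ip_network objects for every range in a trusted ipNamedLocation."""
    nets = []
    for loc in payload.get("value", []):
        if loc.get("@odata.type") == "#microsoft.graph.ipNamedLocation" and loc.get("isTrusted"):
            for r in loc.get("ipRanges", []):
                nets.append(ipaddress.ip_network(r["cidrAddress"], strict=False))
    return nets


def allowed_countries(payload):
    """Return the set of country codes listed in any countryNamedLocation."""
    codes = set()
    for loc in payload.get("value", []):
        if loc.get("@odata.type") == "#microsoft.graph.countryNamedLocation":
            codes.update(loc.get("countriesAndRegions", []))
    return codes


def assess_configuration(payload):
    """The check this recommendation describes: does the tenant have any location intelligence?"""
    return {
        "has_trusted_ip_location": bool(trusted_networks(payload)),
        "has_country_location": bool(allowed_countries(payload)),
    }


def classify_sign_in(ip, country_code, payload):
    """Classify a sign-in as 'trusted_network', 'known_country' or 'untrusted'.

    Trusted IP ranges win over country membership, matching the precedence a
    Conditional Access policy would give a trusted location.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in trusted_networks(payload)):
        return "trusted_network"
    if country_code in allowed_countries(payload):
        return "known_country"
    return "untrusted"


if __name__ == "__main__":
    print("configured tenant:", assess_configuration(NAMED_LOCATIONS))
    print("empty tenant:     ", assess_configuration({"value": []}))
    for ip, cc in [("203.0.113.40", "US"), ("198.51.100.7", "GB"), ("192.0.2.9", "XX")]:
        print(f"{ip:>14} {cc}  ->  {classify_sign_in(ip, cc, NAMED_LOCATIONS)}")
```

In practice the payload would come from the Graph endpoint named above (it is paged, so follow "@odata.nextLink" when present), and the classification would be joined against sign-in log entries to find activity that a location-based Conditional Access policy or ID Protection risk detection would otherwise never see.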
Remediation action
Tenant restrictions v2 policy is configured
Tenant Restrictions v2 (TRv2) allows organizations to enforce policies that restrict which Microsoft Entra tenants users can access, preventing unauthorized exfiltration of corporate data to external tenants through local accounts. Without TRv2, threat actors can exploit this gap, which can lead to data exfiltration and compliance violations, followed by credential harvesting if those external tenants have weaker controls. Once credentials are obtained, threat actors can gain initial access to those external tenants. TRv2 provides the mechanism to prevent users from authenticating to unauthorized tenants. Without it, threat actors can move laterally, escalate privileges, and potentially exfiltrate sensitive data, all while appearing as legitimate user activity that bypasses traditional data loss prevention controls focused on internal tenant monitoring.
Implementing TRv2 enforces policies that restrict access to specified tenants, mitigating these risks by ensuring that authentication and data access are confined to authorized tenants only.
If this check passes, your tenant has a TRv2 policy configured but more steps are required to validate the scenario end-to-end.
Remediation action
External collaboration is governed by explicit cross-tenant access policies
When default outbound B2B collaboration settings allow all users to access all applications in any external Microsoft Entra organization, organizations can't control where corporate data flows or who employees collaborate with. Users might intentionally or accidentally upload sensitive data to external tenants, accept invitations from spoofed or malicious tenants designed for phishing, or grant OAuth consent to risky applications that compromise corporate data.
For regulated industries, unrestricted external collaboration might violate data residency requirements or prohibitions on sharing data with unapproved organizations.
By blocking default outbound B2B collaboration, organizations enforce a deny-by-default posture that restricts external relationships to vetted partners, protects intellectual property, and ensures visibility over every cross-tenant collaboration.
Remediation action
- Learn about cross-tenant access settings and planning considerations before making changes. For more information, see Cross-tenant access overview.
- Use the cross-tenant access activity workbook to identify current external collaboration patterns before blocking default access. For more information, see Cross-tenant access activity workbook.
- Configure default outbound B2B collaboration settings to block access. For more information, see Modify outbound access settings.
- Add organization-specific settings for approved partner tenants that require B2B collaboration. For more information, see Add an organization.
- Update default cross-tenant access policy via Microsoft Graph API. For more information, see Update default cross-tenant access policy.
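The script below is an added example, not code from this page or from Microsoft, serving both the TRv2 check above and the cross-tenant access remediation steps just listed. It evaluates a payload in the shape of GET /policies/crossTenantAccessPolicy/default for the two settings this page recommends (a TRv2 default policy that blocks all external tenants, and default outbound B2B collaboration blocked) and builds the PATCH body for the last remediation step. Both policy payloads are constructed: the first shows the service default, the second the same policy after remediation. The "tenantRestrictions" property is assumed to be where the TRv2 default policy lives on that object, as documented for Microsoft Graph; no network calls are made.

```python
"""Check a default cross-tenant access policy for TRv2 and blocked outbound
B2B collaboration, and build the hardening PATCH body (added example)."""
import json


def _all_targets(target_type):
    """Target list meaning 'every user' or 'every application' in Graph's schema."""
    name = "AllUsers" if target_type == "user" else "AllApplications"
    return [{"target": name, "targetType": target_type}]


# Constructed: a tenant still on the service defaults (allow everything, no TRv2).
SERVICE_DEFAULT_POLICY = {
    "isServiceDefault": True,
    "b2bCollaborationOutbound": {
        "usersAndGroups": {"accessType": "allowed", "targets": _all_targets("user")},
        "applications": {"accessType": "allowed", "targets": _all_targets("application")},
    },
}

# Constructed: the same tenant after both recommendations are applied.
HARDENED_POLICY = {
    "isServiceDefault": False,
    "b2bCollaborationOutbound": {
        "usersAndGroups": {"accessType": "blocked", "targets": _all_targets("user")},
        "applications": {"accessType": "blocked", "targets": _all_targets("application")},
    },
    # Assumed property name for the TRv2 default policy (see lead-in).
    "tenantRestrictions": {
        "usersAndGroups": {"accessType": "blocked", "targets": _all_targets("user")},
        "applications": {"accessType": "blocked", "targets": _all_targets("application")},
    },
}


def _blocks_everything(setting):
    """True when a target configuration is 'blocked' and covers AllUsers/AllApplications."""
    if not setting or setting.get("accessType") != "blocked":
        return False
    return any(t.get("target") in ("AllUsers", "AllApplications") for t in setting.get("targets", []))


def outbound_b2b_blocked(policy):
    """Default outbound B2B collaboration is deny-by-default for users and apps."""
    ob = policy.get("b2bCollaborationOutbound") or {}
    return _blocks_everything(ob.get("usersAndGroups")) and _blocks_everything(ob.get("applications"))


def trv2_configured(policy):
    """A TRv2 default policy exists and blocks all external tenants by default."""
    tr = policy.get("tenantRestrictions")
    if not tr:
        return False
    return _blocks_everything(tr.get("usersAndGroups")) and _blocks_everything(tr.get("applications"))


def evaluate(policy):
    """Return the list of findings, empty when both recommendations are met."""
    findings = []
    if not trv2_configured(policy):
        findings.append("Tenant restrictions v2 policy is not configured")
    if not outbound_b2b_blocked(policy):
        findings.append("Default outbound B2B collaboration is not blocked")
    return findings


def blocking_patch_body():
    """JSON body for PATCH /policies/crossTenantAccessPolicy/default that blocks
    default outbound B2B collaboration. Approved partners are then allowed
    individually under /policies/crossTenantAccessPolicy/partners."""
    return json.dumps({
        "b2bCollaborationOutbound": {
            "usersAndGroups": {"accessType": "blocked", "targets": _all_targets("user")},
            "applications": {"accessType": "blocked", "targets": _all_targets("application")},
        }
    }, indent=2)


if __name__ == "__main__":
    print("service default:", evaluate(SERVICE_DEFAULT_POLICY))
    print("hardened:       ", evaluate(HARDENED_POLICY))
    print(blocking_patch_body())
```

Review the cross-tenant access activity workbook before sending the PATCH: once the default is blocked, any partner tenant that is not yet added as an organization-specific setting loses outbound collaboration immediately.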