Secure your organization's identities with Microsoft Entra ID

It can seem daunting to secure your workers in today's world, especially when you have to respond rapidly and provide access to many services quickly. This article provides a concise list of the actions to take, helping you identify and prioritize the order in which to deploy Microsoft Entra features based on the license type you own.

Microsoft Entra ID offers many features and provides many layers of security for your identities, and working out which feature is relevant can sometimes be overwhelming. This document is intended to help organizations deploy services quickly, with secure identities as the primary consideration.

Each table provides a consistent security recommendation, protecting identities from common security attacks while minimizing user friction.

The guidance helps you:

  • Configure access to SaaS and on-premises applications in a secure and protected manner
  • Protect both cloud and hybrid identities
  • Support users working remotely or in the office

Prerequisites

This guide assumes that your cloud-only or hybrid identities have already been established in Microsoft Entra ID.

Guided walkthrough

For a guided walkthrough of many of the recommendations in this article, see the Set up Microsoft Entra ID guide when signed in to the Microsoft 365 Admin Center. To review best practices without signing in and activating automated setup features, go to the M365 Setup portal.

Guidance for Microsoft Entra ID Free, Office 365, or Microsoft 365 customers

There are many recommendations that Microsoft Entra ID Free, Office 365, or Microsoft 365 app customers should take to protect their user identities. The following table is intended to highlight key actions for the following license subscriptions:

  • Office 365 (Office 365 E1, E3, E5, F1, A1, A3, A5)
  • Microsoft 365 (Business Basic, Apps for Business, Business Standard, Business Premium, A1)
  • Microsoft Entra ID Free (included with Azure, Dynamics 365, Intune, and Power Platform)
Recommended action: detail

  • Enable Security Defaults: Protect all user identities and applications by enabling MFA and blocking legacy authentication.
  • Enable Password Hash Sync (if using hybrid identities): Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).
  • Enable AD FS smart lockout (if applicable): Protects your users from experiencing extranet account lockout from malicious activity.
  • Enable Microsoft Entra smart lockout (if using managed identities): Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.
  • Disable end-user consent to applications: The admin consent workflow gives admins a secure way to grant access to applications that require admin approval, so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.
  • Enable self-service password reset (applicable to cloud-only accounts): This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
  • Use least privileged roles where possible: Give your administrators only the access they need, to only the areas they need access to. Not all administrators need to be Global Administrators.
  • Enable Microsoft's password guidance: Stop requiring users to change their password on a set schedule and disable complexity requirements; users are then more apt to remember their passwords and keep them secure.
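The three tenant-wide settings above (Security Defaults, end-user consent, and scheduled password expiry) can be applied and then read back for evidence with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph module is installed and that the signed-in account holds the roles needed to change these policies.

```powershell
# Added example (not from the article): apply three Free-tier recommendations
# with the Microsoft Graph PowerShell SDK, then read the settings back.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.ReadWrite.Authorization',
                        'Domain.ReadWrite.All'

# 1. Enable Security Defaults (MFA for everyone, legacy authentication blocked).
#    Security Defaults and Conditional Access policies cannot be used together,
#    so this is the right choice only for tenants without Entra ID P1/P2.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true

# 2. Disable end-user consent: assigning no permission grant policies to the
#    default user role sends every application consent through the admin
#    consent workflow instead of letting users grant access themselves.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# 3. Follow Microsoft's password guidance: stop scheduled password expiry on
#    every verified domain (2147483647 days is the "never expires" value).
Get-MgDomain | Where-Object IsVerified | ForEach-Object {
    Update-MgDomain -DomainId $_.Id -PasswordValidityPeriodInDays 2147483647
}

# Read each setting back so the change can be recorded as evidence.
(Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgDomain | Select-Object Id, IsVerified, PasswordValidityPeriodInDays
```

Complexity requirements are enforced for cloud accounts and cannot be disabled here; that part of the password guidance applies to on-premises Active Directory policy.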

Guidance for Microsoft Entra ID P1 customers

The following table is intended to highlight the key actions for the following license subscriptions:

  • Microsoft Entra ID P1
  • Enterprise Mobility + Security (EMS E3)
  • Microsoft 365 (E3, A3, F1, F3)
Recommended action: detail

  • Create more than one Global Administrator: Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords.
  • Configure MFA settings for your organization: Ensure accounts are protected from being compromised with multifactor authentication.
  • Enable self-service password reset: This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
  • Implement Password Writeback (if using hybrid identities): Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment.
  • Create and enable Conditional Access policies:
      ◦ MFA for admins, to protect accounts that are assigned administrative rights.
      ◦ Block legacy authentication protocols, due to the increased risk associated with them.
      ◦ MFA for all users and applications, to create a balanced MFA policy for your environment that secures your users and applications.
      ◦ Require MFA for Azure Management, to protect your privileged resources by requiring multifactor authentication for any user accessing Azure resources.
  • Enable Password Hash Sync (if using hybrid identities): Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).
  • Enable AD FS smart lockout (if applicable): Protects your users from experiencing extranet account lockout from malicious activity.
  • Enable Microsoft Entra smart lockout (if using managed identities): Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.
  • Disable end-user consent to applications: The admin consent workflow gives admins a secure way to grant access to applications that require admin approval, so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.
  • Enable Conditional Access - Device based: Improve security and user experience with device-based Conditional Access. This step ensures users can only access resources from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Microsoft Entra hybrid joined devices.
  • Enable Password Protection: Protect users from using weak and easy-to-guess passwords.
  • Use least privileged roles where possible: Give your administrators only the access they need, to only the areas they need access to. Not all administrators need to be Global Administrators.
  • Enable Microsoft's password guidance: Stop requiring users to change their password on a set schedule and disable complexity requirements; users are then more apt to remember their passwords and keep them secure.
  • Create an organization-specific custom banned password list: Prevent users from creating passwords that include common words or phrases from your organization or area.
  • Create a plan for guest user access: Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities.

Guidance for Microsoft Entra ID P2 customers

The following table is intended to highlight the key actions for the following license subscriptions:

  • Microsoft Entra ID P2
  • Enterprise Mobility + Security (EMS E5)
  • Microsoft 365 (E5, A5)
Recommended action: detail

  • Create more than one Global Administrator: Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords.
  • Configure MFA settings for your organization: Ensure accounts are protected from being compromised with multifactor authentication.
  • Enable self-service password reset: This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
  • Implement Password Writeback (if using hybrid identities): Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment.
  • Create and enable Conditional Access policies:
      ◦ MFA for admins, to protect accounts that are assigned administrative rights.
      ◦ Block legacy authentication protocols, due to the increased risk associated with them.
      ◦ Require MFA for Azure Management, to protect your privileged resources by requiring multifactor authentication for any user accessing Azure resources.
  • Enable Password Hash Sync (if using hybrid identities): Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).
  • Enable AD FS smart lockout (if applicable): Protects your users from experiencing extranet account lockout from malicious activity.
  • Enable Microsoft Entra smart lockout (if using managed identities): Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.
  • Disable end-user consent to applications: The admin consent workflow gives admins a secure way to grant access to applications that require admin approval, so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.
  • Enable Conditional Access - Device based: Improve security and user experience with device-based Conditional Access. This step ensures users can only access resources from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Microsoft Entra hybrid joined devices.
  • Enable Password Protection: Protect users from using weak and easy-to-guess passwords.
  • Use least privileged roles where possible: Give your administrators only the access they need, to only the areas they need access to. Not all administrators need to be Global Administrators.
  • Enable Microsoft's password guidance: Stop requiring users to change their password on a set schedule and disable complexity requirements; users are then more apt to remember their passwords and keep them secure.
  • Create an organization-specific custom banned password list: Prevent users from creating passwords that include common words or phrases from your organization or area.
  • Create a plan for guest user access: Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities.
  • Enable Privileged Identity Management: Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval.
  • Complete an access review for Microsoft Entra directory roles in PIM: Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies.
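The Conditional Access policies recommended in both the P1 and P2 tables (block legacy authentication, MFA for administrators, MFA for Azure management) can be created in report-only mode so sign-in logs show their effect before anything is enforced. This is an added example, not code from the article or from Microsoft; it assumes an Entra ID P1 or P2 tenant, the Microsoft.Graph module, Security Defaults already turned off (they cannot coexist with Conditional Access), and a placeholder object ID for your emergency-access account.

```powershell
# Added example (not from the article): create the recommended Conditional
# Access policies in report-only mode with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

$reportOnly = 'enabledForReportingButNotEnforced'   # review sign-in logs, then switch to 'enabled'

# Emergency-access (break-glass) accounts are excluded from every policy.
$breakGlass = @('<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>')   # placeholder, replace before use

# Resolve IDs by name rather than hard-coding them.
$gaRoleId  = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator').Id
$azureMgmt = (Get-MgServicePrincipal -Filter "displayName eq 'Windows Azure Service Management API'").AppId

# Policy 1: block legacy authentication. Exchange ActiveSync and "other" client
# app types are the ones that cannot complete multifactor authentication.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: require MFA for accounts holding the Global Administrator role.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA002 - Require MFA for administrators'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeRoles = @($gaRoleId); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 3: require MFA for any user managing Azure resources.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA003 - Require MFA for Azure management'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @($azureMgmt) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
```

Promote each policy to 'enabled' only after the report-only results in the sign-in logs show no unexpected blocks, and add the remaining policies from the table (MFA for all users, device-based access) the same way.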

Zero Trust

The recommendations in this article help organizations align their identities with the three guiding principles of a Zero Trust architecture:

  • Verify explicitly
  • Use least privilege
  • Assume breach

To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.

Next steps