Configure Microsoft Entra for increased security (Preview)

In Microsoft Entra, we group our security recommendations into multiple themes based on the Secure Future Initiative (SFI). This structure allows organizations to logically break up projects into related consumable chunks.

Tip

Some organizations might take these recommendations exactly as written, while others might choose to make modifications based on their own business needs. In our initial release of this guidance, we focus on traditional workforce tenants. These workforce tenants are for your employees, internal business apps, and other organizational resources.

We recommend that all of the following controls be implemented where licenses are available. These patterns and practices help to provide a foundation for other resources built on top of this solution. More controls will be added to this document over time.

Automated assessment

Manually checking this guidance against a tenant's configuration can be time-consuming and error-prone. The Zero Trust Assessment transforms this process with automation to test for these security configuration items and more. Learn more in What is the Zero Trust Assessment?

Protect identities and secrets

Reduce credential-related risk by implementing modern identity standards.

Check Minimum required license
Applications don't have client secrets configured None (included with Microsoft Entra ID)
Service principals don't have certificates or credentials associated with them None (included with Microsoft Entra ID)
Applications don't have certificates with expiration longer than 180 days None (included with Microsoft Entra ID)
Application certificates must be rotated on a regular basis None (included with Microsoft Entra ID)
Enforce standards for app secrets and certificates None (included with Microsoft Entra ID)
Microsoft services applications don't have credentials configured None (included with Microsoft Entra ID)
User consent settings are restricted None (included with Microsoft Entra ID)
Admin consent workflow is enabled None (included with Microsoft Entra ID)
High Global Administrator to privileged user ratio None (included with Microsoft Entra ID)
Administrative privileges are tightly limited to prevent compromise Microsoft Entra ID P1
Application admin rights are constrained to specific Private Access apps Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Privileged accounts are cloud native identities None (included with Microsoft Entra ID)
All privileged role assignments are activated just in time and not permanently active Microsoft Entra ID P2
All Microsoft Entra privileged role assignments are managed with PIM Microsoft Entra ID P2
Passkey authentication method enabled None (included with Microsoft Entra ID)
Security key attestation is enforced None (included with Microsoft Entra ID)
Privileged accounts have phishing-resistant methods registered Microsoft Entra ID P1
Privileged Microsoft Entra built-in roles are targeted with Conditional Access policies to enforce phishing-resistant methods Microsoft Entra ID P1
Conditional Access policies enforce strong authentication for private apps Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Application Proxy applications require preauthentication to block anonymous access Microsoft Entra ID P1
Require password reset notifications for administrator roles Microsoft Entra ID P1
Block legacy authentication policy is configured Microsoft Entra ID P1
Temporary access pass is enabled Microsoft Entra ID P1
Restrict Temporary Access Pass to Single Use Microsoft Entra ID P1
Migrate from legacy MFA and SSPR policies Microsoft Entra ID P1
Block administrators from using SSPR Microsoft Entra ID P1
Self-service password reset doesn't use security questions Microsoft Entra ID P1
SMS and Voice Call authentication methods are disabled Microsoft Entra ID P1
Secure the MFA registration (My Security Info) page Microsoft Entra ID P1
Use cloud authentication Microsoft Entra ID P1
All users are required to register for MFA Microsoft Entra ID P2
Users have strong authentication methods configured Microsoft Entra ID P1
User sign-in activity uses token protection Microsoft Entra ID P1
All user sign-in activity uses phishing-resistant authentication methods Microsoft Entra ID P1
All sign-in activity comes from managed devices Microsoft Entra ID P1
Security key authentication method enabled None (included with Microsoft Entra ID)
Privileged roles aren't assigned to stale identities Microsoft Entra ID P2
Microsoft Authenticator app shows sign-in context Microsoft Entra ID P1
Microsoft Authenticator app report suspicious activity setting is enabled Microsoft Entra ID P1
Password expiration is disabled Microsoft Entra ID P1
Smart lockout threshold set to 10 or less Microsoft Entra ID P1
Smart lockout duration is set to a minimum of 60 Microsoft Entra ID P1
Add organizational terms to the banned password list Microsoft Entra ID P1
Require multifactor authentication for device join and device registration using user action Microsoft Entra ID P1
Local Admin Password Solution is deployed Microsoft Entra ID P1
Entra Connect Sync is configured with Service Principal Credentials None (included with Microsoft Entra ID)
No usage of ADAL in the tenant None (included with Microsoft Entra ID)
Block legacy Azure AD PowerShell module None (included with Microsoft Entra ID)
Enable Microsoft Entra ID security defaults for free tenants None (included with Microsoft Entra ID)

Protect tenants and isolate production systems

Check Minimum required license
Permissions to create new tenants are limited to the Tenant Creator role None (included with Microsoft Entra ID)
Enable protected actions to secure Conditional Access policy creation and changes Microsoft Entra ID P1
Guest access is limited to approved tenants Microsoft Entra ID Free
Guests are not assigned high privileged directory roles Microsoft Entra ID Free
Microsoft Entra ID P2 or Microsoft ID Governance for PIM
Guests can't invite other guests Microsoft Entra ID Free
Guests have restricted access to directory objects Microsoft Entra ID Free
App instance property lock is configured for all multitenant applications Microsoft Entra ID Free
Guests don't have long lived sign-in sessions Microsoft Entra ID P1
Guest access is protected by strong authentication methods Microsoft Entra ID Free
Microsoft Entra ID P1 recommended for Conditional Access
Guest self-service sign-up via user flow is disabled Microsoft Entra ID Free
Outbound cross-tenant access settings are configured Microsoft Entra ID Free
Microsoft Entra ID P1 recommended for Conditional Access
Guests don't own apps in the tenant None (included with Microsoft Entra ID)
All guests have a sponsor Microsoft Entra ID Free
Inactive guest identities are disabled or removed from the tenant Microsoft Entra ID Free
All entitlement management policies have an expiration date Microsoft Entra ID P2 or Microsoft ID Governance for entitlement managed and access reviews
All entitlement management assignment policies that apply to external users require connected organizations Microsoft Entra ID P2 or Microsoft ID Governance for entitlement managed and access reviews
All entitlement management assignment policies that apply to external users require approval Microsoft Entra ID P2 or Microsoft ID Governance for entitlement managed and access reviews
All entitlement management packages that apply to guests have expirations or access reviews configured in their assignment policies Microsoft Entra ID P2 or Microsoft ID Governance for entitlement managed and access reviews
Manage the local administrators on Microsoft Entra joined devices None (included with Microsoft Entra ID)
Restrict nonadministrator users from recovering the BitLocker keys for their owned devices None (included with Microsoft Entra ID)

Protect networks

Protect your network perimeter.

Check Minimum required license
Named locations are configured Microsoft Entra ID P1
Tenant restrictions v2 policy is configured Microsoft Entra ID P1
Internet Access forwarding profile is enabled Microsoft Entra Internet Access
Web content filtering policies are configured Microsoft Entra Internet Access
Web content filtering uses category-based rules Microsoft Entra ID P1
Web content filtering policies are linked to security profiles Microsoft Entra ID P1
Web content filtering integrates with Conditional Access Microsoft Entra Internet Access
TLS inspection is enabled and correctly configured for outbound traffic Microsoft Entra ID P1
Threat intelligence filtering protects internet traffic Microsoft Entra Suite Add-on for Microsoft Entra ID P2
File transfer policies are configured to prevent data exfiltration Microsoft Entra Suite Add-on for Microsoft Entra ID P2
AI Gateway protects enterprise generative AI applications from prompt injection attacks Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Network validation is configured through Universal Continuous Access Evaluation Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Universal tenant restrictions block unauthorized external tenant access Microsoft Entra ID P1 or Microsoft Entra Suite Add-on for Microsoft Entra ID P2
External collaboration is governed by explicit cross-tenant access policies Microsoft Entra ID P1
Conditional Access policies use compliant network controls Microsoft Entra ID P1
Traffic forwarding profiles are scoped to appropriate users and groups for controlled deployment Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Private network connectors are active and healthy to maintain Zero Trust access to internal resources Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Private network connectors are running the latest version Microsoft Entra Suite Add-on for Microsoft Entra ID P2
At least two Private Access connectors are active and healthy per connector group Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Private DNS is configured for internal name resolution Microsoft Entra Private Access
DNS traffic for internal domains is routed through Private Access Microsoft Entra ID P1, Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Intelligent Local Access is enabled and configured Microsoft Entra Private Access
Quick Access is enabled and bound to a connector P1, Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Quick Access is bound to a Conditional Access policy Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Entra Private Access Application segments are defined to enforce least-privilege access Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Private Access sensors are enforcing strong authentication policies on domain controllers Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Quick Access has user or group assignments Microsoft Entra Suite Add-on for Microsoft Entra ID P2
All Private Access apps have user or group assignments Microsoft Entra Suite Add-on for Microsoft Entra ID P2
Outbound traffic from VNet integrated workloads is routed through Azure Firewall Azure Firewall Basic
Threat intelligence is enabled in deny mode on Azure Firewall Azure Firewall Premium
IDPS inspection is enabled in deny mode on Azure Firewall Azure Firewall Premium
Application Gateway WAF is enabled in prevention mode Azure Application Gateway WAF_v2
Azure Front Door WAF is enabled in prevention mode Azure Front Door Standard

Protect engineering systems

Protect software assets and improve code security.

Check Minimum required license
Emergency access accounts are configured appropriately Microsoft Entra ID P1
Global Administrator role activation triggers an approval workflow Microsoft Entra ID P2
Global Administrators don't have standing access to Azure subscriptions None (included with Microsoft Entra ID)
Creating new applications and service principals is restricted to privileged users Microsoft Entra ID P1
Inactive applications don't have highly privileged Microsoft Graph API permissions Microsoft Entra ID P1
Inactive applications don't have highly privileged built-in roles Microsoft Entra ID P1
App registrations use safe redirect URIs Microsoft Entra ID P1
Service principals use safe redirect URIs Microsoft Entra ID P1
App registrations must not have dangling or abandoned domain redirect URIs Microsoft Entra ID P1
Resource-specific consent is restricted Microsoft Entra ID P1
Workload Identities are not assigned privileged roles Microsoft Entra ID P1
Enterprise applications must require explicit assignment or scoped provisioning Microsoft Entra ID P1
Enterprise applications have owners None (included with Microsoft Entra ID)
Limit the maximum number of devices per user to 10 None (included with Microsoft Entra ID)
Conditional Access policies for Privileged Access Workstations are configured Microsoft Entra ID P1

Monitor and detect cyberthreats

Collect and analyze security logs and triage alerts.

Check Minimum required license
Diagnostic settings are configured for all Microsoft Entra logs Microsoft Entra ID P1
Privileged role activations have monitoring and alerting configured Microsoft Entra ID P2
Activation alert for Global Administrator role assignments Microsoft Entra ID P2
Activation alert for all privileged role assignments Microsoft Entra ID P2
Privileged users sign in with phishing-resistant methods Microsoft Entra ID P1
All high-risk users are triaged Microsoft Entra ID P2
All high-risk sign-ins are triaged Microsoft Entra ID P2
All risky workload identities are triaged Microsoft Entra ID P2
Tenant creation events are triaged Microsoft Entra ID P1
All user sign-in activity uses strong authentication methods Microsoft Entra ID P1
High priority Microsoft Entra recommendations are addressed Microsoft Entra ID P1
ID Protection notifications are enabled Microsoft Entra ID P2
No legacy authentication sign-in activity Microsoft Entra ID P1
All Microsoft Entra recommendations are addressed Microsoft Entra ID P1
Network access activity is visible to security operations for threat detection and response Microsoft Entra ID P1
Network access logs are retained for security analysis and compliance requirements Microsoft Entra ID P1

Accelerate response and remediation

Improve security incident response and incident communications.

Check Minimum required license
Workload Identities are configured with risk-based policies Microsoft Entra Workload ID
Restrict high risk sign-ins Microsoft Entra ID P2
Restrict access to high risk users Microsoft Entra ID P2

Related content

  • Last updated on