Configure Microsoft Entra for increased security (Preview)

In Microsoft Entra, we group our security recommendations into several main areas. This structure allows organizations to logically break up projects into related consumable chunks.

Tip

Some organizations might take these recommendations exactly as written, while others might choose to make modifications based on their own business needs. In our initial release of this guidance, we focus on traditional workforce tenants. These workforce tenants are for your employees, internal business apps, and other organizational resources.

We recommend that all of the following controls be implemented where licenses are available. These patterns and practices help to provide a foundation for other resources built on top of this solution. More controls will be added to this document over time.

Protect identities and secrets

Reduce credential-related risk by implementing modern identity standards.

| Check | Minimum required license |
| --- | --- |
| Applications don't have client secrets configured | Microsoft Entra ID P1 |
| Applications don't have certificates with expiration longer than 180 days | Microsoft Entra ID P1 |
| Application certificates need to be rotated on a regular basis | Microsoft Entra ID P1 |
| Microsoft services applications don't have credentials configured | Microsoft Entra ID P1 |
| User consent settings are restricted | Microsoft Entra ID P1 |
| Admin consent workflow is enabled | Microsoft Entra ID P1 |
| Privileged accounts are cloud native identities | Microsoft Entra ID P2 |
| All privileged role assignments are activated just in time and not permanently active | Microsoft Entra ID P2 |
| Privileged accounts have phishing-resistant methods registered | Microsoft Entra ID P1 |
| Privileged Microsoft Entra built-in roles are targeted with Conditional Access policies to enforce phishing-resistant methods | Microsoft Entra ID P1 |
| Require password reset notifications for administrator roles | Microsoft Entra ID P1 |
| Block legacy authentication | Microsoft Entra ID P1 |
| Migrate from legacy MFA and SSPR policies | Microsoft Entra ID P1 |
| SMS and voice call authentication methods are disabled | Microsoft Entra ID P1 |
| Secure the MFA registration (My Security Info) page | Microsoft Entra ID P1 |
| Use cloud authentication | Microsoft Entra ID P1 |
| Users have strong authentication methods configured | Microsoft Entra ID P1 |
| User sign-in activity uses token protection | Microsoft Entra ID P1 |
| Authenticator app shows sign-in context | Microsoft Entra ID P1 |
| Password expiration is disabled | Microsoft Entra ID P1 |
| Require multifactor authentication for device join and device registration using user action | Microsoft Entra ID P1 |
| Enable Microsoft Entra ID security defaults | None (included with Microsoft Entra ID) |

Protect networks

Protect your network perimeter.

| Check | Minimum required license |
| --- | --- |
| Named locations are configured | Microsoft Entra ID P1 |
| Tenant restrictions v2 policy is configured | Microsoft Entra ID P1 |

Protect engineering systems

Protect software assets and improve code security.

| Check | Minimum required license |
| --- | --- |
| Emergency access accounts are configured appropriately | Microsoft Entra ID P1 |
| Global Administrator role activation triggers an approval workflow | Microsoft Entra ID P2 |
| Global Administrators don't have standing access to Azure subscriptions | Microsoft Entra ID P2 |
| Creating new applications and service principals is restricted to privileged users | Microsoft Entra ID P1 |
| Inactive applications don't have highly privileged Microsoft Graph API permissions | Microsoft Entra ID P1 |
| Inactive applications don't have highly privileged built-in roles | Microsoft Entra ID P1 |
| App registrations use safe redirect URIs | Microsoft Entra ID P1 |
| Service principals use safe redirect URIs | Microsoft Entra ID P1 |
| App registrations must not have dangling or abandoned domain redirect URIs | Microsoft Entra ID P1 |
| Resource-specific consent to application is restricted | Microsoft Entra ID P1 |
| Workload identities are not assigned privileged roles | Microsoft Entra ID P1 |
| Enterprise applications must require explicit assignment or scoped provisioning | Microsoft Entra ID P1 |
| Conditional Access policies for Privileged Access Workstations are configured | Microsoft Entra ID P1 |
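The three redirect URI checks above (safe URIs on app registrations, safe URIs on service principals, no dangling or abandoned hosts) share one evaluation: walk every redirect URI, reject plaintext HTTP off loopback and wildcard hosts, and flag hosts that no longer resolve or that the organization does not own. The following is an added example, not Microsoft's code. It reads application objects (`web`, `spa` and `publicClient.redirectUris`) and service principal objects (`replyUrls`) in their Graph shape from a constructed sample; the `host_resolves` callable and `OWNED_DOMAINS` set are assumptions standing in for DNS lookups and for the tenant's verified domains.

```python
from urllib.parse import urlsplit

# Entra permits http:// only for loopback redirect URIs, so these hosts are exempt
# from the plaintext check. urlsplit().hostname strips the brackets from [::1].
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def iter_redirect_uris(obj):
    """Yield (platform, uri) for a Graph application (web/spa/publicClient
    .redirectUris) or service principal (replyUrls) object."""
    for platform in ("web", "spa", "publicClient"):
        for uri in (obj.get(platform) or {}).get("redirectUris", []):
            yield platform, uri
    for uri in obj.get("replyUrls") or []:
        yield "servicePrincipal", uri


def classify_redirect_uri(uri, owned_domains, host_resolves):
    """Return the issues found for one redirect URI; an empty list means safe."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    issues = []
    if parts.scheme not in ("http", "https"):
        return issues                    # custom mobile/desktop schemes are out of scope here
    if "*" in parts.netloc:
        issues.append("wildcard_host")   # any subdomain of the wildcard can receive codes
        return issues                    # a wildcard can't be resolved or ownership-checked
    if parts.scheme == "http" and host not in LOOPBACK_HOSTS:
        issues.append("plaintext_http")
    if host in LOOPBACK_HOSTS:
        return issues
    owned = any(host == d or host.endswith("." + d) for d in owned_domains)
    if not host_resolves(host):
        issues.append("dangling_host")   # nothing answers: registrable by an attacker
    elif not owned:
        issues.append("unowned_host")    # resolves, but to a domain you don't control
    return issues


def audit_redirect_uris(objects, owned_domains, host_resolves):
    """Return (identifier, platform, uri, issue) tuples across all objects."""
    findings = []
    for obj in objects:
        ident = obj.get("appId") or obj.get("id")
        for platform, uri in iter_redirect_uris(obj):
            for issue in classify_redirect_uri(uri, owned_domains, host_resolves):
                findings.append((ident, platform, uri, issue))
    return findings


# Constructed sample. OWNED_DOMAINS stands in for the tenant's verified domains
# and RESOLVING_HOSTS for DNS; in production replace the lambda with a lookup
# such as socket.getaddrinfo wrapped in a try/except.
OWNED_DOMAINS = {"contoso.com"}
RESOLVING_HOSTS = {"portal.contoso.com", "intranet.contoso.com", "app.fabrikam.com"}
SAMPLE_OBJECTS = [
    {"appId": "app-portal",
     "web": {"redirectUris": ["https://portal.contoso.com/signin-oidc",
                              "http://localhost:3000/callback"]}},
    {"appId": "app-intranet",
     "web": {"redirectUris": ["http://intranet.contoso.com/auth"]},
     "spa": {"redirectUris": ["https://*.contoso.com/cb"]}},
    {"id": "sp-campaign",
     "replyUrls": ["https://old-campaign.azurewebsites.net/auth"]},
    {"appId": "app-partner",
     "publicClient": {"redirectUris": ["https://app.fabrikam.com/cb"]}},
]

if __name__ == "__main__":
    for finding in audit_redirect_uris(SAMPLE_OBJECTS, OWNED_DOMAINS,
                                       lambda h: h in RESOLVING_HOSTS):
        print(*finding)
```

A host that resolves is not proof that you still own it: pair the `unowned_host` results with a review of the tenant's verified domains (`GET /domains`) and of any cloud hostnames, such as the `azurewebsites.net` example, whose registration lapses when the resource is deleted.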

Monitor and detect cyberthreats

Collect and analyze security logs and triage alerts.

| Check | Minimum required license |
| --- | --- |
| Diagnostic settings are configured for all Microsoft Entra logs | Microsoft Entra ID P1 |
| Privileged role activations have monitoring and alerting configured | Microsoft Entra ID P2 |
| Privileged users sign in with phishing-resistant methods | Microsoft Entra ID P1 |
| All high-risk users are triaged | Microsoft Entra ID P2 |
| All high-risk sign-ins are triaged | Microsoft Entra ID P2 |
| All user sign-in activity uses strong authentication methods | Microsoft Entra ID P1 |
| High priority Microsoft Entra recommendations are addressed | Microsoft Entra ID P1 |
| No legacy authentication sign-in activity | Microsoft Entra ID P1 |
| All Microsoft Entra recommendations are addressed | Microsoft Entra ID P1 |
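Two of the checks above, "No legacy authentication sign-in activity" and "All user sign-in activity uses strong authentication methods", are answered from the sign-in logs rather than from tenant settings. The following is an added example, not code from the Microsoft page. It runs over sign-in entries in the shape of `GET /auditLogs/signIns` (the same records the diagnostic setting above exports), using a constructed sample. It treats the two client app values Entra assigns to modern authentication, `Browser` and `Mobile Apps and Desktop clients`, as modern and everything else (`Exchange ActiveSync`, `IMAP4`, `POP3`, `Authenticated SMTP`, `Other clients`, and so on) as legacy; the user principal names, app names and error code in the sample are invented.

```python
# Client app values Entra records for modern authentication. Every other value
# in the "Client app" column of the sign-in log is a basic/legacy protocol.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def is_legacy(sign_in):
    """True when the sign-in came through a legacy (basic auth) client."""
    return sign_in.get("clientAppUsed") not in MODERN_CLIENT_APPS


def triage_sign_ins(sign_ins):
    """Split sign-ins into the buckets the two checks care about.

    legacy_success         legacy protocol, sign-in succeeded: the check fails outright
    legacy_failed          legacy protocol, sign-in failed: evidence of spray or stale clients
    single_factor_success  modern client, succeeded with only a single factor
    Legacy sign-ins are single-factor by construction, so they are not counted twice.
    """
    report = {"legacy_success": [], "legacy_failed": [], "single_factor_success": []}
    for s in sign_ins:
        who = (s.get("userPrincipalName"), s.get("clientAppUsed"), s.get("appDisplayName"))
        succeeded = (s.get("status") or {}).get("errorCode", 0) == 0
        if is_legacy(s):
            report["legacy_success" if succeeded else "legacy_failed"].append(who)
        elif succeeded and s.get("authenticationRequirement") == "singleFactorAuthentication":
            report["single_factor_success"].append(who)
    return report


def users_to_remediate(report):
    """Accounts that authenticated successfully without MFA, by either route."""
    return sorted({who[0] for key in ("legacy_success", "single_factor_success")
                   for who in report[key]})


# Constructed sample in the shape of /auditLogs/signIns entries.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-mailbox@contoso.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.com", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Other clients", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    result = triage_sign_ins(SAMPLE_SIGN_INS)
    for bucket, entries in result.items():
        print(bucket, entries)
    print("remediate:", users_to_remediate(result))
```

Run this over at least the full 30-day retention window before enabling the "Block legacy authentication" control, because a service account that only authenticates monthly will be missed by a shorter sample. The failed legacy attempts are worth keeping in the report even though they do not fail the check: they show which accounts are still being targeted over basic auth after the block goes in.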

Accelerate response and remediation

Improve security incident response and incident communications.

| Check | Minimum required license |
| --- | --- |
| Workload identities based on risk policies are configured | Microsoft Entra Workload ID |
| Restrict high-risk sign-ins | Microsoft Entra ID P2 |
| Restrict access to high-risk users | Microsoft Entra ID P2 |