Best practices for securely deploying Microsoft Entra ID Governance

This document provides best practices for securing deploying Microsoft Entra ID Governance.

Least privilege

The principle of least privilege means giving users and workload identities the minimum level of access or permissions they need to perform their tasks. By limiting access to only required resources based on the specific roles or job functions of users, providing just-in-time access, and performing regular audits, you can reduce the risk of unauthorized actions and potential security breaches.

Microsoft Entra ID Governance limits the access a user has based on the role that they have been assigned. Ensure that your users have the least privileged role to perform the task that they need.

For more information, see least privilege with Microsoft Entra ID Governance

Preventing lateral movement

Recommendation: Don't use nested groups with PIM for groups.

Groups can control access to various resources, including Microsoft Entra roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications. Microsoft Entra ID allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups.

These groups can be “flat” or “nested groups” (a non-role assignable group is a member of a role assignable group). Roles such as the groups admin, exchange admin, and knowledge admin can manage the non-role assignable group, providing these admins a path to gain access to privileged roles. Ensure that role-assignable groups don't have non-role assignable groups as members.

For more information, see Privileged Identity Management (PIM) for Groups

Recommendation: Use Entitlement Management to provide access to sensitive resources, instead of hybrid groups.

Organizations have historically relied on Active Directory groups to access applications. Synchronizing these groups to Microsoft Entra ID makes it easy to reuse these groups and provide access to resources connected with Microsoft Entra ID. However, this creates lateral movement risk as a compromised account / group on-premises can be used to gain access to resources connected in the cloud.

When providing access to sensitive applications or roles, use entitlement management to drive assignment to the application instead of security groups synchronized from Active Directory Domain Services.

Deny by default

The principle of "Deny by Default" is a security strategy that restricts access to resources by default, unless explicit permissions are granted. This approach minimizes the risk of unauthorized access by ensuring that users and applications don't have access rights until they're specifically assigned. Implementing this principle helps create a more secure environment, as it limits potential entry points for malicious actors.

Entitlement Management

Connected organizations are a feature of entitlement management that allows users to gain access to resources across tenants. Follow these best practices when configuring connected organizations.

Recommendations:

• Require an expiration date for access-to-access packages in a connected organization. If, for example, users need access for the duration of a fixed contract, set the access package to expire at the end of the contract.
• Require approval prior to granting access to guests from connected organizations.
• Periodically review guest access to ensure that users only have access to resources that they still need.
• Carefully consider which organizations you're including as connected orgs. Periodically review the list of connected organizations and remove any that you don't collaborate with anymore.

PIM for roles

Recommendation: Require approval of PIM requests for Global Admin.

With Privileged Identity Management (PIM) in Microsoft Entra ID you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers.

For more information, see Approve or deny requests for Microsoft Entra roles in Privileged Identity Management

Defense in depth

The following sections provide additional guidance on multiple security measures you can take to provide a defense in depth strategy for your governance deployments.

Applications

Recommendation: Securely manage credentials for connectivity to applications

Encourage application vendors to support OAuth on their SCIM endpoints, rather than relying on long-lived tokens. Securely store credentials in Azure Key Vault, and regularly rotate your credentials.

Backup and recovery

Backup your configuration so you can recover to a known good state in case of a compromise. Use the following list to create a comprehensive backup strategy that covers the various areas of governance.

• Microsoft Graph APIs can be used to export the current state of many Microsoft Entra configurations.
• Microsoft Entra Exporter is a tool you can use to export your configuration settings.
• Microsoft 365 Desired State Configuration is a module of the PowerShell Desired State Configuration framework. You can use it to export configurations for reference and application of the prior state of many settings.

Monitoring

Monitoring helps detect potential threats and vulnerabilities early. By watching for unusual activities and configuration changes, you can prevent security breaches and maintain data integrity.

• Alert when users activate privileged roles. Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance
• Proactively monitor your environment for configuration changes and suspicious activity by integrating Microsoft Entra ID Audit Logs with Azure Monitor. Identity Governance custom alerts - Microsoft Entra ID Governance

Next steps

• What is identity governance?
• Understanding least privileged
• Govern the employee and guest lifecycle