As organizations adopt cloud services, maintaining visibility and control over user identities across diverse platforms and services can become challenging. Identity and access management solutions must provide centralized visibility and control to effectively manage identities. Microsoft Entra ID is a cloud identity and access management solution that connects employees, customers, and partners to their apps, devices, and data.

This article offers useful insights on enhancing the basic security posture of Microsoft Entra ID and ensuring that activities within our tenant are more predictable and effectively managed. We will delve into various configuration parameters to secure the Microsoft Entra ID tenant, establishing a solid foundation for future enhancements using tools such as Identity Governance. Please note that each organization can have different requirements and scenarios, so the tips presented in this article should not be treated as a “fix-them-all” solution. Each setting should be explored individually to make a proper decision.

To start, let’s discuss the current configuration status of Microsoft Entra ID. This will help us identify areas that can be improved from both security and visibility perspectives.

Default User Permissions

In Microsoft Entra ID, every user is initially assigned a default set of permissions. A user’s access is determined by factors such as their user type, role assignments, and ownership of specific objects. The default permissions assigned vary based on whether the user is a native member of the tenant (referred to as a member user) or is invited from another directory through business-to-business (B2B) collaboration as a guest user. Let’s discuss some of them to make it easier to understand the improvements we are going to apply.

  • Member users – they have the ability to register applications, manage their own profile photo and mobile phone number, update their password, and extend invitations to business-to-business (B2B) guests. Additionally, they can access most directory information, with a few exceptions. Member users can also create security and Microsoft 365 groups.
  • Guest users – they possess limited directory permissions. They can manage their own profiles, update their passwords, and access some information about other users, groups, and apps. However, they do not have the capability to access all directory information. Guest users can also invite other guests to the Microsoft Entra ID tenant.

As we can see, there are a few default permissions which can be updated to increase security and visibility in our tenant. Let’s look at how we can adjust user permissions to make our tenant more secure and increase visibility into what actions are performed in it.

Default User Permissions – improvements

In the Microsoft Entra Admin Center we can update default member user settings.

  • Users can register applications – Setting this to No restricts users from creating application registrations. If needed, we can selectively restore this capability for specific individuals by assigning them the Application Developer role. If our tenant has a P1 (Premium P1) license enabled, we can also create a dedicated security group, assign the Application Developer role to this group, and then add specific people to it. With such an approach we have a clear overview of the members within our organization who have permission to register applications in the Microsoft Entra ID tenant. Another way would be to use Microsoft Entra Privileged Identity Management (PIM). In this case, if a user has been made eligible for an administrative role, they must activate the role assignment when they need to perform a privileged action like application registration. We will talk more about PIM in another article.
  • Restrict non-admin users from creating tenants – In the Microsoft Entra ID and Microsoft Entra Administration Portal, by default, users have the ability to create tenants through the “Manage Tenant” section. It’s important to note that the individual creating the tenant automatically assumes the role of Global Administrator for that specific tenant. Additionally, the newly created tenant does not inherit any pre-existing settings or configurations. It is therefore good to restrict this capability to make sure that new tenants are created in a controlled and well-thought-out way.
  • Users can create security groups – Setting this to No restricts regular users from creating security groups. However, it’s worth noting that users with the Global Administrator and User Administrator roles retain the ability to create security groups. By disabling this capability we make sure that security groups and memberships are handled in a controlled way in our Microsoft Entra ID tenant.

After the changes, here is how the Default user role permissions section looks in the Microsoft Entra Admin Center:

Default Guest User Access – improvements

As mentioned earlier, by default, guest users in Microsoft Entra ID are assigned a limited permission level. We have the option to control the visibility of information for external guest users in the Microsoft Entra ID tenant. We can make guest user access level even more restricted by selecting the most restrictive option. When guest access is limited, guests are only able to view their own user profile. They do not have permission to view information about other users, even when searching by User Principal Name or ObjectId. Additionally, restricted access prevents guest users from viewing the membership details of groups they are part of.

After the changes, here is how the Guest user access restrictions section looks in the Microsoft Entra Admin Center:

This is not enough, there is more! When we click Manage external collaboration settings, there are more features we can configure. Let’s discuss them.

As we can see above, we have additional sections which we can use to configure external collaboration settings for guest users. Let’s explain them and talk about how we can use them to improve the security of external collaboration.

  • Guest invite restrictions – By default, all users in the Microsoft Entra ID tenant, including guest users (B2B), can invite external users to B2B collaboration. To make our tenant more secure and make sure we control who is invited, we can select Only users assigned to specific admin roles can invite guest users. It means that only users with the Global Administrator, User Administrator, or Guest Inviter role can invite guests to the Microsoft Entra ID tenant.
  • Collaboration restrictions – With this setting we can limit which domains invites can be sent to. To make sure that only users from specific domains can be invited to our tenant, we can change this setting to Allow invitations only to the specified domains (most restrictive). A list will be displayed where we have to provide the domains:
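The default member permissions, the guest access level and the guest invite restriction described above all live on the tenant’s single authorizationPolicy object in Microsoft Graph, so they can be audited and set together. The script below is an added example using the Microsoft Graph PowerShell SDK (it is not part of the original article); it assumes the Microsoft.Graph module is installed and the signed-in account can consent to Policy.ReadWrite.Authorization. The allowed-domains list is a separate B2B policy and is not covered here.

```powershell
# Added example: harden default user, guest and invite settings with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the caller can grant Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Role template IDs Microsoft documents for the guestUserRoleId property:
#   a0b1b346-4d3e-4e8b-98f8-753987be4970  User (guests get the same access as members)
#   10dae51f-b6af-4016-8d66-8c2a99b929b3  Guest User (limited access, the default)
#   2af84b1e-32c8-42b7-82bc-daa82404023b  Restricted Guest User (most restrictive)
$RestrictedGuestRoleId = "2af84b1e-32c8-42b7-82bc-daa82404023b"

# There is exactly one authorization policy per tenant; read it before changing anything.
$before = Get-MgPolicyAuthorizationPolicy
Write-Host "Current settings:"
Write-Host "  Users can register applications : $($before.DefaultUserRolePermissions.AllowedToCreateApps)"
Write-Host "  Users can create security groups: $($before.DefaultUserRolePermissions.AllowedToCreateSecurityGroups)"
Write-Host "  Users can create tenants        : $($before.DefaultUserRolePermissions.AllowedToCreateTenants)"
Write-Host "  Guest user role id              : $($before.GuestUserRoleId)"
Write-Host "  Who can invite guests           : $($before.AllowInvitesFrom)"

# Desired state, matching the admin-center choices described in the article:
#   register apps = No, create security groups = No, restrict tenant creation = Yes,
#   guest access = most restrictive, invites only from admins and Guest Inviters.
$desired = @{
    defaultUserRolePermissions = @{
        allowedToCreateApps           = $false
        allowedToCreateSecurityGroups = $false
        allowedToCreateTenants        = $false
    }
    guestUserRoleId  = $RestrictedGuestRoleId
    # Other documented values: everyone, adminsGuestInvitersAndAllMembers, none
    allowInvitesFrom = "adminsAndGuestInviters"
}

Update-MgPolicyAuthorizationPolicy -BodyParameter $desired

# Read the policy back and verify instead of trusting the write.
$after = Get-MgPolicyAuthorizationPolicy
$ok = (-not $after.DefaultUserRolePermissions.AllowedToCreateApps) -and
      (-not $after.DefaultUserRolePermissions.AllowedToCreateSecurityGroups) -and
      (-not $after.DefaultUserRolePermissions.AllowedToCreateTenants) -and
      ($after.GuestUserRoleId -eq $RestrictedGuestRoleId) -and
      ($after.AllowInvitesFrom -eq "adminsAndGuestInviters")
if ($ok) { Write-Host "Tenant defaults hardened as expected." }
else     { Write-Warning "Verification failed; review the policy in the Microsoft Entra Admin Center." }
```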

Directory Level Idle Timeout – improvements

The inactivity timeout setting serves as a safeguard, preventing unauthorized access to resources in case a user forgets to secure their workstation while the Microsoft Azure portal and Microsoft 365 Admin Center are open. Users assigned the Global Administrator role can set the maximum idle time, determining how long a session can remain inactive before being automatically signed out. This inactivity timeout setting is universal and applies to all users in the directory. Once configured, all new sessions will adhere to the updated timeout settings. It’s important to note that this adjustment will only impact signed-in users during their subsequent sessions or the next authentication.

It is worth keeping the idle timeout quite short – 15 minutes should be enough. Using the gear icon in the Microsoft Entra Admin Center we can change the configuration under the Signing out + notifications section.

Limit Number of Global Administrators

Users with the Global Administrator role assigned can manage all aspects of the Microsoft Entra ID tenant and the Microsoft services that use Microsoft Entra identities. This is why it is recommended to limit the number of users assigned to this role. Microsoft’s official recommendation is to have fewer than 5 users with the Global Administrator role.

Using the Roles & admins tab under the Identity section in the Microsoft Entra Admin Center we can check how many users have the Global Administrator role assigned. It is good to agree which people in our organization should be assigned this role to increase the security of our Microsoft Entra ID tenant.
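The same check can be scripted so it can run on a schedule rather than being eyeballed in the portal. This is an added example with Microsoft Graph PowerShell (not from the original article); it assumes the Microsoft.Graph module and read access to directory roles, and it only counts active assignments, not PIM-eligible ones.

```powershell
# Added example: list every active Global Administrator and warn when the count is not under 5.
# Assumes the Microsoft.Graph module is installed; counts active assignments only (PIM eligibility is not shown).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template
$MaxRecommended = 5                                                 # Microsoft recommends fewer than 5

# Get-MgDirectoryRole lists only roles activated in the tenant; Global Administrator always is.
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $GlobalAdminTemplateId }
if (-not $role) { throw "Global Administrator role not found in this tenant." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$report = foreach ($m in $members) {
    # Members come back as generic directoryObjects; type-specific fields sit in AdditionalProperties.
    $props = $m.AdditionalProperties
    $principal = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['appId'] }
    [pscustomobject]@{
        Type        = ($props['@odata.type'] -replace '#microsoft.graph.', '')   # user, servicePrincipal, group
        DisplayName = $props['displayName']
        Principal   = $principal
        Id          = $m.Id
    }
}
$report | Format-Table -AutoSize

$count = @($report).Count
if ($count -ge $MaxRecommended) {
    Write-Warning "$count Global Administrators found; Microsoft recommends fewer than $MaxRecommended."
} else {
    Write-Host "$count Global Administrators found (within the recommended limit)."
}
```

A group in the output means a role-assignable group holds the role, so its membership needs to be reviewed as well.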

Enable Custom Banned Password List

In Microsoft Entra ID, there’s a special feature known as the global banned password list. This list is unique because it’s not derived from any external sources. Instead, it’s continuously updated based on the insights gathered from Microsoft Entra’s security monitoring and analysis. Whenever a user or administrator attempts to change or reset their password, the system cross-checks the proposed password against this list of banned passwords. If there’s a match, the password change request is denied to ensure better security.

For organizations with a P1 or P2 license of Microsoft Entra, there is an option to define a custom banned password list. Using the Authentication methods tab under the Protection section we can enable custom list enforcement. This is the place where we can provide terms and likely password variations that users should not be allowed to use (like passwords related to our organization’s brand). The custom banned password list works together with the global banned password list to uphold robust password practices within our organization.

Enable Security Defaults

If you want to start increasing the security posture of your Microsoft Entra ID tenant, but you do not know where to begin and you do not own a P1 or P2 license, the Security Defaults option is for you.
Microsoft is extending these pre-configured security settings to everyone, recognizing the challenges in managing security. Each new Microsoft Entra ID tenant has Security Defaults enabled.

What is included?

  • Requiring all users to register for multifactor authentication
  • Requiring administrators to do multifactor authentication
  • Requiring users to do multifactor authentication when necessary
  • Blocking legacy authentication protocols
  • Protecting privileged activities like access to the Azure portal

Users are provided with a 14-day window to register using either the Microsoft Authenticator app or any app that supports OATH TOTP. Once this period elapses, the user won’t be able to sign in until the registration process is finalized. The 14-day countdown commences after the user’s initial successful interactive sign-in following the activation of security defaults.

After we enable security defaults in the Microsoft Entra ID tenant, any user accessing the following services must complete multi-factor authentication:

  • Azure portal
  • Microsoft Entra admin center
  • Azure PowerShell
  • Azure CLI

To check if we have Security Defaults enabled, we can open the Overview tab in the Microsoft Entra Admin Center and switch to the Properties tab. At the bottom there will be information about the status.

Enable Conditional Access Policies

For organizations with more complex security requirements that own a P1 or P2 license of Microsoft Entra, there is the ability to utilize Conditional Access. Conditional Access policies can be understood as straightforward if-then statements. In essence, if a user seeks access to a resource, they must fulfill a specific action. For instance, if a user wishes to access the Microsoft Entra Admin Center or Microsoft Azure portals, they are required to undergo multi-factor authentication as a prerequisite for access.

Under the Protection section, we can select Conditional Access and from there create a new Conditional Access policy. There is a great enhancement in the Microsoft Entra Admin Center: when we click Create a new policy, we have access to pre-created templates. If you’re just starting with Microsoft Entra ID, we strongly recommend enabling MFA for all users. There is a dedicated template to do it:

We can configure more policies and adjust them to our organization’s needs. It is also important to mention that once we decide to use Conditional Access policies, we must disable Security Defaults described earlier in the article.
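The template above can also be created from code, which makes the dependency on Security Defaults explicit: the two are mutually exclusive, so the script turns Security Defaults off and creates the MFA policy in one run. This is an added example with Microsoft Graph PowerShell (not the article’s or Microsoft’s template code); it assumes the Microsoft.Graph module, the listed scopes, and a placeholder object id for your emergency access account that you replace before running.

```powershell
# Added example: replace Security Defaults with a "Require MFA for all users" Conditional Access policy.
# Assumes the Microsoft.Graph module is installed and the caller can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Placeholder: object id of the emergency access (break-glass) account that must never be locked out.
$BreakGlassUserId = "<object id of your emergency access account>"

# Security Defaults and Conditional Access cannot both be enabled, so check and disable first.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
    Write-Host "Security Defaults disabled."
}

# Same shape as the "Require MFA for all users" template: all users, all cloud apps, grant = MFA.
# Created in report-only mode; switch state to "enabled" after checking the sign-in logs, since
# report-only does not enforce anything.
$policy = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)."

# Confirm the tenant is now in the expected state.
$sdAfter = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($sdAfter.IsEnabled)"
```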

User Consent Settings

In the Microsoft Entra ID tenant, we have the option to manage the permissions for end users, determining when they can independently approve applications and when they need to seek administrator review and approval. While empowering users to grant access to applications enhances their ability to utilize helpful tools and boost productivity, it also introduces potential risks. Hence, it’s essential to carefully monitor and control these permissions to ensure a secure and productive environment.

Prior to allowing an application to access your organization’s data, users need to explicitly grant the necessary permissions. These permissions vary, dictating the level of access granted. By default, users are empowered to consent to applications for permissions that don’t demand administrator approval. For instance, a user can grant consent for an app to access their mailbox, but certain permissions, such as unrestricted access to all files in the organization, require administrator consent and cannot be granted by individual users.

Let’s see how we can improve the security aspect here.

User Consent Settings – improvements

First, it is important to know that we have two possible options to reduce the risk:

  • Allow user consent for apps from verified publishers, for selected permissions – With this option we allow users to consent only to applications owned by verified publishers. When an application has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft.
  • Do not allow user consent – With this option we do not allow users to consent at all. Instead, they have to request a review by the tenant’s administrator. We strongly recommend this one if you want full visibility into the applications used by users in your organization and if you are at the beginning of your journey with Microsoft Entra ID.

With the above configuration we have to make sure that users can still request administrator consent for applications they are no longer able to consent to themselves. Under Admin consent settings, we can apply the proper changes. First of all, we have to enable the first toggle presented in the picture below.

Next, we have to decide who will review admin consent requests. We have three possible reviewer types:

  • Users – We can designate specific people in our tenant as reviewers. The chosen reviewers have the authority to take action (review, block, deny) on new admin consent requests. While all reviewers possess the ability to block and deny admin consent requests, the ability to grant admin consent is exclusive to users holding the Global, Application, or Cloud application administrator role.
  • Groups – We can also assign security groups created in the Microsoft Entra ID tenant as reviewers. This works similarly to users: all group members can block and deny admin consent requests, but the ability to grant admin consent is exclusive to users holding the Global, Application, or Cloud application administrator role.
  • Roles – This last setting enables us to select which roles can take action (review, block, deny) on new admin consent requests. Still, the ability to grant admin consent is exclusive to users holding the Global, Application, or Cloud application administrator role.

If you’re just starting with Microsoft Entra ID, it’s highly advised to designate a few users within your organization to review consent requests from other users. Ensuring that email notifications are activated for reviewers upon the submission of new requests is crucial. Additionally, setting up expiration reminders for reviewers can be beneficial. One more consideration – setting a seven-day time frame for request expiry is generally sufficient.
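The two consent changes above (“Do not allow user consent” and the admin consent request workflow with named reviewers, notifications, reminders and a seven-day expiry) map to two Graph policies. The script below is an added example with Microsoft Graph PowerShell (not from the original article); the reviewer UPNs are constructed sample values, and it assumes the Microsoft.Graph module and the listed scopes.

```powershell
# Added example: disable user consent and route consent requests to named reviewers.
# Assumes the Microsoft.Graph module is installed and the caller can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConsentRequest","User.Read.All"

# 1. "Do not allow user consent" = no permission-grant policy assigned to the default user role.
#    The article's other option, verified publishers with selected (low-risk) permissions, would be
#    @("ManagePermissionGrantsForSelf.microsoft-user-default-low") instead of an empty list.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    permissionGrantPolicyIdsAssignedToDefaultUserRole = @()
}

# 2. Enable the admin consent request workflow with specific users as reviewers.
$reviewerUpns = @("alice@contoso.example", "bob@contoso.example")   # constructed sample reviewers
$reviewers = foreach ($upn in $reviewerUpns) {
    $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
    # Reviewers are expressed as Graph queries; a single user is "/users/{id}".
    @{ query = "/users/$($u.Id)"; queryType = "MicrosoftGraph" }
}

Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    reviewers             = @($reviewers)
    notifyReviewers       = $true   # email reviewers when a new request arrives
    remindersEnabled      = $true   # remind reviewers before a request expires
    requestDurationInDays = 7       # requests expire after a week, as suggested in the article
}

# 3. Read both policies back and show the effective state.
$auth = Get-MgPolicyAuthorizationPolicy
$acr  = Get-MgPolicyAdminConsentRequestPolicy
$userConsentPolicies = @($auth.PermissionGrantPolicyIdsAssignedToDefaultUserRole).Count
Write-Host "User consent policies assigned : $userConsentPolicies (0 means users cannot consent)"
Write-Host "Admin consent requests enabled : $($acr.IsEnabled)"
Write-Host "Reviewers configured           : $(@($acr.Reviewers).Count)"
Write-Host "Notify / remind / expiry days  : $($acr.NotifyReviewers) / $($acr.RemindersEnabled) / $($acr.RequestDurationInDays)"
```

Only reviewers who also hold the Global, Application, or Cloud application administrator role will be able to approve requests; the others can review, block, or deny.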

Summary

Make sure that your Microsoft Entra ID tenant has proper security controls established. With the first steps presented in this article we can be sure that we have solid fundamentals to move forward and utilize other tools and features, like Privileged Identity Management or Entitlement Management, to increase security, implement identity governance, and increase visibility of the actions taken in our tenant.

At Formula5, we firmly believe in the efficiency of Microsoft Entra in assisting organizations with deploying modern and secure IAM and CIAM solutions. Our commitment includes substantial investments in both knowledge acquisition and team skill development to effectively support clients on their journey towards identity modernization. Please contact us using this form if you need our help with building a modern, resilient, and secure identity solution for your organization with Microsoft Entra.

We also encourage you to check Formula5’s Microsoft Entra Products Overview. To help organizations understand the role and potential behind each Microsoft Entra product, we offer a free 2-hour briefing about Microsoft Entra products including Microsoft Entra ID, Microsoft Entra Governance and Microsoft Entra Verified ID.

Written By

Modern Identity Lead
