
Top Recommended Security Settings for Microsoft Entra ID: A Guide for M365 Admins

 


In today's digital landscape, where security threats are ever-evolving, simply relying on default settings is rarely sufficient. As an M365 Admin, you have the critical responsibility of tailoring Microsoft Entra ID settings to secure your organization while delivering an optimized, seamless experience for end users. This blog dives into the top recommended settings to strengthen the security posture of your Microsoft Entra ID tenant beyond the defaults.

Whether you’re safeguarding against unauthorized access, streamlining Conditional Access policies, or enabling advanced identity protection features, the configurations outlined here are designed to align with industry best practices and customizable to fit unique business needs. Discover essential adjustments and practical insights to achieve a balance between stringent security controls and enhanced usability, empowering your organization to harness the full potential of Microsoft Entra ID with confidence.

What's New in Microsoft Entra ID

Before diving into the essential security settings of Entra ID, let's take a quick look at a valuable resource: the "What's New" tab in the Microsoft Entra admin center. On the left side of the portal, this tab provides quick access to Entra Highlights, including top announcements, new releases, and change notifications. Under the "Roadmap" tab, you'll find features in Public Preview and General Availability, complete with their release dates and statuses. As an M365 Admin, regularly checking "What's New" helps you prepare to adopt new features, leverage added benefits, and improve your environment's configuration.

Entra ID What's New

Entra ID Highlights

Entra ID Roadmap

Entra ID Change announcements


Entra ID Recommendations

The Microsoft Entra recommendations feature helps monitor your tenant’s security and health, ensuring you get the most out of Microsoft Entra ID. These recommendations now include Identity Secure Score, which provides insights into the security of your tenant, offering a score based on various security factors.

These personalized recommendations give actionable guidance to:

  • Identify opportunities to implement best practices.
  • Improve your tenant’s security state.
  • Optimize configurations for your scenarios.

Microsoft Entra ID analyzes your tenant daily, comparing its configuration to security best practices. Applicable recommendations are prioritized in the Recommendations section of the identity overview, helping you focus on critical areas. Each recommendation includes a description, value summary, step-by-step action plan, and impacted resources, making it easy to address security issues efficiently. The Identity Secure Score at the top of the page provides a numerical representation of your tenant's overall security health.

Entra ID Recommendations


Recommendation | Impacted Resources | Required License | Availability
Enable Microsoft Purview Adaptive Protection and the Insider Risk condition in Conditional Access | Users | Microsoft Entra ID P2 | Generally Available
Convert per-user MFA to Conditional Access MFA | Users | All licenses | Generally Available
Migrate applications from AD FS to Microsoft Entra ID | Applications | All licenses | Generally Available
Migrate apps and service principals from Azure AD Graph to Microsoft Graph | Applications | All licenses | Public Preview
Migrate from ADAL to MSAL | Applications | All licenses | Generally Available
Migrate from MFA Server to Microsoft Entra MFA | Tenant level | All licenses | Generally Available
Migrate to Microsoft Authenticator | Users | All licenses | Preview
Minimize MFA prompts from known devices | Users | All licenses | Generally Available
Remove unused applications | Applications | Microsoft Entra Workload ID Premium | Public Preview
Remove unused credentials from applications | Applications | Microsoft Entra Workload ID Premium | Public Preview
Renew expiring application credentials | Applications | Microsoft Entra Workload ID Premium | Public Preview
Renew expiring service principal credentials | Applications | Microsoft Entra Workload ID Premium | Public Preview


Microsoft Entra recommendations now include email notifications whenever a new recommendation is generated. This preview feature automatically sends emails to a designated set of roles based on the recommendation type. For instance, recommendations related to the health of your tenant's applications are sent to users assigned the Application Administrator role.

The table below lists the built-in Microsoft roles that receive email notifications for each specific recommendation:

Recommendation Title | Target Roles
AAD Connect Deprecated | Hybrid Identity Administrator
Convert per-user MFA to Conditional Access MFA | Security Administrator
Designate more than one Global Administrator | Global Administrator
Do not allow users to grant consent to unreliable applications | Global Administrator
Do not expire passwords | Global Administrator
Enable password hash sync if hybrid | Hybrid Identity Administrator
Enable policy to block legacy authentication | Conditional Access Administrator, Security Administrator
Enable self-service password reset | Authentication Policy Administrator
Ensure all users can complete multifactor authentication | Conditional Access Administrator, Security Administrator
Long-lived credentials in applications | Global Administrator
Migrate Applications from the retiring Azure AD Graph APIs to Microsoft Graph | Application Administrator
Migrate applications from AD FS to Microsoft Entra ID | Application Administrator, Authentication Administrator, Hybrid Identity Administrator
Migrate authentication methods off the legacy MFA & SSPR policies | Global Administrator
Migrate from ADAL to MSAL | Application Administrator
Migrate from MFA Server to Microsoft Entra MFA | Global Administrator
Migrate service principals from the retiring Azure AD Graph APIs to Microsoft Graph | Application Administrator
MS Graph versioning | Global Administrator
Optimize tenant MFA | Security Administrator
Protect all users with a sign-in risk policy | Conditional Access Administrator, Security Administrator
Protect all users with a user risk policy | Conditional Access Administrator, Security Administrator
Protect your tenant with Insider Risk Conditional Access policy | Conditional Access Administrator, Security Administrator
Remove overprivileged permissions for your applications | Global Administrator
Remove unused applications | Application Administrator
Remove unused credentials from applications | Application Administrator
Renew expiring application credentials | Application Administrator
Renew expiring credentials for service principals | Application Administrator
Require MFA for administrative roles | Conditional Access Administrator, Security Administrator
Review inactive users with Access Reviews | Identity Governance Administrator
Secure and govern your apps with automatic user and group provisioning | Application Administrator, IT Governance Administrator
Use least privileged administrative roles | Privileged Role Administrator
Verify App Publisher | Global Administrator
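Both the recommendations feed and Secure Score are also exposed through Microsoft Graph, which makes it easy to pull them into a weekly review script instead of clicking through the portal. The following PowerShell is an added example written for this post, not Microsoft's code: it lists active recommendations in priority order with their impacted resources and reports the Identity portion of the tenant's Secure Score. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the DirectoryRecommendations.Read.All and SecurityEvents.Read.All permissions; the recommendations API is on the beta endpoint.

```powershell
# Added example (not from the original post): triage Entra recommendations and
# the Identity slice of Secure Score via Microsoft Graph.
# Assumed permissions: DirectoryRecommendations.Read.All, SecurityEvents.Read.All
Connect-MgGraph -Scopes 'DirectoryRecommendations.Read.All', 'SecurityEvents.Read.All' -NoWelcome

# Secure Score: the newest record is the current score, older ones are history.
$score = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/security/secureScores?$top=1').value | Select-Object -First 1
$identityPoints = ($score.controlScores | Where-Object controlCategory -eq 'Identity' |
    Measure-Object -Property score -Sum).Sum
"Secure Score {0}/{1} on {2}; Identity controls contribute {3} points" -f `
    $score.currentScore, $score.maxScore, $score.createdDateTime, $identityPoints

# Active recommendations only (beta endpoint), highest priority first.
$recUri = "https://graph.microsoft.com/beta/directory/recommendations?`$filter=status eq 'active'"
$recs = (Invoke-MgGraphRequest -Method GET -Uri $recUri -OutputType PSObject).value
$order = @{ high = 0; medium = 1; low = 2 }
$recs | Sort-Object { $order[[string]$_.priority] } |
    Select-Object priority, displayName, recommendationType, lastCheckedDateTime |
    Format-Table -AutoSize

# Drill into the impacted resources so each item can be handed to an owner.
foreach ($r in $recs) {
    $resUri = "https://graph.microsoft.com/beta/directory/recommendations/$($r.id)/impactedResources"
    $res = (Invoke-MgGraphRequest -Method GET -Uri $resUri -OutputType PSObject).value
    "{0}: {1} impacted resource(s)" -f $r.displayName, $res.Count
    $res | Select-Object displayName, resourceType, status, portalUrl | Format-Table -AutoSize
}
```

The secureScores resource is the overall Microsoft Secure Score; filtering controlScores by the Identity category gives the part that the Entra portal surfaces as Identity Secure Score. Recommendations the team has deliberately postponed or dismissed are excluded by the status filter, so the output is the real to-do list.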

Entra ID User Settings

You can customize users' default permissions to add additional restrictions for enhanced security. The screenshot below demonstrates custom settings that can be configured to provide an optimal level of protection for your Microsoft Entra ID tenant. These settings can be adjusted to fit your organization's specific business needs.

Entra ID End user Settings

  1. By setting the Register applications option to "No," you prevent users from creating application registrations. To allow specific individuals to register applications, you can assign them the Application Developer role, giving them the necessary permissions. You can read more about Entra ID Application User and Admin consent here.
  2. Restrict non-admin users from creating tenants: By default, any user can create a new tenant from the Microsoft Entra admin center. The creator becomes the Global Administrator of the new tenant, which inherits none of your existing settings. Setting this to Yes restricts tenant creation to users with the Tenant Creator role; setting it to No lets non-admin users create tenants, with the action still recorded in the audit log. Set this to Yes and assign the Tenant Creator role to the specific non-admin users who need to create tenants.
  3. Create security groups: Setting this option to No prevents users from creating security groups. However, users with the User Administrator role or higher will still retain the ability to create security groups.
  4. Guest user access restrictions: Setting the Guest user access option to Guest user access is restricted to properties and memberships of their own directory objects limits guest users to viewing only their own profile information. By default, they cannot access other users’ information, even when searching by user principal name, object ID, or display name. Additionally, guest users are restricted from viewing group information, including group memberships.

    However, this setting does not prevent access to groups they are part of in certain Microsoft 365 services, such as Microsoft Teams.

Note: You can customize the guest access settings based on your organization's external collaboration requirements.     

  5. Restrict access to Microsoft Entra administration portal:
    • Setting this option to No allows non-administrators to browse the Microsoft Entra administration portal.
    • Setting it to Yes prevents non-administrators from accessing the portal. Non-administrators who are group or application owners can no longer use the Entra portal to manage their resources.
    • This setting does not restrict access to Microsoft Entra data via PowerShell, the Microsoft Graph API, or other tools such as Visual Studio, and it does not apply to users assigned custom or specific roles.
    • Use this setting to stop users from accidentally misconfiguring resources they own, not as a security boundary. To actually block non-administrators, create a Conditional Access policy that targets the Windows Azure Service Management API.
    • To grant portal access to specific non-administrator users, set this option to Yes and assign them the Global Reader role or another directory role.
  6. Allow users to connect work or school account with LinkedIn: Setting this option to No prevents users from linking their work or school account to their LinkedIn account.
  7. Show keep user signed in (KMSI): When a user selects Yes at the "Stay signed in?" prompt, a persistent authentication cookie is issued; it must be stored in session for KMSI to function, and KMSI does not work with locally stored cookies. If KMSI is not enabled, a non-persistent cookie is issued that lasts 24 hours or until the browser is closed.

The KMSI prompt is intentionally not shown in the following scenarios:

  • The user signs in via seamless SSO with integrated Windows authentication (IWA).
  • The user signs in via Active Directory Federation Services with IWA.
  • The user is a guest in the tenant.
  • The user has a high-risk score.
  • The sign-in occurs during the user or admin consent flow.
  • Persistent browser session control is enforced via a Conditional Access policy.
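Items 1 to 4 above (plus the BitLocker key recovery restriction covered later) are all properties of the tenant's authorizationPolicy in Microsoft Graph, so they can be audited and enforced from a script rather than compared by eye against a screenshot. The following PowerShell is an added example written for this post, not Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK and an admin who can consent to Policy.ReadWrite.Authorization; the three guest role IDs are the documented values for guestUserRoleId. Items 5 to 7 (admin portal restriction, LinkedIn, KMSI) are not part of this resource and still need the portal.

```powershell
# Added example (not from the original post): audit the "Default user role
# permissions" and guest access level; apply the hardened values only with -Enforce.
# Assumed permission: Policy.ReadWrite.Authorization
param([switch]$Enforce)

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome
$uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# Documented guest role IDs for authorizationPolicy.guestUserRoleId
$GuestRole = @{
    SameAsMember = 'a0b1b346-4d3e-4e8b-98f8-753987be4970'
    Limited      = '10dae51f-b6af-4016-8d66-8c2a99b929b3'   # tenant default
    Restricted   = '2af84b1e-32c8-42b7-82bc-daa82404023b'   # own objects and memberships only
}

# Hardened target state. Note the inverted naming: the portal's
# "Restrict non-admin users from creating tenants = Yes" is allowedToCreateTenants = false.
$Desired = [ordered]@{
    allowedToCreateApps                      = $false   # 1. Register applications = No
    allowedToCreateTenants                   = $false   # 2. Restrict tenant creation = Yes
    allowedToCreateSecurityGroups            = $false   # 3. Create security groups = No
    allowedToReadBitlockerKeysForOwnedDevice = $false   # Restrict BitLocker key recovery = Yes
}

$policy  = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
$current = $policy.defaultUserRolePermissions

# Report drift before touching anything.
$drift = [System.Collections.Generic.List[object]]::new()
foreach ($name in $Desired.Keys) {
    if ($current.$name -ne $Desired[$name]) {
        $drift.Add([pscustomobject]@{ Setting = $name; Current = $current.$name; Desired = $Desired[$name] })
    }
}
if ($policy.guestUserRoleId -ne $GuestRole.Restricted) {
    $drift.Add([pscustomobject]@{ Setting = 'guestUserRoleId'; Current = $policy.guestUserRoleId; Desired = $GuestRole.Restricted })
}

if ($drift.Count -eq 0) { 'No drift: user default permissions match the hardened baseline.'; return }
$drift | Format-Table -AutoSize
if (-not $Enforce) { 'Re-run with -Enforce to apply these values.'; return }

# PATCH the whole complex type: copy the current values and overlay the desired ones,
# so properties we do not manage (e.g. permissionGrantPoliciesAssigned) are preserved.
$perm = @{}
foreach ($p in $current.PSObject.Properties) { $perm[$p.Name] = $p.Value }
foreach ($name in $Desired.Keys) { $perm[$name] = $Desired[$name] }
$body = @{ defaultUserRolePermissions = $perm; guestUserRoleId = $GuestRole.Restricted }
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
'Applied. Re-run without -Enforce to confirm the tenant now reports no drift.'
```

Run it once without `-Enforce` to see the drift table, then with `-Enforce` to apply. Choose the Limited guest role instead of Restricted if your collaboration scenarios depend on guests resolving other users or group membership, as the note above suggests.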

Entra ID Device Settings

To manage device identities through the Microsoft Entra admin center, devices must be registered or joined to Microsoft Entra ID. As an administrator, you can control this process by configuring the appropriate device settings.

To read or modify device settings, you must be assigned one of the following roles:
  • Cloud Device Administrator: Full access (read and modify)
  • Intune Administrator: Read-only access
  • Windows 365 Administrator: Read-only access
You can customize Device default settings to add additional restrictions for enhanced security. The screenshot below demonstrates custom settings that can be configured to provide an optimal level of protection for your Microsoft Entra ID devices. These settings can be adjusted to fit your organization's specific business needs.
Entra ID Device Settings

Users may join devices to Microsoft Entra ID:
This setting allows you to specify which users can register devices as Microsoft Entra joined. The default is set to "All." It applies only to Microsoft Entra join on Windows 10 or newer, and doesn't apply to Microsoft Entra hybrid joined devices, Azure VMs, or devices using Windows Autopilot self-deployment mode since these methods operate without user interaction.

Users may register their devices with Microsoft Entra ID:
Configure this setting to let users register personal Windows 10 or newer, iOS, Android, and macOS devices. If set to "None," device registration is not allowed. Microsoft Intune or mobile device management requires registration, so if these services are configured, "All" is selected and "None" becomes unavailable.

Require multifactor authentication to register or join devices:
Microsoft recommends enforcing multifactor authentication (MFA) for device registration or join through Conditional Access rather than this toggle, so set it to "No" when a Conditional Access policy already covers the Register or join devices user action. When set to "Yes", users must provide additional authentication when registering or joining devices, with exceptions for hybrid joined devices, Azure VMs, and devices using Windows Autopilot self-deployment mode.
Check out my blog for detailed instructions on configuring Conditional Access policies: Mastering Microsoft Entra ID Conditional Access Policies: A Comprehensive Guide.

Maximum number of devices:
This setting lets you specify the maximum number of Microsoft Entra joined or registered devices a user can have. The default is 50 and can be raised to 100; choose Unlimited if users need more than 100 devices. If users reach the limit, they must remove existing devices before adding more. This setting doesn't apply to hybrid joined devices.

Global administrator role as local administrator during Microsoft Entra join (Preview):
This setting determines if the Global Administrator role is added to the local administrators group during the device’s registration as Microsoft Entra joined.

Registering user as local administrator during Microsoft Entra join (Preview):
This setting adds the user registering the device as a local administrator during Microsoft Entra join.

Manage additional local administrators on Microsoft Entra joined devices:
Specify which users are granted local admin rights by adding them to the Device Administrators role in Microsoft Entra ID.

You can configure Entra ID PIM to manage role assignments. For more details, check out my blog: Microsoft Entra ID PIM Guide - Part 1.
Entra ID Device Administrator Assignments
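The settings on this blade map onto the deviceRegistrationPolicy resource in Microsoft Graph, which only supports full replacement (PUT), and the MFA requirement Microsoft recommends instead of the toggle is a Conditional Access policy on the Register or join devices user action. The following PowerShell is an added example written for this post, not Microsoft's code: it prints the current device settings in one view, creates the Conditional Access policy in report-only mode, and only then turns the built-in MFA toggle off, enables LAPS and removes Global Administrators from the local administrators group. It assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.DeviceConfiguration and Policy.ReadWrite.ConditionalAccess permissions, and a break-glass group ID you must substitute for the placeholder.

```powershell
# Added example (not from the original post): audit device registration settings,
# move the MFA requirement into Conditional Access, then tighten the policy.
# Assumed permissions: Policy.ReadWrite.DeviceConfiguration, Policy.ReadWrite.ConditionalAccess
Connect-MgGraph -Scopes 'Policy.ReadWrite.DeviceConfiguration', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group
$devUri = 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'
$dev = Invoke-MgGraphRequest -Method GET -Uri $devUri -OutputType PSObject

# Strip the OData type prefix so the membership kind reads as all/none/enumerated.
function Get-Kind([object]$m) { $m.'@odata.type' -replace '^#microsoft\.graph\.', '' }

# One view of the settings discussed in this section.
[pscustomobject]@{
    UsersMayJoin              = Get-Kind $dev.azureADJoin.allowedToJoin
    UsersMayRegister          = Get-Kind $dev.azureADRegistration.allowedToRegister
    MfaToRegisterOrJoin       = $dev.multiFactorAuthConfiguration        # notRequired / required
    MaxDevicesPerUser         = $dev.userDeviceQuota
    GlobalAdminsLocalAdmin    = $dev.azureADJoin.localAdmins.enableGlobalAdmins
    RegisteringUserLocalAdmin = Get-Kind $dev.azureADJoin.localAdmins.registeringUsers
    LapsEnabled               = $dev.localAdminPassword.isEnabled
} | Format-List

# 1. Conditional Access first, in report-only mode, so nothing is blocked yet.
$ca = @{
    displayName   = 'CA - Require MFA to register or join devices'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeUserActions = @('urn:user:registerdevice') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject -ContentType 'application/json' `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $ca
"Created Conditional Access policy $($created.id) in report-only mode"

# 2. Now tighten the device policy. PUT replaces the whole object, so edit the
#    fetched copy and send it back without the OData metadata property.
$dev.multiFactorAuthConfiguration            = 'notRequired'   # MFA now comes from Conditional Access
$dev.localAdminPassword.isEnabled            = $true           # Windows LAPS for Entra joined devices
$dev.azureADJoin.localAdmins.enableGlobalAdmins = $false       # GAs should not be local admins everywhere
$dev.userDeviceQuota                         = 50
$dev.PSObject.Properties.Remove('@odata.context')
Invoke-MgGraphRequest -Method PUT -Uri $devUri -ContentType 'application/json' `
    -Body ($dev | ConvertTo-Json -Depth 10)
'Device registration policy updated'
```

Leave the Conditional Access policy in report-only mode until the Report-only tab of the sign-in logs shows the expected users being evaluated, then switch its state to enabled. Keep the excluded break-glass group out of every MFA policy so a lost Authenticator cannot lock the tenant.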



Entra ID LAPS & Bitlocker Settings

Enable Microsoft Entra Local Administrator Password Solution (LAPS) (preview):
LAPS manages local admin passwords on Windows devices, providing secure password storage and rotation for both Microsoft Entra joined and hybrid joined devices.

Restrict non-admin users from recovering BitLocker keys:
Admins can block non-admin users from accessing their BitLocker recovery keys. Default users without BitLocker read permission won’t be able to view or copy their keys. A Privileged Role Administrator is required to update this setting.

Entra ID Application Consent and Permissions Settings

Before an application can access your organization's data, a user must grant it permission. The level of access varies depending on the permissions granted. By default, users can consent to applications requesting permissions that do not require administrator approval. For instance, a user can grant an app access to their mailbox, but cannot consent to permissions that would give the app unrestricted access to read and write to all files in the organization.

You can customize Application Consent & permissions to add additional restrictions for enhanced security. The screenshot below demonstrates custom settings that can be configured to provide an optimal level of protection for your Microsoft Entra ID tenant. These settings can be adjusted to fit your organization's specific business needs.

You can refer to my blog post, Securing the Gates: Mastering Admin and User Consent in Microsoft Entra ID, for a detailed guide on implementing application consent and permissions for your Entra ID tenant.

Entra ID User Application Consent Settings


Entra ID Admin Application Consent Settings


Identity Protection Settings

Organizations that enable password hash synchronization can allow password changes on-premises to remediate user risk.

This configuration offers two key benefits:

  1. Self-remediation for risky hybrid users: Hybrid users can resolve their own risks without administrator intervention. When a password is changed on-premises, the user's risk is automatically remediated within Microsoft Entra ID Protection, resetting their risk state.
  2. Proactive user risk policies: Organizations can enforce user risk policies that require password changes, providing stronger protection for hybrid users. This improves security and simplifies management by addressing user risks promptly, even in complex hybrid environments.

Note: Allowing on-premises password changes to reset user risk is an opt-in feature. Organizations should evaluate its impact before enabling it in production. Microsoft recommends securing the on-premises password change process, for example by requiring multifactor authentication through tools such as Microsoft Identity Manager's Self-Service Password Reset Portal.

The screenshot below displays the Identity Protection settings, which can be customized to align with your organization's specific business requirements.

Entra ID Protection Settings


Entra ID Conditional Access Policies

Entra ID Conditional Access policies are thoroughly covered in my previous blog. You can refer to it here: Mastering Microsoft Entra ID Conditional Access Policies: A Comprehensive Guide.

Microsoft has enhanced the Conditional Access policy experience by introducing an updated Overview and Coverage section, along with a new Monitoring tab for improved visibility.

  • The Overview page provides a summary of policy status, users, devices, and applications, as well as general and security alerts with actionable recommendations.

Entra ID CA Policy Overview

  • The Coverage page offers insights into applications that are and aren't protected by Conditional Access policies over the past seven days.

Entra ID CA Policy Coverage tab

  • The Monitoring page enables administrators to view sign-in activity graphs, helping identify potential gaps in policy coverage with easy-to-use filters.

Entra ID CA Policy Monitoring tab

Entra ID Authentication Method Policies

Use authentication methods policies to define which authentication methods your users can register and use. If a user is within the scope for a particular method, they may use it for both authentication and password reset. Microsoft Entra multifactor authentication (MFA) adds an extra layer of security beyond a password by prompting users for additional verification, such as a push notification, a code from a software or hardware token, or a text or phone call response.

Some methods, like FIDO2 security keys or passwords, can be used as the primary sign-in factor for applications or devices, while others are only available as secondary factors during MFA or self-service password reset (SSPR).

Microsoft recommends passwordless authentication methods, including Windows Hello, Passkeys (FIDO2), and the Microsoft Authenticator app, for the most secure sign-in experience. While users can sign in with a username and password, it’s best to transition to more secure authentication options to reduce reliance on passwords.


The table below shows when each authentication method can be applied during a sign-in event:

Method | Primary Authentication | Secondary Authentication
Windows Hello for Business | Yes | MFA*
Microsoft Authenticator push | No | MFA and SSPR
Microsoft Authenticator passwordless | Yes | No**
Microsoft Authenticator passkey (preview) | Yes | MFA and SSPR
Authenticator Lite | No | MFA
Passkey (FIDO2) | Yes | MFA
Certificate-based authentication | Yes | MFA
OATH hardware tokens (preview) | No | MFA and SSPR
OATH software tokens | No | MFA and SSPR
External authentication methods (preview) | No | MFA
Temporary Access Pass (TAP) | Yes | MFA
SMS | Yes | MFA and SSPR
Voice call | No | MFA and SSPR
Password | Yes | No

*Windows Hello for Business alone does not act as a step-up MFA credential. For instance, it does not fulfill an MFA challenge from Sign-in Frequency policies or a SAML request with forceAuthn=true. However, it can be used as a step-up MFA credential when combined with FIDO2 authentication, which requires users to be registered for FIDO2.

** Passwordless sign-in can be used as a secondary authentication method only if certificate-based authentication (CBA) is used as the primary authentication.

Security questions & email address verification options – used exclusively for self-service password reset (SSPR)

Note: In Microsoft Entra ID, a password is typically a primary authentication method, and it cannot be disabled. To enhance security, you can add Microsoft Entra multifactor authentication when a password is used as the primary factor.

To review settings in the Authentication methods policy, sign in to the Microsoft Entra admin center as an Authentication Policy Administrator and go to Protection > Authentication methods > Policies

Entra ID Authentication Methods Policy
By default, new tenants have all methods set to "Off." If you're using the legacy per-user MFA and SSPR policies, the new Authentication methods policy offers a migration option that unifies the MFA and SSPR settings; select Begin automated guide to start it.
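The same policy can be inventoried and changed through Microsoft Graph, which is the safest way to move a tenant from SMS and voice toward the passwordless methods recommended above, because you can check who would be left without a usable MFA method before anything is disabled. The following PowerShell is an added example written for this post, not Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.AuthenticationMethod, UserAuthenticationMethod.Read.All and AuditLog.Read.All permissions, and the documented configuration IDs (Fido2, TemporaryAccessPass, Sms, Voice) and registration-report method names (mobilePhone, officePhone and so on).

```powershell
# Added example (not from the original post): inventory the Authentication methods
# policy, check the blast radius of disabling phone methods, then enable passkeys
# (FIDO2) with attestation and Temporary Access Pass and disable SMS/voice.
# Assumed permissions: Policy.ReadWrite.AuthenticationMethod, UserAuthenticationMethod.Read.All, AuditLog.Read.All
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All' -NoWelcome
$base = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'

# 1. Current state of every method and who it targets.
$policy = Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject
$policy.authenticationMethodConfigurations |
    Select-Object id, state, @{ n = 'IncludeTargets'; e = { ($_.includeTargets | ForEach-Object { $_.id }) -join ',' } } |
    Format-Table -AutoSize

# 2. Impact check: MFA-capable users whose only registered methods are phone-based.
#    Method names below are the documented userRegistrationDetails.methodsRegistered values.
$weakOnly = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')
$phoneOnly = [System.Collections.Generic.List[string]]::new()
$uri = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails'
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($u in $page.value) {
        $strong = @($u.methodsRegistered | Where-Object { $_ -notin $weakOnly })
        if ($u.isMfaCapable -and $strong.Count -eq 0) { $phoneOnly.Add($u.userPrincipalName) }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until exhausted
} while ($uri)
"Users who would have no MFA method left without SMS/voice: $($phoneOnly.Count)"

# 3. Target configuration: passkeys with attestation, TAP for onboarding/recovery, phone methods off.
$all = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
$changes = @{
    Fido2 = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationAllowed = $true
        isAttestationEnforced            = $true      # only keys with valid attestation metadata
        includeTargets                   = $all
    }
    TemporaryAccessPass = @{
        '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
        state                    = 'enabled'
        isUsableOnce             = $false
        defaultLifetimeInMinutes = 60
        maximumLifetimeInMinutes = 480
        defaultLength            = 12
        includeTargets           = $all
    }
    Sms   = @{ '@odata.type' = '#microsoft.graph.smsAuthenticationMethodConfiguration';   state = 'disabled' }
    Voice = @{ '@odata.type' = '#microsoft.graph.voiceAuthenticationMethodConfiguration'; state = 'disabled' }
}
if ($phoneOnly.Count -gt 0) {
    Write-Warning "Keeping Sms/Voice enabled until these users register a stronger method: $($phoneOnly -join ', ')"
    $changes.Remove('Sms'); $changes.Remove('Voice')
}
foreach ($id in @($changes.Keys)) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/authenticationMethodConfigurations/$id" `
        -Body $changes[$id] -ContentType 'application/json'
    "Updated $id"
}
```

Run the registration campaign described later in this post against the users the script lists before re-running it to disable SMS and voice; disabling a method in the policy takes effect immediately and a user whose only method is a phone number is locked out of MFA, not prompted to register something better.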

Refer to the screenshot below for available SSPR authentication methods.

Entra ID SSPR Authentication methods

You can explore the updated UX for Legacy MFA settings by navigating to Entra Portal > All Users > Per-user MFA section.

Entra ID Per-User MFA settings

Entra ID MFA Authentication methods new UX

The migration guide (preview) in the Microsoft Entra admin center provides an automated way to transition settings. This wizard audits current MFA and SSPR policies and consolidates them into the Authentication methods policy for easier, unified management. Alternatively, you can migrate settings manually at your own pace, and the process is reversible. The wizard lets you migrate with just a few clicks, starting from Protection > Authentication methods > Policies.

Entra ID Authentication Method Policy migration guide
Select Next to proceed with the migration.

Entra ID legacy MFA or SSPR policy Migration begin
During migration, the wizard applies the existing settings from the legacy MFA and SSPR policies and recommends also enabling modern methods such as passkeys, Temporary Access Pass, and Microsoft Authenticator to enhance security. Adjust configurations as needed using the pencil icon and, once satisfied, select Migrate to confirm. The legacy MFA and SSPR settings then become inactive and the migration status changes to Migration Complete. You can revert to In Progress at any time if you need to re-enable the legacy settings.

Entra ID Authentication method policies Selection


Note: A control for security questions will be available soon. If you currently use security questions and wish to keep them enabled, ensure they remain active in the legacy SSPR policy until the new control is released. You can complete the migration as outlined above, keeping security questions enabled.

You can refer to my previous blog post for details on the following authentication methods and their deployment steps:

Entra ID Password Protection

Smart Lockout

Smart Lockout is a security feature that helps protect against unauthorized access by locking out accounts after failed password attempts, distinguishing between valid and potentially malicious login attempts. It allows genuine users continued access while blocking attackers.

Default Settings:
  • Accounts are locked after 10 failed attempts.
  • The initial lockout lasts one minute and grows with each subsequent failed attempt; the exact growth rate is undisclosed to prevent circumvention.

Password Hash Tracking: Smart Lockout remembers the hashes of the last three bad passwords, so repeatedly entering the same wrong password does not increment the counter and lock the account. This feature is unavailable for pass-through authentication users, as their authentication occurs on-premises.

Smart Lockout Configuration Requirements:
  • Default Activation: Smart Lockout is enabled by default for all Microsoft Entra customers, but customizing the threshold and duration requires a Microsoft Entra ID P1 or higher license.
  • Customizable Settings: Administrators can set the lockout threshold (number of failed attempts) and the lockout duration, tightening protection for user accounts.

Considerations:
  • Consistency Across Data Centers: Lockout state synchronizes across Microsoft Entra data centers, though the number of failed attempts allowed may vary slightly from the configured threshold.
  • Location-Based Lockout Counters: Smart Lockout keeps separate counters for familiar and unfamiliar sign-in locations. A user locked out from an unfamiliar location can reset the counter with Self-Service Password Reset (SSPR).

Integration with On-Premises AD DS
Smart Lockout can be used alongside on-premises Active Directory Domain Services (AD DS) for added protection:

AD DS Threshold: Set higher than the Microsoft Entra threshold to avoid locking out on-premises accounts due to cloud-based attacks.
AD DS Lockout Duration: Should be shorter than Microsoft Entra's duration to ensure consistency.

For example:

Microsoft Entra lockout threshold: 5 failed attempts, AD DS threshold: 10.
Microsoft Entra lockout duration: 120 seconds, AD DS duration: 60 seconds.


Note: Admins can instantly unlock accounts locked by Smart Lockout by resetting the user's password in the Entra ID portal.

To configure Smart Lockout:
  1. Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator.
  2. Navigate to Protection > Authentication methods > Password protection.
  3. Set the Lockout threshold and Lockout duration in seconds (the defaults are 10 attempts and 60 seconds). Following the hybrid example above, a threshold of 5 and a duration of 120 seconds keeps cloud lockout ahead of the on-premises AD DS policy.

Entra ID smart Lockout
When the smart lockout threshold is met, the following message appears while the account remains locked:

"Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin."

During testing, sign-in requests may be routed through different data centers due to the geo-distributed, load-balanced nature of the Microsoft Entra authentication service.

Smart Lockout also tracks the last three failed password attempts, preventing the lockout counter from incrementing when the same incorrect password is repeatedly entered. In addition to Smart Lockout, Microsoft Entra ID further protects against attacks by analyzing IP traffic and identifying unusual behavior. 

With these configurations, Smart Lockout effectively helps protect against brute-force attacks and enhances overall account security.

Custom Banned Password List

Many security recommendations advise against reusing passwords, encourage complex passwords, and warn against simple passwords like "Password123." Yet, weak passwords are still frequently used. Microsoft Entra Password Protection addresses this by detecting and blocking common weak passwords, their variants, and organization-specific terms.

License Requirements

Cloud-only users:
  • Global banned password list: Microsoft Entra ID Free
  • Custom banned password list: Microsoft Entra ID P1 or P2
Users synchronized from on-premises AD DS:
  • Global banned password list: Microsoft Entra ID P1 or P2
  • Custom banned password list: Microsoft Entra ID P1 or P2

How Microsoft Entra Password Protection Works

  • Global Banned Password List: Automatically applied to all users in a Microsoft Entra tenant, this list includes commonly used weak or compromised passwords identified by Microsoft's security telemetry. This list is maintained by analyzing password trends and does not rely on third-party data. The global list is enforced automatically for all users during password changes or resets and cannot be disabled.
  • Custom Banned Password List: To enhance security, organizations can add up to 1,000 custom terms, such as brand names, product names, or location-based terms unique to their company. This custom list combines with the global list to prevent the use of weak passwords during password updates. For maximum efficiency, it’s best to evaluate potential weak terms before adding them to the custom list.

Note: Microsoft does not publish the content of the global banned password list to prevent attackers from targeting known weak passwords. The password validation process also uses fuzzy-matching algorithms to block variations of common weak passwords, enhancing overall password security across your organization.
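It helps to understand what "fuzzy matching" means here before choosing custom terms, because the evaluation is a scoring exercise rather than a plain blocklist lookup. The following PowerShell is an added example written for this post, not Microsoft's code: it models the publicly documented evaluation steps (normalize case and the common substitutions, reject a whole-password match within edit distance 1 of a banned term, then score 1 point per banned term found plus 1 point per leftover character and require at least 5 points). The global list is secret, so the short lists below are constructed stand-ins, and the user names are sample data.

```powershell
# Added example (not from the original post): a model of the documented Entra
# Password Protection evaluation so candidate custom terms can be tested locally.
# Lists and names below are constructed sample data; the real global list is secret.

function ConvertTo-NormalizedPassword {
    param([string]$Password)
    # Lowercase, then undo the common substitutions the service normalizes away.
    $map = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Password.ToLowerInvariant().ToCharArray()) {
        $s = [string]$ch
        [void]$sb.Append($(if ($map.ContainsKey($s)) { $map[$s] } else { $s }))
    }
    $sb.ToString()
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance, used for the fuzzy-match step (distance <= 1 fails).
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    $d[$A.Length, $B.Length]
}

function Test-BannedPassword {
    param(
        [string]$Password,
        [string[]]$BannedTerms,          # global list + custom list
        [string[]]$UserTokens = @(),     # first/last name, tenant name: substring-matched as well
        [int]$MinimumScore = 5
    )
    $norm  = ConvertTo-NormalizedPassword $Password
    $terms = @($BannedTerms + $UserTokens | ForEach-Object { ConvertTo-NormalizedPassword $_ } |
               Select-Object -Unique | Sort-Object Length -Descending)   # longest terms match first

    # Step 1: whole-password fuzzy match (edit distance 0 or 1) against the list.
    foreach ($t in $terms) {
        if ((Get-EditDistance $norm $t) -le 1) {
            return [pscustomobject]@{ Password = $Password; Accepted = $false; Score = 0; Reason = "fuzzy match on '$t'" }
        }
    }
    # Step 2: substring scoring. Each banned term found = 1 point; each leftover character = 1 point.
    $remaining = $norm; $score = 0; $hits = @()
    foreach ($t in $terms) {
        $n = [regex]::Matches($remaining, [regex]::Escape($t)).Count
        if ($n -gt 0) { $score += $n; $hits += $t; $remaining = $remaining -replace [regex]::Escape($t), '' }
    }
    $score += $remaining.Length
    [pscustomobject]@{
        Password = $Password; Accepted = ($score -ge $MinimumScore); Score = $score
        Reason   = "terms: $($hits -join ',') ; leftover: '$remaining'"
    }
}

# Constructed sample lists: a stand-in for the secret global list plus an org's custom list.
$globalList = @('password', 'welcome', 'summer', 'qwerty')
$customList = @('contoso', 'blank')

@('P@ssw0rd', 'C0ntos0Blank12', 'C0ntos0Blank12345', 'Welc0me2Contoso!') |
    ForEach-Object { Test-BannedPassword -Password $_ -BannedTerms ($globalList + $customList) -UserTokens @('adele', 'vance') } |
    Format-Table Password, Accepted, Score, Reason -AutoSize
```

Two things the output makes visible: "P@ssw0rd" normalizes to "password" and fails outright, and "C0ntos0Blank12" scores only 4 (contoso 1, blank 1, two leftover digits) while "C0ntos0Blank12345" scores 7 and is accepted even though it is hardly strong. That is why custom terms should be the words people in your organization actually pad their passwords with, and why the section below still pairs password protection with MFA.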


Let’s set up the custom banned password list and add specific terms. You can add more entries anytime.

To enable and configure the custom banned password list, follow these steps:

Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator.
Navigate to Protection > Authentication methods > Password protection.
Set Enforce custom list to Yes.
Add terms to the Custom banned password list, one per line.

Considerations:
  • The list can hold up to 1,000 terms.
  • Entries are case-insensitive and detect common substitutions (e.g., "o" and "0", "a" and "@").
  • Each term must be between 4 and 16 characters.
Add custom banned passwords as needed, following this format.

Entra ID Custom Banned Passwords

Leave Enable password protection on Windows Server Active Directory set to No until you have deployed the on-premises agents described in the next section; the setting has no effect without them.
Click Save to activate the custom banned password list and store your entries.

Note that updates to the custom banned password list may take several hours to apply.
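Smart Lockout and the banned password list are stored together in the "Password Rule Settings" directory setting, which is exposed on the Microsoft Graph beta endpoint, so both of the portal procedures above can be scripted and kept under version control. The following PowerShell is an added example written for this post, not Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK, the Directory.ReadWrite.All permission, the documented template ID 5cf42378-d67d-4f36-ba46-e8b86229381d, and that BannedPasswordList is stored as a tab-separated string, which is how the portal saves it; the banned terms are a constructed sample.

```powershell
# Added example (not from the original post): set Smart Lockout (5 attempts / 120 s)
# and the custom banned password list through the "Password Rule Settings"
# directory setting on the Graph beta endpoint.
# Assumed permission: Directory.ReadWrite.All
Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome
$settingsUri = 'https://graph.microsoft.com/beta/settings'
$templateId  = '5cf42378-d67d-4f36-ba46-e8b86229381d'   # Password Rule Settings template

# Constructed sample: company, brand and location words users are likely to reuse.
$bannedTerms = @('contoso', 'fabrikam', 'redmond', 'hq2024')
foreach ($t in $bannedTerms) {
    if ($t.Length -lt 4 -or $t.Length -gt 16) { throw "Banned term '$t' must be 4 to 16 characters" }
}
if ($bannedTerms.Count -gt 1000) { throw 'The custom list holds at most 1,000 terms' }

# All values are strings, exactly as the portal writes them.
$values = @(
    @{ name = 'LockoutThreshold';                    value = '5' }      # stricter than the default 10
    @{ name = 'LockoutDurationInSeconds';            value = '120' }    # longer than the default 60
    @{ name = 'EnableBannedPasswordCheck';           value = 'true' }   # Enforce custom list = Yes
    @{ name = 'BannedPasswordList';                  value = ($bannedTerms -join "`t") }   # assumed tab-separated
    @{ name = 'EnableBannedPasswordCheckOnPremises'; value = 'false' }  # off until the DC agents are deployed
    @{ name = 'BannedPasswordCheckOnPremisesMode';   value = 'Audit' }  # start in audit once they are
)

$existing = (Invoke-MgGraphRequest -Method GET -Uri $settingsUri -OutputType PSObject).value |
    Where-Object templateId -eq $templateId

if ($existing) {
    # The portal instantiates the setting on first save; afterwards only the values are patched.
    Invoke-MgGraphRequest -Method PATCH -Uri "$settingsUri/$($existing.id)" `
        -Body @{ values = $values } -ContentType 'application/json'
    "Updated Password Rule Settings ($($existing.id))"
} else {
    # Fresh tenant: instantiate the template with our values.
    $new = Invoke-MgGraphRequest -Method POST -Uri $settingsUri -OutputType PSObject `
        -Body @{ templateId = $templateId; values = $values } -ContentType 'application/json'
    "Created Password Rule Settings ($($new.id))"
}

# Read back what the tenant now enforces.
$check = (Invoke-MgGraphRequest -Method GET -Uri $settingsUri -OutputType PSObject).value |
    Where-Object templateId -eq $templateId
$check.values | ForEach-Object {
    $v = if ($_.name -eq 'BannedPasswordList') { ($_.value -split "`t") -join ', ' } else { $_.value }
    [pscustomobject]@{ Setting = $_.name; Value = $v }
} | Format-Table -AutoSize
```

Remember the propagation note above: the new list can take several hours to apply, so a change made here will not reject a test password immediately. Keep the script in source control and make it the only way the list is edited, so a term quietly removed in the portal shows up as a diff on the next run.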

Entra ID Password Protection for Active directory

Extending Protection to On-Premises AD DS

For hybrid identity environments with on-premises Active Directory (AD DS), organizations can extend the protection of Microsoft Entra Password Protection by deploying agents on-premises. These agents enforce the same password standards in AD DS, ensuring consistent security across both cloud and on-premises environments.

Note: On-premises AD DS users not synchronized to Microsoft Entra ID also benefit from Microsoft Entra Password Protection based on existing licensing for synchronized users.

We'll explore this configuration in depth in an upcoming blog series.

Additional Security Layers

To further secure user accounts, it’s recommended to combine password protection with Microsoft Entra multifactor authentication (MFA), rather than relying on strong passwords alone.

Microsoft Authenticator Registration Campaign

With a registration campaign, you can encourage users to set up the Microsoft Authenticator during their sign-in. After users complete their usual sign-in and MFA process, they’re prompted to set up the Authenticator app. You can target specific users or groups to nudge them from less secure authentication methods to Microsoft Authenticator.

Key Features:

  • Snooze Option: Set how many days users can "snooze" the setup prompt. After choosing Skip for now, users will be reminded again during their next MFA attempt after the snooze period. You can allow indefinite snoozing or limit it to three times, after which registration is mandatory.
  • Conditional Access Policies: Conditional Access rules for security info updates apply before prompting users to set up Authenticator. For example, if policies restrict security info changes to internal networks, users will only see the prompt when on that network.

Prerequisites:

  • Microsoft Entra MFA Enabled: MFA must be enabled for your organization. Microsoft Entra ID includes MFA in all editions, so no additional licenses are required.
  • Authenticator Not Already Set Up: Users should not have already set up push notifications in the Authenticator app.
  • Enable Users for Authenticator: Admins should enable users for Authenticator via:
    • MFA Registration Policy: Enable Notification through mobile app.
    • Authentication Methods Policy: Set Authenticator app with Any or Push mode. (If set to Passwordless, users won’t receive a nudge prompt.)

Steps to Enable the Registration Campaign

  • Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator.
  • Navigate to Protection > Authentication methods > Registration campaign, and select Edit.
  • State Options:
    • Enabled: Enable the campaign for all users.
    • Microsoft Managed: Enable only for users using voice call or text messages for MFA. Microsoft manages default values.
  • Snooze Configuration:
    • Limited number of snoozes: Set to Enabled to limit to 3 snoozes, after which registration is mandatory. Set to Disabled for unlimited snoozes.
    • Days allowed to snooze: Set the interval between prompts (e.g., 4 days).
  • Exclude Users or Groups: Select any users or groups to exclude from the campaign, then click Save.

Entra ID Microsoft Authenticator Registration Campaign

Additional Notes:

  • The nudge prompt doesn’t appear on Android or iOS mobile devices.
  • It only appears in embedded browser views within supported apps, not in out-of-the-box or embedded Windows settings experiences.
  • Campaigns can run indefinitely; disable it through the admin center or APIs when ready.
  • Nudges apply only if users are using Microsoft Entra’s multifactor authentication service.
  • Nudges won’t appear if users encounter the Register security information block in Conditional Access, the Terms of Use (ToU) screen, or are redirected by custom Conditional Access controls.

Configuring Microsoft Entra Multifactor Authentication Settings

To customize the user experience for Microsoft Entra MFA, you can set options like account lockout thresholds, fraud alerts, and notifications. The Report suspicious activity feature replaces the legacy Block/unblock users, Fraud alert, and Notifications functions, which will be removed on March 1, 2025.

Entra ID MFA settings

Report Suspicious Activity

The Report suspicious activity feature allows users to report unexpected or suspicious MFA prompts through the Microsoft Authenticator app or by phone. Alerts are integrated with Microsoft Entra ID Protection, adding advanced threat detection.

  • High User Risk: When a suspicious prompt is reported, the user is marked as high risk. Administrators can then use risk-based policies to limit access or enable self-service password reset (SSPR) for user-initiated remediation.
  • Non-P2 License Option: If you don’t have a Microsoft Entra ID P2 license, use risk detection events to manually identify and disable affected users or automate this process using custom workflows with Microsoft Graph.

Enabling Report Suspicious Activity

To enable Report suspicious activity:

  1. Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator.
  2. Go to Protection > Authentication methods > Settings.
  3. Set Report suspicious activity to Enabled. (Choosing Microsoft managed keeps the feature disabled. For details on Microsoft-managed settings, see [Protecting authentication methods in Microsoft Entra ID].)
  4. Choose All users or a specific group.
  5. If you’ve uploaded custom greetings for your tenant, select a Reporting code that users will enter to report suspicious activity. By default, the code is set to 0 unless custom greetings are uploaded.
  6. Click Save.

Entra ID MFA Report suspicious activity

Note: If both Report suspicious activity and a custom voice reporting number are enabled, this feature will override any settings from the legacy Fraud Alert feature.

System-Preferred Multifactor Authentication (MFA)

System-preferred MFA prompts users to sign in using the most secure method they’ve registered, prioritizing security and minimizing reliance on less secure methods like SMS.

  • Functionality: If a user has both SMS and Microsoft Authenticator push notifications set up, system-preferred MFA prompts them to sign in with the more secure push notification method. Users may still choose other methods but are encouraged to use the most secure option.
  • Configuration: This is a Microsoft-managed, tristate setting that defaults to Enabled. You can change the setting to Disabled or exclude specific users and groups from the policy if you prefer not to enforce it.
  • User Convenience: With system-preferred MFA enabled, the system automatically selects the most secure registered method for users, so they don’t need to set a default method manually.

Enabling System-Preferred MFA in Microsoft Entra Admin Center

  • Navigate to Protection > Authentication methods > Settings.
  • Under System-preferred multifactor authentication, choose to explicitly enable or disable the feature.
  • Include or exclude specific users or groups as needed, with exclusions taking precedence over inclusions.

Entra ID System-Preferred Multifactor Authentication Settings

By setting up system-preferred MFA, you enhance security by encouraging users to adopt their most secure authentication method.
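The registration campaign, Report suspicious activity and system-preferred MFA sections above all live in the tenant's Authentication Methods Policy, so one script can check all three at once. This is an added example, not Microsoft's code or anything from the original post; it assumes the JSON shape Microsoft Graph returns from GET /policies/authenticationMethodsPolicy, and SAMPLE_POLICY is a constructed document, not a capture from a real tenant.

```python
"""Audit an Authentication Methods Policy against the registration campaign,
report suspicious activity and system-preferred MFA settings described above.
Added example, not Microsoft's code. Assumes the JSON shape Microsoft Graph returns
from GET /policies/authenticationMethodsPolicy; SAMPLE_POLICY is constructed."""

# Constructed sample: Microsoft-managed defaults everywhere, a 4-day snooze with
# no snooze limit, and one group (placeholder id) excluded from system-preferred MFA.
SAMPLE_POLICY = {
    "registrationEnforcement": {
        "authenticationMethodsRegistrationCampaign": {
            "state": "default",
            "snoozeDurationInDays": 4,
            "enforceRegistrationAfterAllowedSnoozes": False,
            "includeTargets": [{"id": "all_users", "targetType": "group",
                                "targetedAuthenticationMethod": "microsoftAuthenticator"}],
            "excludeTargets": [],
        }
    },
    "reportSuspiciousActivitySettings": {
        "state": "default", "voiceReportingCode": 0,
        "includeTarget": {"id": "all_users", "targetType": "group"},
    },
    "systemCredentialPreferences": {
        "state": "default",
        "includeTargets": [{"id": "all_users", "targetType": "group"}],
        "excludeTargets": [{"id": "<placeholder-group-id>", "targetType": "group"}],
    },
}


def audit_authentication_methods_policy(policy: dict) -> list[str]:
    """Return findings that deviate from the guide; an empty list means compliant."""
    findings = []
    campaign = policy.get("registrationEnforcement", {}).get(
        "authenticationMethodsRegistrationCampaign", {})
    if campaign.get("state") != "enabled":  # 'default' only nudges SMS/voice users
        findings.append(f"registration campaign: state '{campaign.get('state')}', expected 'enabled'")
    if not campaign.get("enforceRegistrationAfterAllowedSnoozes"):
        findings.append("registration campaign: unlimited snoozes, users can defer indefinitely")
    if campaign.get("excludeTargets"):
        findings.append(f"registration campaign: {len(campaign['excludeTargets'])} excluded target(s)")
    rsa = policy.get("reportSuspiciousActivitySettings", {})
    if rsa.get("state") != "enabled":  # Microsoft managed ('default') keeps it disabled
        findings.append(f"report suspicious activity: state '{rsa.get('state')}', expected 'enabled'")
    spm = policy.get("systemCredentialPreferences", {})
    if spm.get("state") == "disabled":  # Microsoft managed defaults to enabled here
        findings.append("system-preferred MFA: explicitly disabled")
    if spm.get("excludeTargets"):
        findings.append(f"system-preferred MFA: {len(spm['excludeTargets'])} excluded target(s)")
    return findings
```

Run the function over the real policy document pulled with Microsoft Graph PowerShell or the Graph Explorer; an exclusion is reported rather than judged, since an excluded break-glass group is often intentional.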

Microsoft Entra External Collaboration Settings

External collaboration settings in Microsoft Entra allow you to manage who can invite external users for B2B collaboration, specify allowed or blocked domains, and control what guest users can see in your directory. Here’s an overview of the available options:

Key Options

  • Guest User Access Control: Limit what external guest users can view within your directory, such as group memberships or only their profile.

Invite Permissions:

  • Control who can invite external users. By default, all users can send invitations, but you can restrict this to specific roles.

Guest Self-Service Sign-Up via User Flows:

  • Create user flows for applications to allow guest self-sign-up. This lets guests create accounts and register for apps within defined sign-up flows, specifying identity providers and attributes to collect.

Domain Restrictions:

  • Specify which domains can or cannot receive invitations. For cross-tenant sign-ins, the home tenant’s branding appears if custom branding isn’t configured.

Configuring Guest Access

Sign in to the Microsoft Entra admin center as a Privileged Role Administrator.
Navigate to External Identities > External collaboration settings.

Note: The Guest User Access Restrictions we discussed earlier can be managed under User Settings.

Under Guest invite settings, select from:
    • Anyone in the organization can invite guests (most inclusive).
    • Member users and specific admin roles can invite guests.
    • Only specific admin roles (e.g., User Administrator or Guest Inviter) can invite guests.
    • No one can invite guests (most restrictive).

To enable self-service sign-up for applications, set Enable guest self-service sign-up via user flows to Yes. Create user flows to allow guests to sign up with selected identity providers and custom attributes.

The screenshot below shows the recommended settings. You can adjust these settings to fit your business requirements.

Entra ID External Collaboration settings

External User Leave Settings:

  • Set Yes to allow external users to leave the organization independently.
  • Set No to require admin approval for user removal requests.

Privacy Information:

  • Add a privacy contact and a privacy statement to your Entra tenant to enable the external user leave settings. Microsoft recommends consulting legal advice to tailor privacy statements.

Entra ID Privacy Contact & Statement

Configuring Collaboration Restrictions (Allow/Block Domains)

Under Collaboration restrictions, decide to allow or block specific domains.
Enter domain names in the text boxes, placing each domain on a new line for multiple entries.

Important: Assign roles with the minimum access each task needs (least privilege). Global Administrator is highly privileged and should be used only in emergency scenarios.

Entra ID External Collaboration Restrictions & User leave settings
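The guest invite settings and the allow/block domain restrictions above combine into one decision for every invitation. The following is an added example, not Microsoft's code: a simplified model of those rules using the four portal options and the two admin roles named in this guide. It assumes exact, case-insensitive domain matching and that a non-empty allow list takes precedence over a block list, since the portal only lets you pick one of the two.

```python
"""Model of the guest invitation decision made by the External collaboration
settings above. Added example, not Microsoft's code; a simplified model that assumes
exact case-insensitive domain matching and the role names used in this guide."""
from dataclasses import dataclass

# Portal options under "Guest invite settings", most inclusive to most restrictive.
ANYONE = "anyone"               # Anyone in the organization can invite guests
MEMBERS_AND_ADMINS = "members"  # Member users and specific admin roles can invite
ADMIN_ROLES_ONLY = "admins"     # Only specific admin roles can invite
NO_ONE = "no_one"               # No one can invite guests

# Admin roles the guide names as able to invite guests.
INVITER_ROLES = frozenset({"User Administrator", "Guest Inviter"})


@dataclass
class CollaborationSettings:
    invite_setting: str = MEMBERS_AND_ADMINS
    # The portal lets you choose either an allow list or a block list.
    allowed_domains: frozenset = frozenset()
    blocked_domains: frozenset = frozenset()

    def __post_init__(self):
        self.allowed_domains = frozenset(d.lower() for d in self.allowed_domains)
        self.blocked_domains = frozenset(d.lower() for d in self.blocked_domains)

    def domain_permitted(self, domain: str) -> bool:
        domain = domain.lower()
        if self.allowed_domains:                  # allow list: everything else is blocked
            return domain in self.allowed_domains
        return domain not in self.blocked_domains  # block list, or no restriction at all


def can_invite(settings: CollaborationSettings, inviter_is_guest: bool,
               inviter_roles: set, invitee: str) -> tuple:
    """Return (allowed, reason) for one invitation attempt."""
    if settings.invite_setting == NO_ONE:
        return False, "guest invitations are disabled for the tenant"
    has_admin_role = bool(set(inviter_roles) & INVITER_ROLES)
    if settings.invite_setting == ADMIN_ROLES_ONLY and not has_admin_role:
        return False, "only User Administrator or Guest Inviter may invite guests"
    if settings.invite_setting == MEMBERS_AND_ADMINS and inviter_is_guest and not has_admin_role:
        return False, "guest users may not invite other guests under this setting"
    # Domain restrictions apply after the inviter check, whoever the inviter is.
    domain = invitee.rsplit("@", 1)[-1].lower()
    if not settings.domain_permitted(domain):
        return False, f"domain {domain} is not permitted by collaboration restrictions"
    return True, "invitation allowed"
```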


Conclusion

Implementing the right security settings in Microsoft Entra ID is essential for safeguarding your organization’s resources while ensuring a seamless user experience. By following these recommended configurations, M365 Admins can strike a balance between robust security measures and usability, enhancing protection across identities, devices, and applications. Remember, these settings can be tailored to meet your specific business needs, so review them regularly and adjust as your organization evolves. With proactive management and a focus on best practices, you can leverage Microsoft Entra ID to build a secure, resilient identity infrastructure for your organization.
