Microsoft Entra ID Security Hardening: The 15-Point Checklist
A 15-point security hardening checklist for Microsoft Entra ID covering conditional access, PIM, MFA, break-glass accounts, and token protection.
Microsoft Entra ID is the identity backbone for most enterprise Microsoft environments. A misconfigured tenant is not just a security gap — it is an open door to your entire estate. This checklist covers the 15 hardening measures that every Entra ID tenant should implement, prioritised by impact.
The 15-Point Checklist
1. Enforce Phishing-Resistant MFA for All Administrators
Standard SMS or voice-call MFA is no longer sufficient for privileged accounts. Attackers routinely bypass these methods through SIM swapping, social engineering, and real-time phishing proxies.
Action items:
- Require FIDO2 security keys or certificate-based authentication for all Global Administrators, Security Administrators, and Privileged Role Administrators
- Create a Conditional Access policy targeting the Directory Roles listed above with a grant control requiring authentication strength set to "Phishing-resistant MFA"
- Set a 90-day migration deadline for admins currently using weaker methods
2. Enforce MFA for All Users
Every user in your tenant should require MFA. No exceptions for "low-risk" users — compromised standard accounts are the most common entry point for lateral movement.
Action items:
- Create a Conditional Access policy: All users > All cloud apps > Grant: Require authentication strength (MFA)
- Exclude only your break-glass accounts (see point 3)
- Monitor the MFA registration campaign in the Authentication Methods activity report
3. Configure Break-Glass Accounts
Break-glass accounts are your emergency access when Conditional Access, MFA, or federation fails. Without them, you risk being permanently locked out of your own tenant.
Action items:
- Create two break-glass accounts with generic names that do not indicate their purpose
- Assign Global Administrator role permanently (not via PIM)
- Exclude from all Conditional Access policies
- Use a long, complex password stored in a physical safe — not in a password manager within the tenant
- Enable sign-in monitoring: create a Sentinel analytics rule or Log Analytics alert that triggers on any break-glass account sign-in
- Test the accounts quarterly — document the test
4. Block Legacy Authentication
Legacy authentication protocols (SMTP, IMAP, POP3, older ActiveSync) do not support MFA. They are the single easiest path for credential-stuffing attacks.
Action items:
- Create a Conditional Access policy: All users > All cloud apps > Conditions: Client apps = Exchange ActiveSync clients, Other clients > Block
- Verify there are no legitimate dependencies using the Sign-in logs filtered by client app type
- Monitor for 30 days before enforcing, then switch from Report-only to On
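Added example (not from the original article): two Microsoft Graph PowerShell queries that cover the monitoring steps of points 3 and 4, one that returns every sign-in by a break-glass account, and one that groups successful legacy-protocol sign-ins by user and protocol so dependencies can be found before the block policy is enforced. It assumes the Microsoft Graph PowerShell SDK, a session with AuditLog.Read.All and Directory.Read.All, and the placeholder break-glass UPNs shown; the list of legacy client app names is my reading of the clientAppUsed field, not something the article specifies.

```powershell
# Added example, not from the original article. Requires the Microsoft Graph PowerShell SDK:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

# Placeholder UPNs for the two break-glass accounts; replace with your own.
$BreakGlassUpns = @('bg-account-1@contoso.example', 'bg-account-2@contoso.example')

# Client app names as Entra ID reports them in clientAppUsed for legacy (non-modern-auth)
# protocols. Assumed list; anything not in it is treated as modern authentication.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3', 'SMTP',
    'Exchange Web Services', 'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)',
    'Offline Address Book', 'AutoDiscover', 'Exchange Online PowerShell',
    'Reporting Web Services', 'Other clients'
)

function Get-UtcFilterTimestamp {
    # OData filters on createdDateTime expect an ISO-8601 UTC timestamp.
    param([int]$DaysBack)
    (Get-Date).ToUniversalTime().AddDays(-$DaysBack).ToString('yyyy-MM-ddTHH:mm:ssZ')
}

function Get-BreakGlassSignIn {
    # Point 3: any sign-in by a break-glass account is an incident until proven otherwise,
    # so return every attempt (successful or failed) with enough context to triage it.
    param([string[]]$Upn = $BreakGlassUpns, [int]$DaysBack = 30)
    $since = Get-UtcFilterTimestamp -DaysBack $DaysBack
    foreach ($u in $Upn) {
        Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$u' and createdDateTime ge $since" -All |
            Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
                @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" } } }
    }
}

function Get-LegacyAuthUsage {
    # Point 4: who still depends on legacy protocols? Only successful sign-ins count as a
    # dependency; failed ones are usually credential stuffing and are the reason for the block.
    param([int]$DaysBack = 30, [string[]]$ClientApps = $LegacyClientApps)
    $since = Get-UtcFilterTimestamp -DaysBack $DaysBack
    $appClause = ($ClientApps | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and ($appClause)" -All |
        Where-Object { $_.Status.ErrorCode -eq 0 } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].UserPrincipalName
                Protocol = $_.Group[0].ClientAppUsed
                SignIns  = $_.Count
                LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
            }
        } | Sort-Object SignIns -Descending
}

# Usage (after Connect-MgGraph):
# Get-BreakGlassSignIn | Format-Table
# Get-LegacyAuthUsage | Export-Csv legacy-auth-dependencies.csv -NoTypeInformation
```

The CSV from Get-LegacyAuthUsage is the list to work through during the 30-day report-only window: each row is either a client to migrate or a consciously documented exclusion.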
5. Enable Privileged Identity Management (PIM)
Standing administrative access is unnecessary risk. PIM ensures admins only have elevated privileges when they need them, with approval workflows and time limits.
Action items:
- Enable PIM for all Entra ID roles and all Azure resource roles
- Set activation maximum duration to 8 hours for standard roles, 4 hours for Global Admin
- Require justification and MFA on every activation
- Require approval for Global Administrator, Privileged Role Administrator, and Exchange Administrator activations
- Configure activation alerts sent to your security operations team
6. Implement Access Reviews
Role assignments drift over time. People change roles, leave projects, or leave the organisation — but their permissions often remain.
Action items:
- Configure quarterly access reviews for all PIM-eligible roles
- Configure quarterly access reviews for all security groups that grant access to sensitive resources
- Set auto-apply for recommended actions (remove access for users who have not used the role)
- Assign group owners as reviewers for group-based reviews
7. Configure Risk-Based Conditional Access
Microsoft Entra ID Protection detects risky sign-ins and risky users using machine learning signals. Feed these signals into your Conditional Access policies.
Action items:
- Create a policy: All users > All cloud apps > Conditions: Sign-in risk = High > Grant: Require MFA + Require password change
- Create a policy: All users > All cloud apps > Conditions: User risk = High > Grant: Require password change
- Review risky users weekly in the Identity Protection dashboard
- Integrate Identity Protection alerts with Microsoft Sentinel
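Added example (not from the original article): creating the Conditional Access policies from points 4 and 7 through Microsoft Graph PowerShell, with every policy starting in report-only state and the break-glass accounts from point 3 excluded centrally so no policy can forget them. It assumes the Graph PowerShell SDK, a session with Policy.ReadWrite.ConditionalAccess and Policy.Read.All, Entra ID P2 for the risk conditions, and the placeholder break-glass object IDs shown; the policy display names are my own.

```powershell
# Added example, not from the original article.
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

# Placeholder object IDs of the break-glass accounts from point 3 (replace with your own).
$BreakGlassObjectIds = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002')

function New-ReportOnlyCaPolicy {
    # Creates a policy in report-only state. Its effect shows in the sign-in log's
    # Report-only tab without blocking anyone; switch the state to 'enabled' once that is clean.
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    # Default to all users and always add the break-glass exclusion.
    if (-not $Conditions.ContainsKey('users')) { $Conditions.users = @{ includeUsers = @('All') } }
    $existing = @($Conditions.users.excludeUsers | Where-Object { $_ })
    $Conditions.users.excludeUsers = @(($existing + $BreakGlassObjectIds) | Select-Object -Unique)

    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Point 4: block legacy authentication (Exchange ActiveSync and "other" clients).
$legacyBlock = New-ReportOnlyCaPolicy -DisplayName 'CA - Block legacy authentication' `
    -Conditions @{
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# Point 7: high sign-in risk -> require MFA and a password change. The passwordChange
# control has to be paired with mfa using the AND operator.
$signInRisk = New-ReportOnlyCaPolicy -DisplayName 'CA - High sign-in risk' `
    -Conditions @{
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('high')
    } `
    -GrantControls @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }

# Point 7: high user risk -> password change (again paired with MFA).
$userRisk = New-ReportOnlyCaPolicy -DisplayName 'CA - High user risk' `
    -Conditions @{
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        userRiskLevels = @('high')
    } `
    -GrantControls @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }

# After the report-only review period, enforce one policy at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $legacyBlock.Id -State 'enabled'
```

Keeping the exclusion inside the helper rather than in each policy body is the point of the design: the lockout risk in point 3 comes from exactly one policy being created without it.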
8. Restrict User Consent to Applications
By default, users can consent to third-party applications accessing organisational data. This is a major data exfiltration vector.
Action items:
- Set user consent to "Do not allow user consent", or limit it to verified publishers only
- Implement an admin consent workflow so users can request access to applications
- Review existing application consent grants — revoke any that are overly permissive or from unverified publishers
- Audit regularly using:
Get-MgServicePrincipal -All | Where-Object {$_.AppOwnerOrganizationId -ne "<your-tenant-id>"}   # -All pages through the whole directory; without it only the first page is returned
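Added example (not from the original article) for the consent review in this point: it walks every delegated OAuth2 permission grant, resolves the client service principal, and reports grants to externally owned applications that include sensitive scopes, along with whether the publisher is verified and whether the consent was per-user or admin-wide. It assumes the Graph PowerShell SDK with Directory.Read.All; the watched scope list and the two Microsoft first-party tenant IDs used to skip Microsoft-owned apps are my own choices, not the article's.

```powershell
# Added example, not from the original article.
#   Connect-MgGraph -Scopes 'Directory.Read.All'

# Delegated scopes worth a human review when granted to a third-party app. Starting point only.
$WatchScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'Contacts.Read',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'Directory.Read.All', 'Directory.ReadWrite.All', 'Directory.AccessAsUser.All',
    'User.Read.All', 'offline_access'
)

# Tenant IDs Microsoft uses for its first-party apps (assumed constants; adjust if your
# review should include them).
$MicrosoftTenantIds = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47')

function Get-RiskyDelegatedGrant {
    param(
        [string[]] $Scopes = $WatchScopes,
        [string]   $HomeTenantId = (Get-MgContext).TenantId
    )
    $spCache = @{}   # one Graph lookup per client app, not per grant
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId `
                -Property DisplayName, AppId, AppOwnerOrganizationId, VerifiedPublisher
        }
        $sp = $spCache[$grant.ClientId]

        # Apps registered in this tenant and Microsoft's own apps are out of scope here;
        # the point-8 concern is third-party apps that users consented to.
        $owner = "$($sp.AppOwnerOrganizationId)"
        if (-not $owner -or $owner -eq $HomeTenantId -or $owner -in $MicrosoftTenantIds) { continue }

        # Scope is a space-separated string of delegated permissions.
        $granted = ($grant.Scope -split '\s+') | Where-Object { $_ }
        $hits = @($granted | Where-Object { $_ -in $Scopes })
        if ($hits.Count -eq 0) { continue }

        [pscustomobject]@{
            GrantId           = $grant.Id
            App               = $sp.DisplayName
            AppId             = $sp.AppId
            VerifiedPublisher = $sp.VerifiedPublisher.DisplayName   # empty = unverified publisher
            ConsentType       = $grant.ConsentType                  # AllPrincipals = tenant-wide admin consent
            PrincipalId       = $grant.PrincipalId                  # set only for per-user consent
            RiskyScopes       = $hits -join ' '
        }
    }
}

# Usage (after Connect-MgGraph):
# Get-RiskyDelegatedGrant | Sort-Object App | Format-Table -AutoSize
# Revoke a grant once the review has decided against it:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant-id>
```

Rows with an empty VerifiedPublisher and ConsentType of Principal are the typical consent-phishing footprint: an unverified app that a single user approved for mail or file access.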
9. Restrict Azure AD Administration Portal Access
Non-admin users should not browse the Entra ID administration portal. While they cannot make changes, the portal exposes directory information that aids reconnaissance.
Action items:
- Set "Restrict access to Microsoft Entra admin center" to Yes in User Settings
- Restrict the ability to read other users if your directory structure allows it (evaluate impact carefully)
10. Configure Cross-Tenant Access Policies
If you collaborate with external organisations via B2B, your default cross-tenant access settings may be too permissive.
Action items:
- Review the default cross-tenant access settings — set inbound and outbound defaults to block
- Create per-organisation policies for trusted partners with scoped access
- Enable cross-tenant access settings for B2B collaboration with specific application access only
- Consider tenant restrictions v2 to prevent your users from authenticating to unmanaged external tenants
11. Enable Token Protection (Preview to GA)
Token theft is increasingly common. Attackers steal session tokens from compromised endpoints and replay them from attacker-controlled devices.
Action items:
- Enable token protection in Conditional Access (requires compliant Windows devices)
- Create a policy: High-risk users or admin roles > All cloud apps > Session: Require token protection
- Monitor for token replay events in the sign-in logs and Identity Protection
12. Configure Named Locations and Enforce Location Policies
Define your trusted network locations and use them to make smarter access decisions.
Action items:
- Define named locations for all office networks, VPN exit points, and trusted IP ranges
- Create Conditional Access policies that block access from countries where you have no business operations
- Require additional verification for access from non-trusted locations
- Use GPS-based named locations for mobile devices where applicable
13. Harden Authentication Methods
Not all MFA methods are created equal. Your authentication methods policy should reflect your risk tolerance.
Action items:
- Disable SMS and voice call as MFA methods for administrators
- Enable Microsoft Authenticator with number matching and additional context
- Enable FIDO2 security keys for high-privilege roles
- Disable the legacy MFA per-user portal — manage everything through Conditional Access and Authentication Methods policies
- Review and restrict SSPR (Self-Service Password Reset) methods — ensure they align with your MFA methods
14. Monitor and Alert on Critical Directory Changes
Certain changes to your Entra ID configuration should trigger immediate alerts.
Action items:
- Configure alerts for:
  - New Global Administrator assignments
  - Conditional Access policy modifications or deletions
  - New federated domains
  - Changes to authentication methods policies
  - New application registrations with high-privilege API permissions
  - Modifications to cross-tenant access settings
- Route these alerts to your SIEM (Microsoft Sentinel) and ensure they have assigned response playbooks
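Added example (not from the original article): detection logic for the first three alert categories above, written as a filter over Entra ID directory audit records so it runs the same way on live records from Get-MgAuditLogDirectoryAudit and on the constructed sample included below. It assumes the Graph PowerShell SDK with AuditLog.Read.All for the live query; the activity display names and the Role.DisplayName modified-property convention are my reading of the audit log schema and should be confirmed against your own tenant's logs.

```powershell
# Added example, not from the original article.
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'   (only needed for the live query at the end)

# Activity names as they appear in the audit log's activityDisplayName field (assumed; verify).
$WatchedActivities = @(
    'Add member to role',               # permanent role assignment
    'Add eligible member to role',      # PIM eligibility
    'Add conditional access policy',
    'Update conditional access policy',
    'Delete conditional access policy',
    'Set domain authentication',        # domain switched to or from federated
    'Set federation settings on domain'
)
$PrivilegedRoles = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')

function Find-CriticalDirectoryChange {
    param([Parameter(Mandatory)] [object[]] $AuditRecords)
    foreach ($r in $AuditRecords) {
        if ($r.ActivityDisplayName -notin $WatchedActivities) { continue }

        # Role assignments: alert only for privileged roles. The role name travels in the
        # target's modified property 'Role.DisplayName', whose NewValue is a JSON-quoted string.
        $role = $null
        if ($r.ActivityDisplayName -like 'Add*member to role') {
            $prop = $r.TargetResources.ModifiedProperties |
                Where-Object DisplayName -eq 'Role.DisplayName' | Select-Object -First 1
            $role = if ($prop) { $prop.NewValue.Trim('"') }
            if ($role -notin $PrivilegedRoles) { continue }
        }

        $actor = if ($r.InitiatedBy.User.UserPrincipalName) { $r.InitiatedBy.User.UserPrincipalName }
                 elseif ($r.InitiatedBy.App.DisplayName)    { "app:$($r.InitiatedBy.App.DisplayName)" }
                 else                                       { 'unknown' }
        [pscustomobject]@{
            When     = $r.ActivityDateTime
            Activity = $r.ActivityDisplayName
            Actor    = $actor
            Target   = ($r.TargetResources | ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ', '
            Role     = $role
            Result   = $r.Result
        }
    }
}

# Constructed sample records shaped like the Graph SDK output (not real tenant data).
$SampleRecords = @(
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-05-01T09:12:00Z'; ActivityDisplayName = 'Add member to role'; Result = 'success'
        InitiatedBy      = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example' }; App = $null }
        TargetResources  = @([pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.example'; DisplayName = $null
            ModifiedProperties = @([pscustomobject]@{ DisplayName = 'Role.DisplayName'; NewValue = '"Global Administrator"'; OldValue = '' }) })
    },
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-05-01T09:15:00Z'; ActivityDisplayName = 'Add member to role'; Result = 'success'
        InitiatedBy      = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example' }; App = $null }
        TargetResources  = @([pscustomobject]@{ UserPrincipalName = 'asmith@contoso.example'; DisplayName = $null
            ModifiedProperties = @([pscustomobject]@{ DisplayName = 'Role.DisplayName'; NewValue = '"Helpdesk Administrator"'; OldValue = '' }) })
    },
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-05-01T10:02:00Z'; ActivityDisplayName = 'Delete conditional access policy'; Result = 'success'
        InitiatedBy      = [pscustomobject]@{ User = $null; App = [pscustomobject]@{ DisplayName = 'Automation-SP' } }
        TargetResources  = @([pscustomobject]@{ UserPrincipalName = $null; DisplayName = 'CA - Block legacy authentication'; ModifiedProperties = @() })
    },
    [pscustomobject]@{
        ActivityDateTime = [datetime]'2024-05-01T10:30:00Z'; ActivityDisplayName = 'Update user'; Result = 'success'
        InitiatedBy      = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'hr@contoso.example' }; App = $null }
        TargetResources  = @([pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.example'; DisplayName = $null; ModifiedProperties = @() })
    }
)
Find-CriticalDirectoryChange -AuditRecords $SampleRecords | Format-Table -AutoSize

# Live query for the last hour (after Connect-MgGraph):
# $since = (Get-Date).ToUniversalTime().AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Find-CriticalDirectoryChange -AuditRecords (Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All)
```

Run against the sample, the filter keeps the Global Administrator assignment and the policy deletion (the latter attributed to the service principal that made it) and drops the Helpdesk Administrator assignment and the unrelated user update. The same predicate expressed as a Sentinel analytics rule is what the point above asks for; the PowerShell form is useful for validating the rule's logic and for ad-hoc review.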
15. Implement Workload Identity Protection
Service principals, managed identities, and application registrations are often overlooked in identity hardening programmes. They frequently have excessive permissions and no MFA.
Action items:
- Inventory all application registrations and service principals — identify those with high-privilege API permissions
- Implement Conditional Access for workload identities (requires Workload Identities Premium)
- Rotate client secrets and certificates on a defined schedule (90 days for secrets, 12 months for certificates)
- Prefer managed identities over service principals with secrets wherever possible
- Monitor workload identity sign-ins for anomalous patterns
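Added example (not from the original article) for the rotation schedule in this point: an inventory of every application registration's secrets and certificates, flagging credentials that are expired (remove them) or older than the 90-day and 12-month limits (rotate them). The age rule is a separate function so it can be reasoned about without a tenant. It assumes the Graph PowerShell SDK with Application.Read.All; thresholds and output field names are my own.

```powershell
# Added example, not from the original article.
#   Connect-MgGraph -Scopes 'Application.Read.All'

function Get-CredentialFinding {
    # Pure rule check: an expired credential must go; a live one older than its rotation
    # window is overdue. Start/end may be null on some credentials, hence the untyped params.
    param(
        $StartDateTime,
        $EndDateTime,
        [Parameter(Mandatory)] [int] $MaxAgeDays,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    if ($null -ne $EndDateTime -and $EndDateTime.ToUniversalTime() -lt $Now) {
        return 'Expired: remove it'
    }
    if ($null -ne $StartDateTime) {
        $age = [int]($Now - $StartDateTime.ToUniversalTime()).TotalDays
        if ($age -gt $MaxAgeDays) { return "Overdue for rotation: $age days old, limit $MaxAgeDays" }
    }
    return $null
}

function Get-AppCredentialFinding {
    # Inventory every app registration's credentials and run each through the rule above.
    param([int]$SecretMaxAgeDays = 90, [int]$CertMaxAgeDays = 365)
    $now  = (Get-Date).ToUniversalTime()
    $apps = Get-MgApplication -All -Property Id, DisplayName, AppId, PasswordCredentials, KeyCredentials
    foreach ($app in $apps) {
        $creds = @()
        foreach ($s in $app.PasswordCredentials) { $creds += [pscustomobject]@{ Kind = 'Secret';      Cred = $s; MaxAge = $SecretMaxAgeDays } }
        foreach ($k in $app.KeyCredentials)      { $creds += [pscustomobject]@{ Kind = 'Certificate'; Cred = $k; MaxAge = $CertMaxAgeDays } }
        foreach ($c in $creds) {
            $finding = Get-CredentialFinding -StartDateTime $c.Cred.StartDateTime -EndDateTime $c.Cred.EndDateTime `
                                             -MaxAgeDays $c.MaxAge -Now $now
            if ($finding) {
                [pscustomobject]@{
                    App      = $app.DisplayName
                    AppId    = $app.AppId
                    ObjectId = $app.Id
                    Kind     = $c.Kind
                    KeyId    = $c.Cred.KeyId
                    Expires  = $c.Cred.EndDateTime
                    Finding  = $finding
                }
            }
        }
    }
}

# Usage (after Connect-MgGraph):
# Get-AppCredentialFinding | Sort-Object App | Export-Csv app-credential-findings.csv -NoTypeInformation
# Remove an expired secret once its owner confirms nothing still uses it:
# Remove-MgApplicationPassword -ApplicationId <object-id> -KeyId <key-id>
```

The report is most useful when it is scheduled and diffed: a credential that appears as overdue in two consecutive runs has an owner who is not rotating it, which is the conversation the point above is really about.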
Implementation Priority
If you cannot do everything at once, this is the order that delivers the most risk reduction:
- Break-glass accounts (point 3) — prevent lockout before tightening controls
- Block legacy auth + enforce MFA (points 2, 4) — eliminate the easiest attack paths
- Admin MFA + PIM (points 1, 5) — protect your most powerful accounts
- Risk-based policies + app consent (points 7, 8) — automate threat response and close data exfiltration paths
- Everything else — layered hardening that compounds over time
Validating Your Configuration
After implementing these controls, validate them:
- Run the Microsoft Secure Score assessment and review identity-specific recommendations
- Use Microsoft Entra ID Protection reports to confirm risk policies are triggering correctly
- Conduct a penetration test targeting identity: password spray, token theft, consent phishing
- Review sign-in logs for any access that bypasses your intended policies
Final Thought
Identity security is not a set-and-forget exercise. Entra ID features evolve monthly, new attack techniques emerge regularly, and your organisation's configuration drifts over time. Schedule a quarterly review of this checklist, assign ownership for each point, and integrate identity security into your ongoing security operations.
Need help hardening your Entra ID tenant? Get in touch — we perform Entra ID security assessments and implement hardening programmes for enterprises across Europe.