Data Strategy Breakdown Series - Entra ID (5)
- welka2111
- Jul 2
- 6 min read

Introduction
Welcome back to the final post in this Data Strategy Breakdown series - it’s been a journey! We’ve covered Defence in Depth & Zero Trust (1), Basic Security Hygiene (2), Secure Collaboration (3), and Defender XDR & Intune (4). If you missed any, you can catch up on them here:
This post wraps up the series for everything that lives outside Microsoft Purview - and yes, we’re also steering clear of Conditional Access for now (don’t worry, that’s getting its own series next). So let’s talk about Entra ID, where identity truly becomes the frontline of your security posture.
Why Entra ID?
Entra ID (formerly Azure Active Directory, or Azure AD) is the identity control plane for Microsoft cloud environments - your front door, your gatekeeper, your perimeter. We used to talk about firewalls and subnets as the boundaries, but in today’s world of mobile devices, hybrid work, SaaS sprawl, and cloud-native workloads, identity is the perimeter.
And here’s the kicker: even if you've got Microsoft Purview humming with sensitivity labels and encryption, if your identities are compromised, it doesn’t matter. Labels can't stop a compromised user from exfiltrating data they’re authorised to access. That’s why I’m passionate about completing the picture.
Whether it's permissions in Exchange, SharePoint, or Teams, whether you're deploying Defender XDR or Intune, or designing a resilient compliance architecture with Purview - none of it stands up if you leave the identity layer exposed.
Top 20 data strategy Entra ID tips – Welka’s edition
Here are my top 20 controls and recommendations you should be looking at to secure your environment. Each one has come up in the field, often in situations where the damage had already started. Don’t let that be your story.
1. Use Privileged Identity Management (PIM)
Privileged Identity Management (PIM) replaces permanent role membership with eligibility: a user activates a privileged role (e.g. Global Administrator) just in time, for a bounded period, and activation can require MFA, a justification, a ticket number and/or approver sign-off. Every activation is written to the audit log.
Recommendation: Avoid standing admin access. Use PIM for time-based access, MFA enforcement, and approval workflows.
Licence: Requires Entra ID P2 or Entra ID Governance (or Suite) licences assigned to any user using PIM features.
2. Configure Access Reviews
Access reviews periodically ask an owner (or the users themselves) to confirm that each member still needs the group, application or role, and can remove access automatically when nobody approves it. This is what stops permission creep over time.
Recommendation: Automate periodic checks to ensure users still need access to apps, groups, or roles.
Licence: Included in Entra ID P2/Governance/Suite.
3. Utilise Entitlement Management
Entitlement management bundles groups, apps and SharePoint sites into access packages that internal or external users request through the “My Access” portal, with approval workflows, expiry and reporting built in.
Recommendation: Streamline how users request access and how it expires. Reduces “permission bloat.”
Licence: Requires Entra ID P2, Entra ID Governance/Suite, or EMS E5.
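Tip 1 says to avoid standing admin access; the quickest way to find out whether you have any is to compare active against eligible PIM assignments for the roles you care about. The script below is added here as a worked example and is not code from the original post. It assumes the Microsoft Graph PowerShell SDK v2, an Entra ID P2 tenant (the PIM schedule-instance endpoints need it), and the well-known built-in role template IDs shown; the role list is a starting point to extend (it already includes the device local administrator role from tip 10).

```powershell
# Added example: list standing (permanent) privileged role assignments that should become PIM-eligible.
# Assumes Microsoft Graph PowerShell SDK v2 and Entra ID P2 (PIM APIs).
Connect-MgGraph -NoWelcome -Scopes @(
    "RoleAssignmentSchedule.Read.Directory",
    "RoleEligibilitySchedule.Read.Directory",
    "Directory.Read.All"
)

# Built-in role template IDs are the same in every tenant and double as roleDefinitionId.
$roles = [ordered]@{
    "Global Administrator"                              = "62e90394-69f5-4237-9190-012177145e10"
    "Microsoft Entra Joined Device Local Administrator" = "9f06204d-73c1-4d4c-880a-6edb90606fd8"  # tip 10
}

$rows = foreach ($roleName in $roles.Keys) {
    $roleId = $roles[$roleName]

    # Active assignments: permanent ("Assigned" with no end date), time-bound, or a PIM activation ("Activated").
    $active   = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -Filter "roleDefinitionId eq '$roleId'")
    # Eligible assignments: the shape access should have once PIM is in use.
    $eligible = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -Filter "roleDefinitionId eq '$roleId'")
    Write-Host ("{0}: {1} active, {2} eligible" -f $roleName, $active.Count, $eligible.Count)

    foreach ($a in $active) {
        [pscustomobject]@{
            Role        = $roleName
            PrincipalId = $a.PrincipalId
            MemberType  = $a.MemberType       # Direct, or Group via a role-assignable group
            Type        = $a.AssignmentType   # Assigned or Activated
            Expires     = $a.EndDateTime      # $null means permanent
            Standing    = ($a.AssignmentType -eq "Assigned") -and ($null -eq $a.EndDateTime)
        }
    }
}

# Resolve principal IDs to names with one batched call instead of one call per principal.
$names = @{}
$ids = @($rows.PrincipalId | Sort-Object -Unique)
if ($ids.Count -gt 0) {
    foreach ($obj in Get-MgDirectoryObjectById -Ids $ids) {
        $props = $obj.AdditionalProperties
        $names[$obj.Id] = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
    }
}

# Standing assignments are the ones to convert to eligible. Keep your emergency-access
# ("break-glass") accounts permanent and excluded from Conditional Access, as Microsoft recommends.
$rows |
    Where-Object Standing |
    Select-Object Role, @{ n = "Principal"; e = { $names[$_.PrincipalId] } }, MemberType |
    Sort-Object Role, Principal |
    Format-Table -AutoSize
```

Anything listed as Standing with MemberType Group is worth a second look: a role-assignable group with permanent membership is standing access too, even though the individual users never appear in the role directly.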
4. Avoid legacy MFA (SMS, calls, email OTP)
Legacy MFA options such as SMS, voice calls and email OTP are vulnerable to SIM swapping and to real-time phishing: an adversary-in-the-middle (AiTM) proxy simply asks the victim for the code and replays it. Better options are the Microsoft Authenticator app, FIDO2 security keys or passkeys, and certificate-based authentication.
Recommendation: SMS and call-based MFA are weak. Prefer Microsoft Authenticator or FIDO2.
Tip: It's also a good idea to restrict email OTP to guests only.
Licence: Authenticator registration and use are included with Entra ID Free; enforcing particular methods through Conditional Access authentication strengths, and the registration and usage reports, require Entra ID P1.
5. Enable suspicious activity alerts on MFA
Lets users report suspicious MFA prompts (“That wasn’t me”), triggering investigations and risk responses.
Recommendation: Let users report dodgy MFA prompts - a simple feature with big impact.
Licence: Included with Entra ID; no extra licence needed. Note that flagging the reporting user as high risk and responding through risk policies needs Entra ID P2 (see tips 17 and 18); without it the report lands in the sign-in and audit logs for someone to pick up.
6. Corporate branding
Customise the sign-in page with your logo, colours and background. It is a user-awareness aid: a lookalike page that lacks the branding stands out, although a well-built phishing page or an AiTM proxy will reproduce it, so this complements rather than replaces phish-resistant methods (tip 9).
Recommendation: Help users spot phishing by making legitimate sign-in pages clearly branded. You can take it a step further: in addition to your company logo, make the background a picture of something unusual and easy to recognise - think pink flamingo, red bus, and so on.
Licence: Included with all Entra tenants - no premium tier required.
7. MFA registration campaign
A registration campaign prompts users at sign-in to set up Microsoft Authenticator, lets them snooze a limited number of times, and can then make registration mandatory. It turns MFA registration from optional into standard.
Recommendation: Nudge users to register Authenticator. Make secure defaults default.
Licence: Included with Entra ID; pairing the campaign with a Conditional Access policy that actually requires MFA needs Entra ID P1.
8. Disable and audit Azure Access Management elevation
Any Global Administrator can switch on “Access management for Azure resources” in Entra ID properties. That grants them User Access Administrator at the root scope (“/”) of every management group and subscription in the tenant, from which they can assign themselves Owner anywhere. Each elevation is recorded as an elevateAccess event in the Directory Activity log.
Recommendation: Global Admins can elevate to Subscription Owner. Treat elevation as break-glass: remove the root-scope User Access Administrator assignment as soon as the job is done, and alert on every elevateAccess event.
Licence: The Directory Activity log is included with Entra; forward it to Log Analytics or your SIEM if you want alerting and longer retention.
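The audit and clean-up for tip 8 can be scripted. The following is an added example, not code from the original post; it assumes the Az PowerShell module and that the signed-in account itself currently holds User Access Administrator at the root scope (without that, the root-scope listing comes back empty). The 30-day window and the -WhatIf on the removal are choices made here.

```powershell
# Added example: audit and revert Global Administrator elevation into Azure RBAC (tip 8).
# Assumes the Az PowerShell module. Reading root-scope ("/") assignments requires that the
# signed-in account holds User Access Administrator at "/", i.e. is itself elevated.
Connect-AzAccount | Out-Null

# 1. Who holds User Access Administrator at the root scope right now?
$rootUaa = @(Get-AzRoleAssignment -Scope "/" -RoleDefinitionName "User Access Administrator" |
    Where-Object Scope -eq "/")
$rootUaa | Select-Object DisplayName, SignInName, ObjectType, ObjectId | Format-Table -AutoSize

# 2. Elevation events live in the tenant-level (Directory) activity log, which the subscription-scoped
#    Get-AzLog does not cover; query the REST endpoint directly and follow nextLink paging.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri = "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values" +
       "?api-version=2015-04-01&`$filter=eventTimestamp ge '$since'"
$events = while ($uri) {
    $page = (Invoke-AzRestMethod -Method GET -Uri $uri).Content | ConvertFrom-Json
    $page.value | Where-Object { $_.operationName.value -eq "Microsoft.Authorization/elevateAccess/action" }
    $uri = $page.nextLink
}
$events |
    Select-Object eventTimestamp, caller, @{ n = "status"; e = { $_.status.value } } |
    Sort-Object eventTimestamp -Descending |
    Format-Table -AutoSize

# 3. Elevation is meant to be temporary: remove the root-scope assignment when the task is done.
#    Run with -WhatIf first, then drop it. A Global Admin can always re-elevate if needed.
foreach ($ra in $rootUaa) {
    Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName "User Access Administrator" -Scope "/" -WhatIf
}
```

Step 2 is the one to turn into a scheduled detection: an elevateAccess event whose caller is not in your change ticket is exactly the signal this tip is about.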
9. Phish-resistant authentication
FIDO2 security keys, passkeys in Microsoft Authenticator, and certificate-based authentication bind the credential to the real sign-in origin (or to your PKI), so a proxy sitting on a lookalike domain cannot relay or replay the authentication. That is what defeats phishing and AiTM attacks, which relayed OTP codes and push approvals do not.
Recommendation: Use FIDO2 or certificate-based methods. Especially for admins and execs.
Licence: Registering these methods works on any Entra ID licence; requiring them, through a Conditional Access authentication strength, needs Entra ID P1.
10. Avoid Entra‑joined ‘Device Administrators’
Members of the Microsoft Entra Joined Device Local Administrator role are local administrators on every Entra-joined Windows device in the tenant, so one compromised member gives an attacker admin on all of them: a ready-made lateral movement path.
Recommendation: Don’t populate the Entra joined device local administrator role unless absolutely necessary; scope local admin rights per device (for example with Windows LAPS) instead.
Licence: Control available in Entra Free and Premium; no extra licence needed
11. Require MFA for device join
By default a user can register or join a device with only a password, which lets an attacker holding stolen credentials enrol a device they control.
Recommendation: Default settings don’t require MFA - change that with a Conditional Access policy targeting the “Register or join devices” user action.
Licence: Controlled via Conditional Access - requires Entra P1+.
12. Disable app passwords
App passwords are static, long-lived passwords from the per-user MFA era that let legacy clients skip MFA altogether. Once legacy authentication is blocked nothing should need them, so block them to close that loophole.
Recommendation: Old-school workaround for non-MFA apps. Shut it down.
Licence: Available on Entra Free and Premium; the setting lives in the legacy per-user MFA service settings (“Allow users to create app passwords…”), not in the Authentication methods policy.
13. Restrict tenant creation
By default, any user can create a new tenant, which is how shadow IT tenants appear outside your governance.
Recommendation: Yes, users can create new tenants by default. Lock it down.
Licence: Controlled via Directory settings; no licence required.
14. Enable system‑preferred MFA
System-preferred MFA prompts with the strongest method the user has registered (a passkey or FIDO2 key before an Authenticator push, which in turn comes before SMS or a phone call) rather than whichever method they used last.
Recommendation: Prioritise the most secure MFA method, not just whatever the user used last.
Licence: Requires Entra ID P1+
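Tips 4, 5, 7 and 14 are all settings on the tenant-wide Authentication methods policy, so one script can review and apply them. The block below is an added example, not code from the original post. It assumes the Microsoft Graph PowerShell SDK v2; the registration-detail report it uses to check for phone-only users needs Entra ID P1; and the one-day snooze, the “all_users” targeting and the choice to leave email OTP untouched (the post suggests scoping it to guests, which is a targeting change rather than an on/off switch) are choices made here.

```powershell
# Added example: review and harden the tenant-wide Authentication methods policy (tips 4, 5, 7 and 14).
# Assumes Microsoft Graph PowerShell SDK v2. The registration-detail report needs Entra ID P1.
Connect-MgGraph -NoWelcome -Scopes @(
    "Policy.ReadWrite.AuthenticationMethod",
    "UserAuthenticationMethod.Read.All",
    "AuditLog.Read.All"
)

$policy = Get-MgPolicyAuthenticationMethodPolicy

# Current state of every method, plus the three tenant-wide switches this script manages.
$policy.AuthenticationMethodConfigurations | Select-Object Id, State | Format-Table -AutoSize
[pscustomobject]@{
    ReportSuspiciousActivity = $policy.ReportSuspiciousActivitySettings.State
    SystemPreferredMfa       = $policy.SystemCredentialPreferences.State
    RegistrationCampaign     = $policy.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign.State
} | Format-List

# Tip 4, check before you cut: users whose only registered MFA method is a phone number
# lose MFA the moment SMS/voice are disabled. Nudge them to register Authenticator first (tip 7).
$phoneOnly = @("mobilePhone", "alternateMobilePhone", "officePhone")
$atRisk = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsMfaRegistered -and -not ($_.MethodsRegistered | Where-Object { $_ -notin $phoneOnly }) }
Write-Host ("{0} user(s) have only phone-based MFA registered" -f @($atRisk).Count)

# Tip 4: disable SMS and voice. Email OTP is left alone here; scope it to guests via its targets instead.
foreach ($id in @("Sms", "Voice")) {
    $cfg = $policy.AuthenticationMethodConfigurations | Where-Object Id -eq $id
    if ($cfg -and $cfg.State -eq "enabled") {
        Write-Host "Disabling $id"
        Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId $id `
            -BodyParameter @{
                "@odata.type" = "#microsoft.graph.$($id.ToLower())AuthenticationMethodConfiguration"
                state         = "disabled"
            }
    }
}

# Tips 5, 7 and 14 live on the policy object itself; one PATCH sets all three.
# "all_users" is the well-known group id meaning "everyone" in these targets.
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{
    reportSuspiciousActivitySettings = @{               # tip 5: "that wasn't me" in Authenticator
        state              = "enabled"
        includeTarget      = @{ targetType = "group"; id = "all_users" }
        voiceReportingCode = 0
    }
    systemCredentialPreferences = @{                    # tip 14: prompt with the strongest registered method
        state          = "enabled"
        includeTargets = @(@{ targetType = "group"; id = "all_users" })
    }
    registrationEnforcement = @{                        # tip 7: nudge, then require, Authenticator registration
        authenticationMethodsRegistrationCampaign = @{
            state                                  = "enabled"
            snoozeDurationInDays                   = 1
            enforceRegistrationAfterAllowedSnoozes = $true
            includeTargets = @(@{
                targetType                   = "group"
                id                           = "all_users"
                targetedAuthenticationMethod = "microsoftAuthenticator"
            })
        }
    }
}
```

Run the reporting half first and let the campaign drive the phone-only count down before you execute the SMS/voice disable; the order matters more than the settings themselves.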
15. Avoid security defaults
Security defaults are quick to enable but all-or-nothing: every user must register for MFA, legacy authentication is blocked, and you cannot create Conditional Access policies while they are on. Mature environments benefit from bespoke Conditional Access.
Recommendation: Security defaults are useful to get started, but limiting long-term. Replace them with Conditional Access - and plan the switchover, because MFA enforcement lapses between turning security defaults off and enabling your policies.
Licence: Security defaults are built‑in and free; conditional access policies require P1+.
16. Disable per‑user MFA
The legacy per-user MFA setting is superseded by Conditional Access. Turning it off once your policies require MFA avoids two mechanisms prompting users in different ways and ensures consistent policy coverage.
Recommendation: Per-user MFA is legacy - move to Conditional Access policies instead.
Licence: Controlled via portal; no licence change needed.
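Tips 11, 13, 15 and 16 are tenant-level switches that are easy to check in one pass. The script below is an added example, not code from the original post. It assumes the Microsoft Graph PowerShell SDK v2, reads the per-user MFA state from the beta endpoint, and deliberately gates the two disruptive changes (turning security defaults off, clearing per-user MFA) behind a flag you flip only once the replacement Conditional Access policies exist.

```powershell
# Added example: posture check for tips 11, 13, 15 and 16, then the changes each one calls for.
# Assumes Microsoft Graph PowerShell SDK v2; per-user MFA state comes from the beta endpoint.
Connect-MgGraph -NoWelcome -Scopes @(
    "Policy.Read.All",
    "Policy.Read.DeviceConfiguration",
    "Policy.ReadWrite.Authorization",
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.ReadWrite.AuthenticationMethod",
    "UserAuthenticationMethod.Read.All",
    "User.Read.All"
)

# Flip this only after your Conditional Access MFA policies are built and tested.
$conditionalAccessReady = $false

$authz  = Get-MgPolicyAuthorizationPolicy
$sd     = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$device = Get-MgPolicyDeviceRegistrationPolicy
$caOn   = @(Get-MgIdentityConditionalAccessPolicy -Filter "state eq 'enabled'").Count

[pscustomobject]@{
    "Tip 11: device setting requires MFA to join" = $device.MultiFactorAuthConfiguration   # notRequired / required
    "Tip 13: users may create tenants"            = $authz.DefaultUserRolePermissions.AllowedToCreateTenants
    "Tip 15: security defaults enabled"           = $sd.IsEnabled
    "Enabled Conditional Access policies"         = $caOn
} | Format-List

# Tip 13: nobody outside IT needs to create tenants. Safe to change at any time.
if ($authz.DefaultUserRolePermissions.AllowedToCreateTenants) {
    Update-MgPolicyAuthorizationPolicy -BodyParameter @{
        defaultUserRolePermissions = @{ allowedToCreateTenants = $false }
    }
}

# Tip 15: security defaults and Conditional Access are mutually exclusive, so there is a window with
# no MFA enforcement between switching defaults off and enabling your policies. Do it as one change.
if ($sd.IsEnabled -and $conditionalAccessReady) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
} elseif ($sd.IsEnabled) {
    Write-Warning "Security defaults are still on; Conditional Access policies cannot be created until they are off."
}

# Tip 16: find users still carrying legacy per-user MFA state (enabled/enforced).
$legacy = foreach ($u in Get-MgUser -All -Property Id, UserPrincipalName) {
    $req = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    if ($req.perUserMfaState -ne "disabled") {
        [pscustomobject]@{ Id = $u.Id; User = $u.UserPrincipalName; PerUserMfa = $req.perUserMfaState }
    }
}
$legacy | Format-Table User, PerUserMfa -AutoSize

# Once a Conditional Access policy requires MFA for these users, clear the legacy state so only one
# mechanism applies to them.
if ($conditionalAccessReady) {
    foreach ($l in $legacy) {
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/beta/users/$($l.Id)/authentication/requirements" `
            -Body @{ perUserMfaState = "disabled" }
    }
}
```

The first run, with the flag left at $false, is a pure read and a good baseline to keep; the second run, after the Conditional Access policies are enabled, is the actual migration.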
17. User‑risk policy
Identity Protection’s user risk is its assessment that the account itself is compromised (leaked credentials, anomalous behaviour across sessions). A user-risk policy can force a secure password change or block the user until an admin intervenes.
Recommendation: Use Identity Protection to detect and respond to risky users, not just individual sign-ins.
Licence: Requires Entra ID P2 / Identity Protection
18. Sign‑in risk policy
Sign-in risk scores each authentication (e.g. impossible travel, anonymous IP, unfamiliar sign-in properties), and a policy can require MFA or block the sign-in.
Recommendation: Monitor patterns of suspicious sign-ins and act automatically.
Licence: Requires Entra ID P2 / Identity Protection
19. Replace Microsoft‑managed CA policies
These built-in CA policies are good for baseline protection. Custom policies are needed for auditing, granularity, and edge cases.
Recommendation: Microsoft-managed policies are a decent baseline, but custom policies give you control and visibility.
Licence: Conditional Access requires Entra ID P1+.
20. Plan for service principal‑less auth deprecation
Today a multi-tenant app can obtain tokens for your tenant even when it has no service principal object there. Microsoft is retiring this “service principal-less” pattern by April 2026, and unmanaged multi-tenant apps that rely on it will fail to authenticate.
Recommendation: Audit and replace any apps using this pattern. Avoid surprise failures.
Licence: Reviewing service principal sign-ins works on every tenant; retaining and exporting the sign-in logs for a proper audit needs Entra ID P1.
Conclusion
Identity is everything. It’s where your controls live, where trust is established, and where attackers aim to get a foothold. If you’ve followed along from part 1 to part 5, you’ve now got a solid blueprint for building a defensible tenant - all the way from policy to protection.
In the next blog series, we’re diving deep into Conditional Access - where the real magic of contextual access control lives.
Before I dive into the Conditional Access series, I’ll be taking a closer look at some of the recommendations I’ve already covered, as well as introducing a few new ones that I haven’t mentioned yet. If you have any specific recommendations you'd like me to explore in more depth, feel free to drop a comment or send me a private message.