Share via

what are Microsoft security recommendation for Microsoft Entra

Richa Kumari 321 Reputation points
2024-04-16T16:14:14.66+00:00

hello,

We are setting up a Microsoft Enterprise tenant; what basic recommendations can we make to make it more secure?
Like we know, we like to implement MFA,CA ,PIM ,Audit log anything apart for this specially from IAM side security.

Thanks
Richa

Microsoft Security | Intune | Security
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Server | Devices and deployment | Configure application groups
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Gudivada Adi Navya Sri 21,095 Reputation points Moderator
    2024-04-17T09:39:12.14+00:00

    Hi @Richa Kumari

    Thank you for posting this in Microsoft Q&A.

    I understand that you are asking for basic recommendations to make their Microsoft Enterprise tenant more secure.

    Minimize MFA prompts from known devices: This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.

    Protect all users with a user risk policy: With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level.

    Convert per-user MFA to Conditional Access MFA: This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts.

    Renew expiring service principal credentials: Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.

    You can find these recommendations that are in general availability on the Microsoft Entra recommendations portal by looking for “Generally Available” under the column titled “Release Type” as shown below. 

    For more information on these recommendations, please refer to this document: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/overview-recommendations#recommendation-availability-and-license-requirements

    https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-new-and-upcoming-entra-recommendations-to-enhance/ba-p/3796390

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.

    1 person found this answer helpful.
  2. Marcin Policht 87,895 Reputation points MVP Volunteer Moderator
    2024-04-16T16:50:52.1166667+00:00
    1. Role-Based Access Control (RBAC): Implement RBAC to control access to Azure resources based on the principle of least privilege. Assign roles with appropriate permissions to users and groups to limit access to only what is necessary for their job responsibilities.
    2. Identity Protection: Enable Entra ID Identity Protection to detect and mitigate identity-based risks and threats in real-time. Configure risk-based policies to enforce actions such as blocking or requiring MFA based on risk levels.
    3. Privileged Identity Management (PIM): Utilize Entra ID Privileged Identity Management to manage, control, and monitor access to privileged roles in Entra ID, Azure, and other Microsoft Online Services. Enforce just-in-time access, approval workflows, and auditing for elevated privileges.
    4. Password Policies: Enforce strong password policies, including complexity requirements, expiration, and account lockout settings. Consider implementing Entra ID Password Protection to prevent users from using weak or commonly used passwords.
    5. Conditional Access Policies: Create Conditional Access policies to enforce access controls based on various conditions such as user location, device compliance, risk level, or application sensitivity. Apply policies to specific user groups or applications to tailor access controls.
    6. Identity Governance: Implement identity governance processes to manage the lifecycle of user identities, including provisioning, deprovisioning, and access reviews. Use Entra ID Entitlement Management to automate access reviews and streamline access request workflows.
    7. Monitoring and Logging: Enable Entra ID audit logging to track changes to user accounts, group memberships, and administrative activities. Integrate Entra ID logs with Azure Monitor or third-party SIEM solutions for centralized monitoring and analysis of security events.
    8. Secure Authentication Methods: Encourage the use of modern authentication methods such as Entra ID Seamless Single Sign-On (SSO) or passwordless authentication options (e.g., Windows Hello for Business, FIDO2 security keys) to enhance security and user experience.
    9. Regular Security Assessments: Conduct regular security assessments and reviews of Entra ID configurations, policies, and access controls to identify and remediate security gaps or misconfigurations.

     

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.