Secure your organization's identities with Microsoft Entra ID

It can seem daunting trying to secure your workers in today's world, especially when you have to respond rapidly and provide access to many services quickly. This article helps provide a concise list of actions to take, helping you identify and prioritize features based on the license type you own.

Microsoft Entra ID offers many features and provides many layers of security for your Identities, navigating which feature is relevant can sometimes be overwhelming. This document is intended to help organizations deploy services quickly, with secure identities as the primary consideration.

Each table provides security recommendations to protect identities from common security attacks while minimizing user friction.

The guidance helps:

• Configure access to software as a service (SaaS) and on-premises applications in a secure and protected manner
• Both cloud and hybrid identities
• Users working remotely or in the office

Prerequisites

This guide assumes that your cloud-only or hybrid identities are established in Microsoft Entra ID already. For help with choosing your identity type see the article, Choose the right authentication (AuthN) method for your Microsoft Entra hybrid identity solution.

Microsoft recommends that organizations have two cloud-only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and aren't assigned to specific individuals. The accounts are limited to emergency or "break glass" scenarios where normal accounts can't be used or all other administrators are accidentally locked out. These accounts should be created following the emergency access account recommendations.

Guided walkthrough

For a guided walkthrough of many of the recommendations in this article, see the Set up Microsoft Entra ID guide when signed in to the Microsoft 365 Admin Center. To review best practices without signing in and activating automated setup features, go to the Microsoft 365 Setup portal.

Guidance for Microsoft Entra ID Free, Office 365, or Microsoft 365 customers

There are many recommendations that Microsoft Entra ID Free, Office 365, or Microsoft 365 app customers should take to protect their user identities. The following table is intended to highlight key actions for the following license subscriptions:

• Office 365 (Office 365 E1, E3, E5, F1, A1, A3, A5)
• Microsoft 365 (Business Basic, Apps for Business, Business Standard, Business Premium, A1)
• Microsoft Entra ID Free (included with Azure, Dynamics 365, Intune, and Power Platform)

Recommended action	Detail
Enable Security Defaults	Protect all user identities and applications by enabling multifactor authentication and blocking legacy authentication.
Enable Password Hash Sync (if using hybrid identities)	Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials).
Enable AD FS smart lock out (If applicable)	Protects your users from experiencing extranet account lockout from malicious activity.
Enable Microsoft Entra smart lockout (if using managed identities)	Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.
Disable end-user consent to applications	The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.
Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable single sign-on (SSO)	Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (single sign-on (SSO)).
Automate user provisioning and deprovisioning from SaaS Applications (if applicable)	Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security.
Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks (if applicable)	Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Microsoft Entra ID with your existing application delivery controller or network.
Enable self-service password reset (applicable to cloud only accounts)	This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
Use least privileged roles where possible	Give your administrators only the access they need to only the areas they need access to.
Enable Microsoft's password guidance	Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure.

Guidance for Microsoft Entra ID P1 customers

The following table is intended to highlight the key actions for the following license subscriptions:

• Microsoft Entra ID P1
• Microsoft Enterprise Mobility + Security E3
• Microsoft 365 (E3, A3, F1, F3)

Recommended action	Detail
Enable combined registration experience for Microsoft Entra multifactor authentication and SSPR to simplify user registration experience	Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset.
Configure multifactor authentication settings for your organization	Ensure accounts are protected from being compromised with multifactor authentication.
Enable self-service password reset	This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
Implement Password Writeback (if using hybrid identities)	Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment.
Create and enable Conditional Access policies	Multifactor authentication for admins to protect accounts that are assigned administrative rights. Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols. Multifactor authentication for all users and applications to create a balanced multifactor authentication policy for your environment, securing your users and applications. Require multifactor authentication for Azure Management to protect your privileged resources by requiring multifactor authentication for any user accessing Azure resources.
Enable Password Hash Sync (if using hybrid identities)	Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.)
Enable AD FS smart lock out (If applicable)	Protects your users from experiencing extranet account lockout from malicious activity.
Enable Microsoft Entra smart lockout (if using managed identities)	Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.
Disable end-user consent to applications	The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.
Enable remote access to on-premises legacy applications with Application Proxy	Enable Microsoft Entra application proxy and integrate with legacy apps for users to securely access on-premises applications by signing in with their Microsoft Entra account.
Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks (if applicable).	Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Microsoft Entra ID with your existing application delivery controller or network.
Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable single sign-on	Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO).
Automate user provisioning and deprovisioning from SaaS Applications (if applicable)	Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security.
Enable Conditional Access – Device-based	Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Microsoft Entra hybrid joined devices.
Enable Password Protection	Protect users from using weak and easy to guess passwords.
Use least privileged roles where possible	Give your administrators only the access they need to only the areas they need access to.
Enable Microsoft's password guidance	Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure.
Create an organization specific custom banned password list	Prevent users from creating passwords that include common words or phrases from your organization or area.
Deploy passwordless authentication methods for your users	Provide your users with convenient passwordless authentication methods.
Create a plan for guest user access	Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities.

Guidance for Microsoft Entra ID P2 customers

The following table is intended to highlight the key actions for the following license subscriptions:

• Microsoft Entra ID P2
• Microsoft Enterprise Mobility + Security E5
• Microsoft 365 (E5, A5)

Recommended action	Detail
Enable combined registration experience for Microsoft Entra multifactor authentication and SSPR to simplify user registration experience	Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset.
Configure multifactor authentication settings for your organization	Ensure accounts are protected from being compromised with multifactor authentication.
Enable self-service password reset	This ability reduces help desk calls and loss of productivity when a user can't sign in to their device or an application.
Implement Password Writeback (if using hybrid identities)	Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment.
Enable Microsoft Entra ID Protection policies to enforce multifactor authentication registration	Manage the roll-out of Microsoft Entra multifactor authentication.
Enable user and sign-in risk-based Conditional Access policies	The recommended sign-in policy is to target medium risk sign-ins and require multifactor authentication. For User policies, you should target high risk users requiring the password change action.
Create and enable Conditional Access policies	Multifactor authentication for admins to protect accounts that are assigned administrative rights. Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols. Require multifactor authentication for Azure Management to protect your privileged resources by requiring multifactor authentication for any user accessing Azure resources.
Enable Password Hash Sync (if using hybrid identities)	Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.)
Enable AD FS smart lock out (If applicable)	Protects your users from experiencing extranet account lockout from malicious activity.
Enable Microsoft Entra smart lockout (if using managed identities)	Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in.
Disable end-user consent to applications	The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk.
Enable remote access to on-premises legacy applications with Application Proxy	Enable Microsoft Entra application proxy and integrate with legacy apps for users to securely access on-premises applications by signing in with their Microsoft Entra account.
Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks (if applicable).	Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Microsoft Entra ID with your existing application delivery controller or network.
Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable single sign-on	Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO).
Automate user provisioning and deprovisioning from SaaS Applications (if applicable)	Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security.
Enable Conditional Access – Device-based	Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Microsoft Entra hybrid joined devices.
Enable Password Protection	Protect users from using weak and easy to guess passwords.
Use least privileged roles where possible	Give your administrators only the access they need to only the areas they need access to.
Enable Microsoft's password guidance	Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure.
Create an organization specific custom banned password list	Prevent users from creating passwords that include common words or phrases from your organization or area.
Deploy passwordless authentication methods for your users	Provide your users with convenient passwordless authentication methods
Create a plan for guest user access	Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities.
Enable Privileged Identity Management (PIM)	Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval.
Complete an access review for Microsoft Entra directory roles in PIM	Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies.

Zero Trust

This feature helps organizations to align their identities with the three guiding principles of a Zero Trust architecture:

• Verify explicitly
• Use least privilege
• Assume breach

To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.

Next steps

• For detailed deployment guidance for individual features of Microsoft Entra ID, review the Microsoft Entra ID project deployment plans.
• Organizations can use identity secure score to track their progress against other Microsoft recommendations.