Plan your Microsoft Entra deployment

Organizations that plan to synchronize identities between their on-premises directory service and Microsoft 365 must first ensure their Microsoft Entra deployment is properly configured. A well-planned and well-executed identity infrastructure paves the way for secure access to your productivity workloads and data by known users and devices only.

Deploying and securing Microsoft Entra ID for your organization can seem daunting. To help, this unit identifies common tasks that organizations find useful, broken down into phases. The phases can be completed over 30, 60, 90 days, or longer, each one improving the organization's security posture. Organizations that have already deployed Microsoft Entra ID can use the same checklist to make sure they're getting the most out of their investment.

The following sections describe each of the primary phases in deploying Microsoft Entra ID and list the major tasks that should be completed in each phase. Many of these recommendations can be implemented with Microsoft Entra ID Free, or with no license at all. Where a license is needed, the sections indicate the minimum license required to complete the task.

Phase 1: Build a foundation of security

In this phase, administrators enable baseline security features to create a more secure, easier-to-use foundation in Microsoft Entra ID. Build this foundation before importing or creating normal user accounts. Doing so ensures:

  • An organization is in a more secure state from the start.
  • An organization's end-users only have to be introduced to new concepts one time.

Tasks (minimum required license in parentheses):

  • Assign between two and four cloud-only, permanent Global Administrator accounts for use in an emergency. These accounts shouldn't be used day to day, and they should have long, complex passwords. (Microsoft Entra ID Free)
  • Give administrators only the access they need, to only the areas they need it. Not every administrator needs to be a Global Administrator. (Microsoft Entra ID Free)
  • Enable Privileged Identity Management to start tracking administrative role usage. (Microsoft Entra ID P2)
  • Reduce help desk calls for password resets by letting staff reset their own passwords, under policies that administrators control. (Microsoft Entra ID P1)
  • Prevent users from choosing passwords that include common words or phrases from your organization or region. (Microsoft Entra ID P1)
  • Extend the banned password list to your on-premises directory, so that passwords set on-premises also comply with the global and tenant-specific banned password lists. (Microsoft Entra ID P1)
  • Stop requiring users to change their password on a set schedule and disable complexity requirements. Users are then more likely to remember their passwords and to keep them somewhere secure. (Microsoft Entra ID Free)
  • Periodic password resets encourage users to increment their existing passwords. Follow Microsoft's password guidance document and mirror your on-premises policy for cloud-only users. (Microsoft Entra ID Free)
  • Stop lockouts of cloud-based users from being replicated to on-premises Active Directory users. (Microsoft Entra ID P1)
  • AD FS extranet lockout protects against brute-force password-guessing attacks while letting valid AD FS users continue using their accounts.
  • Block legacy authentication protocols such as POP, SMTP, IMAP, and MAPI, which can't enforce multifactor authentication (MFA). Without MFA, these protocols become a preferred entry point for adversaries. (Microsoft Entra ID P1)
  • Require MFA (two-step verification) when users access sensitive applications, using Conditional Access policies. (Microsoft Entra ID P1)
  • Enable tracking of risky sign-ins and compromised credentials for users in your organization. (Microsoft Entra ID P2)
  • Enable automation that triggers actions such as MFA, password reset, or blocking of sign-ins based on risk. (Microsoft Entra ID P2)
  • Let users register once, through a single combined experience, for both Microsoft Entra multifactor authentication and self-service password reset. (Microsoft Entra ID P1)
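The three items above that an engineer most often has to translate into tenant configuration are the emergency access accounts, the legacy-authentication block, and the MFA requirement. The following script is an added example written for this page, not code from Microsoft's unit, using the Microsoft Graph PowerShell SDK. It verifies that the emergency accounts are cloud-only Global Administrators, measures how much legacy authentication is actually in use before anything is blocked, and then creates both Conditional Access policies in report-only mode with the emergency accounts excluded. The UPNs, the contoso.onmicrosoft.com domain, the policy names and the 14-day lookback are assumptions to replace with your own.

```powershell
# Added example (not from the Microsoft Learn page). Requires the Microsoft.Graph SDK
# and Microsoft Entra ID P1 (Conditional Access, sign-in log retention).
$scopes = @(
    'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'AuditLog.Read.All', 'Directory.Read.All', 'User.Read.All'
)
Connect-MgGraph -Scopes $scopes

# Placeholder emergency ("break-glass") accounts; replace with your own.
$emergencyUpns = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')

# 1. Each emergency account must be cloud-only and a permanent Global Administrator.
#    directoryRoles/members lists only active assignments, which is what we want here:
#    a break-glass account that merely *eligible* through PIM is not usable when PIM is down.
$gaRole      = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$gaMemberIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id)

$emergencyIds = @(foreach ($upn in $emergencyUpns) {
    $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,OnPremisesSyncEnabled
    if ($u.OnPremisesSyncEnabled) { throw "$upn is synced from on-premises; emergency accounts must be cloud-only." }
    if ($gaMemberIds -notcontains $u.Id) { throw "$upn does not hold an active Global Administrator assignment." }
    $u.Id
})
if ($emergencyIds.Count -lt 2) { throw 'At least two emergency access accounts are required.' }

# 2. Measure before blocking: who is still using legacy protocols, and which ones.
#    Anything that is not a browser or a modern desktop/mobile app is legacy authentication.
$since  = (Get-Date).ToUniversalTime().AddDays(-14).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') }
$legacy | Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 3. Create the policies in report-only mode; flip state to 'enabled' after reviewing the report.
function New-ReportOnlyCAPolicy {
    param([string]$Name, [hashtable]$Conditions, [hashtable]$GrantControls)
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 'exchangeActiveSync' plus 'other' covers POP, IMAP, SMTP AUTH, MAPI and similar basic-auth clients.
New-ReportOnlyCAPolicy -Name 'Block legacy authentication' -Conditions @{
    clientAppTypes = @('exchangeActiveSync', 'other')
    applications   = @{ includeApplications = @('All') }
    users          = @{ includeUsers = @('All'); excludeUsers = $emergencyIds }
} -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# The page scopes MFA to "sensitive applications"; narrow includeApplications to those app IDs if you prefer.
New-ReportOnlyCAPolicy -Name 'Require MFA for all users' -Conditions @{
    clientAppTypes = @('all')
    applications   = @{ includeApplications = @('All') }
    users          = @{ includeUsers = @('All'); excludeUsers = $emergencyIds }
} -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }
```

The emergency accounts are excluded from both policies on purpose: a Conditional Access misconfiguration that locks out every administrator is exactly the scenario they exist for, so protect them instead with long random passwords, alerting on any sign-in, and FIDO2 keys kept offline. Leave the policies in report-only mode until the sign-in report shows that the remaining legacy-protocol users (typically multifunction printers sending SMTP, or old mail clients) have been migrated or given a narrower exception.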

Phase 2: Import users, enable synchronization, and manage devices

Phase 2 adds to the foundation that was created in phase 1. In phase 2, an organization:

  • imports users
  • enables synchronization
  • plans for guest access
  • prepares to support more functionality

Tasks (minimum required license in parentheses):

  • Prepare to synchronize users from your existing on-premises directory to the cloud. (Microsoft Entra ID Free)
  • Synchronize password hashes so that password changes are replicated to the cloud, and to enable bad-password detection and remediation and leaked-credential reporting. (Microsoft Entra ID Free)
  • Allow password changes made in the cloud to be written back to an on-premises Windows Server Active Directory environment. (Microsoft Entra ID P1)
  • Enable monitoring of key health statistics for your Microsoft Entra Connect servers (if you use Microsoft Entra Connect rather than Microsoft Entra Connect cloud sync for directory synchronization), AD FS servers, and domain controllers. (Microsoft Entra ID P1)
  • Save time and effort by creating licensing groups, so that features are enabled or disabled per group instead of per user. (Microsoft Entra ID P1)
  • Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities.
  • Decide what your organization allows for devices: for example, registering versus joining, and bring your own device versus company-provided devices.
  • Prepare for passwordless authentication using Windows Hello.
  • Provide your users with convenient passwordless authentication methods. (Microsoft Entra ID P1)
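Password hash synchronization is the item in this phase that quietly stops working without anyone noticing, and several later controls (leaked-credential detection, cloud sign-in during an on-premises outage) depend on it. Microsoft Entra Connect Health is the supported monitoring for this; the script below is an added example, not from the Microsoft Learn page, that cross-checks from the cloud side using only Microsoft Graph. It reads the tenant's last directory and password sync timestamps and lists synced users whose object has not been refreshed recently. The staleness thresholds are assumptions: the default Microsoft Entra Connect delta sync runs every 30 minutes and password hash sync every 2 minutes, so adjust them to your own schedule.

```powershell
# Added example (not from the Microsoft Learn page). Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All'

function Test-EntraSyncHealth {
    param(
        [int]$MaxSyncAgeMinutes         = 90,   # assumption: ~3 missed 30-minute delta cycles
        [int]$MaxPasswordSyncAgeMinutes = 60    # assumption: PHS normally runs every 2 minutes
    )
    $org = Get-MgOrganization -Property Id,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime,OnPremisesLastPasswordSyncDateTime
    if (-not $org.OnPremisesSyncEnabled) { throw 'Directory synchronization is not enabled for this tenant.' }

    $now = (Get-Date).ToUniversalTime()
    $syncAge = if ($org.OnPremisesLastSyncDateTime) {
        ($now - $org.OnPremisesLastSyncDateTime.ToUniversalTime()).TotalMinutes
    } else { [double]::PositiveInfinity }
    # A null password sync time means PHS is not enabled or has never completed.
    $pwAge = if ($org.OnPremisesLastPasswordSyncDateTime) {
        ($now - $org.OnPremisesLastPasswordSyncDateTime.ToUniversalTime()).TotalMinutes
    } else { [double]::PositiveInfinity }

    [pscustomobject]@{
        LastSyncMinutesAgo         = [math]::Round($syncAge)
        LastPasswordSyncMinutesAgo = [math]::Round($pwAge)
        DirectorySyncStale         = $syncAge -gt $MaxSyncAgeMinutes
        PasswordHashSyncStale      = $pwAge   -gt $MaxPasswordSyncAgeMinutes
    }
}

# Users flagged as synced whose object has not been touched by the sync engine recently:
# a stuck connector, or objects silently dropped out of the sync scope (OU filtering, attribute errors).
function Get-StaleSyncedUsers {
    param([int]$MaxAgeHours = 24)   # assumption; tighten if you rely on writeback or fast deprovisioning
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)
    Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All `
               -Property Id,UserPrincipalName,OnPremisesLastSyncDateTime |
        Where-Object { -not $_.OnPremisesLastSyncDateTime -or
                       $_.OnPremisesLastSyncDateTime.ToUniversalTime() -lt $cutoff } |
        Select-Object UserPrincipalName, OnPremisesLastSyncDateTime
}

Test-EntraSyncHealth | Format-List
Get-StaleSyncedUsers | Format-Table -AutoSize
```

Run this from a scheduled job and alert when either `*Stale` flag is true. A stale password sync with a healthy directory sync is the classic symptom of a broken PHS agent: users can still sign in with their old password in the cloud, and a password change forced on-premises after a compromise never reaches Microsoft Entra ID.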

Phase 3: Manage applications

Phase 3 continues to build on the previous phases. In Phase 3, organizations identify candidate applications for migration and integration with Microsoft Entra ID. They then complete the setup of those applications.

Tasks (minimum required license in parentheses):

  • Identify your applications. Apps include on-premises applications, SaaS applications in the cloud, and other line-of-business applications. Determine whether these applications can and should be managed with Microsoft Entra ID. (No license required)
  • Microsoft Entra ID has a gallery of thousands of pre-integrated applications. Some of the applications your organization uses are probably in the gallery, which is accessible directly from the Azure portal. (Microsoft Entra ID Free)
  • Application Proxy lets users access on-premises applications by signing in with their Microsoft Entra account. (Microsoft Entra ID P1)

Phase 4: Audit privileged identities, complete an access review, and manage user lifecycle

In this final phase, administrators should complete the following tasks:

  • Enforce least privilege principles for administration.
  • Complete their first access reviews.
  • Enable automation of common user lifecycle tasks.

Tasks (minimum required license in parentheses):

  • Remove administrative roles from normal day-to-day user accounts. Make administrators eligible for their role instead, so that activating it requires passing a multifactor authentication check, providing a business justification, or obtaining approval from designated approvers. (Microsoft Entra ID P2)
  • Work with your security and leadership teams to create an access review policy that reviews administrative access according to your organization's policies. (Microsoft Entra ID P2)
  • Use dynamic groups to automatically assign users to groups based on their attributes from HR (or your source of truth), such as department, title, and region. (Microsoft Entra ID P1)
  • Use group-based provisioning to automatically provision users into SaaS applications. (Microsoft Entra ID P1)
  • Remove manual steps from the employee account lifecycle to prevent unauthorized access: synchronize identities from your source of truth (the HR system) to Microsoft Entra ID. (Microsoft Entra ID P1)
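The first task above, converting standing Global Administrator assignments into PIM eligibility, is the one most likely to be done by hand and then drift. The script below is an added example written for this page, not code from Microsoft's unit, using the Microsoft Graph PowerShell SDK against the PIM role management API. It finds every permanent (active, no end date) Global Administrator assignment, creates a one-year eligible assignment for the same principal, and then removes the permanent one. The emergency access UPNs and the contoso.onmicrosoft.com domain are placeholders; those accounts, and whichever account runs the script, are deliberately skipped.

```powershell
# Added example (not from the Microsoft Learn page). Requires the Microsoft.Graph SDK
# and Microsoft Entra ID P2 (Privileged Identity Management).
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template / definition ID

# Keep these permanent: placeholder break-glass accounts plus the account running this script
# (removing your own active assignment mid-run would stop the script; convert that one last, by hand).
$keepUpns = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com', (Get-MgContext).Account)
$keepIds  = @($keepUpns | ForEach-Object { (Get-MgUser -UserId $_ -Property Id).Id })

function Get-PermanentGlobalAdmins {
    # Active assignments with no end date; 'Activated' entries are PIM activations and are left alone.
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -Filter "roleDefinitionId eq '$gaRoleId'" |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }
}

function Convert-ToEligibleGlobalAdmin {
    param([Parameter(Mandatory)][string]$PrincipalId)

    # 1. Eligible for one year. What activation then demands (MFA, justification, approval, max duration)
    #    comes from the role's PIM settings, managed separately via Update-MgPolicyRoleManagementPolicyRule.
    $eligible = @{
        action           = 'adminAssign'
        justification    = 'Phase 4: replace permanent Global Administrator assignment with PIM eligibility'
        roleDefinitionId = $gaRoleId
        directoryScopeId = '/'
        principalId      = $PrincipalId
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # assumption: one-year eligibility
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible | Out-Null

    # 2. Only after eligibility exists, remove the standing active assignment.
    $remove = @{
        action           = 'adminRemove'
        justification    = 'Phase 4: permanent assignment replaced by eligibility'
        roleDefinitionId = $gaRoleId
        directoryScopeId = '/'
        principalId      = $PrincipalId
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $remove | Out-Null
}

foreach ($assignment in Get-PermanentGlobalAdmins) {
    if ($keepIds -contains $assignment.PrincipalId) { continue }
    Convert-ToEligibleGlobalAdmin -PrincipalId $assignment.PrincipalId
    Write-Host "Converted principal $($assignment.PrincipalId) to eligible Global Administrator"
}

# What should remain permanent afterwards: only the break-glass accounts (and you, until you convert yourself).
Get-PermanentGlobalAdmins | Select-Object PrincipalId, StartDateTime | Format-Table -AutoSize
```

Run the final listing again after converting your own account from the portal. The same pattern applies to any other built-in role; change `$gaRoleId` to that role's template ID and the rest is unchanged. Pair it with the access review in the second task so that eligibility itself is periodically re-justified rather than becoming the new form of standing access.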
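The licensing-groups task in Phase 2 and the dynamic-groups task above are two halves of one mechanism: a group whose membership is computed from an HR-sourced attribute, with licenses attached to the group rather than to individual users. The script below is an added example written for this page, not code from Microsoft's unit, using the Microsoft Graph PowerShell SDK. The department name, group naming convention, SKU part number (ENTERPRISEPACK is Office 365 E3) and disabled service plan are assumptions to replace with your own.

```powershell
# Added example (not from the Microsoft Learn page). Requires the Microsoft.Graph SDK
# and Microsoft Entra ID P1 (dynamic groups and group-based licensing).
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All'

function New-DepartmentLicenseGroup {
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$SkuPartNumber,   # e.g. 'ENTERPRISEPACK' (Office 365 E3)
        [string[]]$DisabledPlans = @()                   # service plan names to switch off, e.g. 'YAMMER_ENTERPRISE'
    )
    $safeName = $Department -replace '[^A-Za-z0-9]', ''

    # Dynamic membership rule: department comes from HR via sync/provisioning; the accountEnabled
    # clause drops leavers from the group (and therefore from the license) as soon as they are disabled.
    $rule = "(user.department -eq `"$Department`") and (user.accountEnabled -eq true)"

    $group = New-MgGroup -DisplayName "LIC-$safeName" -MailNickname "lic-$($safeName.ToLower())" `
        -MailEnabled:$false -SecurityEnabled -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On' `
        -Description "Group-based licensing for the $Department department (dynamic membership)"

    # Resolve the SKU and any service plans to disable by name rather than hard-coding GUIDs.
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }
    $disabledIds = @($sku.ServicePlans |
        Where-Object { $_.ServicePlanName -in $DisabledPlans } |
        ForEach-Object ServicePlanId)

    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledIds }) `
        -RemoveLicenses @() | Out-Null
    $group
}

$g = New-DepartmentLicenseGroup -Department 'Finance' -SkuPartNumber 'ENTERPRISEPACK' -DisabledPlans @('YAMMER_ENTERPRISE')

# Membership is evaluated asynchronously; confirm the rule was accepted and processing is on
# before expecting members or license assignments to appear.
Get-MgGroup -GroupId $g.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Format-List DisplayName, MembershipRule, MembershipRuleProcessingState
```

Two things bite in practice. Group-based licensing fails silently per user when `usageLocation` is unset, so make sure the HR-to-Entra attribute mapping populates it. And because the rule references `user.department`, the HR system (not a help desk ticket) must be the only writer of that attribute, otherwise a manually edited department silently grants or revokes a license, which defeats the lifecycle automation the last task in this phase is asking for.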