Plan your Microsoft Entra ID deployment
For organizations that plan to synchronize identities between their on-premises directory service and Microsoft 365, they must ensure they properly configured their Microsoft Entra ID deployment.
Important
Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.
A well-planned and executed identity infrastructure paves the way for secure access to your productivity workloads and data by known users and devices only. It can seem scary to deploy and secure Microsoft Entra ID for your organization. To assist organizations in this effort, this unit identifies common tasks that organizations find helpful. This training breaks down these tasks by phases. Organizations can complete these phases over the course of 30, 60, 90 days, or more, to enhance their security posture. Even organizations that deployed Microsoft Entra ID can use this information to ensure they're getting the most out of their investment.
The following sections identify each of the primary phases in deploying Microsoft Entra ID. They also include extra information links for the major tasks included in each phase. Organizations can implement many of these recommendations with either Microsoft Entra Free or with no license at all. Where licenses are needed, the following sections indicate the minimum license required to complete the task.
Phase 1: Build a foundation of security
In this phase, administrators enable baseline security features to create a more secure and easy to use foundation in Microsoft Entra ID. Organizations should create this security foundation before they import or create normal user accounts. This foundational phase ensures:
- An organization is in a more secure state from the start.
- An organization only has to introduce these new concepts to its end-users one time.
| Task | Detail | Required license |
|---|---|---|
| Create more than one global administrator. | Assign between two and four cloud-only permanent global administrator accounts for use in an emergency. Organizations shouldn't use these accounts daily. They should also have long and complex passwords. | Microsoft Entra Free |
| Use nonglobal administrative roles where possible. | Give your administrators only the access they need to only the areas they need access to. Not all administrators must be global administrators. | Microsoft Entra Free |
| Enable Privileged Identity Management for tracking admin role use. | Enable Privileged Identity Management to start tracking administrative role usage. | Microsoft Entra Premium P2 |
| Roll out self-service password reset. | Reduce helpdesk calls for password resets. This task enables staff to reset their own passwords using policies that administrators can control. | Microsoft Entra Premium P1 |
| Create an organization specific custom banned password list. | Prevent users from creating passwords that include common words or phrases from your organization or area. | Microsoft Entra Premium P1 |
| Enable on-premises integration with Microsoft Entra password protection. | Extend the banned password list to your on-premises directory. This design ensures passwords set on-premises are also in compliance with the global and tenant-specific banned password lists. | Microsoft Entra Premium P1 |
| Enable Microsoft's password guidance. | Stop requiring users to change their password on a set schedule and disable complexity requirements. When users implement these guidelines, they're more apt to remember their passwords and keep them somewhere that's secure. | Microsoft Entra Free |
| Disable periodic password resets for cloud-based user accounts. | Periodic password resets encourage your users to increment their existing passwords. Follow Microsoft's guidelines in its password guidance document and mirror your on-premises policy to cloud-only users. | Microsoft Entra Free |
| Customize Microsoft Entra smart lockout. | Stop cloud-based user lockouts from replicating to on-premises Active Directory users. | Microsoft Entra Premium P1 |
| Enable Extranet Smart Lockout for AD FS. | AD FS extranet lockout protects against brute force password-guessing attacks. It also lets valid AD FS users continue using their accounts. | |
| Block legacy authentication to Microsoft Entra ID with Conditional Access. | Block legacy authentication protocols like POP, SMTP, IMAP, and MAPI that can't enforce multifactor authentication (MFA). Without MFA, these protocols become a preferred entry point for adversaries. | Microsoft Entra Premium P1 |
| Deploy Microsoft Entra multifactor authentication using Conditional Access policies. | Require users to do two-step verification when accessing sensitive applications using Conditional Access policies. | Microsoft Entra Premium P1 |
| Enable Microsoft Entra ID Protection. | Enable tracking of risky sign-ins and compromised credentials for users in your organization. | Microsoft Entra Premium P2 |
| Use risk detections to trigger multifactor authentication and password changes. | Enable automation that can trigger events such as multifactor authentication, password reset, and blocking of sign-ins based on risk. | Microsoft Entra Premium P2 |
| Enable combined registration for self-service password reset and Microsoft Entra multifactor authentication. | Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset. | Microsoft Entra Premium P1 |
Phase 2: Import users, enable synchronization, and manage devices
Phase 2 adds to the foundation created in phase 1. In phase 2, an organization:
- imports users
- enables synchronization
- plans for guest access
- prepares to support more functionality
| Task | Detail | Required license |
|---|---|---|
| Install Microsoft Entra Connect Sync. | Prepare to synchronize users from your existing on-premises directory to the cloud. | Microsoft Entra Free |
| Implement Password Hash Sync. | Synchronize password hashes enable password changes to be replicated, bad password detection and remediation, and leaked credential reporting. | Microsoft Entra Free |
| Implement Password Writeback. | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. | Microsoft Entra Premium P1 |
| Implement Microsoft Entra Connect Health. | Enable monitoring of key health statistics for your Microsoft Entra Connect servers (if using Microsoft Entra Connect rather than Microsoft Entra Connect Cloud Sync for directory synchronization), AD FS servers, and domain controllers. | Microsoft Entra Premium P1 |
| Assign licenses to users by group membership in Microsoft Entra ID. | Save time and effort by creating licensing groups. This design enables organizations to enable or disable features by group instead of setting these features per user. | Microsoft Entra Premium P1 |
| Create a plan for guest user access. | Collaborate with guest users by letting them sign in to your apps and services with their own work, school, or social identities. | Microsoft Entra External Identities pricing |
| Decide on device management strategy. | Decide what your organization allows regarding devices. For example, registering versus joining, and Bring Your Own Device versus company provided devices. | |
| Deploy Windows Hello for Business in your organization. | Prepare for passwordless authentication using Windows Hello. | |
| Deploy passwordless authentication methods for your users. | Provide your users with convenient passwordless authentication methods. | Microsoft Entra Premium P1 |
Phase 3: Manage applications
Phase 3 continues to build on the previous phases. In Phase 3, organizations identify candidate applications for migration and integration with Microsoft Entra ID. They then complete the setup of those applications.
| Task | Detail | Required license |
|---|---|---|
| Identify your applications. | Identify the applications used in your organization. Apps include on-premises, SaaS applications in the cloud and other line-of-business applications. Determine if these applications can and should be managed with Microsoft Entra ID. | No license required |
| Integrate supported SaaS applications in the gallery. | Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Microsoft Entra ID portal. | Microsoft Entra Free |
| Use Application Proxy to integrate on-premises applications. | Application Proxy enables users to access on-premises applications by signing in with their Microsoft Entra account. | Microsoft Entra Premium P1 |
Phase 4: Audit privileged identities, complete an access review, and manage user lifecycle
In this final phase, administrators should complete the following tasks:
- Enforce least privilege principles for administration.
- Complete their first access reviews.
- Enable automation of common user lifecycle tasks.
| Task | Detail | Required license |
|---|---|---|
| Enforce the use of Microsoft Entra Privileged Identity Management (PIM). | Remove administrative roles from normal day-to-day user accounts. Make administrative users eligible to use their role after succeeding a multifactor authentication check, providing a business justification or requesting approval from approvers. | Microsoft Entra Premium P2 |
| Complete an access review for Microsoft Entra directory roles in PIM. | Work with your security and leadership teams to create an access review policy. This policy should review administrative access based on your organization's policies. | Microsoft Entra Premium P2 |
| Implement dynamic group membership policies. | Use dynamic groups to automatically assign users to groups based on their attributes from HR (or your source of truth). These attributes include department, title, region, and so on. | Microsoft Entra Premium P1 |
| Implement group based application provisioning. | Use group-based access management provisioning to automatically provision users for SaaS applications. | Microsoft Entra Premium P1 |
| Automate user provisioning and deprovisioning. | Remove manual steps from your employee account lifecycle to prevent unauthorized access. Synchronize identities from your source of truth (HR System) to Microsoft Entra ID. | Microsoft Entra Premium P1 |