Microsoft Entra ID (Azure AD) Security: Hardening Your Cloud Identity Provider

Microsoft Entra ID (formerly Azure Active Directory) is the identity backbone for millions of organizations. It’s also one of the most attacked services on the internet — Microsoft blocks 600 million+ attacks on Entra ID accounts every day. Misconfigured Entra ID is the #1 cause of Microsoft 365 breaches. This guide walks through the most critical hardening steps.

Enable Security Defaults (Baseline For All)

# Security Defaults enable a baseline of security policies:
# - Require MFA for all users
# - Block legacy authentication
# - Require MFA for Azure Portal/admin access

# Enable in Azure Portal:
# Entra ID > Properties > Manage Security Defaults > Yes

# NOTE: Disable Security Defaults if you use Conditional Access
# They conflict - you only want one system controlling auth policies

Conditional Access Policies

# Key policies every organization should implement:

# Policy 1: Require MFA for all users:
# CA > New Policy
# Users: All users
# Cloud apps: All cloud apps
# Grant: Require multifactor authentication

# Policy 2: Block legacy authentication (critical!):
# Legacy auth: SMTP, POP3, IMAP, MAPI = no MFA support!
# Users: All users
# Conditions: Client apps = Exchange ActiveSync clients + Other clients
# Grant: Block access

# Policy 3: Require compliant device for sensitive apps:
# Users: All users
# Cloud apps: Salesforce, SAP, Financial systems
# Conditions: Platforms = Windows, macOS, iOS, Android
# Grant: Require compliant device (Intune MDM)

# Policy 4: Block risky sign-ins:
# Users: All users
# Conditions: User risk = High, Sign-in risk = High
# Grant: Block access OR Require password change
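Policy 2 is the one that closes the no-MFA back door, so it is worth creating in code rather than by clicking. The following is an added example, not code from the original post; it assumes the Microsoft.Graph module and uses a placeholder object ID for the emergency access account that must be excluded from the policy.

```powershell
# Added example: create "Policy 2: Block legacy authentication" with the Graph PowerShell SDK,
# starting in report-only mode so the sign-in log shows what it WOULD block before it blocks.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of your break-glass account (see Emergency Access Accounts section)
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    DisplayName   = "Block legacy authentication"
    # Report-only first; change to "enabled" once the impact review is done
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{
            IncludeUsers = @("All")
            ExcludeUsers = @($breakGlassId)       # never lock out the emergency account
        }
        Applications   = @{ IncludeApplications = @("All") }
        # Exchange ActiveSync + "Other clients" = the legacy protocols that cannot satisfy MFA
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

While the policy is in report-only mode, check the Sign-in logs for entries whose Conditional Access result is "Report-only: Failure" to find the service accounts and mailboxes still using legacy protocols.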

Privileged Identity Management (PIM)

# PIM = Just-in-Time privileged access
# Global Admins should NOT be permanently active admins!

# Configure PIM for Global Administrator:
# Entra ID > Privileged Identity Management > Azure AD roles
# Global Administrator > Settings:
# - Activation duration: 8 hours max
# - Require MFA on activation
# - Require justification (audit trail)
# - Require approval (for high-risk roles)

# Activation flow for admin:
# PIM > My Roles > Activate
# Provide reason + MFA challenge
# Role is active for configured duration
# Auto-expires, no permanent admin privilege

# PowerShell (Microsoft Graph SDK) to see eligible role assignments:
Connect-MgGraph -Scopes "RoleManagement.Read.All"
# Expand Principal and RoleDefinition so the output shows names instead of bare object IDs
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty "Principal,RoleDefinition" |
    Select-Object @{n = 'Role';      e = { $_.RoleDefinition.DisplayName } },
                  @{n = 'Principal'; e = { $_.Principal.AdditionalProperties['displayName'] } },
                  MemberType, Status |
    Format-Table -AutoSize
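The eligible list above is the good side of the picture; the check a reviewer actually wants is the list of permanent, always-on Global Administrators that PIM should have replaced. The following is an added example, not code from the original post; it assumes the Microsoft.Graph module and uses the well-known Global Administrator role template ID.

```powershell
# Added example: list permanent active Global Administrator assignments
# (the ones that should have become PIM-eligible assignments instead).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Well-known role template ID for Global Administrator
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"

# Active assignment instances only; eligible assignments live in the eligibility schedule
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$globalAdminTemplateId'" `
    -ExpandProperty "Principal"

# "Assigned" = direct assignment (not a PIM activation); no EndDateTime = never expires
$permanent = $active | Where-Object {
    $_.AssignmentType -eq "Assigned" -and -not $_.EndDateTime
}

$permanent | Select-Object `
    @{n = 'Principal'; e = { $_.Principal.AdditionalProperties['displayName'] } },
    @{n = 'UPN';       e = { $_.Principal.AdditionalProperties['userPrincipalName'] } },
    @{n = 'Type';      e = { $_.Principal.AdditionalProperties['@odata.type'] } },
    MemberType, StartDateTime | Format-Table -AutoSize

# Target state: only the emergency access accounts appear here; everyone else is eligible via PIM.
"{0} permanent active Global Administrator assignment(s)" -f @($permanent).Count
```

Run it on a schedule and diff the output against the previous run: a new row is a new permanent admin, which is exactly the event the Sentinel query further down is meant to catch.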

Identity Protection

# Entra ID Identity Protection uses ML to detect risky logins:

# Enable and configure:
# Entra ID > Security > Identity Protection

# Configure policies:
# User risk policy:
#   Risk level: High
#   Control: Block access + require password change
# Sign-in risk policy:
#   Risk level: Medium and above
#   Control: Require MFA

# Risk events Identity Protection detects:
# - Anonymous IP address (Tor, VPN)
# - Atypical travel (logged in from NY, then London 1 hour later)
# - Malware-linked IP address
# - Leaked credentials (found in breach dumps)
# - Password spray attack
# - Suspicious inbox manipulation rules

# Review risky users:
# Identity Protection > Risky users > Filter by risk level = High

Emergency Access Accounts

# Create "break glass" accounts for emergency access:
# Use case: Your MFA provider is down, no admin can sign in

# Requirements for emergency access accounts:
# - Not synced from on-premises AD (cloud-only)
# - Exclude from all Conditional Access policies
# - Store credentials in physical safe (not in password manager)
# - Use hardware key ONLY (no phone-based MFA)
# - Monitored with alerts for any sign-in

# PowerShell (Microsoft Graph SDK) - create emergency access account:
Connect-MgGraph -Scopes "User.ReadWrite.All"
$params = @{
    AccountEnabled    = $true
    DisplayName       = "Emergency Access 01"
    MailNickname      = "emergency01"                 # required by New-MgUser
    UserPrincipalName = "emergency01@yourtenant.onmicrosoft.com"
    PasswordProfile   = @{
        # GUID (36 chars) + "Aa1!" = random 40-char password that meets complexity rules
        Password                      = (New-Guid).ToString() + "Aa1!"
        ForceChangePasswordNextSignIn = $false        # a forced reset must never block a break-glass login
    }
}
$breakGlass = New-MgUser @params
$breakGlass.Id                      # keep the object ID: it is what you exclude from Conditional Access policies
$params.PasswordProfile.Password    # record this for the safe, then clear the session history

# Alert on emergency account usage (Azure Monitor > Log Analytics, or Microsoft Sentinel):
SigninLogs
| where UserPrincipalName =~ "emergency01@yourtenant.onmicrosoft.com"
| project TimeGenerated, IPAddress, ResultType, AppDisplayName, UserAgent
# Alert: Any sign-in attempt from this account, successful or failed, = P1 incident
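The requirement that is most often broken later is "exclude from all Conditional Access policies": someone adds a new policy and forgets the break-glass account. The following is an added example, not code from the original post; it assumes the Microsoft.Graph module and the account UPN used above, and only recognizes exclusion by user ID (exclusion through a group is valid too but is not resolved here).

```powershell
# Added example: verify the emergency access account is excluded from every
# Conditional Access policy that could apply to it.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All"

$upn = "emergency01@yourtenant.onmicrosoft.com"
$breakGlass = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

$gaps = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $users = $p.Conditions.Users
    # Direct exclusion by object ID (group-based exclusion is not resolved in this check)
    $excluded = $users.ExcludeUsers -contains $breakGlass.Id
    # The policy targets this account if it targets "All" users or the account itself
    $targeted = ($users.IncludeUsers -contains "All") -or ($users.IncludeUsers -contains $breakGlass.Id)
    if ($targeted -and -not $excluded) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Id = $p.Id }
    }
}

if ($gaps) {
    Write-Warning "$upn is NOT excluded from $(@($gaps).Count) policy(ies):"
    $gaps | Format-Table -AutoSize
} else {
    "$upn is excluded from every Conditional Access policy that could apply to it."
}
```

Disabled and report-only policies are reported too: the moment someone flips one to "enabled", the missing exclusion becomes live.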

Audit and Monitoring

# Critical events to monitor in Entra ID:

# Microsoft Sentinel query - detect new Global Administrator assignments
# (adding an extra admin is the usual way an attacker sidesteps admin MFA and PIM):
AuditLogs
| where OperationName in ("Add member to role", "Add eligible member to role")
| where Result =~ "success"
| where tostring(TargetResources) contains "Global Administrator"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName), ActorIP = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, Actor, ActorIP, OperationName, TargetResources

# Detect consent grant phishing (OAuth phishing): any successful consent to an app not on the approved list
let ApprovedApps = dynamic(["Microsoft Teams", "Contoso Expense App"]);   # placeholder allow list, maintain your own
AuditLogs
| where OperationName == "Consent to application"
| where Result =~ "success"
| extend App = tostring(TargetResources[0].displayName), User = tostring(InitiatedBy.user.userPrincipalName), IPAddress = tostring(InitiatedBy.user.ipAddress)
| where App !in (ApprovedApps)
| project TimeGenerated, User, IPAddress, App, TargetResources
# Alert: fires on any app consent outside of the approved list

Wrap Up

Entra ID security is not optional — it’s the front door to your entire Microsoft 365 environment. Enable Conditional Access policies to block legacy auth and require MFA, deploy PIM for privileged roles, configure Identity Protection, create emergency access accounts, and monitor the audit logs for role assignments and app consents. These five steps address the majority of Entra ID breaches.