Azure AD Identity Configuration Checklist

February 9, 2023 | By IANS Faculty

Azure AD is the foundation of every Microsoft cloud tenant. Getting it wrong can result in significant security incidents, both in the cloud and when attackers use Azure AD to pivot to on-premises attacks. This checklist is designed to help users follow Azure AD best practices and get the most out of its native security settings. 

The recommended settings listed in the following charts are based on guidance from:

Center for Internet Security (CIS) M365 Foundations Benchmark v1.4.0 02.17-2022

Secure Privileged Users 

  • Do not let privileged users co-mingle their accounts in Azure AD. For example, an Exchange Online admin should not be using the account with those privileges to send and receive email. Always create isolated and purpose-provisioned accounts for privileged use in the cloud.
  • Avoid the use of mobile application authenticators for privileged users. Instead, rely on security keys products and tools. 
  • Follow best practice configurations in the following chart:

Security Policy

Configuration Notes
(all within Microsoft Admin Center > Azure Active Directory
or Azure Portal, unless otherwise noted)

Ensure MFA for all administrative users: CIS 1.1.1

Security > Conditional Access > Grant > Require MFA

Enable security keys: Vectra AZ-0001

Security > Authentication Methods > Authentication Policy > Enable and Target Admin Users

Reduce the number of admins across all services: Vectra AZ-0002

Users > Active Users > Filter > Global Admins (and other admins as services are enabled)

Ensure at least two Global Admins: CIS 1.1.3

Users > Active Users > Filter > Global Admins (and other admins as services are enabled)

If E5 licensed, then use just-in-time access privileged identity management: CIS 1.1.10

Services > Azure AD Privileged Identity Management > Manage > Azure AD Roles > Assignment Type > Permanent > Make Eligible

Ensure browser sessions are not persistent for administrative users: CIS 1.1.15

Security > Conditional Access > Sign-in frequency > Persistent browser session > Never persistent

Prevent nonadmin users from using the Azure Portal: Vectra AZ-0014

Azure Active Directory > User Settings > Restrict access to Azure AD administration portal

Alert all administrators on password reset: Vectra
AZ-0025

Azure Active Directory > Users > All Users > Password reset > Notifications > Notify all admins when other admins reset their password

 

DOWNLOAD: Harden M365 Identities and Exchange Online


Secure all Users in the Tenant 

  • Follow best practice global setting configurations in the following chart:

Security Policy

Configuration Notes
(all within Microsoft Admin Center > Azure Active Directory
or Azure Portal, unless otherwise noted)

Ensure MFA for all users: CIS 1.1.2

Security > Conditional Access > Grant > Require MFA

Ensure self-service password reset (SSPR) is enabled: CIS 1.1.4

Azure Active Directory > Users > Password reset > Self-service password reset enabled

Require two methods of authentication for SSPR: Vectra AZ-0017

Azure Active Directory > Users > Password reset > Password Policy > Properties > Authentication Methods

In addition, ensure security questions, authenticator app codes and office phones are DISABLED, but authenticator notifications, personal phones and email one-time passcode (OTP) are ENABLED.

Ensure password protection is enabled: CIS 1.1.5

Read the full instructions in this Microsoft blog.

Block legacy authentication: CIS 1.1.6

Azure Active Directory > Security > Conditional Access > New Policy > Client apps > Access controls > Block access > All users > Exclude

Ensure password hash sync is enabled:
CIS 1.1.7

Run Azure AD Connect > View current configuration > Password synchronization enabled

If E5 licensed, enable Identity Protection risk policies: CIS 1.1.8

Azure Active Directory > Security > Conditional Access > Users or workload identities > All users > All Cloud apps > Conditions > Sign-in risk > Yes > Access Control Require multi-factor authentication

If E5 licensed, enable Identity Protection user risk policies: CIS 1.1.9

Azure Active Directory > Security > Conditional Access > Users or workload identities > All users > All Cloud apps > Conditions > User risk > Yes > Access Control Require password change

Ensure Security Defaults is DISABLED:
CIS 1.1.11

Azure Active Directory > Properties > Manage security defaults > No

Ensure only organizationally managed/approved groups exist:
CIS 1.1.12

Microsoft 365 Admin Portal > Teams and Groups > Active teams and groups > Verify that no groups have “Public” in the privacy column

Ensure collaboration invitations are resent to allowed domains only: CIS 1.1.13

Azure Active Directory > Users > User settings > External users > Manage external collaboration settings > Collaboration restrictions > Allow invitations only to the specified domains > Target domains > Specify domains

Ensure LinkedIn contract synchronization is disabled: CIS 1.1.14

Azure Active Directory > Users > User settings > LinkedIn account connections > No

Ensure persistent sign-in is disabled:
CIS 1.1.16

Azure Active Directory > Company branding > Manage > Create policy > Show option to remain signed in > No

Require MFA to register devices: Vectra
AZ-0009

Azure Active Directory > Devices > Device settings > All > Require Multi-Factor Auth to join devices > Yes

Require users to register multiple factors for MFA: Vectra AZ-0003

Azure Active Directory > Security > Identity Protection > MFA registration policy > Assignments > Users > All users > Enforce policy – On

Require external users to authenticate with email OTP: Vectra AZ-0013

Azure Active Directory > External Identities > All identity providers > Email one-time passcode > Email one-time passcode for guests > Yes

Restrict the default guest user role: Vectra AZ-0027

Azure Active Directory > User settings > External users > Manage external collaboration settings > Guest user access is restricted to properties and memberships of their own directory objects

Restrict entitlement to invite guest users: Vectra AZ-0028

Azure Active Directory > Users > All users > External users > Manage external collaboration settings > Guests can invite > No


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.


Access time-saving tools and helpful guides from our Faculty.


IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Subscribe to IANS Blog

Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

Please provide a business email.