Azure AD Identity Configuration Checklist
Azure AD is the foundation of every Microsoft cloud tenant. Getting it wrong can result in significant security incidents, both in the cloud and when attackers use Azure AD to pivot to on-premises attacks. This checklist is designed to help users follow Azure AD best practices and get the most out of its native security settings.
The recommended settings listed in the following charts are based on guidance from:
Center for Internet Security (CIS) M365 Foundations Benchmark v1.4.0, 02-17-2022
Secure Privileged Users
- Do not let privileged users co-mingle their accounts in Azure AD. For example, an Exchange Online admin should not be using the account with those privileges to send and receive email. Always create isolated and purpose-provisioned accounts for privileged use in the cloud.
- Avoid the use of mobile application authenticators for privileged users. Instead, rely on security key products and tools.
- Follow best practice configurations in the following chart:

| Security Policy | Reference | Configuration Notes |
|---|---|---|
| Ensure MFA for all administrative users | CIS 1.1.1 | Security > Conditional Access > Grant > Require MFA |
| Enable security keys | Vectra AZ-0001 | Security > Authentication Methods > Authentication Policy > Enable and Target Admin Users |
| Reduce the number of admins across all services | Vectra AZ-0002 | Users > Active Users > Filter > Global Admins (and other admins as services are enabled) |
| Ensure at least two Global Admins | CIS 1.1.3 | Users > Active Users > Filter > Global Admins (and other admins as services are enabled) |
| If E5 licensed, use just-in-time access via Privileged Identity Management | CIS 1.1.10 | Services > Azure AD Privileged Identity Management > Manage > Azure AD Roles > Assignment Type > Permanent > Make Eligible |
| Ensure browser sessions are not persistent for administrative users | CIS 1.1.15 | Security > Conditional Access > Sign-in frequency > Persistent browser session > Never persistent |
| Prevent non-admin users from using the Azure portal | Vectra AZ-0014 | Azure Active Directory > User Settings > Restrict access to Azure AD administration portal |
| Alert all administrators on password reset | Vectra | Azure Active Directory > Users > All Users > Password reset > Notifications > Notify all admins when other admins reset their password |
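The privileged-user items above can be checked against a directory snapshot rather than by clicking through the portal for each admin. The script below is an added example (mine, not code from this post, IANS, Vectra or CIS). It assumes input in the shape of two Microsoft Graph responses: the user objects returned for a directory role's members, and the `@odata.type` of each method returned from a user's authentication methods. The two heuristics for a co-mingled account (a privileged account that carries a mailbox) and for an account not purpose-provisioned in the cloud (an admin synced from on-premises AD) are my reading of the first bullet, and the sample tenant is constructed.

```python
"""Audit privileged users against the checklist above.

Added example, not from the original post or from IANS/Vectra/CIS. The input
mimics the shape of Microsoft Graph responses for
/directoryRoles/{id}/members (user objects) and
/users/{id}/authentication/methods (@odata.type of each registered method).
The sample tenant below is constructed, not real data.
"""

# @odata.type values Graph returns for registered authentication methods.
FIDO2_KEY = "#microsoft.graph.fido2AuthenticationMethod"
AUTHENTICATOR_APP = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

# Constructed sample: role memberships keyed by role display name.
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": [
        {"userPrincipalName": "adm-alice@example.com", "mail": None, "onPremisesSyncEnabled": None},
        {"userPrincipalName": "bob@example.com", "mail": "bob@example.com", "onPremisesSyncEnabled": True},
    ],
    "Exchange Administrator": [
        {"userPrincipalName": "bob@example.com", "mail": "bob@example.com", "onPremisesSyncEnabled": True},
        {"userPrincipalName": "adm-carol@example.com", "mail": None, "onPremisesSyncEnabled": None},
    ],
}

# Constructed sample: registered authentication methods per user.
SAMPLE_AUTH_METHODS = {
    "adm-alice@example.com": [PASSWORD, FIDO2_KEY, AUTHENTICATOR_APP],
    "bob@example.com": [PASSWORD, AUTHENTICATOR_APP],
    "adm-carol@example.com": [PASSWORD],
}


def role_sizes(role_members):
    """Members per role: the numbers the 'reduce the number of admins' item asks you to review."""
    return {role: len(members) for role, members in role_members.items()}


def audit_privileged_users(role_members, auth_methods, min_global_admins=2):
    """Return findings as strings; an empty list means every check passed."""
    findings = []

    # CIS 1.1.3: at least two Global Administrators.
    global_admins = role_members.get("Global Administrator", [])
    if len(global_admins) < min_global_admins:
        findings.append(
            f"CIS 1.1.3: only {len(global_admins)} Global Administrator(s); need at least {min_global_admins}"
        )

    # Collapse memberships to the distinct set of privileged principals.
    admins = {}
    for members in role_members.values():
        for member in members:
            admins.setdefault(member["userPrincipalName"], member)

    for upn, user in sorted(admins.items()):
        methods = set(auth_methods.get(upn, []))
        # Vectra AZ-0001: admins should hold a security key, not only an app authenticator.
        if FIDO2_KEY not in methods:
            if AUTHENTICATOR_APP in methods:
                findings.append(f"Vectra AZ-0001: {upn} relies on the authenticator app and has no security key registered")
            else:
                findings.append(f"Vectra AZ-0001: {upn} has no security key registered")
        # Co-mingling heuristic (assumption): a privileged account with a mailbox is used for daily work.
        if user.get("mail"):
            findings.append(f"Co-mingled account: {upn} has a mailbox ({user['mail']}); use a dedicated admin account")
        # Cloud-provisioning heuristic (assumption): an admin synced from on-premises AD is not purpose-provisioned in the cloud.
        if user.get("onPremisesSyncEnabled"):
            findings.append(f"Hybrid admin: {upn} is synced from on-premises AD; provision cloud-only admin accounts")

    return findings


if __name__ == "__main__":
    print(role_sizes(SAMPLE_ROLE_MEMBERS))
    for finding in audit_privileged_users(SAMPLE_ROLE_MEMBERS, SAMPLE_AUTH_METHODS):
        print(finding)
```

Run against the constructed tenant, the dedicated account with a FIDO2 key produces no findings, the account with only a password is flagged for the missing key, and the shared hybrid account is flagged three times: authenticator-only, mailbox present, and synced from on-premises.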
Secure all Users in the Tenant
- Follow best practice global setting configurations in the following chart:

| Security Policy | Reference | Configuration Notes |
|---|---|---|
| Ensure MFA for all users | CIS 1.1.2 | Security > Conditional Access > Grant > Require MFA |
| Ensure self-service password reset (SSPR) is enabled | CIS 1.1.4 | Azure Active Directory > Users > Password reset > Self-service password reset enabled |
| Require two methods of authentication for SSPR | Vectra AZ-0017 | Azure Active Directory > Users > Password reset > Password Policy > Properties > Authentication Methods. In addition, ensure security questions, authenticator app codes and office phones are DISABLED, and that authenticator notifications, personal phones and email one-time passcode (OTP) are ENABLED. |
| Ensure password protection is enabled | CIS 1.1.5 | Read the full instructions in this Microsoft blog. |
| Block legacy authentication | CIS 1.1.6 | Azure Active Directory > Security > Conditional Access > New Policy > Client apps > Access controls > Block access > All users > Exclude |
| Ensure password hash sync is enabled | | Run Azure AD Connect > View current configuration > Password synchronization enabled |
| If E5 licensed, enable Identity Protection sign-in risk policies | CIS 1.1.8 | Azure Active Directory > Security > Conditional Access > Users or workload identities > All users > All Cloud apps > Conditions > Sign-in risk > Yes > Access Control > Require multi-factor authentication |
| If E5 licensed, enable Identity Protection user risk policies | CIS 1.1.9 | Azure Active Directory > Security > Conditional Access > Users or workload identities > All users > All Cloud apps > Conditions > User risk > Yes > Access Control > Require password change |
| Ensure Security Defaults is DISABLED | | Azure Active Directory > Properties > Manage security defaults > No |
| Ensure only organizationally managed/approved groups exist | | Microsoft 365 Admin Portal > Teams and Groups > Active teams and groups > Verify that no groups have "Public" in the privacy column |
| Ensure collaboration invitations are sent to allowed domains only | CIS 1.1.13 | Azure Active Directory > Users > User settings > External users > Manage external collaboration settings > Collaboration restrictions > Allow invitations only to the specified domains > Target domains > Specify domains |
| Ensure LinkedIn contact synchronization is disabled | CIS 1.1.14 | Azure Active Directory > Users > User settings > LinkedIn account connections > No |
| Ensure persistent sign-in is disabled | | Azure Active Directory > Company branding > Manage > Create policy > Show option to remain signed in > No |
| Require MFA to register devices | Vectra | Azure Active Directory > Devices > Device settings > All > Require Multi-Factor Auth to join devices > Yes |
| Require users to register multiple factors for MFA | Vectra AZ-0003 | Azure Active Directory > Security > Identity Protection > MFA registration policy > Assignments > Users > All users > Enforce policy > On |
| Require external users to authenticate with email OTP | Vectra AZ-0013 | Azure Active Directory > External Identities > All identity providers > Email one-time passcode > Email one-time passcode for guests > Yes |
| Restrict the default guest user role | Vectra AZ-0027 | Azure Active Directory > User settings > External users > Manage external collaboration settings > Guest user access is restricted to properties and memberships of their own directory objects |
| Restrict entitlement to invite guest users | Vectra AZ-0028 | Azure Active Directory > Users > All users > External users > Manage external collaboration settings > Guests can invite > No |
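Several items in this checklist (MFA for all users, blocking legacy authentication, the sign-in and user risk policies, and the non-persistent browser session for administrators from the first chart) all live in Conditional Access, so they can be verified together from one export of the tenant's policies. The script below is an added example (mine, not code from this post, IANS, Vectra or CIS). It assumes the JSON shape returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`; the four policies are constructed, and the one Microsoft constant used, the Global Administrator role template id, only expresses "scoped to admin roles". The check that practitioners most often get wrong is included: a policy in report-only mode looks configured in the portal but enforces nothing, and a broad MFA policy with user exclusions needs each exclusion reviewed.

```python
"""Audit exported Conditional Access policies against the checklist items that
are implemented in Conditional Access (CIS 1.1.2, 1.1.6, 1.1.8, 1.1.9, 1.1.15).

Added example, not from the original post or from IANS/Vectra/CIS. The input
is the JSON shape of GET /v1.0/identity/conditionalAccess/policies;
the policies below are constructed for illustration.
"""
import json

# Template id of the Global Administrator directory role (a fixed Microsoft
# value, used here only to express "policy scoped to admin roles").
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export: four policies in the Graph response shape.
SAMPLE_POLICIES_JSON = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"], "excludeUsers": ["svc-account-id"], "includeRoles": []},
                    "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": None},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
                    "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]},
     "sessionControls": None},
    {"displayName": "User risk: require password change", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
                    "signInRiskLevels": [], "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
     "sessionControls": None},
    {"displayName": "Admins: never persist browser session", "state": "enabled",
     "conditions": {"clientAppTypes": ["browser"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": [], "excludeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE_ID]},
                    "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": None,
     "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]})


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _all_apps(policy):
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def _risk_free(policy):
    conditions = policy["conditions"]
    return not conditions.get("signInRiskLevels") and not conditions.get("userRiskLevels")


def audit_conditional_access(policies_json):
    """Return a list of findings; an empty list means every check passed."""
    policies = json.loads(policies_json)["value"]
    findings = []
    # Only state == "enabled" enforces anything; report-only and disabled policies do not.
    enforced = [p for p in policies if p.get("state") == "enabled"]
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"'{p['displayName']}' is in report-only mode and enforces nothing")

    # CIS 1.1.2: an enforced, non-risk-based policy requiring MFA for all users on all cloud apps.
    mfa_all = [p for p in enforced if _all_users(p) and _all_apps(p) and _risk_free(p) and "mfa" in _controls(p)]
    if not mfa_all:
        findings.append("CIS 1.1.2: no enforced policy requires MFA for all users on all cloud apps")
    for p in mfa_all:
        excluded = p["conditions"]["users"].get("excludeUsers") or []
        if excluded:
            findings.append(f"CIS 1.1.2: '{p['displayName']}' excludes {len(excluded)} user(s); verify each exclusion is intended")

    # CIS 1.1.6: legacy clients (Exchange ActiveSync and "other") blocked for all users.
    legacy = [p for p in enforced if _all_users(p) and "block" in _controls(p)
              and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", []))]
    if not legacy:
        findings.append("CIS 1.1.6: legacy authentication is not blocked by an enforced policy")

    # CIS 1.1.8 / 1.1.9: Identity Protection risk conditions tied to the expected control.
    if not any(p["conditions"].get("signInRiskLevels") and "mfa" in _controls(p) for p in enforced):
        findings.append("CIS 1.1.8: no enforced sign-in risk policy requires MFA")
    if not any(p["conditions"].get("userRiskLevels") and "passwordChange" in _controls(p) for p in enforced):
        findings.append("CIS 1.1.9: no enforced user risk policy requires a password change")

    # CIS 1.1.15: a role-scoped policy whose persistent browser session mode is "never".
    if not any(p["conditions"]["users"].get("includeRoles")
               and ((p.get("sessionControls") or {}).get("persistentBrowser") or {}).get("mode") == "never"
               for p in enforced):
        findings.append("CIS 1.1.15: no enforced policy sets persistent browser session to never for admin roles")
    return findings


if __name__ == "__main__":
    for finding in audit_conditional_access(SAMPLE_POLICIES_JSON):
        print(finding)
```

On the constructed export this reports four findings: the legacy-authentication block is report-only (and therefore CIS 1.1.6 is also unmet), the all-users MFA policy carries an exclusion to review, and there is no sign-in risk policy. Flipping the legacy policy to `enabled` and removing the exclusion leaves only the missing sign-in risk policy.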
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.