MS Entra Security Best Practices

12 Microsoft Entra Security Features That You Must Enable!

From being one of many cloud productivity suites to becoming the absolute norm, Microsoft 365 is now the de facto standard! 🚀 Moreover, Microsoft 365 has become the go-to option for businesses, helping them redefine what is possible and enabling seamless collaboration in the cloud.

Within it, the newly rebranded Microsoft Entra tops the list. 📈 Bringing the various identity and access management features together in one place, under one portal, Microsoft Entra has become the foremost option for companies aiming to simplify their operations. While it’s impossible to prevent every type of attack, we can certainly strengthen our defenses by securing organizational data. MS Entra ID not only addresses the evolving needs of modern businesses but also puts security concerns first. 💯

So, we have identified the 12 must-have Microsoft Entra security settings that every administrator should enable to protect their organization’s data and assets!  

Must-Have 12 Microsoft Entra Security Settings: 

I sense you’re curious whether these 12 security configurations in the Azure portal are really enough to shield our Microsoft 365 environment. Well, they absolutely are! To put it simply, once these security settings are properly set up, they provide lasting protection. In essence,

Configure Once; Benefit the Rest 

So, let’s delve into these configurations and proactively implement them to enhance your organization’s defense against various phishing and malware attacks. 

  1. Restrict user access to the Azure portal 
  2. Enable MFA number matching and geographic location 
  3. Configure system-preferred multi-factor authentication in Microsoft Entra 
  4. Turn on suspicious activity reporting in the Azure portal 
  5. Require phishing-resistant multi-factor authentication 
  6. Deploy Conditional Access policy templates 
  7. 5 must-know device-based Conditional Access policies 
  8. Use various external user types in Conditional Access policies 
  9. Use company branding in the Azure portal 
  10. Enable idle session timeout in Microsoft 365 
  11. Configure how users consent to applications in Microsoft Entra
  12. Ban custom passwords using Microsoft Entra ID password protection 

Want a quick rundown of all the settings without diving into a wall of text? Well, guess what? We’ve prepared an awesome cheat sheet featuring all those essential MS Entra security settings. Just flip through whenever you need and set things up! 🚀 

Download Cheat sheet: MS Entra Security Features.

1. Restrict User Access to Azure Portal: 

Here’s something you might not have realized – every user within your organization has the power to access the Azure portal. Now, you might think, “Well, that’s not too big of a deal,” but hold on a second. It’s actually a much bigger deal than it appears! 😯 

Though users can’t edit any settings, they can peek into other people’s information – group details, device details, Microsoft 365 user privileges, and more.

This isn’t just about convenience – it’s a security issue! An attacker who has compromised even an unprivileged user account can easily harvest that sensitive directory data. But fear not, the solution is simple: follow the steps in the blog below to tighten access.

More info: https://blog.admindroid.com/restrict-user-access-to-azure-ad-to-prevent-data-exposure/ 

2. Enable Number Matching & Geographic Location in Multi-factor Authentication:

Picking the right MFA authentication method is super crucial, or else you could be opening the door to risk. Every admin should nudge their users to move from the weaker SMS and voice-call methods to Microsoft Authenticator – but it’s not all smooth sailing with Authenticator either! 😫 Attackers have used the “MFA fatigue attack” (spamming push prompts until a tired user approves one) to sneak into accounts and gain access to corporate resources.

So, here is where MFA number matching and geographic location come in: they ensure that an approved push notification really came from the legitimate user’s own sign-in attempt. Every problem’s got a fix, right? So, if you haven’t set it up, better get on it – enable MFA number matching ASAP.

More info: https://blog.admindroid.com/how-to-safeguard-from-security-flaws-found-in-mfa-push-notification-method/ 

3. System-preferred Multi-factor Authentication in Microsoft Entra: 

With so many MFA methods available, it’s harder than ever for an organization to enforce a consistent and secure authentication policy. What if someone could do the work for you? 😌 Then let Microsoft pick the most secure MFA method for you.

Yes, with system-preferred MFA enabled (it is on by default), Microsoft prompts users to sign in with the most secure method they have registered. If your organization disabled system-preferred MFA in the past, turn it back on right away!

More info: https://blog.admindroid.com/enforce-system-preferred-mfa-to-improve-microsoft-365-security/ 

4. Enable “Report Suspicious Activity” Setting in Azure Portal: 

Are you still just denying suspicious MFA requests? Attackers probably won’t give up, so how long will you keep rejecting sign-in requests you never initiated? 😫 So, here’s an idea: instead of just saying “no” all the time, why not REPORT those suspicious MFA requests to Microsoft? ⚠️

“Suspicious activity reporting” in Microsoft Entra ID (Azure AD) is the updated version of the MFA fraud alert. It allows users to report unexpected authentication requests immediately, before they turn into full-blown cyber-attacks, and gives admins a signal to act on.

More info: https://blog.admindroid.com/enable-report-suspicious-activity-in-azure-ad/ 
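The three Authenticator settings from sections 2, 3 and 4 above can all be switched on through the Microsoft Graph authentication methods policy. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the blog post or from AdminDroid. It assumes you hold a role that can edit authentication method policies, and it uses the beta endpoint because `systemCredentialPreferences` is documented there (assumption: v1.0 may also expose it). `all_users` is the built-in target id. Number matching itself is no longer a tenant switch, since Microsoft now enforces it for every Authenticator push prompt, so the block covers the geographic-location half of section 2.

```powershell
# Added example (not from the blog post): enabling the Authenticator hardening settings from
# sections 2-4 through Microsoft Graph, using the Microsoft Graph PowerShell SDK.
# Assumptions: an admin role that can edit authentication method policies; the beta endpoint
# is used for systemCredentialPreferences.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$policyUri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"

# 1. System-preferred MFA (section 3) and "Report suspicious activity" (section 4) live on the
#    tenant-wide authentication methods policy.
$tenantSettings = @{
    systemCredentialPreferences = @{
        state          = "enabled"
        includeTargets = @(@{ targetType = "group"; id = "all_users" })
        excludeTargets = @()
    }
    reportSuspiciousActivitySettings = @{
        state              = "enabled"
        includeTarget      = @{ targetType = "group"; id = "all_users" }
        voiceReportingCode = 0   # digit a user presses during a voice call to report it
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $tenantSettings

# 2. Showing the sign-in's geographic location (and the requesting app) in the push prompt
#    (section 2) is a feature setting of the Microsoft Authenticator method configuration.
$authenticatorSettings = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        displayLocationInformationRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = "all_users" }
        }
        displayAppInformationRequiredState = @{
            state         = "enabled"
            includeTarget = @{ targetType = "group"; id = "all_users" }
        }
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "$policyUri/authenticationMethodConfigurations/microsoftAuthenticator" `
    -Body $authenticatorSettings

# 3. Read the policy back so the change is verified rather than assumed (and so the "after"
#    state can be recorded for audit).
$current = Invoke-MgGraphRequest -Method GET -Uri $policyUri
[pscustomobject]@{
    SystemPreferredMfa = $current.systemCredentialPreferences.state
    ReportSuspicious   = $current.reportSuspiciousActivitySettings.state
}
```

Run it once per tenant; the PATCH calls are idempotent, so re-running after a change review simply reasserts the desired state. Reports that users submit afterwards surface as risk events for the account, which is where the detection value of section 4 comes from.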

5. Conditional Access Authentication Strength: 

In today’s digital landscape, securing your Microsoft 365 resources is essential. Here, Conditional Access authentication strength helps you!

This cool feature lets you decide how tough the door’s lock should be based on what’s behind it 🔐, i.e., you strategically define the mix of authentication methods required to access different resources. For example, require strong, phishing-resistant MFA for critical resources to counter phishing effectively, and allow a less secure combination such as password plus SMS for less sensitive ones. Optimize your user experience without compromising on security with the guide below!

More info: https://blog.admindroid.com/use-phishing-resistant-mfa-to-implement-stronger-mfa-authentication/ 

6. Deploy Conditional Access Policy Templates: 

Configuring those Conditional Access policies can be a real headache! 😫 You have to think about every little situation, otherwise things at work could get messy. But guess what? Microsoft came to the rescue with Conditional Access policy templates. They’re ready-made sets of rules and settings, based on Microsoft’s own recommendations, that make it much easier to put new policies in place. Super handy, right? Make wise use of them right now!

More info: https://blog.admindroid.com/conditional-access-policy-templates-a-simple-amp-effective-way-to-empower-microsoft-365-security/ 

7. Set up Device-based Conditional Access in Microsoft 365: 

The whole BYOD (Bring Your Own Device) trend might seem pretty nifty; who doesn’t wish to use their own gadgets to check out work stuff? But here’s the kicker – if those BYOD devices aren’t locked down tight, you could be walking into a security minefield without even knowing it. 😯 But there’s a solution to counter these unknown risks – configure Conditional Access policies for devices. By implementing these policies, you take control of access and make sure only trusted (compliant or organization-joined) devices get through the security gates to sensitive data.

To help you establish a strong defense, here are 5 distinct device-based Conditional Access policies that every organization should set up! By following these guidelines, you can enhance your security and stay protected moving forward. Let’s delve into the details!

More info: https://blog.admindroid.com/must-know-device-based-conditional-access-policies-in-microsoft-365/ 
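As an added example for sections 5 and 7 (it is not code from the blog post or from AdminDroid), here are the two Conditional Access policies those sections describe, created with the Microsoft Graph PowerShell SDK: phishing-resistant MFA for privileged roles, and a compliant-or-hybrid-joined device requirement for Office 365. It assumes the built-in authentication strength is listed under the display name "Phishing-resistant MFA", and `BREAK_GLASS_ACCOUNT_ID` is a placeholder for the object id of your emergency-access account. Both policies are created in report-only mode on purpose.

```powershell
# Added example (not from the blog post): two Conditional Access policies via the
# Microsoft Graph PowerShell SDK. BREAK_GLASS_ACCOUNT_ID is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "RoleManagement.Read.Directory"

$breakGlassId = "BREAK_GLASS_ACCOUNT_ID"   # placeholder: emergency-access account object id

# --- Policy 1 (section 5): phishing-resistant MFA for privileged roles -----------------------
# The authentication strength and the role template ids are looked up by display name so
# nothing tenant-specific is hard-coded.
$strength = Get-MgIdentityConditionalAccessAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq "Phishing-resistant MFA"
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

$adminRoles = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -in @("Global Administrator",
                                    "Security Administrator",
                                    "Conditional Access Administrator")

$adminPolicy = @{
    displayName = "CA01 - Phishing-resistant MFA for privileged roles"
    # Report-only first: review the sign-in log impact, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = @($adminRoles.Id); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# --- Policy 2 (section 7): only compliant (Intune) or hybrid-joined devices reach Office 365 --
$devicePolicy = @{
    displayName = "CA02 - Require compliant or hybrid-joined device for Office 365"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }   # well-known app group id
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"   # either control satisfies the policy
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy
```

The break-glass exclusion is the one part not to skip: a policy that requires a FIDO2 key for Global Administrators, with no excluded emergency account, locks you out of your own tenant if the keys are lost. Keep both policies in report-only mode until the "Report-only" column of the sign-in logs shows no unexpected failures, then switch `state` to `enabled`.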

8. Use Different External User Types in Conditional Access Policies: 

Conditional Access policies within Azure AD used to apply to all external users as one undifferentiated group. But to really get the most out of them, instead of just going with the basic ‘All guest or external users’ option, admins should go a step further. 💯 Admins can pick out the specific types of external users they want to target – the ones that come in through the different collaboration channels (B2B guests, B2B members, service providers, and so on). Check out the guide below to learn how to use the feature efficiently and create strong shields to protect your organization.

More info: https://blog.admindroid.com/external-user-types-for-ca-policies-in-azure-ad/ 

9. Configure Microsoft 365 Company Branding in Azure Portal: 

Many attackers employ deceptive tactics like designing fake Microsoft 365 login pages that closely mimic the legitimate ones! It’s not always easy to spot those fakes, even when we think we’re smart about it. However, there’s a simple yet highly effective countermeasure at hand: use your organization’s branding on your Microsoft 365 login pages. This is one nice feature that allows administrators to customize the sign-in experience for their end-users.

Overall, this means adding your own personal touch to Microsoft 365, making it much easier for your users to spot those fishy phishing pages. 🔍 Customize your organization profile and give users a trusted sign-in experience! It also throws a wrench in the attackers’ plans, because a generic cloned page no longer looks like yours. Feeling curious and want to give it a try? Check out the step-by-step guide to help you through the configuration process.

More info: https://blog.admindroid.com/microsoft-365-company-branding-an-easy-way-to-avoid-phishing-attacks/ 

10. Enable Idle Session Timeout in Microsoft 365: 

With so many tasks flowing seamlessly and attention shifting swiftly, it’s easy to occasionally forget to hit that logout button! 📴 But what if forgetting to sign out of your Microsoft 365 web apps leads to unintentional data exposure, for instance on a shared or unattended machine?

Here is where Idle Session Timeout can help you out. It’s your digital memory, recognizing periods of inactivity and taking action. This feature automatically signs users out of Microsoft 365 web apps after a period of inactivity, preventing data disclosure when users forget to sign out of web applications.

More info: https://blog.admindroid.com/easy-yet-efficient-solution-to-avoid-data-leakages-idle-session-timeout/ 

11. Configure How Users Consent to Applications in Microsoft Entra:

The “illicit consent grant attack” in Microsoft 365 is a sneaky phishing technique in which malicious actors register their own (fake) applications. These apps initially ask for modest permissions, like accessing emails, but then progressively request more sensitive permissions, such as reading and writing files or full mailbox access! The prompt looks like a regular “Accept” button, but if you hit it, boom! You’ve just given that app the green light to swipe all your sensitive info, and because the access is granted through an OAuth token rather than a password, changing the password afterwards does not revoke it.

What makes matters worse is that Microsoft 365’s default setting lets users decide for themselves which apps they grant permissions to. So, it’s on the admin to tighten the reins, manage user consent to applications, and keep this from turning into a security disaster, safeguarding your organization’s data from prying eyes. Configure it right away and secure your users!

More info: https://blog.admindroid.com/manage-user-consent-to-applications-in-microsoft-365/ 
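The consent setting the section above tells admins to tighten is a tenant-wide authorization policy. The following is an added example using the Microsoft Graph PowerShell SDK (not code from the blog post or from AdminDroid); it assumes the SDK is installed and that you sign in with a role allowed to edit the authorization policy.

```powershell
# Added example (not from the blog post): restricting user consent to applications through
# the Microsoft Graph PowerShell SDK. Assumes an admin role that can edit authorization policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

function Get-UserConsentSetting {
    # Returns the permission grant policies currently assigned to the default user role.
    # "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" is the permissive default
    # the section above warns about; an empty list means users cannot consent at all.
    (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
}

"Before:"; Get-UserConsentSetting

# Restrict consent: users may only consent to apps from verified publishers that request
# low-impact permissions (the built-in "microsoft-user-default-low" grant policy). Anything
# asking for Mail.ReadWrite, Files.ReadWrite.All and the like now requires an admin.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# Stricter alternative: disable user consent entirely so every app goes through an admin.
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

"After:"; Get-UserConsentSetting
```

The "low" setting is usually the right first step: it stops the illicit consent grant pattern (an unverified app asking for mailbox or file scopes) without flooding admins with requests for every harmless app. Whichever setting you pick, review the existing grants already in the tenant too, since changing the policy does not revoke consents users gave earlier.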

12. Ban Custom Passwords Using Microsoft Entra ID Password Protection: 

We’re always told to avoid those common and super hackable passwords like Password@123 or Yourfavouritepet@4321. But people still end up using them! So, Azure AD Password Protection steps in to save the day. With it, admins can build their own list of banned passwords (company name, product names, local sports teams) on top of Microsoft’s global banned list. This way, when users try to set a weak and guessable password, the system blocks the change, contributing to a more robust security environment.

More info: https://blog.admindroid.com/ban-custom-passwords-in-office-365-with-azuread-password-protection/ 

In conclusion, safeguarding your organization’s valuable sensitive information is not just a goal but a necessity in today’s ever-evolving threat landscape! The 12 carefully chosen Microsoft Entra security settings presented here are not mere recommendations – they are the pillars of your organization’s secure future.

So, make sure to regularly review these Microsoft 365 security configurations in line with emerging threats and ensure that your organization remains ahead in the cybersecurity game! 
