Azure Active Directory — rebranded as Microsoft Entra ID in 2023 — is the identity backbone for hundreds of millions of Microsoft 365, Azure, and SaaS application users globally. As the primary authentication and authorization control plane for Microsoft cloud environments, Entra ID is a high-value target for adversaries: compromising a privileged Entra ID account can provide access to email, SharePoint, Teams, Azure subscriptions, and every SaaS application in the tenant. This guide covers the most impactful security controls for hardening Entra ID environments.
The Entra ID Attack Surface
Understanding what attackers target in Entra ID is prerequisite to effective hardening. The attack surface is broader than many organizations recognize:
Legacy Authentication Protocols
Legacy authentication protocols — Basic Auth for SMTP, IMAP, POP3, and older Exchange ActiveSync — do not support modern authentication challenges including MFA. An attacker with a valid username and password can authenticate using these protocols regardless of your Conditional Access MFA policy, bypassing MFA entirely. Despite Microsoft having deprecated legacy auth for Exchange Online (October 2022), many tenants still have legacy auth traffic from older email clients, on-premises applications, or misconfigured mail flows. Blocking legacy authentication is one of the highest-impact single security controls available in Entra ID.
Service Principals and OAuth App Permissions
Service principals and OAuth application registrations represent a significant, often under-monitored attack surface. A malicious OAuth application with Mail.Read and Files.ReadWrite.All delegated permissions can read all of a user's email and OneDrive files without ever needing the user's password — only their consent. OAuth consent phishing attacks trick users into granting these permissions by posing as legitimate productivity apps.
Application registrations with AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory application permissions (not delegated — running as the app itself) can grant themselves Global Administrator privileges without any user interaction. These are the highest-severity permissions in Entra ID and should be restricted to explicitly approved, heavily monitored service principals only.
Guest User Access
Entra ID's default guest user permissions are more permissive than most administrators realize. By default, guest users can enumerate other users, groups, and some directory information. In organizations that have heavily used B2B collaboration with partner organizations or contractors, the guest population can be large and long-lived — guests added years ago for a project that has since concluded. Review guest user access quarterly and implement the most restrictive guest access settings compatible with your collaboration requirements.
Conditional Access Policy Design
Conditional Access (CA) is Entra ID's policy engine for access control decisions — it evaluates signals (user identity, device state, location, application, real-time risk score) and enforces grant controls (MFA, device compliance, Terms of Use). Well-designed CA policies are the most impactful security control in Entra ID.
Core CA policies every tenant should implement:
- Require MFA for all users, all apps: The baseline policy. Exclude emergency access accounts (break-glass) only. Use Microsoft Authenticator with number matching and additional context enabled — not SMS OTP, which is vulnerable to SIM swapping.
- Require compliant or hybrid-joined device for all cloud apps: Ensures that only managed, patched devices with EDR and configuration baselines can access corporate resources. Blocks the "personal unmanaged device with stolen credentials" threat model.
- Block legacy authentication: A Conditional Access policy targeting all users, all cloud apps, with the client app condition set to "Exchange ActiveSync clients" and "Other clients" with a Block grant control. Verify you have no legitimate legacy auth traffic before enforcing (use Sign-in logs filtered by legacy auth client apps for 30 days).
- Location-based restrictions for admin roles: Require named location (trusted corporate IP range) or compliant device for all privileged role members. Alert on privileged logins from anomalous locations even when MFA is satisfied.
- High-risk user and sign-in policies: Use Entra ID Identity Protection risk detections — integrate CA policies that require password change for high-risk users and step-up MFA for high-risk sign-ins. These policies respond to real-time risk signals including leaked credential detection and unfamiliar sign-in properties.
Privileged Identity Management (PIM)
Privileged Identity Management is Microsoft's just-in-time (JIT) privileged access solution for Entra ID. Without PIM, administrative role assignments are permanent — a user assigned Global Administrator retains that access 24/7 even when not performing administrative tasks. A compromised account with a permanent admin role assignment is immediately a critical incident. With PIM, privileged roles are eligible — the administrator must request activation, which can require MFA, business justification, and approver sign-off, and the access expires after a configured duration (typically 1-8 hours).
PIM implementation priorities:
- Convert all permanent Global Administrator, Privileged Role Administrator, and Application Administrator assignments to PIM-eligible roles immediately. These three roles have the highest blast radius.
- Require MFA and justification for all PIM activations. Enable notifications to a security distribution list for all privileged role activations.
- Set activation duration to the minimum needed for tasks — 1 hour for most administrative work.
- Review PIM access reviews quarterly for all privileged roles. Remove stale eligible assignments.
- Never have more than 2-4 permanent Global Administrators — these should be break-glass accounts with hardware keys, stored credentials in a physical safe, and monitored for any sign-in activity.
Identity Secure Score and Common Misconfigurations
Microsoft's Identity Secure Score (visible in the Entra ID admin center and Microsoft Secure Score) provides a prioritized list of configuration improvements with an estimated impact score. The score is imperfect — it does not capture all relevant controls — but it provides a useful baseline and identifies low-hanging-fruit improvements.
The most common critical misconfigurations found in Entra ID assessments:
- No break-glass emergency access accounts: Conditional Access policies that apply to all users can lock out all Global Admins if MFA is unavailable. Two break-glass accounts excluded from CA policies, with hardware FIDO2 keys and monitored for any activity, are essential.
- Users permitted to register applications: Default Entra ID settings allow all users to register OAuth applications and grant admin consent to low-impact permissions. Disable both settings and restrict app registration and consent to specific approved roles.
- Unmanaged external identities (shadow tenants): Users may have created personal Microsoft accounts using their corporate email before the organization adopted Microsoft 365, creating "shadow" accounts outside corporate control. These are discoverable in Entra ID and should be investigated and remediated.
Entra ID hardening is a core component of our Microsoft 365 security assessment service. Our assessments evaluate your Conditional Access policy coverage, privileged role assignments, OAuth application permissions, and Identity Protection configuration. Review your identity security posture or contact us to discuss a Microsoft 365 security assessment.