Microsoft Entra ID Security Checklist


1. Identity Protection and Authentication

  1. Enforce Multi-Factor Authentication for all Users
  2. Enforce MFA for All Privileged Roles without exception
  3. Block Legacy Authentication Protocols that cannot perform MFA, such as Exchange ActiveSync, IMAP, POP3 and SMTP AUTH (Basic Authentication)
  4. Enable Passwordless Authentication where possible
  5. Configure Strong Password Policies and a Custom Banned Password List with Microsoft Entra Password Protection
  6. Enable Self-Service Password Reset with Secure Verification Methods
  7. Monitor Risky Sign-Ins and User Risk Levels
  8. Configure Identity Protection Risk Policies to Automatically Remediate High-Risk Users (require a secure password change) and Risky Sign-Ins (require MFA)

2. Conditional Access Policies

  1. Create a Baseline Conditional Access Policy for all Users
  2. Require MFA for all Cloud Applications
  3. Enforce Device Compliance for Access to Sensitive Applications
  4. Block Access from unknown or High-Risk Locations
  5. Require Compliant or Microsoft Entra Hybrid Joined Devices for Admin Access
  6. Apply Session Controls such as Sign-In Frequency and Persistent Browser Settings
  7. Test Policies using Report-Only Mode before Enforcement
  8. Exclude Break-Glass Emergency Accounts from every Policy, but secure them separately (long random passwords or FIDO2 keys, strict monitoring) so that a misconfigured Policy cannot lock out all Administrators
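The two policies that sections 1 and 2 describe (a baseline MFA requirement with session controls, and a block on legacy authentication), deployed in report-only mode with the break-glass accounts excluded, as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original checklist; the group name `CA-Exclude-BreakGlass`, the policy names and the 12-hour sign-in frequency are assumptions for the example.

```powershell
# Added example (not from the original checklist). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups) and an account holding
# Policy.ReadWrite.ConditionalAccess. The group name 'CA-Exclude-BreakGlass', the policy
# names and the sign-in frequency value are assumptions for this example.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Break-glass accounts sit in one dedicated group that every policy excludes (checklist 2.8).
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass exclusion group before deploying policies." }

$users = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
$apps  = @{ includeApplications = @('All') }

# Policy 1: baseline MFA for everyone on every cloud app, plus session controls (2.1, 2.2, 2.6).
$requireMfa = @{
    displayName     = 'CA001 - Require MFA for all users'
    state           = 'enabledForReportingButNotEnforced'   # report-only first (checklist 2.7)
    conditions      = @{ users = $users; applications = $apps; clientAppTypes = @('all') }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 12 }   # tune per organisation
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }             # no "stay signed in"
    }
}

# Policy 2: block legacy authentication (1.3). Legacy clients cannot perform MFA, so the only
# safe grant control is 'block'; they are matched by client app type.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{ users = $users; applications = $apps; clientAppTypes = @('exchangeActiveSync', 'other') }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Idempotent: never create a second copy of a policy that already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in @($requireMfa, $blockLegacy)) {
    $match = $existing | Where-Object DisplayName -eq $policy.displayName
    if ($match) {
        Write-Host "Skipping '$($policy.displayName)': already exists in state '$($match.State)'"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'"
}
```

Leave both policies in report-only for a week or two, review the report-only results in the sign-in logs for users and clients that would have been blocked, remediate those, and only then switch a policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. Test the break-glass accounts against the enforced policies immediately afterwards.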

3. Privileged Access Management

  1. Implement Privileged Identity Management for all Admin Roles
  2. Enforce Just-In-Time Access for Privileged Roles
  3. Require Approval for Role Activation
  4. Enforce MFA during Role Elevation
  5. Set Time-Bound Access for all Privileged Roles
  6. Regularly Review Role Assignments and Remove Unnecessary Access
  7. Eliminate Standing Global Administrators where possible
  8. Maintain at least two Emergency Access Accounts
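Items 3.1, 3.2 and 3.7 together amount to one procedure: find every principal that holds Global Administrator as a standing (non-PIM) assignment, make it PIM-eligible instead, and remove the standing assignment once activation is confirmed to work. The following is an added example of that procedure with the Graph PowerShell SDK, not code from the checklist; the emergency account names and the 180-day eligibility duration are assumptions.

```powershell
# Added example (not from the original checklist). Assumes Microsoft.Graph.Identity.Governance
# and Microsoft.Graph.Users, an account holding RoleManagement.ReadWrite.Directory, and a
# PIM licence. The emergency account names and the 180-day eligibility are assumptions.
# Run without -RemoveStanding first; remove standing assignments only after at least one
# admin has activated the role through PIM successfully.
param([switch]$RemoveStanding)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator template id
$emergencyAccounts = @('breakglass1@contoso.example', 'breakglass2@contoso.example')   # assumed (3.8)

# Schedule instances show *why* a principal holds the role: 'Assigned' = standing, 'Activated' = PIM.
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$globalAdminRoleId'" -All

# Standing = assigned directly and with no end date.
$standing = $instances | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

foreach ($inst in $standing) {
    $user  = Get-MgUser -UserId $inst.PrincipalId -ErrorAction SilentlyContinue   # null for groups / service principals
    $label = if ($user) { $user.UserPrincipalName } else { "principal $($inst.PrincipalId)" }

    if ($user -and $user.UserPrincipalName -in $emergencyAccounts) {
        Write-Host "Keeping standing Global Administrator for emergency account $label"
        continue
    }

    # Make the principal eligible instead (3.1, 3.2). Activation then goes through PIM, where the
    # role settings enforce MFA, approval and a maximum activation duration (3.3 - 3.5).
    $eligibility = @{
        action           = 'adminAssign'
        justification    = 'Convert standing Global Administrator to PIM-eligible'
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = '/'
        principalId      = $inst.PrincipalId
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = 'P180D' }   # eligibility itself expires, forcing a review (3.6)
        }
    }
    $null = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility
    Write-Host "Eligibility created for $label"

    if ($RemoveStanding) {
        $removal = @{
            action           = 'adminRemove'
            justification    = 'Standing assignment replaced by PIM eligibility'
            roleDefinitionId = $globalAdminRoleId
            directoryScopeId = '/'
            principalId      = $inst.PrincipalId
        }
        $null = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $removal
        Write-Host "Standing assignment removed for $label"
    }
}
```

The same pattern applies to any other privileged role by changing `$globalAdminRoleId`; the emergency accounts are the only principals that should survive the sweep with a standing assignment.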

4. Application and Consent Security

  1. Disable User Consent for Applications from Unverified Publishers (or disable User Consent entirely and route requests through the Admin Consent Workflow)
  2. Require Admin Consent for High-Permission Applications
  3. Review Enterprise Applications Regularly
  4. Remove Unused or Risky Applications
  5. Monitor OAuth Permissions and Delegated Access
  6. Restrict Multi-Tenant Application Access where not required
  7. Enable Publisher Verification Enforcement
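An added example covering items 4.1 and 4.3 to 4.7: set the user consent policy so that users can only self-consent to low-impact delegated permissions from verified publishers, then inventory the tenant-wide delegated grants that include permissions an abused application could use against the whole directory. This is not code from the checklist; the list of "high impact" scopes is this example's own judgement rather than an Entra setting, and the output file name is an assumption.

```powershell
# Added example (not from the original checklist). Assumes Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Applications, with Policy.ReadWrite.Authorization and Application.Read.All.
# The $highImpact list is this example's own judgement, not an Entra setting.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Application.Read.All', 'Directory.Read.All'

# 4.1 / 4.7: users may self-consent only to low-impact delegated permissions from verified publishers.
# An empty array disables user consent entirely and routes every request to admins (4.2).
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    }
}

# 4.3 - 4.5: tenant-wide ("consented for all users") delegated grants that include permissions a
# phished or malicious app could abuse. Application (app-role) permissions are a separate object
# type and are not covered by this query.
$highImpact = @(
    'Directory.ReadWrite.All', 'Directory.AccessAsUser.All', 'RoleManagement.ReadWrite.Directory',
    'Mail.ReadWrite', 'Mail.Read', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'User.ReadWrite.All', 'Group.ReadWrite.All'
)
$tenantId = (Get-MgContext).TenantId

$findings = foreach ($grant in (Get-MgOauth2PermissionGrant -All)) {
    if ($grant.ConsentType -ne 'AllPrincipals') { continue }        # per-user grants have a smaller blast radius
    $risky = ($grant.Scope -split ' ') | Where-Object { $_ -in $highImpact }
    if (-not $risky) { continue }

    $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    [pscustomobject]@{
        App            = $client.DisplayName
        AppId          = $client.AppId
        ForeignOwner   = $client.AppOwnerOrganizationId -ne $tenantId   # multi-tenant app from another tenant (4.6)
        Publisher      = $client.VerifiedPublisher.DisplayName           # empty = unverified publisher
        SignInAudience = $client.SignInAudience
        RiskyScopes    = ($risky -join ' ')
    }
}

$findings | Sort-Object Publisher | Format-Table -AutoSize
$findings | Export-Csv -Path .\tenant-wide-grants.csv -NoTypeInformation
```

Rows with an empty `Publisher` and `ForeignOwner` set to `True` are the ones to review first; a grant that is no longer needed is removed with `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <id>`, and an application nobody can vouch for should lose its service principal altogether (4.4).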

5. External Collaboration and Guest Access

  1. Restrict Guest User Permissions
  2. Limit Guest Access to only Required Resources
  3. Enable Terms of Use for External Users
  4. Apply Conditional Access Policies to Guest Accounts
  5. Regularly Review and Remove Inactive Guest Users
  6. Restrict External Sharing settings in Integrated Services
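Items 5.1 and 5.5 as an added Graph PowerShell example, not code from the checklist: switch guests to the built-in "Restricted guest" role, then list guests that have never redeemed their invitation or have not signed in successfully for 90 days. The 90-day threshold and the output file name are assumptions.

```powershell
# Added example (not from the original checklist). Assumes Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Users with Policy.ReadWrite.Authorization, User.Read.All and AuditLog.Read.All
# (the last is required to read signInActivity). The 90-day threshold is an assumption.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'User.Read.All', 'AuditLog.Read.All'

# 5.1: the built-in "Restricted guest" role. Guests then see only their own profile and the groups
# they belong to, instead of being able to enumerate users and groups in the directory.
$restrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'
Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $restrictedGuestRoleId

# 5.5: guests with no successful sign-in in the last 90 days.
$cutoff     = (Get-Date).AddDays(-90)
$properties = @('id', 'displayName', 'mail', 'userPrincipalName', 'createdDateTime', 'externalUserState', 'signInActivity')
$guests     = Get-MgUser -Filter "userType eq 'Guest'" -Property $properties -All

$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSuccessfulSignInDateTime
    if (-not $last) { $last = $g.SignInActivity.LastSignInDateTime }   # fallback where the newer field is empty

    if (-not $last -and $g.CreatedDateTime -gt $cutoff) { continue }  # recently invited, not yet redeemed
    if ($last -and $last -gt $cutoff) { continue }                     # active guest

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Invited     = $g.CreatedDateTime
        State       = $g.ExternalUserState    # 'PendingAcceptance' = invitation never redeemed
        LastSignIn  = $last
        Id          = $g.Id
    }
}

$stale | Sort-Object LastSignIn | Format-Table -AutoSize
$stale | Export-Csv -Path .\stale-guests.csv -NoTypeInformation

# Removal stays a deliberate step: confirm with the resource owners, then per account
#   Remove-MgUser -UserId <id>
# The account is soft-deleted and can be restored for 30 days.
```

Guests with `State` equal to `PendingAcceptance` and an `Invited` date well past the cutoff are the safest to remove; an unredeemed invitation is an open door that nobody is using.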

6. Device Security Integration

  1. Integrate with Microsoft Intune for Device Compliance
  2. Require Compliant Devices for access to Sensitive Resources
  3. Block Access from Unmanaged Devices where Required
  4. Enable Device-Based Conditional Access Policies
  5. Monitor Device Health and Compliance Status

7. Logging, Monitoring, and Auditing

  1. Export Sign-In Logs and Audit Logs via Diagnostic Settings to a Log Analytics Workspace or Storage Account (the portal itself retains them for at most 30 days)
  2. Integrate with SIEM such as Microsoft Sentinel
  3. Monitor Failed Login Attempts and Anomalies
  4. Set up Alerts for Suspicious Activities
  5. Retain Logs Based on Compliance Requirements
  6. Review Audit Logs Regularly

8. Identity Governance and Lifecycle

  1. Implement Access Reviews for Users and Groups
  2. Automate User Provisioning and Deprovisioning
  3. Enforce Least Privilege Across all Identities
  4. Use Entitlement Management for Resource Access
  5. Regularly Review Inactive Accounts
  6. Remove Orphaned Accounts Immediately

9. Data Protection and Session Control

  1. Configure Session Timeout Policies
  2. Prevent Persistent Sessions on Shared Devices
  3. Enable Conditional Access Session Controls
  4. Integrate with Microsoft Defender for Cloud Apps
  5. Enforce Download Restrictions for Sensitive Data

10. Break-Glass and Resilience Planning

  1. Maintain Emergency Access Accounts with Strong Credentials
  2. Exclude Emergency Accounts from Conditional Access Policies
  3. Monitor usage of Emergency Accounts
  4. Store Credentials Securely Offline
  5. Test Emergency Access Procedures Regularly
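Sections 7 and 10 both come down to questions you can put to the sign-in log: has an emergency account been used (10.3), which users and protocols are still on legacy authentication (1.3, 7.3), and which accounts are attracting large numbers of failures (7.3, 7.4). The following is an added Graph PowerShell example of those three queries, not code from the checklist; the emergency account names, the 7-day window and the failure threshold are assumptions.

```powershell
# Added example (not from the original checklist). Assumes Microsoft.Graph.Reports with
# AuditLog.Read.All and Directory.Read.All. Emergency account names, the lookback window and
# the failure threshold are assumptions. Pulling every sign-in for the window can be large in
# big tenants; shorten $lookbackDays or run the same logic in the SIEM (7.2) instead.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$lookbackDays      = 7
$since             = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$emergencyAccounts = @('breakglass1@contoso.example', 'breakglass2@contoso.example')   # assumed
$failureThreshold  = 20

# 10.3: any sign-in attempt by an emergency account, successful or not, is an incident until explained.
foreach ($upn in $emergencyAccounts) {
    $hits = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All
    foreach ($s in $hits) {
        $outcome = if ($s.Status.ErrorCode -eq 0) { 'SUCCESS' } else { "failure $($s.Status.ErrorCode)" }
        Write-Warning "Emergency account $upn used at $($s.CreatedDateTime) from $($s.IpAddress) ($($s.Location.CountryOrRegion)): $outcome"
    }
}

$recent = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1.3 / 7.3: anything that is not a modern client is legacy authentication. This is the inventory
# to clear before a legacy-auth block policy leaves report-only mode.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$recent |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User / Protocol'; e = { $_.Name } } |
    Format-Table -AutoSize

# 7.3 / 7.4: accounts with many failures, and how many distinct source IPs produced them
# (many IPs against one account, or the same error across many accounts, points at spraying).
$recent |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object UserPrincipalName |
    Where-Object Count -ge $failureThreshold |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Name
            Failures   = $_.Count
            DistinctIp = ($_.Group.IpAddress | Sort-Object -Unique).Count
            TopError   = ($_.Group | Group-Object { $_.Status.ErrorCode } | Sort-Object Count -Descending | Select-Object -First 1).Name
        }
    } | Format-Table -AutoSize
```

By default this endpoint returns interactive sign-ins; password spraying often shows up only in the non-interactive and service principal sign-in events, so the same failure grouping should also be run over those once the logs are flowing into the SIEM. Error code 50126 (invalid username or password) dominating the `TopError` column for many accounts at once is the classic spray signature.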

11. Continuous Security Operations

  1. Perform Regular Security Posture Reviews
  2. Use Microsoft Secure Score (Identity Secure Score) to Identify Improvement Areas
  3. Continuously Validate Conditional Access Effectiveness
  4. Conduct Periodic Penetration Testing and Audits
  5. Keep policies aligned with Evolving Threats
  6. Document and Update Security Configurations Regularly

Always use Best Practices. Never assume Trust. Always verify Identity and Access. Security is not static and must be continuously monitored, validated, and improved.
