
Things You Must Configure First in a New Microsoft Entra ID Tenant
1. Add and Verify a Custom Domain
Your tenant initially uses the default domain (tenantname.onmicrosoft.com). Production environments require a verified custom domain for proper branding, SSO configuration, and identity federation.
Where: Microsoft Entra Admin Center → Custom domain names
2. Set the Primary Domain
After verifying your custom domain, configure it as the default domain for new users and groups to ensure identity consistency.
Where: Entra → Domains
3. Configure Root Management Group (Azure)
Establish the Azure Management Group hierarchy early to enable centralized governance, policy enforcement, and RBAC standards.
Where: Azure Portal → Management Groups
4. Assign Global Admin and Break-Glass Accounts
Define top-level administrative control and create at least two emergency access (break-glass) accounts. These should:
- Be cloud-only accounts
- Be excluded from Conditional Access lockout
- Be monitored
- Have strong authentication controls
Where: Entra → Roles and administrators
5. Configure Organizational Standards via Policy
Apply Azure Policy and Entra policy at the root Management Group level to define standards such as:
- Allowed regions
- Naming conventions
- Tagging standards
- VM SKU restrictions
Where: Azure Policy
6. Enable Security Defaults or Conditional Access Baseline
Immediately enforce identity protection by enabling:
- Security Defaults (if licensing is limited)
- Conditional Access baseline policies (recommended)
Block legacy authentication and enforce MFA.
Where: Entra → Security → Conditional Access
7. Configure Microsoft Entra ID Protection (P1+)
Enable user risk and sign-in risk policies to detect compromised identities and automate remediation.
Where: Entra → Protection
8. Review and Set Authentication Methods Policy
Disable weak authentication methods where appropriate, enable passwordless authentication, and configure fallback mechanisms.
Where: Entra → Authentication Methods
9. Configure Self-Service Password Reset (SSPR)
Enable SSPR for users. In hybrid environments, configure password writeback to on-premises Active Directory.
Where: Entra → Password Reset
10. Configure Company Branding
Apply logos, login hints, and background images to improve user trust and reduce phishing risk.
Where: Entra → Company Branding
11. Define Admin Roles via PIM (P2)
Use Privileged Identity Management for:
- Just-in-time role activation
- Approval workflows
- Time-bound access
- Audit logging
Where: Entra → PIM
12. Enable Audit and Sign-In Logging
Enable and retain audit logs and sign-in logs. Export logs to Log Analytics or your SIEM for compliance and forensic visibility.
Where: Entra → Monitoring
13. Define Core Groups and Azure RBAC Model
Create security groups for role assignments instead of assigning roles directly to individuals. Implement least privilege and role-based access control standards.
Where: Entra + Azure RBAC
14. Set External Collaboration Settings
Define how guest users are invited, what they can access, and configure expiration settings.
Where: Entra → External Identities
15. Configure Naming Policies and Group Expiration
Enforce clean naming standards and enable automatic lifecycle management for Microsoft 365 groups.
Where: Entra → Groups Settings
16. Register and Secure Core Applications
Register key enterprise applications, enforce SSO, apply Conditional Access policies, and review API permissions carefully.
Where: Entra → App Registrations
17. Enable License Management Strategy
Implement group-based licensing to simplify lifecycle management and track consumption.
Where: Entra → Licenses
18. Deploy Baseline Monitoring
Enable Azure Monitor, Defender for Cloud, and Activity Logs to track configuration changes and anomalies.
Where: Azure Portal
19. Configure Admin Consent Workflow
Prevent risky third-party applications from being authorized by end users without administrative review.
Where: Entra → Enterprise Applications
20. Enable Terms of Use (If required)
Present legal and compliance agreements during user sign-in when required by regulatory or organizational standards.
Where: Entra → Identity Governance
Final Thoughts
A secure Microsoft Entra ID tenant begins with governance and identity control, not user onboarding. Establishing these configurations first ensures authentication, authorization, monitoring, and compliance controls are in place before business operations scale.
Organizations that delay baseline configurations often face security gaps, inconsistent RBAC models, and governance challenges later.
Implement the baseline first. Scale second.
0 comments