Things You Must Configure First in a New Microsoft Entra ID Tenant

Things You Must Configure First in a New Microsoft Entra ID Tenant

1. Add and Verify a Custom Domain

Your tenant initially uses the default domain (tenantname.onmicrosoft.com). Production environments require a verified custom domain for proper branding, SSO configuration, and identity federation.

Where: Microsoft Entra Admin Center Custom domain names

2. Set the Primary Domain

After verifying your custom domain, configure it as the default domain for new users and groups to ensure identity consistency.

Where: Entra Domains

3. Configure Root Management Group (Azure)

Establish the Azure Management Group hierarchy early to enable centralized governance, policy enforcement, and RBAC standards.

Where: Azure Portal Management Groups

4. Assign Global Admin and Break-Glass Accounts

Define top-level administrative control and create at least two emergency access (break-glass) accounts. These should:

  • Be cloud-only accounts
  • Be excluded from Conditional Access lockout
  • Be monitored
  • Have strong authentication controls

Where: Entra Roles and administrators

5. Configure Organizational Standards via Policy

Apply Azure Policy and Entra policy at the root Management Group level to define standards such as:

  • Allowed regions
  • Naming conventions
  • Tagging standards
  • VM SKU restrictions

Where: Azure Policy

6. Enable Security Defaults or Conditional Access Baseline

Immediately enforce identity protection by enabling:

  • Security Defaults (if licensing is limited)
  • Conditional Access baseline policies (recommended)

Block legacy authentication and enforce MFA.

Where: Entra Security Conditional Access

7. Configure Microsoft Entra ID Protection (P1+)

Enable user risk and sign-in risk policies to detect compromised identities and automate remediation.

Where: Entra Protection

8. Review and Set Authentication Methods Policy

Disable weak authentication methods where appropriate, enable passwordless authentication, and configure fallback mechanisms.

Where: Entra Authentication Methods

9. Configure Self-Service Password Reset (SSPR)

Enable SSPR for users. In hybrid environments, configure password writeback to on-premises Active Directory.

Where: Entra Password Reset

10. Configure Company Branding

Apply logos, login hints, and background images to improve user trust and reduce phishing risk.

Where: Entra Company Branding

11. Define Admin Roles via PIM (P2)

Use Privileged Identity Management for:

  • Just-in-time role activation
  • Approval workflows
  • Time-bound access
  • Audit logging

Where: Entra PIM

12. Enable Audit and Sign-In Logging

Enable and retain audit logs and sign-in logs. Export logs to Log Analytics or your SIEM for compliance and forensic visibility.

Where: Entra Monitoring

13. Define Core Groups and Azure RBAC Model

Create security groups for role assignments instead of assigning roles directly to individuals. Implement least privilege and role-based access control standards.

Where: Entra + Azure RBAC

14. Set External Collaboration Settings

Define how guest users are invited, what they can access, and configure expiration settings.

Where: Entra External Identities

15. Configure Naming Policies and Group Expiration

Enforce clean naming standards and enable automatic lifecycle management for Microsoft 365 groups.

Where: Entra Groups Settings

16. Register and Secure Core Applications

Register key enterprise applications, enforce SSO, apply Conditional Access policies, and review API permissions carefully.

Where: Entra App Registrations

17. Enable License Management Strategy

Implement group-based licensing to simplify lifecycle management and track consumption.

Where: Entra Licenses

18. Deploy Baseline Monitoring

Enable Azure Monitor, Defender for Cloud, and Activity Logs to track configuration changes and anomalies.

Where: Azure Portal

19. Configure Admin Consent Workflow

Prevent risky third-party applications from being authorized by end users without administrative review.

Where: Entra Enterprise Applications

20. Enable Terms of Use (If required)

Present legal and compliance agreements during user sign-in when required by regulatory or organizational standards.

Where: Entra Identity Governance

Final Thoughts

A secure Microsoft Entra ID tenant begins with governance and identity control, not user onboarding. Establishing these configurations first ensures authentication, authorization, monitoring, and compliance controls are in place before business operations scale.

Organizations that delay baseline configurations often face security gaps, inconsistent RBAC models, and governance challenges later.

Implement the baseline first. Scale second.

 

0 comments

Leave a comment

Please note, comments need to be approved before they are published.