Azure AD is the foundation of every Microsoft cloud tenant. Getting it wrong can result in significant security incidents, both in the cloud and when attackers use Azure AD to pivot to on-premises attacks. This checklist is designed to help you follow Azure AD best practices and get the most out of its native security settings.
The recommended settings listed in the following charts are based on guidance from:
Center for Internet Security (CIS) M365 Foundations Benchmark v1.4.0 (02-17-2022)

Configuration notes apply within Microsoft Admin Center > Azure Active Directory or Azure Portal, unless otherwise noted.

Ensure MFA for all administrative users (CIS 1.1.1)
    Security > Conditional Access > Grant > Require MFA
Enable security keys (Vectra AZ-0001)
    Security > Authentication Methods > Authentication Policy > Enable and Target Admin Users
Reduce the number of admins across all services (Vectra AZ-0002)
    Users > Active Users > Filter > Global Admins (and other admins as services are enabled)
Ensure at least two Global Admins (CIS 1.1.3)
If E5 licensed, use just-in-time access through Privileged Identity Management (CIS 1.1.10)
    Services > Azure AD Privileged Identity Management > Manage > Azure AD Roles > Assignment Type > Permanent > Make Eligible
Ensure browser sessions are not persistent for administrative users (CIS 1.1.15)
    Security > Conditional Access > Sign-in frequency > Persistent browser session > Never persistent
Prevent non-admin users from using the Azure Portal (Vectra AZ-0014)
    Azure Active Directory > User settings > Restrict access to Azure AD administration portal
Alert all administrators on password reset (Vectra AZ-0025)
    Azure Active Directory > Users > All users > Password reset > Notifications > Notify all admins when other admins reset their password
Configuration notes apply within Microsoft Admin Center > Azure Active Directory or Azure Portal, unless otherwise noted.

Ensure MFA for all users (CIS 1.1.2)
Ensure self-service password reset (SSPR) is enabled (CIS 1.1.4)
    Azure Active Directory > Users > Password reset > Self-service password reset enabled
Require two methods of authentication for SSPR (Vectra AZ-0017)
    Azure Active Directory > Users > Password reset > Password Policy > Properties > Authentication Methods
    In addition, ensure security questions, authenticator app codes and office phones are DISABLED, but authenticator notifications, personal phones and email one-time passcode (OTP) are ENABLED.
Ensure password protection is enabled (CIS 1.1.5)
    Read the full instructions in this Microsoft blog.
Block legacy authentication (CIS 1.1.6)
    Azure Active Directory > Security > Conditional Access > New Policy > Client apps > Access controls > Block access > All users > Exclude
Ensure password hash sync is enabled (CIS 1.1.7)
    Run Azure AD Connect > View current configuration > Password synchronization enabled
If E5 licensed, enable Identity Protection sign-in risk policies (CIS 1.1.8)
    Azure Active Directory > Security > Conditional Access > Users or workload identities > All users > All cloud apps > Conditions > Sign-in risk > Yes > Access controls > Require multi-factor authentication
If E5 licensed, enable Identity Protection user risk policies (CIS 1.1.9)
    Azure Active Directory > Security > Conditional Access > Users or workload identities > All users > All cloud apps > Conditions > User risk > Yes > Access controls > Require password change
Ensure Security Defaults is DISABLED (CIS 1.1.11)
    Azure Active Directory > Properties > Manage security defaults > No
Ensure only organizationally managed/approved groups exist (CIS 1.1.12)
    Microsoft 365 Admin Portal > Teams and Groups > Active teams and groups > Verify that no groups have "Public" in the privacy column
Ensure collaboration invitations are sent to allowed domains only (CIS 1.1.13)
    Azure Active Directory > Users > User settings > External users > Manage external collaboration settings > Collaboration restrictions > Allow invitations only to the specified domains > Target domains > Specify
Ensure LinkedIn contact synchronization is disabled (CIS 1.1.14)
    Azure Active Directory > Users > User settings > LinkedIn account connections > No
Ensure persistent sign-in is disabled (CIS 1.1.16)
    Azure Active Directory > Company branding > Manage > Create policy > Show option to remain signed in > No
Require MFA to register devices (Vectra AZ-0009)
    Azure Active Directory > Devices > Device settings > All > Require Multi-Factor Auth to join devices > Yes
Require users to register multiple factors for MFA (Vectra AZ-0003)
    Azure Active Directory > Security > Identity Protection > MFA registration policy > Assignments > Users > All users > Enforce policy: On
Require external users to authenticate with email OTP (Vectra AZ-0013)
    Azure Active Directory > External Identities > All identity providers > Email one-time passcode > Email one-time passcode for guests > Yes
Restrict the default guest user role (Vectra AZ-0027)
    Azure Active Directory > User settings > External users > Manage external collaboration settings > Guest user access is restricted to properties and memberships of their own directory objects
Restrict entitlement to invite guest users (Vectra AZ-0028)
    Azure Active Directory > Users > All users > External users > Manage external collaboration settings > Guests can invite > No
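Several items in both charts above (admin MFA, the legacy authentication block and non-persistent admin sessions) are Conditional Access policies, and the portal path alone does not tell you whether a policy is actually enforced. As an added example, not part of the IANS checklist, the following Python audits an exported policy list in the shape Microsoft Graph returns from /identity/conditionalAccess/policies against CIS 1.1.1, 1.1.6 and 1.1.15; the two sample policies are constructed, and the role template id is the well-known Global Administrator template id.

```python
import json

# Well-known directory role template id for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # the two legacy client app types

def _enabled(policies):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return [p for p in policies if p.get("state") == "enabled"]

def _covers_admins(p):
    users = p["conditions"]["users"]
    return "All" in users.get("includeUsers", []) or GLOBAL_ADMIN_ROLE in users.get("includeRoles", [])
def _grants(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def requires_admin_mfa(policies):
    """CIS 1.1.1: an enforced policy requires MFA for Global Admins (or for everyone)."""
    return any(_covers_admins(p) and "mfa" in _grants(p) for p in _enabled(policies))

def blocks_legacy_auth(policies):
    """CIS 1.1.6: an enforced policy blocks both legacy client app types for all users."""
    return any("All" in p["conditions"]["users"].get("includeUsers", [])
               and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               and _grants(p) == {"block"} for p in _enabled(policies))

def admin_sessions_never_persist(policies):
    """CIS 1.1.15: persistent browser session is forced to 'never' for admins."""
    for p in _enabled(policies):
        pb = (p.get("sessionControls") or {}).get("persistentBrowser") or {}
        if _covers_admins(p) and pb.get("isEnabled") and pb.get("mode") == "never":
            return True
    return False

def audit(policies):
    return {"CIS 1.1.1": requires_admin_mfa(policies), "CIS 1.1.6": blocks_legacy_auth(policies),
            "CIS 1.1.15": admin_sessions_never_persist(policies)}

# Constructed sample in the Graph conditionalAccessPolicy shape; not exported from a real tenant.
SAMPLE = json.loads("""[
 {"displayName": "Admins: require MFA, never persist", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
                 "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
  "sessionControls": {"persistentBrowser": {"isEnabled": true, "mode": "never"}}},
 {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
                 "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]""")
```

In the sample the legacy authentication block is still in report-only mode, so `audit(SAMPLE)` reports CIS 1.1.6 as failing even though the policy exists; switching its state to "enabled" makes it pass.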