# Entra ID
Entra ID (formerly Azure Active Directory) is the identity backbone of Microsoft 365. This section covers the key configuration areas for a secure tenant.
## Checklist
- Disable Security Defaults (required before configuring Conditional Access)
- Create break-glass accounts and exclude from all CA policies
- Create Standard MFA and Admin MFA authentication strengths
- Create Approved Countries named location
- Create Overseas Travel security group
- CA001 — Enforce 2FA for All Users (Authentication Strength: Standard MFA)
- CA002 — Enforce 2FA for Admins (Authentication Strength: Admin MFA)
- CA003 — Block Legacy Authentication
- CA004 — Block Device Code Flow
- CA005 — Geoblock — Approved Countries Only
- Review Global Administrator count — keep to 2–4 accounts
- Enable Privileged Identity Management (PIM) for admin roles
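As an added example (not part of the original checklist), the following Microsoft Graph PowerShell script creates the Approved Countries named location and the CA005 geoblock policy, excluding the break-glass and Overseas Travel groups and starting in report-only mode. The two group IDs and the country list are placeholders you must replace with your tenant's own values.

```powershell
# Added example: builds the "Approved Countries" named location and CA005 via Microsoft Graph.
# The group IDs and country list below are placeholders (assumptions), not real tenant values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId     = "00000000-0000-0000-0000-000000000001"  # placeholder: break-glass group
$overseasTravelGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: Overseas Travel group
$approvedCountries     = @("AU", "NZ")                            # placeholder: ISO 3166-1 alpha-2 codes

# 1. Named location. includeUnknownCountriesAndRegions is left $false so sign-ins whose
#    country cannot be resolved fall outside the allow-list and are caught by the block.
$location = Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" `
  -ContentType "application/json" `
  -Body (@{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Approved Countries"
    countriesAndRegions               = $approvedCountries
    includeUnknownCountriesAndRegions = $false
  } | ConvertTo-Json -Depth 5)

# 2. CA005: block every sign-in from any location except Approved Countries.
#    Users are "All" with the break-glass and Overseas Travel groups excluded, matching the checklist.
$policy = @{
  displayName   = "CA005 - Geoblock - Approved Countries Only"
  state         = "enabledForReportingButNotEnforced"   # review sign-in logs, then switch to "enabled"
  conditions    = @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId, $overseasTravelGroupId) }
    applications = @{ includeApplications = @("All") }
    locations    = @{ includeLocations = @("All"); excludeLocations = @($location.id) }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
  -ContentType "application/json" `
  -Body ($policy | ConvertTo-Json -Depth 10)
```

Check the report-only results under Sign-in logs → Conditional Access before changing the state to enabled, and confirm the break-glass accounts still sign in successfully.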
## Portal Locations
| Task | Portal path |
|---|---|
| Conditional Access | Entra admin center → Protection → Conditional Access |
| Authentication Strengths | Entra admin center → Protection → Authentication methods → Authentication strengths |
| Authentication Methods | Entra admin center → Protection → Authentication methods → Policies |
| Named locations | Entra admin center → Protection → Conditional Access → Named locations |
| Identity Protection | Entra admin center → Protection → Identity Protection |
| PIM | Entra admin center → Identity Governance → Privileged Identity Management |