← All glossary terms
Microsoft Entra ID5 min read

Microsoft Entra ID Security Checklist for Beginners

A practical, beginner-friendly checklist for hardening Microsoft Entra ID — from privileged access and Conditional Access to apps, hybrid sync, and continuous monitoring.

Microsoft Entra ID Security Checklist for Beginners

This checklist is a practical starting point for hardening Microsoft Entra ID. It is grouped by area, ordered by impact, and based on Microsoft's Secure Score, CISA / NSA cloud guidance, and major incident-response playbooks.

Don't try to do everything at once. Start with the highest-impact items and re-score quarterly.


1. Privileged Access

  • Standing Global Admins reduced to <5.
  • 2 break-glass GAs hardened (FIDO2, cloud-only, monitored).
  • All other privileged roles PIM-eligible.
  • PIM activation requires MFA + justification.
  • Approval required for GA, Privileged Role Admin, Application Admin.
  • Activation duration ≤ 4 hours.
  • Application Administrator and Privileged Authentication Administrator usage minimized.
  • No service accounts in privileged roles.
  • Quarterly access review on all privileged roles.

2. Authentication

  • MFA required for all users (via Conditional Access).
  • Phishing-resistant MFA (FIDO2 / passkeys) required for admins.
  • Number matching + context display enabled.
  • Legacy authentication blocked tenant-wide.
  • Authentication strength policies in place for high-value apps.
  • Continuous Access Evaluation (CAEP) enabled.
  • Self-service password reset (with strong methods) enabled.

3. Conditional Access

  • Block legacy auth policy active.
  • Require MFA for all users policy active.
  • Risk-based policies (User and Sign-in risk).
  • Device compliance required for sensitive apps.
  • Admin-tier policies require phishing-resistant MFA + compliant device.
  • Workload Identities CA where licensed.
  • Break-glass accounts excluded carefully.
  • Policies tested in report-only first.
  • Quarterly policy review.
  • Sign-in logs streamed to SIEM.

4. Identity Protection

  • Identity Protection enabled (P2).
  • Risky user CA policy → password change on Medium/High.
  • Risky sign-in CA policy → MFA / block.
  • SOC playbook for risky user response with SLA.
  • Risk events streamed to SIEM (Sentinel).
  • App Registration inventory with owners.
  • Enterprise Application inventory with owners.
  • User consent restricted to verified publishers + low-risk scopes.
  • Admin consent workflow enabled.
  • Quarterly OAuth app review.
  • Stale apps decommissioned.
  • Application permissions audited and minimized.
  • Multi-tenant apps governed deliberately.

6. Service Principals and Workload Identities

  • All SPs have owners.
  • Managed Identities used for Azure workloads.
  • Workload Identity Federation for CI/CD.
  • Client secrets short-lived (≤ 180 days), rotated.
  • Certificates preferred over secrets.
  • SPs with privileged roles treated as Tier 0.
  • Conditional Access for Workload Identities (where licensed).
  • Audit log monitoring on SP credential changes.

7. Governance

  • Entra ID Governance licensed for in-scope users.
  • Entitlement Management used for new access requests.
  • Quarterly Access Reviews on privileged roles + role-assignable groups.
  • Annual Access Reviews on broader access.
  • Auto-deny / auto-remove on no-action.
  • Lifecycle Workflows for joiner/mover/leaver.
  • Guest access reviewed quarterly.
  • Access Packages owned and documented.

8. Tenant and Cross-Tenant

  • All organization tenants inventoried.
  • Consistent baselines across tenants.
  • Cross-tenant access settings reviewed.
  • Multi-tenant apps locked down.
  • Sandbox/test tenants kept clear of production data.
  • B2B guest defaults restricted (cannot view directory, etc.).

9. Hybrid Identity

  • Entra Connect server treated as Tier 0.
  • MSOL_ account credentials vaulted; replication rights minimized.
  • Synced privileged accounts audited.
  • Federation (ADFS) hardened per Microsoft guidance, signing certs rotated.
  • Cloud-native admin accounts used for Entra admin work.
  • PHS / PTA / Federation choice documented; security tradeoffs known.
  • Cloud Kerberos Trust evaluated where applicable.

10. Devices

  • Devices joined to Entra (Entra join, hybrid join).
  • Intune compliance policies enforced.
  • Conditional Access requires compliant or hybrid joined device for sensitive apps.
  • Mobile devices have App Protection Policies.
  • BYOD scenarios deliberately governed.

11. Logging and Monitoring

  • Sign-in logs (interactive and non-interactive) exported to SIEM.
  • Audit logs exported to SIEM.
  • Provisioning / sync logs exported.
  • Long retention (≥ 1 year) for identity logs.
  • Detections for: new GA assignment, Conditional Access changes, federation changes, OAuth admin consent, application credential addition, MFA disabled.

12. Detection and Response

  • Microsoft Sentinel or other SIEM connected to Entra.
  • Microsoft Defender for Identity (on-premises) integrated.
  • Microsoft Defender for Cloud Apps OAuth discovery enabled.
  • Risky workload identities monitored.
  • Playbooks for tenant-takeover scenarios.
  • Incident response runbooks kept current.
  • Tabletop exercises annually.

13. Recovery

  • Tenant recovery procedures documented.
  • Break-glass tested periodically.
  • Backups of critical configurations (CA, PIM, app permissions) retained where supported.
  • Plan for federation rollback if needed.

14. Continuous Improvement

  • Microsoft Secure Score tracked over time.
  • Forestall (or equivalent) attack-path analysis continuous.
  • Choke points to GA prioritized for remediation.
  • Quarterly identity risk briefing to leadership.

How to Use This Checklist

  1. Score every item as Implemented / Partial / Not Started.
  2. Identify the worst 5–10 in high-impact sections (Privileged Access, MFA, CA, OAuth).
  3. Make them this quarter's goals.
  4. Re-score quarterly.
  5. Use trend (items implemented over time) as your KPI.

How Forestall Helps

Forestall connects to Entra ID and continuously evaluates posture against the items above. It surfaces attack paths to Global Admin, identifies choke points, ranks findings by impact, and tracks remediation over time — turning this checklist into measurable identity security improvement.


Conclusion

Microsoft Entra ID has many surfaces — roles, apps, consent, policies, hybrid, governance — and most environments have years of accumulated configuration. But a small set of high-impact controls (minimal standing GAs, phishing-resistant MFA, strong Conditional Access, restricted consent, hybrid hardening, identity-focused detection) close most of the risk for most organizations. Use this checklist as your map, fix the highest-impact items first, and watch the path-to-Global-Admin shrink quarter over quarter.

Microsoft Entra IDChecklistBeginners GuideHardening

Turn this checklist into measurable Entra ID risk reduction.

Forestall maps Entra ID misconfigurations and attack paths, then helps you close them in priority order.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

Microsoft Entra ID Security Checklist for Beginners | Forestall