
Microsoft 365 and Entra ID security

Microsoft 365 tenants, and the underlying authentication system Entra ID (Azure AD), have many different configuration options to allow your business to implement different levels of security. Many of these options aren't enabled by default. While this document doesn't cover every security option available, or discuss other technologies such as device management and data loss prevention (DLP), it provides guidance to our customers about recommended settings that will help improve identity protection and reduce the chance of Business Email Compromise (BEC).

The guidance is in two sections, recommended settings and optional settings. We urge all customers to implement recommended settings. We also suggest you consider and investigate the optional settings, and apply them as suitable for your environment.

Any change to your environment you're considering should be reviewed and tested in your organization after referring to the appropriate documentation from Microsoft. We recommend that you make changes in batches, using test accounts, pilot users and small departments before rolling out to the entire organization. Ensure you have an emergency access account available, as documented below, to avoid being locked out.

License guidance

Some of the configuration items below are available in all M365 tenants, regardless of the licenses being used. However, most will require at least 'Entra ID P1' licenses to be available in your tenant, with some requiring 'Entra ID P2' licenses. 'Entra ID P1' is included with M365 Business Premium and the E3/A3 bundles, while 'Entra ID P2' licenses are included in the M365 E5/A5 bundles.

If you're not using licensing that includes at least 'Entra ID P1' licensing, then we strongly recommend the use of Microsoft's 'Security Defaults'. This is a basic set of security policies that are controlled by Microsoft. See Providing a default level of security in Microsoft Entra ID - Microsoft Entra.

When integrating Microsoft alerts with the Sophos MDR service, 'Entra ID P1' is the minimum license you should use; however, we recommend 'Entra ID P2', because it makes a greater number of Microsoft-generated alerts available. See these articles for examples of these alerts:

We recommend asking your Microsoft licensing specialist for additional licensing information.

Recommended configuration items

  • Require MFA to register or join device


    This ensures that users who attempt to join new Windows devices to Entra ID must perform multifactor authentication.

    Location: Entra ID > Protect & secure > Conditional access

    • Name: Require MFA to register or join devices.
    • Users: All users; be sure to exclude any 'Emergency Access' accounts or groups.
    • Cloud apps or actions: User actions > Register or join devices.
    • Conditions: None.
    • Access controls > Grant: Require multifactor authentication.
  • Only allow sign-ins from authorized countries


    We recommend reducing the risk of account compromise by limiting the countries from which users can sign in to your environment. If you have no staff that travel abroad, then prevent all users in your organization from accessing your environment from outside your home country. If you do have users that travel, then these policies can be implemented per group. For example, you can allow access from all countries, or from a subset of countries, for a specific group of users that travel, or break users into geographical regions and limit their access by region.

    You achieve this by using Conditional Access Policies. Create a Named Location list, for example "Allowed Countries", and add the countries that you want to have access. Then create a Conditional Access Policy that blocks access for All Users to all Cloud Apps, excluding the "Allowed Countries" location and any emergency access users or groups.

    Warning

    Test this policy carefully before applying to all users.

    Location: Entra ID > Protect & secure > Conditional access

  • Block high-risk users


    The M365 User risk level is a feature that helps to determine the risk of a user account in Entra ID. It is a part of Entra ID Identity Protection, and is done by analysing various signals from the user account such as IP addresses, device state, suspicious activity and known compromised credentials.

    The user risk level is divided into three categories:

    • Low Risk: Low risk user accounts are considered to be legitimate.
    • Medium Risk: Medium risk user accounts may be legitimate, but are also more likely to be compromised or targeted by a threat actor.
    • High Risk: High risk user accounts are considered to be compromised.

    We recommend blocking user accounts that are deemed high risk, and requiring a secure password change on a user deemed medium risk.

    Location: Entra ID > Protect & secure > Conditional access


  • Block high-risk sign-ins


    The M365 Sign-In Risk level is a feature that helps determine the risk of an individual sign-in attempt to Entra ID. It is a part of Entra ID Identity Protection, and analyses multiple signals as part of the sign-in process to determine the risk level.

    The Sign-In Risk level is divided into three categories:

    • Low Risk: Low-risk sign-in attempts are considered to be legitimate.
    • Medium Risk: Medium-risk sign-in attempts may be legitimate, but are also more likely to be compromised or targeted by a threat actor.
    • High Risk: High-risk sign-in attempts are considered to be compromised.

    We recommend blocking sign-in attempts that are deemed high risk, and requiring MFA on medium risk sign-ins.

    Location: Entra ID > Protect & secure > Conditional access

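The recommended items above can be created in one pass with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original guidance: it builds the "Allowed Countries" named location and the Conditional Access policies in report-only state so you can review the sign-in impact before enforcing them. The emergency access group id and the country list are placeholders you must replace.

```powershell
# Added example (not from the original guidance): creates the recommended Conditional Access
# policies with Microsoft Graph PowerShell, in report-only mode so they can be reviewed first.
# Assumptions: the 'Emergency Access' group id and the allowed country list are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$emergencyGroupId = "<EMERGENCY-ACCESS-GROUP-OBJECT-ID>"   # placeholder: your break-glass group
$allowedCountries = @("GB", "IE")                           # constructed sample: ISO 3166-1 codes

# Named location used by the geo-blocking policy (unknown countries are not treated as allowed).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed Countries"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false
}

# Every policy targets all users, excludes the emergency access group, and starts in report-only.
function New-ReportOnlyPolicy([string]$Name, [hashtable]$Conditions, [hashtable]$Grant) {
    $Conditions.users = @{ includeUsers = @("All"); excludeGroups = @($emergencyGroupId) }
    if (-not $Conditions.applications) { $Conditions.applications = @{ includeApplications = @("All") } }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
        conditions    = $Conditions
        grantControls = $Grant
    }
}

$block                = @{ operator = "OR";  builtInControls = @("block") }
$mfa                  = @{ operator = "OR";  builtInControls = @("mfa") }
$mfaAndPasswordChange = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }

New-ReportOnlyPolicy "Require MFA to register or join devices" @{
    applications = @{ includeUserActions = @("urn:user:registerdevice") }
} $mfa

New-ReportOnlyPolicy "Block sign-ins outside allowed countries" @{
    locations = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
} $block

New-ReportOnlyPolicy "Block high-risk users"            @{ userRiskLevels   = @("high") }   $block
New-ReportOnlyPolicy "Medium-risk users: secure reset"  @{ userRiskLevels   = @("medium") } $mfaAndPasswordChange
New-ReportOnlyPolicy "Block high-risk sign-ins"         @{ signInRiskLevels = @("high") }   $block
New-ReportOnlyPolicy "Medium-risk sign-ins: require MFA" @{ signInRiskLevels = @("medium") } $mfa
```

Review the report-only results in the sign-in logs for each policy before switching its state to "enabled"; the user risk and sign-in risk policies require Entra ID P2.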

Optional configuration items

  • Emergency access accounts


    Microsoft recommends emergency access admin accounts that are excluded from Conditional Access Policies. These accounts should have the 'global admin' role and be secured with extremely long, complex passwords that are stored in a secure password vault and used only for emergencies.


  • Configure password expiration policy


    Ensure that your password expiration is in alignment with corporate policy and compliance requirements.

    Note

    Microsoft recommends that passwords are set to 'never expire' if MFA is enforced organization wide.

    Location: Microsoft 365 Admin centre > Settings > Security & Privacy

  • Manage application consent and permissions


    By default, all users can grant permissions to third-party applications and add-ins. This can be risky, as threat actors may create malicious apps and send phishing emails that prompt your users to unintentionally grant access to their mailboxes and files. We recommend limiting consent to trusted publishers, or blocking user consent entirely so that admin consent is required.

    Location: Entra ID > Applications > Enterprise applications > Consent and permissions


  • Require MFA for guests


    We recommend requiring MFA for guests that are invited to access resources within your environment, to reduce the chance of your data being accessed through a compromised third-party account. This can be deployed using a Conditional Access Policy Template.

    Location: Entra ID > Protect & secure > Conditional access
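Three of the optional items can be configured and checked from PowerShell as well. This is an added example, not part of the original guidance: it restricts user consent to Microsoft's built-in "verified publishers, low-risk permissions" grant policy, sets the password expiry to never (only appropriate once MFA is enforced organization-wide, as noted above), and audits every active Conditional Access policy for the emergency access exclusion. The group id and domain name are placeholders.

```powershell
# Added example (not from the original guidance). Assumptions: the emergency access group id
# and the domain name are placeholders for your own tenant values.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.Read.All", "Domain.ReadWrite.All"

$emergencyGroupId = "<EMERGENCY-ACCESS-GROUP-OBJECT-ID>"   # placeholder: your break-glass group
$domainName       = "<your-tenant-domain>"                 # placeholder, e.g. the primary domain

# 1. App consent: users may only consent to apps from verified publishers requesting low-risk
#    permissions; anything else goes to admin consent. Use @() instead to block user consent fully.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 2. Password expiration: 'never expire' (2147483647 days) only if MFA is enforced for everyone.
Update-MgDomain -DomainId $domainName -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 14

# 3. Emergency access: flag any enabled or report-only policy that does not exclude the group,
#    since such a policy could lock the break-glass accounts out.
$gaps = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -eq "disabled") { continue }
    if (-not ($p.Conditions.Users.ExcludeGroups -contains $emergencyGroupId)) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State }
    }
}
if ($gaps) {
    Write-Warning "Conditional Access policies missing the emergency access exclusion:"
    $gaps | Format-Table -AutoSize
} else {
    Write-Host "All active Conditional Access policies exclude the emergency access group."
}
```

Re-run step 3 whenever a policy is added or edited; a policy that excludes the individual emergency accounts rather than the group will be reported as a gap and should be reviewed by hand.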