Microsoft Entra ID Security Hardening: A Complete Guide
Microsoft Entra ID (formerly Azure Active Directory) is the identity backbone for Microsoft 365, Azure, and thousands of third-party SaaS applications. Its ubiquity makes it the most targeted identity provider in enterprise environments. Attackers pursue Entra ID through phishing, OAuth app abuse, legacy authentication bypass, service principal compromise, and consent grant attacks. This guide covers the controls that matter most, in priority order.
Conditional Access: The Most Important Control
Conditional Access is Entra ID's policy engine for access decisions. Every sign-in is evaluated against your policies before access is granted. A well-configured Conditional Access posture is the single highest-impact hardening investment in Entra ID. Start with these four baseline policies that Microsoft recommends for all tenants:
Require MFA for all users
Block any authentication that does not present a completed MFA challenge. Deploy the policy in enforced mode, not report-only mode. Exclude break-glass accounts from this policy (those accounts need hardware key protection instead).
Require compliant or hybrid-joined device
Require that the device accessing Microsoft 365 resources be either Intune-compliant or Entra hybrid-joined. This blocks access from unmanaged personal devices and attacker infrastructure.
Block legacy authentication
IMAP, POP3, SMTP AUTH, and older Office clients that rely on Basic Authentication cannot complete an MFA challenge. Blocking legacy authentication is mandatory: attackers run password sprays against legacy protocols specifically to bypass MFA.
Require phishing-resistant MFA for admins
All accounts holding admin roles should require FIDO2 or certificate-based authentication. MFA fatigue (push-bombing) attacks specifically target admin accounts.
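To verify that all four baselines are actually enforced, the following added example (not from the original article or from Microsoft) gap-checks an exported list of Conditional Access policies in the shape returned by the Graph /identity/conditionalAccess/policies endpoint; the sample policies, the placeholder ids and the approved baseline names are constructed assumptions.

```python
# Gap-check exported Conditional Access policies (Graph /identity/conditionalAccess/policies
# JSON shape) against the four baseline policies above. Constructed sample data at the bottom.
ENFORCED = "enabled"  # "enabledForReportingButNotEnforced" only logs; it never blocks

def _all_users(p):
    return "All" in p["conditions"]["users"].get("includeUsers", [])

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def is_mfa_all_users(p):
    return _all_users(p) and "mfa" in _controls(p)

def is_managed_device(p):
    return _all_users(p) and bool({"compliantDevice", "domainJoinedDevice"} & _controls(p))

def is_block_legacy(p):  # legacy clients map to the exchangeActiveSync + other client app types
    return "block" in _controls(p) and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", []))

def is_admin_phishing_resistant(p):
    # Admin roles are targeted via includeRoles; phishing-resistant MFA is expressed as an
    # authentication strength, not the plain "mfa" built-in control.
    grant = p.get("grantControls") or {}
    return bool(p["conditions"]["users"].get("includeRoles")) and grant.get("authenticationStrength") is not None

BASELINES = {
    "Require MFA for all users": is_mfa_all_users,
    "Require compliant or hybrid-joined device": is_managed_device,
    "Block legacy authentication": is_block_legacy,
    "Require phishing-resistant MFA for admins": is_admin_phishing_resistant,
}

def find_gaps(policies):
    """Baseline names with no enforced matching policy; a report-only policy counts as a gap."""
    return [name for name, check in BASELINES.items()
            if not any(p.get("state") == ENFORCED and check(p) for p in policies)]

# Constructed export: MFA enforced, legacy block stuck in report-only, admin strength enforced,
# device policy missing. Role id is the Global Administrator template; other ids are placeholders.
SAMPLE_POLICIES = [
    {"displayName": "CA001-MFA-AllUsers", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002-Block-Legacy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003-Admins-PhishingResistant", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "authenticationStrength": {"id": "<phishing-resistant-strength-id>"}}},
]
```

Running find_gaps(SAMPLE_POLICIES) reports the missing device policy and the legacy block that was left in report-only mode, which is exactly the "set to block, not audit" mistake.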
Privileged Identity Management (PIM)
Global Administrator, Privileged Role Administrator, and Application Administrator are the highest-value targets in your tenant. PIM converts permanent role assignments into just-in-time (JIT) activations that expire after a defined window (typically 1 to 8 hours). An attacker who compromises a user account that has a permanent Global Admin assignment gains immediate, persistent admin access. An account that uses PIM requires the attacker to also trigger and approve an elevation request, which generates an audit event and requires MFA at activation time. Configure PIM for all privileged roles, require justification at activation, require MFA at activation regardless of session MFA state, and configure approval workflows for Global Admin activations. Monitor PIM activations in your SIEM: unexpected activations outside of business hours are a high-fidelity alert.
Break-Glass Accounts
Break-glass accounts are emergency admin accounts used when your primary admin infrastructure fails (MFA system outage, PIM unavailability, conditional access policy misconfiguration that locks everyone out). Entra ID requires at least two break-glass accounts. Configuration requirements: exclude break-glass accounts from all Conditional Access policies, protect them with hardware security keys (FIDO2) rather than push MFA or SMS, store credentials in an offline vault (physical safe, not a password manager), grant Global Administrator only, set up an alert for any sign-in from these accounts, and test them quarterly. Break-glass accounts are a control, not a vulnerability. Their risk is in misconfiguration (used as regular admin accounts) or inadequate monitoring.
OAuth App Governance
OAuth consent grant attacks are among the most underestimated Entra ID attack vectors. An attacker registers a malicious application, crafts a consent URL, sends it to users, and when users grant consent, the app gets persistent API access to their mailbox, files, and contacts even after password resets. Hardening steps: disable user consent for apps from unverified publishers, require admin approval for any app requesting high-privilege scopes (Mail.ReadWrite, Files.ReadWrite.All), audit existing OAuth consent grants using the Entra ID app governance blade or PowerShell, and revoke consent from any application not in your approved list. Enable Microsoft Entra app governance if you have Entra ID P2 licensing: it provides automated policy enforcement and anomaly detection for OAuth apps.
Service Principal and Workload Identity Security
Service principals (app registrations) and managed identities are the machine identities in Entra ID. They are frequently over-permissioned, often have long-lived secrets that never rotate, and receive minimal monitoring. Hardening: audit all service principals for their Microsoft Graph permissions and Azure resource role assignments, remove permissions that exceed actual usage (use Entra CIEM or Azure Access Review), rotate all service principal secrets older than 90 days, migrate service principals to managed identities where possible (managed identities have no secret to steal), and monitor for new app registrations and permission grants outside of your change management process.
Detection: What to Monitor in Entra ID
Entra ID logs flow into Microsoft Sentinel, Defender XDR, or your third-party SIEM via Diagnostic Settings. Key detection scenarios:
Impossible travel
Sign-in from two geographically distant locations within a time window that cannot represent physical travel. Entra ID Identity Protection detects this natively; verify it routes alerts to your SIEM.
Legacy authentication sign-ins
Any successful authentication using a legacy protocol after you have deployed a block policy indicates a policy gap. Alert on all legacy auth successes.
Risky sign-in events
Entra ID Identity Protection risk detections (anonymous IP, password spray, impossible travel, malware-linked IP) should generate P2 alerts in your SIEM.
New Global Admin role assignments
Any direct role assignment to Global Administrator outside of PIM activation should be a P1 alert.
New app consent grants
Alert on any OAuth consent grant to new applications, especially those with Mail or Files read/write scope.
PIM activation outside business hours
Privileged role activation between midnight and 6 AM local time for an account's typical geography is a strong lateral movement indicator.
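Three of these detections (legacy auth successes, direct Global Admin assignment, off-hours PIM activation) as an added example that is not part of the original article, run over constructed records shaped like the Graph /auditLogs/signIns and /auditLogs/directoryAudits JSON. The activity names, field paths and the per-user home time zone offsets are assumptions to verify against your own tenant's export.

```python
# Three of the detections above, run over constructed records shaped like Graph
# /auditLogs/signIns and /auditLogs/directoryAudits JSON. Activity names and field paths
# follow Entra audit-log conventions and are assumptions to check against a real export.
from datetime import datetime, timedelta, timezone

LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
HOME_UTC_OFFSET_H = {"alice@contoso.example": 1}  # assumed: user -> offset of their typical geography

def legacy_auth_successes(signins):
    """Successful (errorCode 0) sign-ins via a legacy client: evidence of a block-policy gap."""
    return [s["userPrincipalName"] for s in signins
            if s["clientAppUsed"] in LEGACY_CLIENTS and s["status"]["errorCode"] == 0]

def _role_names(event):
    return [mp.get("newValue", "").strip('"')
            for t in event.get("targetResources", []) for mp in t.get("modifiedProperties", [])
            if mp.get("displayName") == "Role.DisplayName"]

def direct_global_admin_grants(audits):
    """P1: Global Administrator assigned directly (Core Directory), not through a PIM activation."""
    return [e["initiatedBy"]["user"]["userPrincipalName"] for e in audits
            if e["activityDisplayName"] == "Add member to role"
            and e.get("loggedByService") != "PIM" and "Global Administrator" in _role_names(e)]

def offhours_pim_activations(audits, start_hour=0, end_hour=6):
    """PIM activations landing between midnight and 06:00 in the activating user's home zone."""
    hits = []
    for e in audits:
        if "PIM activation" not in e["activityDisplayName"]:
            continue
        upn = e["initiatedBy"]["user"]["userPrincipalName"]
        utc = datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))
        local = utc.astimezone(timezone(timedelta(hours=HOME_UTC_OFFSET_H.get(upn, 0))))
        if start_hour <= local.hour < end_hour:
            hits.append((upn, local.isoformat()))
    return hits

SIGNINS = [  # constructed
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "eve@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
]
_GA = [{"modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]
AUDITS = [  # constructed
    {"activityDisplayName": "Add member to role", "loggedByService": "Core Directory",
     "activityDateTime": "2025-03-04T14:02:11Z", "targetResources": _GA,
     "initiatedBy": {"user": {"userPrincipalName": "svc-helpdesk@contoso.example"}}},
    {"activityDisplayName": "Add member to role completed (PIM activation)", "loggedByService": "PIM",
     "activityDateTime": "2025-03-05T02:15:00Z", "targetResources": _GA,
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}},
]
```

Note that the failed SMTP sign-in is not flagged: only successes through a legacy client indicate a policy gap, while the failures belong in the spray-detection rule instead.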
Secure Score as a Tracking Tool
Microsoft Secure Score in the Defender portal provides a weighted score for your Entra ID (and Microsoft 365) security posture. It translates hardening actions into a measurable number, making it useful for tracking improvement over time and communicating progress to leadership. Use it as a backlog generator: the improvement actions list ranks each control by its point value and describes exactly what to configure. Caution: Secure Score optimizes for Microsoft-specific controls and may not reflect your actual risk posture, especially for controls outside the Microsoft ecosystem. Treat it as a useful checklist, not a complete risk measure.
The bottom line
Entra ID hardening has a clear priority order: block legacy authentication, enforce MFA with Conditional Access, deploy PIM for all privileged roles, and audit OAuth consent grants. These four steps eliminate the majority of the attack surface that attackers exploit against Entra ID tenants.
Frequently asked questions
What is the difference between Entra ID P1 and P2 licensing for security?
Entra ID P1 includes Conditional Access, hybrid identity (Entra Connect), self-service password reset, and group-based access management. P2 adds Privileged Identity Management (PIM), Identity Protection (risk-based Conditional Access, risky user/sign-in reports), and Access Reviews. PIM alone typically justifies the P2 cost for organizations with more than a handful of admin accounts. P2 is included in Microsoft 365 E5 and can be purchased as an add-on to E3.
How do I find over-permissioned service principals in my tenant?
Use the Entra ID portal under App Registrations or Enterprise Applications to review API permissions. For bulk analysis, use Microsoft Graph PowerShell or the AzureAD PowerShell module to export all service principals and their assigned roles. The Entra ID Workload Identities blade (requires Workload Identities Premium) provides automated analysis of unused permissions. Third-party tools like Wiz, Varonis, and Authomize also provide service principal entitlement analysis.
What is a consent phishing attack and how common is it?
Consent phishing (also called OAuth phishing or illicit consent grant attack) sends a victim a URL that requests OAuth permissions from a malicious application. If the victim consents, the attacker's app receives persistent API access to the victim's mailbox, files, and contacts. Microsoft reported that consent phishing campaigns targeted hundreds of thousands of users in 2023 and 2024. It bypasses MFA completely because it exploits a legitimate OAuth flow. Blocking user consent for unverified publisher apps is the primary prevention control.
How do I audit existing OAuth consent grants?
In the Entra ID portal, navigate to Enterprise Applications, then filter by Application Type = All Applications. Review the Permissions tab for any application with broad scopes (Mail.ReadWrite, Files.ReadWrite.All, Calendars.ReadWrite). For bulk analysis: use the Microsoft Graph endpoint /oauth2PermissionGrants or the PowerShell command Get-MgOauth2PermissionGrant to export all delegated permission grants. Remove consent from any application not in your approved list.
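For the bulk-analysis step, the following added example (not from the original article or from Microsoft) audits an export of /oauth2PermissionGrants records against an allowlist of reviewed apps and the broad scopes named above; the service principal ids, display names, grant ids and allowlist are constructed assumptions.

```python
# Audit delegated consent grants exported from Graph /oauth2PermissionGrants (constructed
# records below) against an approved-app allowlist and the broad scopes named above.
HIGH_PRIV_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Calendars.ReadWrite"}
SP_NAMES = {"sp-111": "Contoso Expense Tool", "sp-222": "Free PDF Converter"}  # constructed clientId -> displayName
APPROVED_CLIENTS = {"sp-111"}  # assumed allowlist of reviewed client service principal ids

def audit_grants(grants, approved=APPROVED_CLIENTS):
    """One finding per grant that is unapproved or carries a high-privilege scope.
    The scope field is a space-separated string; consentType AllPrincipals means an
    admin consented on behalf of every user in the tenant."""
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_PRIV_SCOPES)
        unapproved = g["clientId"] not in approved
        if not (risky or unapproved):
            continue
        findings.append({
            "grant_id": g["id"],
            "client": SP_NAMES.get(g["clientId"], g["clientId"]),
            "tenant_wide": g["consentType"] == "AllPrincipals",
            "principal": g.get("principalId"),
            "high_priv_scopes": risky,
            "action": "revoke" if unapproved else "review",
        })
    return findings

def revoke_requests(findings):
    """Graph calls that remove the flagged grants (one DELETE per grant id)."""
    return [f"DELETE /oauth2PermissionGrants/{f['grant_id']}" for f in findings if f["action"] == "revoke"]

GRANTS = [  # constructed export
    {"id": "grant-1", "clientId": "sp-111", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read Mail.ReadWrite"},
    {"id": "grant-2", "clientId": "sp-222", "consentType": "Principal", "principalId": "user-abc",
     "resourceId": "graph-sp", "scope": "User.Read Files.ReadWrite.All offline_access"},
    {"id": "grant-3", "clientId": "sp-111", "consentType": "Principal", "principalId": "user-def",
     "resourceId": "graph-sp", "scope": "User.Read"},
]
```

An approved app with a tenant-wide Mail.ReadWrite grant is surfaced for review rather than revoked, while the unapproved converter app is queued for removal.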
What is the Entra ID attack path for a typical breach?
A common attack sequence: (1) attacker phishes a standard user and steals credentials, (2) attacker bypasses MFA via AiTM proxy or MFA fatigue, (3) attacker identifies that the user has an app registration or is a member of a group with privileged access, (4) attacker enumerates tenant via Microsoft Graph to find admin accounts, (5) attacker uses OAuth app abuse or service principal manipulation to escalate privileges, (6) attacker activates Global Admin access and establishes persistence via new admin account or backdoored OAuth app. Each step has corresponding detections: monitoring all of these in your SIEM creates a layered detection posture.
Should we use Microsoft Sentinel or a third-party SIEM for Entra ID monitoring?
Microsoft Sentinel has native connectors for all Entra ID log sources, built-in analytics rules that map to the MITRE ATT&CK framework for identity attacks, and deep integration with Defender XDR's identity telemetry. If you are heavily invested in the Microsoft ecosystem, Sentinel is the natural choice. Third-party SIEMs (Splunk, IBM QRadar, Elastic) all support Entra ID log ingestion via the Microsoft Graph Activity Log connector. The quality of detections depends more on the analytics rules you build than on the SIEM platform itself.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.