Best practice rules for Microsoft Entra ID
- Check for Microsoft Entra ID Guest Users: Ensure there are no Microsoft Entra ID guest users if they aren’t needed.
- Disable Tenant Creation for Non-Admin Users: Ensure that non-admin users are not allowed to create Microsoft Entra ID tenants.
- Enable “All Users” Group: Ensure that the “All Users” group is enabled for centralized access management within your Microsoft Entra ID account.
- Enable Security Defaults: Ensure that Security Defaults is enabled for Microsoft Entra ID.
- Guest User Permissions Are Limited: Ensure that ‘Guest user permissions are limited’ is set to ‘Yes’ (Not Scored).
- Guests Can Invite: Ensure that ‘Guests can invite’ is set to ‘No’ (Not Scored).
- Limit Guest User Invites to Administrators: Ensure that invitations are restricted to users with specific administrative roles only.
- Members Can Invite: Ensure that ‘Members can invite’ is set to ‘No’ (Not Scored).
- Multi-factor Authentication For All Non-privileged Users: Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored).
- Multi-factor Authentication For All Privileged Users: Ensure that multi-factor authentication is enabled for all privileged users (Not Scored).
- Multi-factor Authentication On Devices: Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is ‘Disabled’ (Not Scored).
- Notify All Admins When Other Admins Reset Their Password: Ensure that ‘Notify all admins when other admins reset their password?’ is set to ‘Yes’ (Not Scored).
- Notify Users On Password Resets: Ensure that ‘Notify users on password resets?’ is set to ‘Yes’ (Not Scored).
- Number Of Days Before Authentication Information Re-confirmation: Ensure that ‘Number of days before users are asked to re-confirm their authentication information’ isn’t set to ‘0’ (Not Scored).
- Number Of Methods Required To Reset Password: Ensure that ‘Number of methods required to reset’ is set to ‘2’ (Not Scored).
- Require Multi-Factor Auth To Join Devices: Ensure that ‘Require Multi-Factor Auth to join devices’ is set to ‘Yes’ (Not Scored).
- Restrict Access To Microsoft Entra ID Administration Portal: Ensure that ‘Restrict access to Microsoft Entra ID administration portal’ is set to ‘Yes’ (Not Scored).
- Restrict Guest User Access to Their Own Directory Data: Ensure that guest user permissions are limited to a secure, compliant level.
- Restrict User Access to Microsoft Entra Group Features in Azure Access Panel: Ensure that the ‘Restrict user ability to access groups features in the Access Panel’ setting is set to ‘Yes’ (Not Scored).
- Self-service Group Management Enabled: Ensure that ‘Self-service group management enabled’ is set to ‘No’ (Not Scored).
- Users Can Add Gallery Apps To Their Access Panel: Ensure that ‘Users can add gallery apps to their Access Panel’ is set to ‘No’ (Not Scored).
- Users Can Consent To Apps Accessing Company Data On Their Behalf: Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to ‘No’ (Not Scored).
- Users Can Create Office 365 Groups: Ensure that ‘Users can create Office 365 groups’ is set to ‘No’ (Not Scored).
- Users Can Create Security Groups: Ensure that ‘Users can create security groups’ is set to ‘No’ (Not Scored).
- Users Can Register Applications: Ensure that ‘Users can register applications’ is set to ‘No’ (Not Scored).
- Users Who Can Manage Office 365 Groups: Ensure that ‘Users who can manage Office 365 groups’ is set to ‘None’ (Not Scored).
- Users Who Can Manage Security Groups: Ensure that ‘Users who can manage security groups’ is set to ‘None’ (Not Scored).