Microsoft Entra ID (formerly Azure Active Directory) is the backbone of modern enterprise identity management, but a misconfigured tenant is a hacker's dream. After analyzing countless security incidents and Microsoft's latest 2025 updates, I've compiled the essential configurations that separate secure organizations from tomorrow's breach headlines.
The stakes have never been higher
Recent attacks like Midnight Blizzard's exploitation of OAuth applications demonstrate how identity misconfigurations enable sophisticated threat actors. Microsoft's data shows that 99.9% of identity-related attacks are stopped by proper MFA and legacy authentication blocking – yet many organizations still leave these fundamentals unconfigured.
Critical security foundations
1. Mandatory Multi-Factor Authentication (MFA)
The most impactful security control you can implement
For Free Tier users
- Navigate to Identity > Overview > Properties
- Click Manage Security Defaults and enable them
- Important change in 2025: The 14-day MFA grace period was removed starting July 29, 2024
For Premium License holders: Skip Security Defaults and use Conditional Access policies:
- Go to Protection > Conditional Access
- Create policy: Require MFA for All Users
- Set assignments to All Users (exclude emergency accounts)
- Access controls: Grant > Require multifactor authentication
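The same policy built with Microsoft Graph PowerShell, as an added example rather than code from the original post. It assumes the Microsoft.Graph module is installed and uses placeholder UPNs for the emergency access accounts; the policy is created in report-only mode so its impact can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example: create the "Require MFA for All Users" Conditional Access policy via Graph.
# Assumptions: Microsoft.Graph module installed; break-glass UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

# Placeholder emergency access accounts; they must be excluded from every CA policy
$emergencyUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")
$excludeIds = foreach ($upn in $emergencyUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

$policy = @{
    displayName = "Require MFA for All Users"
    # Report-only first: review the sign-in log impact, then change the state to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($excludeIds)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```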
2. Lock Down User Permissions
By default, all users can register applications and consent to apps accessing company data – this is a security nightmare.
Navigate to Identity > Users > User Settings and configure:
- App registrations: Set to No
- Users can consent to apps: Set to No
- Guest user access: Set to Limited access
- Users can create security groups: Set to No
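These portal toggles map to the tenant's authorizationPolicy in Microsoft Graph. The following added example (not from the original post) reads the current values, flags the weak ones, and applies the locked-down settings only when $Enforce is set; it assumes the Microsoft.Graph module is installed. The admin portal restriction in the next section has no Graph equivalent and stays a portal-only change.

```powershell
# Added example: audit and optionally fix default user permissions via Graph.
# Assumption: Microsoft.Graph module installed. Set $Enforce = $true to apply changes.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome
$Enforce = $false

# Built-in guest role IDs documented for authorizationPolicy.guestUserRoleId
$GuestRoleLimited    = "10dae51f-b6af-4016-8d66-8c2a99b929b3"   # portal: "Limited access"
$GuestRoleRestricted = "2af84b1e-32c8-42b7-82bc-daa82404023b"   # portal: "Restricted access"

$ap    = Get-MgPolicyAuthorizationPolicy
$perms = $ap.DefaultUserRolePermissions

$findings = @()
if ($perms.AllowedToCreateApps)           { $findings += "Users can register applications" }
if ($perms.AllowedToCreateSecurityGroups) { $findings += "Users can create security groups" }
# Any assigned grant policy means users can consent to apps on their own
if ($perms.PermissionGrantPoliciesAssigned.Count -gt 0) {
    $findings += "Users can consent to apps ($($perms.PermissionGrantPoliciesAssigned -join ', '))"
}
if ($ap.GuestUserRoleId -notin @($GuestRoleLimited, $GuestRoleRestricted)) {
    $findings += "Guest users have member-level directory access"
}

if ($findings.Count -eq 0) {
    "Default user permissions are locked down."
} else {
    "Weak settings found:"
    $findings | ForEach-Object { " - $_" }
}

if ($Enforce -and $findings.Count -gt 0) {
    # Corrected values matching the post's recommendations
    Update-MgPolicyAuthorizationPolicy -GuestUserRoleId $GuestRoleLimited `
        -DefaultUserRolePermissions @{
            allowedToCreateApps             = $false
            allowedToCreateSecurityGroups   = $false
            permissionGrantPoliciesAssigned = @()
        }
    "Applied locked-down default user permissions."
}
```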
3. Restrict Admin Portal access
The Entra ID administrative center contains sensitive data and permission settings that non-administrators shouldn't access.
- Identity > Users > User Settings
- Restrict access to Azure AD administration portal: Set to Yes
4. Enable Audit Logging
Essential for compliance and incident investigation:
- Navigate to Entra ID > Monitoring & health > Audit logs
- If prompted, click Start recording user and admin activity
- Provides 30-day retention by default (extendable with diagnostic settings)
What's New in 2025: game-changing features
Conditional Access Optimization Agent (Private Preview)
This AI-powered agent monitors for new users or apps not covered by existing policies and recommends one-click fixes.
Prerequisites (Important):
- Security Copilot subscription with Security Compute Units (minimum 1 SCU, recommended 3)
- Security Administrator or Global Administrator role
- Microsoft Entra ID P1 license minimum
Access path:
- From the Entra Admin Center home page, look for the agent notification card
- Click Go to agents → View details → Run agent
Microsoft Entra Agent ID
New in 2025, this provides a unified directory of all agent identities from Copilot Studio and Azure AI Foundry.
- Navigate to Enterprise Applications
- Set filter to Application type: Agent ID (Preview)
- View and manage all AI agents in your tenant
Protected Actions for critical operations
Adds an extra security layer for dangerous operations:
- Go to Protection > Protected Actions
- Enable for user deletions and application deletions
Critical 2025 migration deadlines
PowerShell Module Retirement
MSOnline PowerShell retirement starts April 2025, completing in May 2025. More on the subject can be found here.
# Old way (DON'T USE)
Install-Module MSOnline
Connect-MsolService
# New way (USE THIS)
Install-Module Microsoft.Graph
Connect-MgGraph
Mandatory Azure MFA rollout
- February 2025: Azure portal access requires MFA
- September 2025: Azure CLI, PowerShell, and REST APIs require MFA
Azure AD B2B/B2C Changes
Microsoft stops selling Azure AD B2B/B2C on May 1, 2025. New customers must use Entra External ID.
Essential configurations often missed
Named Locations
- Protection > Conditional Access > Named Locations
- Add your office IP ranges and mark as Trusted locations
Self-Service Password Reset
- Protection > Password reset
- Enable for Selected or All users
- Configure at least 2 authentication methods
External Collaboration Settings
Navigate to External Identities > External collaboration settings:
- Guest user access: Most restrictive
- Guest invite settings: Only admins and users in guest inviter role
- Collaboration restrictions: Configure domain allowlists
Emergency access: your safety net
Never lock yourself out! Create emergency access accounts:
- Create 2 cloud-only accounts (no on-premises sync)
- Use complex passwords (store securely)
- Assign Global Administrator role
- Exclude from ALL Conditional Access policies
- Monitor usage religiously
Set up monitoring:
- Identity > Monitoring > Workbooks
- Enable the Sensitive Operations Report
- Configure alerts for emergency account usage
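A script-based check for the two requirements above (exclusion from every Conditional Access policy, and monitoring of sign-ins), added here as an example and not part of the original post. It assumes the Microsoft.Graph module is installed and uses placeholder UPNs; it only checks direct user exclusions, so accounts excluded through a group would still be reported.

```powershell
# Added example: verify break-glass accounts are excluded from all CA policies and
# list any sign-ins by them in the last 30 days. Assumptions: Microsoft.Graph installed;
# the UPNs below are placeholders for your own emergency access accounts.
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","AuditLog.Read.All" -NoWelcome

$emergencyUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")
$emergency = foreach ($upn in $emergencyUpns) {
    Get-MgUser -UserId $upn -Property Id,UserPrincipalName
}

# 1. Every non-disabled policy (enabled or report-only) must exclude each account directly
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($acct in $emergency) {
    $missing = $policies | Where-Object {
        $_.State -ne "disabled" -and
        $_.Conditions.Users.ExcludeUsers -notcontains $acct.Id
    }
    if ($missing) {
        "WARNING: $($acct.UserPrincipalName) is NOT excluded from:"
        $missing | ForEach-Object { " - $($_.DisplayName) [$($_.State)]" }
    } else {
        "OK: $($acct.UserPrincipalName) is excluded from all $($policies.Count) policies"
    }
}

# 2. A break-glass account should almost never sign in; any sign-in warrants investigation
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
foreach ($acct in $emergency) {
    $filter  = "userId eq '$($acct.Id)' and createdDateTime ge $since"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -All
    if ($signIns) {
        "ALERT: $(@($signIns).Count) sign-in(s) for $($acct.UserPrincipalName) since $since"
        $signIns | Select-Object CreatedDateTime, IPAddress, AppDisplayName,
            @{ n = "Result"; e = { if ($_.Status.ErrorCode -eq 0) { "success" } else { "failure $($_.Status.ErrorCode)" } } } |
            Format-Table -AutoSize
    } else {
        "OK: no sign-ins for $($acct.UserPrincipalName) in the last 30 days"
    }
}
```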
Cost reality check
While discussing new features, let's be transparent about costs:
- Conditional Access Optimization Agent: Requires paid Security Copilot subscription (minimum ~$2800/month for SCUs)
- Protected Actions: Available with standard licensing
- Agent ID: Public preview, no additional licensing required
- Enhanced Sign-in Logs: Rolled out automatically
The bottom line
Identity misconfigurations are among the most exploited attack vectors, but they're also the most preventable. The configurations outlined above provide a robust foundation that will stop the vast majority of common attacks.
Start with the fundamentals: MFA, user permission lockdown, and audit logging. These three changes alone will dramatically improve your security posture. Then layer on the advanced features as your licensing and budget allow.
The threat landscape evolves rapidly, but with these configurations in place, you're building a security foundation that can adapt and protect your organization for years to come.
Key takeaways:
- Enable MFA immediately (Security Defaults or Conditional Access)
- Lock down default user permissions
- Restrict admin portal access to actual administrators
- Enable audit logging for compliance and incident response
- Create and monitor emergency access accounts
- Migrate from deprecated PowerShell modules before the deadline
- Plan for mandatory Azure MFA requirements
Resources:
- Microsoft Entra Admin Center
- Microsoft Learn: Entra ID Documentation
- Microsoft Security Blog
- Microsoft to End Sale of Azure AD B2B/B2C on May 1, 2025
- MSOnline and AzureAD PowerShell retirement - 2025
Have questions about Microsoft Entra configuration? Drop them in the comments below, and I'd be happy to answer. Stay secure!