Skip to main content

MFA & Entra ID Hardening

Canonical baseline. Audience-neutral. Referenced by the Operational pages for MSPs and Internal IT Teams.

Identity is the modern security perimeter. For a cloud-first Microsoft 365 organisation, compromise almost always starts with a compromised identity, which makes hardening Entra ID the single highest-leverage security work available. This page is the baseline to deploy and hold every environment to.

Warning — Validate before you deploy

These are baseline recommendations for a typical Australian SMB Microsoft 365 tenant. Conditional Access in particular can lock you out if misapplied. Always pilot with a test group, configure break-glass accounts first, and validate against current Microsoft guidance.

Break-glass accounts first

Before tightening anything, create two cloud-only emergency-access ("break-glass") accounts, excluded from Conditional Access policies, with long random passphrases stored securely offline, and monitored for any sign-in. These are your way back in if a policy or a federated identity provider locks everyone out. Configure these before you deploy the policies below.

Multi-factor authentication

MFA is non-negotiable and is increasingly a precondition of cyber insurance. The baseline:

  • Require phishing-resistant MFA where possible — passkeys/FIDO2 or certificate-based — and at minimum the Microsoft Authenticator app with number matching. Avoid SMS as a primary factor; it's vulnerable to SIM-swap and interception.
  • Enforce MFA for all users, not just admins. Attackers pivot through standard accounts.
  • Roll out via Conditional Access (below) rather than per-user MFA or relying solely on Security Defaults, so you get consistent, reportable control.

Conditional Access baseline

Conditional Access is where the identity perimeter is actually enforced. A sensible starting policy set:

  • Require MFA for all users, all cloud apps. This is the cornerstone policy.
  • Block legacy authentication. Legacy protocols (POP, IMAP, SMTP AUTH, older Office clients) can't enforce MFA and are a favourite attacker path. Block them, after checking for dependencies.
  • Require compliant or hybrid-joined devices for access to sensitive applications, so access is tied to managed, healthy endpoints.
  • Risk-based policies (with Entra ID P2): require MFA or block on sign-in/user risk detected by Identity Protection.
  • Consider location and session controls appropriate to your business — for example, blocking or challenging sign-ins from regions you never operate in.

Deploy every policy in report-only mode first, review the impact in the sign-in logs, then enforce.

Privileged access

Standing administrative access is a standing risk. Harden it:

  • Apply the principle of least privilege — grant the narrowest role that does the job, not Global Administrator by default.
  • Use Privileged Identity Management (PIM) for just-in-time, time-bound, approved elevation, so admin rights are activated only when needed and every activation is logged.
  • Keep the number of Global Administrators small (Microsoft suggests a handful), all MFA-enforced and reviewed.
  • Run regular access reviews so privilege that's no longer needed is removed.

What "good" looks like

A hardened tenant has MFA enforced for everyone via Conditional Access, legacy authentication blocked, admin access minimised and brokered through PIM, break-glass accounts in place and monitored, and the whole configuration documented so drift is detectable. Map this baseline to Essential Eight: Multi-factor authentication and Restrict administrative privileges — see the Essential Eight Baseline.