Microsoft Entra ID (formerly Azure Active Directory) is the identity hub for most organizations using Microsoft 365, Azure, and SaaS applications. Microsoft Digital Threat Intelligence research (2025) shows that 93% of cloud incidents involve compromised identities. The default Entra ID configuration is not hardened out of the box — it requires deliberate decisions and the implementation of numerous security controls to become a resilient gateway to company resources.
Why Entra ID Is the Primary Target
Entra ID is an attractive target for attackers for several reasons. First, it controls access to virtually all organizational resources: Exchange, Teams, SharePoint, applications, Azure resources, and SaaS apps federated via SAML/OIDC. Compromising a Global Administrator account means full control over the cloud environment.
Second, the default Entra ID configuration leaves legacy authentication protocols active: SMTP AUTH, POP3, IMAP, and HTTP Basic authentication. These protocols accept only a username and password and cannot prompt for a second factor, so even if MFA is enabled for a user, an attacker holding stolen credentials can sign in through them without ever being challenged for MFA. This is the most common attack vector against Microsoft 365 accounts in 2025.
Third, many organizations still rely on Entra ID Security Defaults or have per-user MFA enabled — an older and less flexible mechanism than Conditional Access policies. Security Defaults are a reasonable starting point for small organizations, but for enterprise environments they are clearly insufficient. Without advanced Conditional Access policies, authentication does not account for sign-in risk, location, device compliance state, or application sensitivity.
Entra ID Hardening Foundations
The first step is enforcing MFA for all users — not just administrators. Use Conditional Access policies, not older per-user MFA. Conditional Access enables granular control: MFA for sensitive applications, MFA from unmanaged devices, reduced requirements for compliant devices.
Blocking legacy authentication is a high-impact hardening step that can be completed in under an hour. In Conditional Access, create a policy that blocks all legacy authentication clients. Check the sign-in logs first to confirm that no production applications still use these protocols.
Conditional Access policies should incorporate named locations: corporate and partner IP ranges treated as trusted, all others as untrusted. Access from untrusted locations should require MFA and/or a compliant device. The compliant device requirement ensures that only devices enrolled in Intune and meeting the compliance policy — encrypted, patched, with active EDR — can access corporate resources.
Also implement a Conditional Access policy requiring MFA registration only from a trusted location or device. Without this policy, an attacker who obtains a new employee's password can register their own phone as the MFA method before the legitimate user does.
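The four foundation policies above, expressed as Microsoft Graph conditionalAccessPolicy request bodies together with a pre-flight check for the rollout mistakes that lock a tenant out. This is an added example, not ExColo's code or tooling; the break-glass object IDs, policy names and the report-only-first rule are assumptions of the example.

```python
"""Graph request bodies for the Conditional Access policies described above,
with a pre-flight check for the lockout mistakes a rollout must avoid.
Added example, not ExColo's code; the break-glass object IDs are placeholders."""

REPORT_ONLY = "enabledForReportingButNotEnforced"  # stage every new policy here first
# Constructed placeholder object IDs of the two break-glass accounts.
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"]
ALL_APPS = {"includeApplications": ["All"]}
MODERN = ["browser", "mobileAppsAndDesktopClients"]
UNTRUSTED = {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}  # named locations

def _policy(name: str, apps: dict, conditions: dict, controls: list[str]) -> dict:
    """One conditionalAccessPolicy body: all users except break-glass, report-only."""
    return {"displayName": name, "state": REPORT_ONLY,
            "conditions": {"applications": apps, **conditions,
                           "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS)}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

def baseline_policies() -> list[dict]:
    """The four policies from the text, in rollout order."""
    return [
        _policy("CA01 Block legacy authentication", ALL_APPS,
                {"clientAppTypes": ["exchangeActiveSync", "other"]}, ["block"]),
        _policy("CA02 Require MFA for all users", ALL_APPS,
                {"clientAppTypes": MODERN}, ["mfa"]),
        # operator OR: an untrusted location needs MFA or an Intune-compliant device
        _policy("CA03 Untrusted location requires MFA or compliant device", ALL_APPS,
                {"clientAppTypes": MODERN, "locations": UNTRUSTED}, ["mfa", "compliantDevice"]),
        # security-info registration is a user action, not an application
        _policy("CA04 MFA registration only from trusted location or compliant device",
                {"includeUserActions": ["urn:user:registersecurityinfo"]},
                {"clientAppTypes": MODERN, "locations": UNTRUSTED}, ["compliantDevice"]),
    ]

def preflight(policy: dict) -> list[str]:
    """Findings that must be empty before POSTing the body to
    /identity/conditionalAccess/policies; each is a known way to lock a tenant out."""
    findings, cond = [], policy["conditions"]
    controls = policy["grantControls"]["builtInControls"]
    if not set(BREAK_GLASS) <= set(cond["users"].get("excludeUsers", [])):
        findings.append("break-glass accounts are not excluded")
    if policy["state"] != REPORT_ONLY:
        findings.append("policy is not staged as report-only")
    legacy_only = set(cond.get("clientAppTypes", ["all"])) <= {"exchangeActiveSync", "other"}
    if ("block" in controls and not legacy_only and "locations" not in cond
            and cond["applications"].get("includeApplications") == ["All"]):
        findings.append("blocks modern clients on every app from everywhere (tenant lockout)")
    return findings
```

Review the report-only sign-in results for each policy before switching its state to enabled, in the order listed.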
Privileged Identity Management (PIM)
Privileged Identity Management is one of the most important features of Entra ID P2, eliminating one of the largest weaknesses in cloud environment configurations: permanent privileged role assignments. In most organizations without PIM, accounts with the Global Administrator or Exchange Administrator role have those privileges assigned permanently — 24 hours a day, 7 days a week, even when no one is actively using them.
PIM replaces permanent assignments with eligible assignments: a user has the right to activate a given role but does not hold it day-to-day. Role activation requires justification, may require approval by another person (approval workflow), and is time-limited (for example, to 8 hours). Every activation is logged and can trigger an alert to the SOC.
Key PIM practices include: requiring justification and approval for Global Administrator activation, quarterly access reviews for all privileged role holders with automatic access removal for inactive accounts, and using separate cloud-only accounts for administrators — not synced from on-premises Active Directory. Synced admin accounts create an attack vector: compromising the on-premises AD gives access to cloud accounts.
PIM should be configured for all privileged roles, not only Global Administrator: Exchange Administrator, SharePoint Administrator, Security Administrator, Conditional Access Administrator. Each of these roles provides significant capability to an attacker and should be subject to just-in-time control.
Protecting Global Administrator Accounts
Global Administrator accounts require special protection due to their absolute privileges in the Entra ID environment. The recommended number of Global Administrator accounts is a minimum of 2 (to avoid a single point of failure) and a maximum of 5 — each additional account represents additional attack surface.
Emergency access (break-glass) accounts are special Global Administrator accounts for crisis situations — when standard accounts are unavailable due to MFA failure. Passwords should be stored offline (printed, in a safe), and accounts should not be subject to Conditional Access or PIM policies. Any sign-in should generate a critical SIEM alert.
Privileged Access Workstations (PAW) are dedicated, hardened devices for administrative tasks only. Do not use the same devices for daily work or web browsing. For Entra ID administration, use a separate device or an isolated browser profile.
Phishing-resistant MFA is mandatory for all administrative accounts. Standard MFA based on SMS or mobile apps is vulnerable to MFA fatigue attacks (approval bombing) and adversary-in-the-middle (AiTM) attacks. For administrator accounts, only FIDO2 security keys or Windows Hello for Business should be permitted — both are phishing-resistant authentication methods.
Monitoring and Threat Detection
Entra ID Protection is a built-in risk assessment service that detects suspicious sign-in patterns and user activities. Two key policies must be configured: a sign-in risk policy (block or require MFA when sign-in risk is High or Medium) and a user risk policy (require password change when user risk is High). These policies automatically respond to detected anomalies without requiring manual analyst intervention.
Entra ID Diagnostic Settings should route audit logs and sign-in logs to a Log Analytics Workspace or directly to the corporate SIEM. Without this configuration, all security events are unavailable after the default retention period (30 days for P1, 90 days for P2) — making incident investigations and forensics significantly harder.
Critical alerts to configure include: Global Administrator role activation (every event requires verification), impossible travel (sign-in from two geographically distant locations within a short time), legacy authentication protocol usage attempts, bulk permission changes, and sign-ins from new countries or anonymous IP addresses.
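The alert logic from the list above, plus the break-glass sign-in alert from the emergency access section, run over constructed Entra ID sign-in records whose field names follow the Microsoft Graph signIn resource. This is an added example, not the page's or ExColo's code; the users, IP addresses, coordinates, speed threshold and known-country baseline are constructed assumptions.

```python
"""Alert logic for legacy auth, new country, impossible travel and break-glass use,
over constructed Entra sign-in records shaped like the Graph signIn resource.
Added example, not the page's code; users, IPs and coordinates are constructed."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
MAX_SPEED_KMH = 900  # faster than an airliner between two sign-ins: impossible travel
BREAK_GLASS_UPNS = {"breakglass1@example.com"}  # constructed emergency account
KNOWN_COUNTRIES = {"alice@example.com": {"PL"}, "bob@example.com": {"PL"},
                   "breakglass1@example.com": {"PL"}}  # constructed per-user baseline
WARSAW = {"latitude": 52.23, "longitude": 21.01}
NEW_YORK = {"latitude": 40.71, "longitude": -74.01}

def _event(when, user, ip, client, country, geo):  # builds one constructed sign-in record
    return {"createdDateTime": when, "userPrincipalName": user, "ipAddress": ip, "clientAppUsed": client,
            "location": {"countryOrRegion": country, "geoCoordinates": geo}}

SIGN_INS = [  # constructed sample sign-in log (TEST-NET addresses)
    _event("2025-03-01T09:00:00Z", "alice@example.com", "203.0.113.10", "Browser", "PL", WARSAW),
    _event("2025-03-01T09:05:00Z", "bob@example.com", "203.0.113.11", "IMAP4", "PL", WARSAW),
    _event("2025-03-01T09:40:00Z", "alice@example.com", "198.51.100.7", "Browser", "US", NEW_YORK),
    _event("2025-03-01T10:00:00Z", "breakglass1@example.com", "203.0.113.12", "Browser", "PL", WARSAW),
]

def _distance_km(a: dict, b: dict) -> float:
    """Great-circle distance between two geoCoordinates objects (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a["latitude"], a["longitude"], b["latitude"], b["longitude"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Returns (alert, user, detail) tuples, processing sign-ins in time order."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda x: x["createdDateTime"]):
        user, loc = e["userPrincipalName"], e["location"]
        when = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        if user in BREAK_GLASS_UPNS:  # any use of an emergency account is critical
            alerts.append(("break_glass_signin", user, e["ipAddress"]))
        if e["clientAppUsed"] in LEGACY_CLIENTS:  # MFA cannot have been enforced here
            alerts.append(("legacy_auth", user, f'{e["clientAppUsed"]} from {e["ipAddress"]}'))
        if loc["countryOrRegion"] not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append(("new_country", user, loc["countryOrRegion"]))
        if user in last_seen:
            prev_when, prev_geo = last_seen[user]
            hours = max((when - prev_when).total_seconds() / 3600, 1 / 60)  # floor at one minute
            km = _distance_km(prev_geo, loc["geoCoordinates"])
            if km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", user, f"{km:.0f} km in {hours * 60:.0f} min"))
        last_seen[user] = (when, loc["geoCoordinates"])
    return alerts
```

Against the sample, Bob's IMAP4 sign-in, Alice's Warsaw-to-New-York pair and the break-glass sign-in each raise an alert; the same rules apply unchanged to records exported from the Entra sign-in log.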
Microsoft Secure Score is an indicator available in the Microsoft Defender portal that measures the security configuration maturity of Entra ID and Microsoft 365. Each recommendation is described, numbered, and assigned a point value. Set a quarterly Secure Score improvement target and assign ownership to a specific member of the IT team. Regular Secure Score reviews are a simple mechanism for sustaining hardening momentum over time.
How ExColo Can Help
Entra ID hardening requires both technical expertise and operational experience — a misconfigured Conditional Access policy can lock users out of critical systems. The ExColo team specialises in identity security in Microsoft 365 and Azure environments.
We offer: Entra ID Security Review (assessment of current configuration), implementation of Conditional Access policies tailored to the customer environment, PIM configuration for privileged roles, Entra ID Protection deployment and log integration with SIEM, and development of procedures for managing break-glass accounts and PAWs. Every engagement begins with an analysis of the existing environment to avoid disrupting production operations.
Contact us to plan an Entra ID security review: ExColo contact form.