Entra ID Security for MSPs
Standardise and secure your client tenants with these essential, scalable practices for Managed Service Providers.
Transition to GDAP Immediately
Granular Delegated Admin Privileges (GDAP) is the modern, secure way to manage customer tenants. It replaces the legacy DAP model, which granted high-level, standing Global Admin access.
- Least Privilege: Assign only the specific Entra ID roles your technicians need for their job (e.g., Helpdesk Administrator, not Global Admin).
- Time-Bound: GDAP relationships are time-limited and must be renewed, preventing indefinite standing access.
- Security Groups: Assign GDAP roles to security groups in your MSP tenant (e.g., "1st Line IT," "Cloud Engineers") for scalable management.
The Break-Glass Account
Every tenant you manage (and your own) must have at least two emergency access accounts, often called "break-glass" accounts.
- Purpose: For use only when normal administrative accounts are unusable.
- Configuration: Exclude from all Conditional Access policies, MFA requirements, and SSPR.
- Security: Use a very long, complex password stored securely offline. Monitor sign-ins vigilantly.
- Locking Down: The one Conditional Access policy that should apply to these accounts is a dedicated policy that only allows access from your MSP HQ IP or a trusted customer location; keep them excluded from every other policy.
Standardise Your RBAC Model
Never use the Global Administrator role for daily tasks. Define a standard Role-Based Access Control (RBAC) model for your team. A basic example could be:
- Tier 1 / Helpdesk: Helpdesk Administrator.
- Tier 2 / Admins: User Administrator, Groups Administrator, Teams Administrator.
- Tier 3 / Projects: Exchange Administrator, SharePoint Administrator.
Enforce a Baseline Security Policy
Apply a non-negotiable set of security policies to every client tenant to establish a secure foundation. Use Conditional Access to enforce them.
- Require Phishing-Resistant MFA: Enforce Microsoft Authenticator with number matching or FIDO2 keys for all users, especially admins.
- Block Legacy Authentication: This is a critical step to prevent password spray attacks that bypass MFA.
- Enable SSPR: Empower users to reset their own passwords to reduce helpdesk tickets, but ensure strong registration requirements (e.g., 2 methods).
- Block High-Risk Countries: If your clients don't do business internationally, use the location condition to block sign-ins from high-risk regions.
Secure Customer Handovers
A structured process for onboarding and offboarding customers is critical to prevent lingering access and ensure a secure transition between IT providers.
Onboarding a New Customer
- Audit Privileged Roles: Immediately identify all Global Admins and other high-privilege roles.
- Remove Previous Provider: Work with the customer to remove all access for the former IT provider, including old DAP and GDAP relationships.
- Establish Your GDAP: Create a new GDAP relationship with the least-privilege roles necessary for your service agreement.
- Secure Admins: Force password resets for all remaining administrative accounts and ensure they are secured with phishing-resistant MFA.
- Run Baseline Scan: Use a tool like AetherCred to get an immediate snapshot of the tenant's security posture.
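The privileged-role audit in the first onboarding step, checked against the tiered RBAC model above, can be scripted. The following is an added example written for this page, not AetherCred's tooling or Microsoft's code. It assumes the Microsoft Graph PowerShell SDK, a GDAP (or direct) identity holding RoleManagement.Read.Directory in the customer tenant, and a -CustomerTenantId parameter supplied by the caller. It lists active assignments only; PIM-eligible assignments and members of role-assignable groups are not expanded.

```powershell
# Added example (not AetherCred's or Microsoft's code): enumerate every active directory
# role assignment in a customer tenant and flag anything outside the tiered RBAC model
# described on this page. Assumes the Microsoft Graph PowerShell SDK and an identity with
# at least RoleManagement.Read.Directory in the customer tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance

param(
    [Parameter(Mandatory)] [string] $CustomerTenantId   # customer tenant to audit (assumption: supplied by the caller)
)

# The standard RBAC model from this page; any other role is reported as an exception.
$ApprovedRoles = @{
    'Helpdesk Administrator'   = 'Tier 1'
    'User Administrator'       = 'Tier 2'
    'Groups Administrator'     = 'Tier 2'
    'Teams Administrator'      = 'Tier 2'
    'Exchange Administrator'   = 'Tier 3'
    'SharePoint Administrator' = 'Tier 3'
}

Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Resolve role definition ids to display names once, rather than once per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active assignments only (PIM-eligible ones are not returned here); expand the principal
# so that UPN, display name and object type arrive in the same call.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

$report = foreach ($a in $assignments) {
    $role      = $roleNames[$a.RoleDefinitionId]
    $principal = $a.Principal.AdditionalProperties
    [pscustomobject]@{
        Role      = $role
        Tier      = if ($ApprovedRoles.ContainsKey($role)) { $ApprovedRoles[$role] } else { 'EXCEPTION' }
        Principal = if ($principal.userPrincipalName) { $principal.userPrincipalName } else { $principal.displayName }
        Type      = ($principal.'@odata.type' -replace '#microsoft.graph.', '')
        Scope     = $a.DirectoryScopeId   # '/' is tenant-wide; anything else is an administrative unit or app scope
    }
}

# Global Administrator is reported separately: the page says never to use it for daily
# tasks, so every holder beyond the break-glass accounts is a finding for the onboarding report.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
Write-Host ("Global Administrator holders: {0}" -f $globalAdmins.Count)
$globalAdmins | Format-Table Principal, Type, Scope -AutoSize

Write-Host 'Assignments outside the approved tier model:'
$report | Where-Object Tier -eq 'EXCEPTION' | Sort-Object Role | Format-Table Role, Principal, Type -AutoSize

# Keep the full listing as evidence for the onboarding record (file name is an assumption).
$report | Export-Csv -Path ".\$CustomerTenantId-role-audit.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Save it under any name you like (for example Audit-PrivilegedRoles.ps1, an assumed name) and run it with -CustomerTenantId set to the customer's tenant id. Service principals and role-assignable groups show up with their own Type value, which matters: a Global Administrator held by an application or by a group with open membership is the kind of finding the "Remove Previous Provider" step is meant to surface.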
Offboarding a Customer
- Confirm Customer GA: Ensure the customer has at least two of their own Global Admin / Break-Glass accounts that you do not control.
- Coordinate Handover: Work with the new IT provider to help them establish their own GDAP access.
- Provide Final Report: Give the customer a final security report, detailing the state of the tenant as you leave it.
- Remove Your Access: Once the new provider confirms access, completely remove your GDAP relationship from the customer's tenant.
- Document Everything: Keep a record of all handover communications and actions taken.
Implement 24/7 SOC Monitoring
Your security policies are the locks on the doors; a Security Operations Centre (SOC) is the automated CCTV and alarm system. It spots threats far faster than a human ever could, providing the continuous monitoring essential for protecting client tenants at scale. While not a replacement for skilled engineers, a SOC is the critical first line of automated defence against sophisticated attacks.
Key Identity Threats to Monitor
- Impossible Travel: A user signing in from two geographically distant locations in a short time.
- Sign-ins from Anonymous IPs: Access from Tor nodes or anonymous proxies.
- Privilege Escalation: A user being added to a high-privilege role outside of a normal process.
- Unusual Login Properties: First-time sign-ins from a new country or unfamiliar device.
- Massive Data Deletion: A user deleting an unusual volume of files from SharePoint or OneDrive.
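The threats listed above, together with the "monitor sign-ins vigilantly" requirement for break-glass accounts, can be checked on a schedule from the Graph sign-in, directory-audit and risk-detection endpoints. The script below is an added example for this page, not AetherCred's or Microsoft's code, and not a substitute for the SOC tooling discussed next. It assumes the Microsoft Graph PowerShell SDK, the AuditLog.Read.All and IdentityRiskEvent.Read.All permissions, and break-glass UPNs and a privileged-role list supplied by the caller. Impossible travel, anonymous IPs and unfamiliar sign-in properties come from Identity Protection risk detections, which require Entra ID P2; mass deletion in SharePoint or OneDrive lives in the unified audit log and is not covered here.

```powershell
# Added example (not code from this page's author or from Microsoft): a scheduled check
# that pulls the last N hours of identity signals from a customer tenant and turns them
# into findings for the threats listed on this page. Break-glass UPNs and the privileged
# role list are assumptions supplied by the caller; risk detections need Entra ID P2.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns

param(
    [Parameter(Mandatory)] [string]   $CustomerTenantId,
    [Parameter(Mandatory)] [string[]] $BreakGlassUpns,
    [int] $LookbackHours = 24
)

Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'IdentityRiskEvent.Read.All' -NoWelcome

$since    = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string] $Severity, [string] $Category, [string] $Detail) {
    $findings.Add([pscustomobject]@{ Severity = $Severity; Category = $Category; Detail = $Detail })
}

# 1. Any sign-in attempt by a break-glass account, successful or not, is an incident until proven otherwise.
foreach ($upn in $BreakGlassUpns) {
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All
    foreach ($s in $signIns) {
        Add-Finding 'Critical' 'Break-glass sign-in' ("{0} from {1} at {2} (error code {3})" -f $upn, $s.IPAddress, $s.CreatedDateTime, $s.Status.ErrorCode)
    }
}

# 2. Privilege escalation: additions to high-privilege roles recorded in the directory audit log.
$privilegedRoles = @('Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator', 'SharePoint Administrator', 'User Administrator')
$roleAdds = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add member to role' and activityDateTime ge $since" -All
foreach ($e in $roleAdds) {
    # The target resource's modified properties carry the role name as a JSON-quoted string.
    $roleProp = $e.TargetResources | ForEach-Object { $_.ModifiedProperties } | Where-Object DisplayName -eq 'Role.DisplayName' | Select-Object -First 1
    $roleName = if ($roleProp) { $roleProp.NewValue.Trim('"') } else { '(unknown)' }
    if ($privilegedRoles -contains $roleName) {
        $actor  = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName } else { $e.InitiatedBy.App.DisplayName }
        $target = ($e.TargetResources | Where-Object Type -eq 'User' | Select-Object -First 1).UserPrincipalName
        Add-Finding 'High' 'Privilege escalation' ("{0} added {1} to {2} at {3}" -f $actor, $target, $roleName, $e.ActivityDateTime)
    }
}

# 3. Identity Protection detections (P2): the riskEventType values behind three of the threats above.
$watchedTypes = @{
    unlikelyTravel      = 'Impossible travel'
    anonymizedIPAddress = 'Anonymous IP'
    unfamiliarFeatures  = 'Unusual sign-in properties'
}
try {
    $detections = Get-MgRiskDetection -Filter "detectedDateTime ge $since" -All
    foreach ($d in ($detections | Where-Object { $watchedTypes.ContainsKey($_.RiskEventType) })) {
        $sev = if ($d.RiskLevel -eq 'high') { 'High' } else { 'Medium' }
        Add-Finding $sev $watchedTypes[$d.RiskEventType] ("{0} from {1} ({2}) at {3}, state {4}" -f $d.UserPrincipalName, $d.IPAddress, $d.Location.CountryOrRegion, $d.DetectedDateTime, $d.RiskState)
    }
} catch {
    Write-Warning "Risk detections unavailable (no Entra ID P2 licence or missing permission): $($_.Exception.Message)"
}

$findings | Sort-Object Severity | Format-Table -AutoSize -Wrap
$findings | Export-Csv -Path ".\$CustomerTenantId-identity-findings.csv" -NoTypeInformation   # file name is an assumption
Disconnect-MgGraph | Out-Null
```

The role-addition check deliberately reads the audit log rather than the current role membership: a technician who is added to Global Administrator and removed again an hour later leaves no trace in a membership snapshot but is still recorded as an "Add member to role" event. The risk-detection section is wrapped in try/catch because the endpoint returns an error, not an empty set, in tenants without a P2 licence.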
Tooling Options
- Microsoft Native: For customers with the right licences (e.g., Entra ID P2), **Identity Protection** automates detection of risky users and sign-ins. These signals can be fed into **Microsoft Sentinel** (a cloud-native SIEM/SOAR) for advanced analysis and response.
- Third-Party SOC: Many MSPs partner with dedicated SOC providers like **RocketCyber** or others that specialise in integrating with the Microsoft ecosystem to provide a managed detection and response service across all clients.
Secure Your Own House First
Your MSP tenant holds the "keys to the kingdom." A compromise of your own tenant could lead to a catastrophic supply-chain attack against all your clients. It must be your most secure environment.
- Enforce PIM for Everything: All roles, including those for managing GDAP, should require Privileged Identity Management (PIM) activation with approval.
- Strict CA Policies: Your internal Conditional Access policies should be the most stringent, requiring phishing-resistant MFA and compliant, managed devices for all admin tasks.
- Limit GDAP Management: Only a small, select group of senior engineers should have the ability to manage GDAP relationships and role assignments.
- Intense Auditing: Regularly audit your own tenant's sign-in and audit logs, paying close attention to administrative activities and alerts from your SOC.
Standardise & Automate
Efficiency, consistency, and security at scale are only possible through standardisation and automation.
- Scripted Policies: Use PowerShell or Microsoft Graph scripts to deploy your baseline Conditional Access policies to all new clients.
- Microsoft 365 Lighthouse: Use Lighthouse to get a multi-tenant view of security posture and deploy baseline configurations across clients.
- Consistent Naming: Enforce a strict naming convention for all policies, groups, and administrative accounts to avoid confusion and errors.
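As an added example of the "Scripted Policies" point (example code written for this page, not the author's or Microsoft's): the script below creates or updates the baseline Conditional Access policies from "Enforce a Baseline Security Policy" in a customer tenant through the Microsoft Graph PowerShell SDK. The policy names (following a consistent BASELINE-nnn convention), the parameters, the break-glass UPNs and the optional named-location id for high-risk countries are assumptions; the authentication strength id is the built-in "Phishing-resistant MFA" strength.

```powershell
# Added example (not code from this page's author or from Microsoft): push the baseline
# Conditional Access policies described on this page to a customer tenant. Policy names,
# the break-glass UPNs and the named-location id are assumptions supplied by the caller.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

param(
    [Parameter(Mandatory)] [string]   $CustomerTenantId,
    [Parameter(Mandatory)] [string[]] $BreakGlassUpns,   # accounts excluded from every policy
    [string] $HighRiskLocationId,                        # optional: id of a pre-created named location
    [switch] $Enforce                                    # default is report-only; pass -Enforce after review
)

Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All' -NoWelcome

# Resolve break-glass accounts to object ids. -ErrorAction Stop fails the whole run if a UPN
# is wrong, so a policy can never be written without its exclusion.
$breakGlassIds = foreach ($upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id -ErrorAction Stop).Id
}

$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

# Built-in authentication strength "Phishing-resistant MFA" (same id in every tenant).
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

$policies = @(
    @{
        displayName = 'BASELINE-001 Block legacy authentication'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')   # the legacy protocols only; modern clients are untouched
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName = 'BASELINE-002 Require phishing-resistant MFA'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $PhishingResistantStrengthId } }
    }
)

if ($HighRiskLocationId) {
    $policies += @{
        displayName = 'BASELINE-003 Block sign-ins from high-risk locations'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
            locations      = @{ includeLocations = @($HighRiskLocationId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

foreach ($p in $policies) {
    # Idempotent: a policy with the same name is updated rather than duplicated, so re-runs are safe.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $p
        Write-Host "Updated  $($p.displayName) [$state]"
    } else {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
        Write-Host "Created  $($p.displayName) [$state]"
    }
}

Disconnect-MgGraph | Out-Null
```

Policies are created in report-only mode unless -Enforce is passed, so the sign-in logs can be reviewed for what each policy would have blocked before it is turned on; the legacy-authentication policy in particular will show which scanners, copiers and service accounts still use basic authentication. The break-glass exclusion is applied to every policy, including the location block, which matches the "Locking Down" guidance of keeping those accounts out of the general policy set.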
Implement Entitlement Management
Automate and govern access for client projects or internal roles using Entra ID's Entitlement Management features (requires Entra ID P2).
- Access Packages: Bundle all the resources for a specific role (e.g., group memberships, application access) into a single package.
- Automated Lifecycle: Use approval workflows and time-limited assignments to ensure access is revoked automatically.
- Scheduled Reviews: Conduct regular attestation campaigns (Access Reviews) to prevent stale permissions.
- Audit Trail: Maintain compliance with exportable audit reports for all access requests and reviews.
Secure Score Monitoring
Treat the AetherCred User Score and Microsoft Secure Score as key performance indicators (KPIs) for your clients' security posture, not just as passive reports.
- Baseline & Trend Analysis: Establish a baseline score for each client and track trends to demonstrate improvement over time.
- Automated Alerts: Use Logic Apps or Sentinel to create alerts for significant score drops or new high-impact recommendations.
- Remediation Playbooks: Develop standardised procedures for common Secure Score actions to enable quick resolution.
Periodic Security Reviews
Well-designed security isn't "set once and forget". Conduct security reviews as often as possible to demonstrate ongoing diligence and provide strategic insights.
- Detect Configuration Drift: Check for any changes that deviate from your established security baseline.
- Validate Compliance: Assess the tenant's configuration against standards like Cyber Essentials, ISO 27001, or SOC2.
- Deliver Executive Reports: Provide clients with clear, concise reports that show security improvements and highlight remaining risks.
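Detecting configuration drift against an established baseline can be automated rather than eyeballed at each review. The following added example (written for this page; not AetherCred's or Microsoft's code) snapshots a tenant's Conditional Access policies into a JSON baseline on the first run and, on later runs, reports each policy that was added, removed, disabled or otherwise modified. It assumes PowerShell 7 (for ConvertFrom-Json -AsHashtable), the Microsoft Graph PowerShell SDK with Policy.Read.All, and the file-path convention shown in the parameters.

```powershell
# Added example (not code from this page or from Microsoft): snapshot a tenant's Conditional
# Access policies to a JSON baseline and, on later runs, report any policy that was added,
# removed, disabled or changed since the baseline was taken. Paths are assumptions.
#Requires -Version 7
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

param(
    [Parameter(Mandatory)] [string] $CustomerTenantId,
    [string] $BaselinePath = ".\$CustomerTenantId-ca-baseline.json",
    [switch] $SaveBaseline   # first run: write the baseline instead of comparing
)

Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'Policy.Read.All' -NoWelcome

# Sorted, null-free copy of a list so that ordering differences never count as drift.
function Sorted($value) { return @(@($value) | Where-Object { $null -ne $_ } | Sort-Object) }

# Reduce each policy to the security-relevant fields, keyed by display name, so that
# timestamps and object ids do not count as drift.
function Get-CaSnapshot {
    $snapshot = @{}
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $snapshot[$p.DisplayName] = @{
            state          = $p.State
            includeUsers   = Sorted $p.Conditions.Users.IncludeUsers
            excludeUsers   = Sorted $p.Conditions.Users.ExcludeUsers
            includeRoles   = Sorted $p.Conditions.Users.IncludeRoles
            includeApps    = Sorted $p.Conditions.Applications.IncludeApplications
            clientAppTypes = Sorted $p.Conditions.ClientAppTypes
            includeLocs    = Sorted $p.Conditions.Locations.IncludeLocations
            excludeLocs    = Sorted $p.Conditions.Locations.ExcludeLocations
            grantOperator  = $p.GrantControls.Operator
            grantControls  = Sorted $p.GrantControls.BuiltInControls
            authStrength   = $p.GrantControls.AuthenticationStrength.Id
        }
    }
    return $snapshot
}

# Canonical JSON (keys sorted) so a policy loaded from disk and one read live compare byte-for-byte.
function ConvertTo-CanonicalJson($policy) {
    $ordered = [ordered]@{}
    foreach ($k in ($policy.Keys | Sort-Object)) { $ordered[$k] = $policy[$k] }
    return ($ordered | ConvertTo-Json -Depth 6 -Compress)
}

$current = Get-CaSnapshot

if ($SaveBaseline) {
    $current | ConvertTo-Json -Depth 6 | Set-Content -Path $BaselinePath -Encoding utf8
    Write-Host "Baseline written to $BaselinePath ($($current.Count) policies)"
    Disconnect-MgGraph | Out-Null
    return
}

if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -SaveBaseline first." }

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json -AsHashtable
$drift    = [System.Collections.Generic.List[object]]::new()

foreach ($name in (@($baseline.Keys) + @($current.Keys) | Sort-Object -Unique)) {
    $inBaseline = $baseline.ContainsKey($name)
    $inCurrent  = $current.ContainsKey($name)
    $change = $null
    if (-not $inBaseline)                                         { $change = 'ADDED' }
    elseif (-not $inCurrent)                                      { $change = 'REMOVED' }
    elseif ($current[$name].state -ne $baseline[$name].state)     { $change = "STATE: $($baseline[$name].state) -> $($current[$name].state)" }
    elseif ((ConvertTo-CanonicalJson $current[$name]) -ne (ConvertTo-CanonicalJson $baseline[$name])) { $change = 'MODIFIED' }
    if ($change) { $drift.Add([pscustomobject]@{ Policy = $name; Change = $change }) }
}

if ($drift.Count -eq 0) { Write-Host 'No Conditional Access drift from baseline.' }
else { $drift | Format-Table -AutoSize }

Disconnect-MgGraph | Out-Null
```

Take the baseline immediately after the review in which the client signed off the configuration (run with -SaveBaseline) and commit the JSON alongside the review report; each subsequent review then starts from a list of exact changes rather than a manual walk through the portal. A policy flipped from enabled to report-only shows up as a STATE change, which is the most common form of drift after a support call has "temporarily" relaxed a control.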