Actionable guidance and licence-aware recommendations to strengthen your identity posture in Microsoft Entra.
Policy / Action | Why It Matters | Recommended Process |
---|---|---|
Disable Password Expiry | Forced changes often lead to weaker, predictable passwords. Modern authentication makes expiry obsolete. | Set user password policies to "Never Expire" unless regulatory requirements mandate it. Combine with strong MFA. |
Enforce Modern MFA | Legacy methods (SMS, voice) are vulnerable to phishing and interception. Phishing-resistant methods bind the credential to the legitimate site's origin, so a lookalike page or proxy cannot reuse it. | Use Conditional Access authentication strengths to require FIDO2 security keys or passkeys (phishing-resistant); as a minimum baseline require Microsoft Authenticator with number matching, which stops MFA-fatigue prompts but is not phishing-resistant. |
Block Legacy Authentication | Legacy protocols (basic-auth IMAP, POP3, SMTP AUTH, Exchange ActiveSync) cannot enforce MFA, which makes them the primary vector for password spray attacks. | Use a Conditional Access policy scoped to the "Exchange ActiveSync clients" and "Other clients" app types to block them. Start in report-only mode and review sign-in logs to migrate reliant apps first. |
Review & Limit Admin Roles (PIM) | Standing admin access violates least privilege. A compromised Global Admin account is catastrophic. | Use PIM for Just-In-Time (JIT) role eligibility with MFA, justification, and approval workflows. |
Enable Identity Protection | Detects identity risks such as leaked credentials, anonymous IP addresses and atypical (impossible) travel, and can remediate them automatically. | Configure sign-in risk and user risk policies to require MFA or a secure password reset when high risk is detected. Automatic remediation only works for users who are already registered for MFA, so combine it with an MFA registration campaign. |
Enforce Device Compliance | Ensures only healthy devices (encrypted, up-to-date) can access corporate data, reducing risk from compromised endpoints. | Create Intune compliance policies and use Conditional Access to require compliant devices for access. |
Restrict User Consent to Apps | Malicious OAuth apps can trick users into granting permissions, leading to data exfiltration without password theft. | Block user consent and establish an admin consent workflow to vet and approve all new applications. |
Remove Stale Accounts | Dormant accounts increase the attack surface, especially if they are unmonitored or retain privileges. | Use AetherCred to identify unused accounts and implement a process to disable and eventually delete them. |
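As a worked example of the "Block Legacy Authentication" row, the following script (added here; it is not AetherCred's code) lists which users and protocols still rely on legacy authentication and then creates the blocking Conditional Access policy in report-only mode. It assumes the Microsoft Graph PowerShell SDK is installed, the signed-in account holds Conditional Access administrator rights, and an Entra ID P1/P2 licence (sign-in logs are not exposed through Graph on the Free tier). The `$breakGlassGroupId` value is a placeholder for your emergency access accounts group.

```powershell
# Added example (not part of AetherCred). Assumes the Microsoft Graph PowerShell SDK
# and an Entra ID P1/P2 licence for sign-in log access.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who still uses legacy auth? Sign-in log entries whose client app is anything
#    other than the two modern client types came in over a basic-auth protocol
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...).
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients) }

$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User     = $latest.UserPrincipalName
            Protocol = $latest.ClientAppUsed
            SignIns  = $_.Count
            LastSeen = $latest.CreatedDateTime
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# 2. The blocking policy. It is scoped to the two legacy client app types only, so
#    modern clients are unaffected, and it starts in report-only state so that the
#    "Report-only" result in sign-in logs can be reviewed before enforcing it.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency access accounts group

$policy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"        # switch to "enabled" once reliant apps are migrated
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")       # the legacy client app types
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Excluding the emergency access group is deliberate: a break-glass account must never depend on a policy that could lock it out, and those accounts should not be using legacy protocols in the first place. Once the report shows no legitimate legacy traffic for a full billing or reporting cycle, change `state` to `enabled`.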
AetherCred assigns each user a score from 0 to 100 to help you quickly identify the highest-risk accounts. The score starts at 100 and deducts points for each risk factor it detects: no MFA registered, a password that still expires, an account that has never signed in, and membership of a privileged role. A lower score indicates a higher risk.

```powershell
# Score a single user. Each deduction corresponds to a finding in the
# recommendations above; the lowest possible score is 0.
function Calculate-UserScore([bool]$mfaEnabled, [bool]$passwordNeverExpires,
                             [bool]$neverSignedIn, [bool]$privilegedRole) {
    $score = 100
    if (-not $mfaEnabled)           { $score -= 50 }  # no MFA registered: the largest single risk
    if (-not $passwordNeverExpires) { $score -= 20 }  # password still subject to forced rotation
    if ($neverSignedIn)             { $score -= 20 }  # dormant / never-used account
    if ($privilegedRole)            { $score -= 10 }  # holds a privileged directory role
    if ($score -lt 0) { $score = 0 }                  # clamp; the deductions sum to exactly 100
    return $score
}
```
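The scoring function needs four facts per user that AetherCred collects from the tenant. The script below is an added example (not AetherCred's own collector) that gathers those inputs with the Microsoft Graph PowerShell SDK and feeds them to `Calculate-UserScore`, which it assumes is already defined in the session from the block above. It also assumes an Entra ID P1/P2 licence, which is needed for `signInActivity` and the authentication method registration report, and the Graph scopes listed in the `Connect-MgGraph` call.

```powershell
# Added example (not AetherCred's code). Assumes Calculate-UserScore from above is
# loaded, the Microsoft Graph PowerShell SDK is installed, and Entra ID P1/P2.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All", "RoleManagement.Read.Directory"

# MFA registration state, from Entra's own registration report (keyed by user object ID).
$mfaRegistered = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfaRegistered[$_.Id] = $_.IsMfaRegistered }

# Users holding an *active* directory role assignment. PIM-eligible assignments that
# have not been activated are not returned here; they live in the PIM API instead.
$privileged = @{}
Get-MgDirectoryRole -All | ForEach-Object {
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All |
        ForEach-Object { $privileged[$_.Id] = $true }
}

# Enabled member accounts only; guests and disabled accounts are scored separately.
$report = Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled, PasswordPolicies, SignInActivity |
    Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled } |
    ForEach-Object {
        # passwordPolicies is a comma-separated string; "DisablePasswordExpiration" means never expires.
        $neverExpires = [bool]($_.PasswordPolicies -match 'DisablePasswordExpiration')
        # Treat the account as never used only if both interactive and non-interactive sign-in are empty.
        $neverSigned  = ($null -eq $_.SignInActivity.LastSignInDateTime) -and
                        ($null -eq $_.SignInActivity.LastNonInteractiveSignInDateTime)
        $hasMfa       = [bool]$mfaRegistered[$_.Id]
        $isPrivileged = [bool]$privileged[$_.Id]

        [pscustomobject]@{
            User                 = $_.UserPrincipalName
            MfaRegistered        = $hasMfa
            PasswordNeverExpires = $neverExpires
            NeverSignedIn        = $neverSigned
            PrivilegedRole       = $isPrivileged
            Score                = Calculate-UserScore $hasMfa $neverExpires $neverSigned $isPrivileged
        }
    }

# Lowest score first: these are the accounts to fix today.
$report | Sort-Object Score, User | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\user-scores.csv
```

Two caveats a practitioner should keep in mind when reading the output: a privileged user with no MFA and an expiring password scores 20 even if they sign in daily, which is the intended ordering (fix the admin first), and `signInActivity` is only populated for sign-ins after the tenant was licensed for it, so a long-lived but recently licensed tenant will briefly over-report "never signed in" accounts.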
Not all multi-factor authentication methods are created equal. Modern, phishing-resistant methods provide significantly higher security assurance than their legacy counterparts.
Legacy methods such as SMS codes and voice calls are vulnerable to social engineering, interception (SIM swap, call forwarding) and real-time phishing: the user can be talked into reading the code to an attacker, or typing it into a proxy site that forwards it to the real login page.
Modern methods such as FIDO2 security keys and passkeys use a cryptographic challenge-response bound to the site's origin, which makes them highly resistant to the attacks that plague legacy MFA. Microsoft Authenticator push with number matching sits in between: it defeats MFA-fatigue bombing, but an adversary-in-the-middle proxy can still relay the prompt, because the number the victim sees on the proxied page is the genuine one.
While related, strong authentication and phishing resistance are two distinct concepts. Phishing resistance is the gold standard for security.
Strong authentication refers to any resilient verification method that provides high assurance of a user's identity. It can still include legacy methods like SMS, which are "stronger" than a password alone but not immune to phishing; in Entra, the built-in "Multifactor authentication" strength is this tier.
Phishing resistance specifically focuses on preventing credential theft through social engineering. Methods like FIDO2 are phishing-resistant by design: the credential is cryptographically bound to the legitimate site's origin, so neither a lookalike page nor an adversary-in-the-middle proxy can obtain a usable response, regardless of what the user does.
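Entra expresses exactly this distinction through authentication strengths, and the difference is visible in the tenant itself. The script below is an added example (not part of AetherCred or of Microsoft's documentation) that prints the allowed method combinations of each built-in strength side by side, then creates a report-only Conditional Access policy requiring the built-in "Phishing-resistant MFA" strength for holders of a few high-impact directory roles. It assumes the Microsoft Graph PowerShell SDK and Conditional Access administrator rights; `$breakGlassGroupId` is a placeholder for the emergency access accounts group.

```powershell
# Added example (not part of AetherCred). Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "RoleManagement.Read.Directory"

# 1. The built-in strengths make the "strong vs phishing-resistant" split concrete:
#    "Multifactor authentication" still admits combinations such as password,sms,
#    while "Phishing-resistant MFA" admits only origin-bound credentials
#    (fido2, windowsHelloForBusiness, x509CertificateMultiFactor).
$builtIn = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object PolicyType -eq 'builtIn'
foreach ($strength in $builtIn) {
    "== $($strength.DisplayName) =="
    $strength.AllowedCombinations | Sort-Object | ForEach-Object { "   $_" }
}

$phishingResistant = $builtIn | Where-Object DisplayName -eq 'Phishing-resistant MFA'

# 2. Role template IDs are the same in every tenant; look them up by name rather
#    than hard-coding GUIDs. includeRoles takes role template IDs.
$adminRoles = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -in @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Security Administrator',
    'Conditional Access Administrator'
)

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency access accounts group

# 3. Report-only policy requiring the phishing-resistant strength for those roles.
$policy = @{
    displayName   = "Require phishing-resistant MFA for privileged roles"
    state         = "enabledForReportingButNotEnforced"        # review sign-in log results, then set "enabled"
    conditions    = @{
        users        = @{ includeRoles = @($adminRoles.Id); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "AND"
        authenticationStrength = @{ id = $phishingResistant.Id }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run step 1 on its own first: if the "Phishing-resistant MFA" list shows no method your admins have actually registered (a FIDO2 key, a passkey in Authenticator, or a certificate), enabling step 3 locks them out rather than protecting them. Register the method, confirm it with a test sign-in, and only then move the policy out of report-only.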
Understanding which features are in each tier is crucial for security planning and budgeting. The table below reflects Microsoft's published Entra ID plan comparison; features do move between tiers, so confirm against current licensing documentation before committing budget.
Feature / Capability | Entra ID Free | Entra ID P1 | Entra ID P2 |
---|---|---|---|---|
Conditional Access (CA): the core engine for enforcing access policies | No | Yes | Yes |
Token Protection (in CA): mitigates token theft by binding the sign-in session token to the device | No | Yes | Yes |
Identity Protection (risk-based CA): automates detection of and response to identity risks | No | No | Yes |
Privileged Identity Management (PIM): Just-In-Time (JIT) admin access | No | No | Yes |
Access Reviews: periodic, automated review of user access to resources and roles | No | No | Yes |
Self-Service Password Reset (SSPR) with password writeback for hybrid identities | No | Yes | Yes |