Remediation Guides

Step-by-step guidance for implementing key Entra ID security controls. These guides provide a high-level overview of the process.

Block Legacy Authentication

Why: Prevents password spray attacks and ensures all sign-ins can be protected by modern controls like MFA.

Licensing Note: Requires Entra ID P1 or higher.

How to Implement:

  1. Navigate to the Entra admin centre > Protection > Conditional Access.
  2. Create a new policy named "Block Legacy Authentication".
  3. Under 'Assignments', target 'All users'. Exclude your break-glass accounts.
  4. Under 'Target resources', target 'All cloud apps'.
  5. Under 'Conditions', select 'Client apps' and configure it to target 'Mobile apps and desktop clients' > 'Other clients'.
  6. Under 'Grant', select 'Block access'.
  7. Enable the policy in 'Report-only' mode first to assess impact, then switch to 'On'.
Microsoft Learn Documentation →

Enforce Phishing-Resistant MFA

Why: Protects against phishing and credential theft by requiring a secure second factor that cannot be easily intercepted.

Licensing Note: Requires Entra ID P1 or higher.

How to Implement:

  1. Navigate to Protection > Authentication methods > Policies.
  2. Enable modern methods such as 'Microsoft Authenticator' and 'FIDO2 security key', and disable legacy options such as 'SMS' and 'Voice call'.
  3. In the Microsoft Authenticator settings, ensure 'Number matching' is enabled for all users.
  4. Create a Conditional Access policy targeting 'All users' (excluding break-glass accounts) and 'All cloud apps'.
  5. Under 'Grant', select 'Grant access' but require 'Multifactor authentication'.
  6. For the highest security, you can specify 'Require phishing-resistant multifactor authentication'.
Microsoft Learn Documentation →
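
Both of the policies above can be created with Microsoft Graph PowerShell instead of the portal. The script below is an added example, not part of this guide or of Microsoft's documentation: it creates the 'Block Legacy Authentication' policy and the 'Require Phishing-Resistant MFA' policy in report-only mode, excludes the break-glass group from both, and then lists recent legacy-authentication sign-ins so the impact of the block policy can be assessed before it is switched on. It assumes the Microsoft.Graph modules are installed and that a group named "EXCLUDE - Break-Glass Accounts" already exists. The block policy goes slightly beyond the steps above by also targeting Exchange ActiveSync, which is a legacy protocol that cannot satisfy MFA either; the helper function name and the policy display names are this example's own.

```powershell
# Added example (not from the original guide): creates both Conditional Access
# policies in report-only mode with Microsoft Graph PowerShell, then lists
# recent legacy-auth sign-ins to assess the impact of the block policy.
# Assumes the Microsoft.Graph modules are installed and that the group
# "EXCLUDE - Break-Glass Accounts" already exists.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'EXCLUDE - Break-Glass Accounts'"
if (-not $breakGlassGroup) { throw 'Break-glass exclusion group not found; create it first.' }

# Helper (this example's own): every policy starts as report-only and excludes
# the break-glass group, so neither safety step can be forgotten.
function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    $Conditions['users'] = @{
        includeUsers  = @('All')
        excludeGroups = @($breakGlassGroup.Id)
    }
    $Conditions['applications'] = @{ includeApplications = @('All') }

    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # 'Report-only' in the portal
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: block legacy authentication. 'other' is the Graph name for the
# portal's 'Other clients'; exchangeActiveSync is added because it is also a
# legacy protocol that cannot satisfy MFA.
New-ReportOnlyCaPolicy -DisplayName 'Block Legacy Authentication' `
    -Conditions    @{ clientAppTypes = @('exchangeActiveSync', 'other') } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# Policy 2: require the built-in 'Phishing-resistant MFA' authentication
# strength. Looking the strength up by name avoids hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
New-ReportOnlyCaPolicy -DisplayName 'Require Phishing-Resistant MFA' `
    -Conditions    @{ clientAppTypes = @('all') } `
    -GrantControls @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }

# Impact check for policy 1: which accounts still sign in with legacy clients?
# The sign-in log records the client type in clientAppUsed; anything other
# than a browser or a modern-auth client is legacy and will be blocked.
$modern = @('Browser', 'Mobile Apps and Desktop Clients')
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Leave both policies in report-only mode until the sign-in report is empty (or every remaining entry is understood), then change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Report-only results also appear in the sign-in log, so the same query can confirm what the phishing-resistant policy would have required of each user.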

Implement Privileged Identity Management (PIM)

Why: Enforces least-privilege access by making admin roles "just-in-time" instead of permanent, drastically reducing the risk from compromised admin accounts.

Licensing Note: Requires Entra ID P2.

How to Implement:

  1. Navigate to Identity governance > Privileged Identity Management.
  2. Select 'Entra ID roles' and then 'Assignments'.
  3. Identify users with permanent high-privilege roles (e.g., Global Administrator).
  4. Remove their permanent assignment and re-add them as 'Eligible' for the same role.
  5. Select the role under 'Settings' to configure activation requirements, such as requiring MFA, justification, or approval from another admin.
  6. Repeat for all critical administrative roles.
Microsoft Learn Documentation →
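
Steps 3 and 4 can be scripted so that every permanent Global Administrator assignment is converted in one pass. The script below is an added example, not part of this guide: it finds active assignments for the role, skips the members of the break-glass group (those accounts must stay permanently active), and for everyone else creates the eligible assignment first and only then removes the permanent one, so no administrator is ever left without a path back to the role. It runs as a dry run unless `-Apply` is passed. It assumes Entra ID P2, Microsoft Graph PowerShell, and a group named "EXCLUDE - Break-Glass Accounts"; the `-Apply` switch and the justification text are this example's own.

```powershell
# Added example (not from the original guide): converts permanent Global
# Administrator assignments to PIM 'Eligible' assignments, skipping the
# break-glass accounts. Dry run unless -Apply is given.
# Assumes Entra ID P2 and Microsoft Graph PowerShell.

param([switch] $Apply)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'Group.Read.All'

# Well-known template id of the Global Administrator role (identical in every tenant).
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Principals that keep a permanent assignment: the members of the break-glass group.
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'EXCLUDE - Break-Glass Accounts'"
$keepPermanent   = @(Get-MgGroupMember -GroupId $breakGlassGroup.Id -All | ForEach-Object Id)

# Step 3: list the active (permanent) assignments for the role.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$globalAdminRoleId'"

foreach ($assignment in $active) {
    if ($assignment.PrincipalId -in $keepPermanent) {
        Write-Host "Keeping permanent assignment for break-glass principal $($assignment.PrincipalId)"
        continue
    }
    Write-Host "Converting $($assignment.PrincipalId) to Eligible"
    if (-not $Apply) { continue }

    # Step 4a: create the eligible assignment first so the admin never loses access.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = 'adminAssign'
        principalId      = $assignment.PrincipalId
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = '/'
        justification    = 'Convert permanent Global Administrator to PIM eligible'
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'noExpiration' }
        }
    }

    # Step 4b: remove the permanent active assignment through PIM.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = 'adminRemove'
        principalId      = $assignment.PrincipalId
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = '/'
        justification    = 'Permanent assignment replaced by PIM eligibility'
    }
}
```

Run it once without `-Apply` and read the output: every principal listed as "Converting" should be a person or group you expect, and every "Keeping" line should be a break-glass account. Step 5 (activation requirements such as MFA, justification and approval) is configured per role in PIM settings and is not covered by this script; repeat the conversion for the other critical roles by changing the role template id.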

Disable Password Expiry

Why: Modern research shows that forced password changes lead to weaker, predictable passwords. Disabling expiry, when combined with strong MFA, is more secure.

Licensing Note: Available in all Entra ID tiers.

How to Implement (PowerShell):

  1. Connect to Microsoft Graph PowerShell with a scope that allows user updates (read-only scopes such as `User.Read.All` are not sufficient for step 3): `Connect-MgGraph -Scopes "User.ReadWrite.All"`
  2. Check the current per-user setting. The `PasswordPolicies` property is not returned unless requested explicitly: `Get-MgUser -All -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName, PasswordPolicies`
  3. To set passwords to never expire for all users, run: `Get-MgUser -All | ForEach-Object { Update-MgUser -UserId $_.Id -PasswordPolicies "DisablePasswordExpiration" }`
  4. For individual users: `Update-MgUser -UserId 'user@domain.com' -PasswordPolicies "DisablePasswordExpiration"`
Microsoft Learn Documentation →
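
Expiry can be enforced at two levels, the tenant's password validity period (set per domain) and the per-user `PasswordPolicies` flag, so a check that looks at only one of them can report "disabled" while users are still being forced to change passwords. The script below is an added example, not part of this guide: it reads the validity period for every domain, then lists the cloud-only users who do not carry `DisablePasswordExpiration`. Synced users are skipped because their expiry is governed by on-premises AD, not by this flag. It assumes Microsoft Graph PowerShell.

```powershell
# Added example (not from the original guide): audits password expiry at the
# domain level and the per-user level and lists users still subject to expiry.
# Assumes Microsoft Graph PowerShell.

Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All'

# Domain level: 2147483647 days is the "never expires" value; anything smaller is
# an expiry window that applies to every user without DisablePasswordExpiration.
Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# User level: PasswordPolicies is not in the default property set, so request it.
$users = Get-MgUser -All -Property Id, UserPrincipalName, PasswordPolicies, OnPremisesSyncEnabled

# Synced users are governed by on-premises AD policy; only cloud accounts are checked.
$cloud = $users | Where-Object { -not $_.OnPremisesSyncEnabled }

# A null or empty PasswordPolicies value means the tenant default (expiry) applies.
$stillExpiring = $cloud | Where-Object { $_.PasswordPolicies -notmatch 'DisablePasswordExpiration' }

$stillExpiring | Select-Object UserPrincipalName, PasswordPolicies
'{0} of {1} cloud users still have password expiry enabled' -f @($stillExpiring).Count, @($cloud).Count
```

The `-notmatch` test is used rather than an exact comparison because `PasswordPolicies` is a comma-separated string that may also contain `DisableStrongPassword`, and because a null value (no policy set) must count as "expiry enabled". After step 3 has been run the final line should report 0.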

Restrict User Consent to Applications

Why: The default setting allows users to grant permissions to third-party apps, creating a risk of "consent phishing" where malicious apps steal data.

Licensing Note: Available in all Entra ID tiers.

How to Implement:

  1. Navigate to the Entra admin centre > Identity > Applications > Enterprise applications > Consent and permissions.
  2. Under 'User consent settings', select the option 'Do not allow user consent'.
  3. This change prevents non-admins from authorising new applications.
  4. To allow users to request access to new apps, configure the 'Admin consent workflow' on the same page. This creates a formal review process for administrators.
Microsoft Learn Documentation →
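
The two portal settings above correspond to two Graph objects: the authorization policy's `permissionGrantPoliciesAssigned` list (an empty list is 'Do not allow user consent') and the admin consent request policy. The script below is an added example, not part of this guide: it shows the current user-consent setting, removes all user consent policies, enables the admin consent workflow with a named reviewer, and reads both settings back. It assumes Microsoft Graph PowerShell; `reviewer@contoso.com` is a placeholder for a real reviewer account.

```powershell
# Added example (not from the original guide): applies 'Do not allow user
# consent' and enables the admin consent workflow with Microsoft Graph
# PowerShell. Assumes a reviewer account exists; the UPN is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'User.Read.All'

# Before: the default tenant setting carries a 'ManagePermissionGrantsForSelf.*'
# policy here, which is what lets users consent on their own behalf.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# Step 2: an empty permissionGrantPoliciesAssigned list disables user consent entirely.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# Step 4: let users request access and route each request to a named reviewer.
$reviewer = Get-MgUser -UserId 'reviewer@contoso.com'   # placeholder account
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30            # requests expire if nobody acts on them
    reviewers             = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' }
    )
}

# Verify: the count must be 0 and the workflow must report IsEnabled = True.
@((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned).Count
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, RequestDurationInDays, NotifyReviewers
```

Reviewers should be accounts that are monitored and that understand OAuth permission scopes; a reviewer who approves every request restores the original risk with an extra step. A group can be used as reviewer instead of an individual by pointing `query` at `/groups/{id}`.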

Configure a Break-Glass Account

Why: Ensures you can always access a tenant, even if all other admin accounts are locked out due to a misconfiguration or security incident.

Licensing Note: Available in all Entra ID tiers.

How to Implement:

  1. Create two new, cloud-only user accounts (e.g., `breakglass@tenant.onmicrosoft.com`).
  2. Assign the 'Global Administrator' role to both.
  3. Generate a very long (30+ character), complex password for each and store them securely in separate, offline locations.
  4. Do not configure any MFA methods or SSPR details for these accounts.
  5. Create a dedicated security group named "EXCLUDE - Break-Glass Accounts" and add both accounts to it.
  6. In all your Conditional Access policies, add this group to the 'Exclude' list to ensure they are never blocked.
  7. Consider using a dedicated Conditional Access policy that only allows the break-glass accounts to sign in from specific IP addresses (such as your office).
  8. Set up high-priority alerts in your SOC/monitoring tool to trigger on any sign-in from these accounts.
Microsoft Learn Documentation →
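
Steps 6 and 8 are the ones that decay over time: a new Conditional Access policy created without the exclusion, or a policy that names a break-glass account directly under 'Include', silently cancels the protection. The script below is an added example, not part of this guide: it checks every policy for a missing exclusion of the break-glass group or a direct inclusion of a break-glass account, then lists recent sign-ins by those accounts, which is the event a SOC alert should fire on. It assumes Microsoft Graph PowerShell and a group named "EXCLUDE - Break-Glass Accounts" whose members are the break-glass accounts.

```powershell
# Added example (not from the original guide): verifies that every Conditional
# Access policy excludes the break-glass group and lists recent sign-ins by the
# break-glass accounts. Assumes Microsoft Graph PowerShell and the named group.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All', 'User.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

$group   = Get-MgGroup -Filter "displayName eq 'EXCLUDE - Break-Glass Accounts'"
$members = Get-MgGroupMember -GroupId $group.Id -All
$upns    = foreach ($m in $members) {
    (Get-MgUser -UserId $m.Id -Property UserPrincipalName).UserPrincipalName
}

# Step 6 check: each policy must exclude the group, and must not list a
# break-glass account under includeUsers (a direct include wins over a group exclude).
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $users    = $p.Conditions.Users
    $missing  = $users.ExcludeGroups -notcontains $group.Id
    $included = @($users.IncludeUsers | Where-Object { $_ -in $members.Id }).Count -gt 0
    if ($missing -or $included) {
        [pscustomobject]@{
            Policy             = $p.DisplayName
            State              = $p.State
            MissingExclusion   = $missing
            IncludesBreakGlass = $included
        }
    }
}

# Step 8 check: recent sign-ins by the accounts. In normal operation this is
# empty; any entry is an event to investigate, successful or not.
foreach ($upn in $upns) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 20 |
        Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName,
            @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
}
```

An empty first table and an empty second table is the expected result. Running the policy check on a schedule (and after every Conditional Access change) catches the drift described above; the sign-in query is the same data the SOC alert in step 8 should be built on, so a planned quarterly test sign-in also confirms that the alert actually fires.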

Enable Self-Service Password Reset (SSPR)

Why: Reduces helpdesk tickets and empowers users, but must be configured securely to prevent it from becoming a weak link.

Licensing Note: Basic SSPR is free for cloud users. Password writeback to on-premises AD requires Entra ID P1 or higher.

How to Implement:

  1. Navigate to Protection > Password reset.
  2. Under 'Properties', choose to enable SSPR for 'Selected' groups or 'All' users. Start with a pilot group.
  3. Go to 'Authentication methods'. Set 'Number of methods required to reset' to 2.
  4. Select secure methods for users. Avoid relying solely on 'Email' or security questions.
  5. Under 'Registration', set 'Require users to register when signing in?' to 'Yes' to enforce enrolment.
  6. If you have a hybrid environment, configure password writeback for your on-premises sync method.
Microsoft Learn Documentation →
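
Whether steps 4 and 5 have actually taken effect is visible in the authentication methods registration report: it records, per user, whether SSPR is enabled and registered and which methods are registered. The script below is an added example, not part of this guide: it lists users who are enabled for SSPR but have not registered (step 5 not yet effective for them) and users whose only registered methods are email or security questions (the weak configuration step 4 warns about). It assumes Microsoft Graph PowerShell and the Entra ID P1 licence the report requires; the list of methods treated as strong is this example's own choice and can be adjusted to your tenant's policy.

```powershell
# Added example (not from the original guide): audits SSPR registration using
# the authentication methods registration report. Assumes Microsoft Graph
# PowerShell and Entra ID P1 or higher.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Methods treated as acceptable on their own for a reset (this example's own list);
# 'email' and 'securityQuestion' are deliberately absent.
$strongMethods = @('microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
                   'fido2SecurityKey', 'passKeyDeviceBound', 'mobilePhone',
                   'windowsHelloForBusiness', 'softwareOneTimePasscode', 'hardwareOneTimePasscode')

# Step 5 check: enabled for SSPR but never registered.
$notRegistered = $report | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered }

# Step 4 check: registered, but with no method from the strong list.
$weakOnly = $report | Where-Object {
    $_.IsSsprRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -in $strongMethods })
}

'SSPR-enabled but unregistered: {0}' -f @($notRegistered).Count
$notRegistered | Select-Object UserPrincipalName, IsMfaRegistered

'Registered with email/security questions only: {0}' -f @($weakOnly).Count
$weakOnly | Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }
```

The second list is the one to act on first: with 'Number of methods required to reset' set to 2, a user whose only two methods are email and security questions can still reset, and both of those factors are exactly what an attacker who has compromised a mailbox or researched the user is likely to hold. Re-run the report after the pilot group has completed registration and again after expanding the scope to all users.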