
Default tenant settings you might not know about part 1

Vlad Johansen

Updated: Feb 17

Hello everyone


Today's blog post focuses on default tenant settings. By default, these settings may be enabled, disabled, or not configured at all. It's crucial for every administrator with tenant access to review these settings thoroughly. While there are no mandatory configurations, I will share my recommendations.


Let's start with Entra ID default settings


Go to entra.microsoft.com -> Users -> User settings

1. Users can register applications

Indicates whether the default user role can create applications in Entra.

Set this to NO, because you don't want regular users to be able to create applications.


2. Users can create security groups

Indicates whether the default user role can create security groups in Entra / Azure.

Set this to NO, because you don't want regular users to be able to create security groups.


3. Guest user access restrictions

This setting determines whether guests have full access to enumerate all users and group memberships (most inclusive), limited access to other users and memberships, or no access to other users and group memberships, including groups they are a member of (most restrictive).

I recommend setting this to most restrictive.


4. Restrict access to Microsoft Entra admin center

Use this switch to prevent users from misconfiguring the resources that they own from the Microsoft Entra admin center. This is not a security measure. "No" lets non-administrators browse the Microsoft Entra admin center. "Yes" restricts:

- Non-administrators from browsing the Microsoft Entra admin center.
- Non-administrators who are owners of groups or applications from using the Microsoft Entra admin center to manage their owned resources.

As mentioned above, this is to prevent users from misconfiguring the resources that they own (groups, etc.). They can't configure other settings that require admin roles anyway, but they can see them if you don't turn this setting ON.

Remember, this only covers the Entra ID admin portal. It doesn't cover other admin portals like the Intune admin center, the Microsoft admin center, etc. If you want to restrict access to all admin portals, create a Conditional Access policy instead:

Users:

Include: All Users

Exclude: Admins

Target resources:

Include: Microsoft Admin Portals

Exclude: Office 365 and My Apps (if you don't exclude those, end users will not be able to request access packages or download the Office package from office.com; hopefully Microsoft will fix this soon). I have heard about other issues, like accessing the quarantine page in Defender, without excluding some apps as well, but I was not able to replicate this issue in my tenant. The sign-in log says that Conditional Access doesn't block the access, so it should only be the settings in Defender.

Grant: Block Access


6. Show keep user signed in

The Microsoft Entra ID sign-in flow gives users the option to remain signed in until they explicitly sign out. This doesn't change the Microsoft Entra ID session lifetime but allows sessions to remain active when users close and reopen their browser. Set this to "No" to hide this option from your users.

You have a similar setting in Conditional Access, named persistent browser session, which can be activated with another Conditional Access policy. But what happens if we don't turn off this setting in Entra and have a persistent browser session Conditional Access policy scoped and activated?

If the persistent browser session is enabled in Conditional Access, it can enforce session persistence regardless of the user's choice in the KMSI (Keep Me Signed In) prompt. Conversely, if it is disabled, users will need to reauthenticate even if they selected "Yes" in the KMSI prompt.

We also have a setting named Sign-in frequency in Conditional Access, which adds another layer of control by defining how often reauthentication is required, for example every day or every 8 hours.

With these methods, users' access and refresh tokens will be generated again. By default, a user's refresh token has a lifespan of up to 90 days. This is a critical scenario when a user account gets compromised by hackers: they can stay signed in for many days without needing to reauthenticate. But this alone isn't enough today, so...

Passkeys and / or security keys to the rescue here, guys! Or at least compliant device policies!
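The two Conditional Access recipes above (the admin portal block from setting 4 and the persistent browser / sign-in frequency controls from setting 6) as Graph request bodies, plus a small lint that catches the mistakes the post warns about. This is an added example, not code from the original post; the ADMIN_EXCLUSION_GROUP_ID and MY_APPS_APP_ID values are placeholders for your own tenant, and the policies are deliberately created in report-only mode.

```python
"""Conditional Access policy bodies for the two recipes in this post.

Added example, not from the original post. The dictionaries follow the Microsoft
Graph conditionalAccessPolicy schema used by
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
Assumptions: ADMIN_EXCLUSION_GROUP_ID and MY_APPS_APP_ID are placeholders for
values from your own tenant, and both policies start in report-only mode.
"""
import json

ADMIN_EXCLUSION_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: your admin/break-glass group
MY_APPS_APP_ID = "<my-apps-application-id>"  # placeholder: application id of My Apps in your tenant


def block_admin_portals_policy(admin_group_id: str = ADMIN_EXCLUSION_GROUP_ID,
                               my_apps_app_id: str = MY_APPS_APP_ID) -> dict:
    """Setting 4 recipe: block Microsoft Admin Portals for everyone except admins.

    Office 365 and My Apps are excluded so users can still request access
    packages and download Office from office.com.
    """
    return {
        "displayName": "Block admin portals for non-admins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [admin_group_id]},
            "applications": {
                "includeApplications": ["MicrosoftAdminPortals"],
                "excludeApplications": ["Office365", my_apps_app_id],
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def session_hardening_policy(sign_in_frequency_hours: int = 8,
                             admin_group_id: str = ADMIN_EXCLUSION_GROUP_ID) -> dict:
    """Setting 6 follow-up: never persist the browser session and require
    re-authentication on a fixed interval, so a KMSI "Yes" or a long-lived
    refresh token cannot keep a compromised account signed in for weeks.
    """
    return {
        "displayName": "Session controls: no persistent browser, sign-in frequency",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [admin_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "sessionControls": {
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
            "signInFrequency": {
                "isEnabled": True,
                "type": "hours",
                "value": sign_in_frequency_hours,
                "frequencyInterval": "timeBased",
            },
        },
    }


def lint_policy(policy: dict) -> list:
    """Catch the mistakes the post warns about before the policy is created."""
    findings = []
    users = policy["conditions"]["users"]
    if not users.get("excludeGroups") and not users.get("excludeRoles"):
        findings.append("no admin exclusion: a block policy could lock out all admins")
    if policy.get("state") == "enabled":
        findings.append("enforced immediately: create it in report-only mode first")
    apps = policy["conditions"]["applications"]
    if "MicrosoftAdminPortals" in apps.get("includeApplications", []):
        if "Office365" not in apps.get("excludeApplications", []):
            findings.append("Office 365 not excluded: access packages and office.com downloads break")
    browser = policy.get("sessionControls", {}).get("persistentBrowser") or {}
    if browser.get("mode") == "always":
        findings.append("persistentBrowser=always keeps sessions alive regardless of the KMSI setting")
    return findings


if __name__ == "__main__":
    for pol in (block_admin_portals_policy(), session_hardening_policy()):
        print(json.dumps(pol, indent=2))
        print("lint:", lint_policy(pol) or "ok")
```

Run the lint against the report-only policy, review the sign-in log for a few days, and only then flip `state` to `enabled`; the admin exclusion is what keeps the block from locking you out of the portals you are protecting.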


Now, let's take a look at External collaboration settings.

7. Guest invite settings

This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.

By default the first option is selected. I recommend changing this setting to option number 2. If you don't want to have thousands of active and inactive guests in your tenant, create access reviews in Entra and assign group owners and reviewers.


8. Device settings

Now let's go to Devices -> All devices -> Device settings


9. Users may join devices to Microsoft Entra

Select the users and groups that are allowed to join devices to Microsoft Entra. This setting applies to Microsoft Entra join on Windows and macOS devices. It does not apply to Microsoft Entra hybrid joined devices, Microsoft Entra joined VMs in Azure, or Microsoft Entra joined devices using Windows Autopilot self-deployment mode, as these methods work in a userless context.

This can also be managed in the Intune admin center, and that setting will override this one. My recommendation is to create a policy for this and not allow all versions of Windows and Mac, for example only Windows 11 or the newest Mac devices.


10. Users may register their devices with Microsoft Entra

Allow users to register their devices with Microsoft Entra (Workplace Join). Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires device registration. If you have configured either of these services, ALL will be selected and the button will be disabled.

This can also be managed in the Intune admin center, and those settings will override this one. My recommendation is to disable the BYOD scenario for Windows and Macs and only allow BYOD for iOS / Android devices with strong app protection policies.



11. Require Multifactor Authentication to register or join devices with Microsoft Entra

Require multifactor authentication when adding devices to Microsoft Entra. When set to 'Yes', users who are adding devices from the internet must add a second method of authentication. This setting does not apply to Microsoft Entra hybrid joined devices, Microsoft Entra joined VMs in Azure, or Microsoft Entra joined devices using Windows Autopilot self-deployment mode.

Of course, have it on YES. This setting is critical, and my recommendation here is to create an additional Conditional Access policy and restrict device registration to, for example, only your country's IP addresses.


12. Maximum number of devices per user

Designates the maximum number of devices a user can have in Microsoft Entra. If a user reaches this quota, they will not be able to add additional devices until one or more of their existing devices are removed.

The default value is 50, but my recommendation here is 5 or 10, depending on your needs.



13. Global administrator role is added as local administrator on the device during Microsoft Entra join (Preview)

This setting determines whether the Microsoft Entra Global Administrator role is added to the local administrators group. This setting applies only once, during the actual registration of the device as Microsoft Entra join.

I have actually tested this preview setting and it works. My recommendation here is to use LAPS or EPM in Intune and set this setting to NO.


14. Registering user is added as local administrator on the device during Microsoft Entra join (Preview)

This setting determines whether the Microsoft Entra user registering their device as Microsoft Entra join is added to the local administrators group. This setting applies only once, during the actual registration of the device as Microsoft Entra join.

Definitely set this to NO. Restrict this with Intune policies or an Autopilot profile (Windows), or at least use LAPS or EPM for this purpose.



15. Enable Microsoft Entra Local Administrator Password Solution (LAPS)

LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With the cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Microsoft Entra joined and Microsoft Entra hybrid joined devices.

Better YES than NO, depending on whether you use EPM or LAPS. Don't forget to set this up in Intune for your devices.
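Settings 9 to 15 all live in one Graph object, so they can be audited together. The following is an added example, not code from the original post: it checks a device registration policy against the recommendations above and builds a hardened copy. The property names are my reading of the Graph deviceRegistrationPolicy resource (verify them against the current reference), the join_group_id is a placeholder, and the sample payload is constructed to look like an untouched tenant.

```python
"""Audit a Microsoft Entra device registration policy against settings 9 to 15.

Added example, not from the original post. The input is the JSON body of
GET https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy; the
property names used here are my reading of the Graph deviceRegistrationPolicy
resource, so verify them against the current reference before relying on the
audit. The sample payload is constructed to look like an untouched tenant.
"""
from copy import deepcopy
from dataclasses import dataclass

ALL_USERS = {"@odata.type": "#microsoft.graph.allDeviceRegistrationMembership"}
NO_USERS = {"@odata.type": "#microsoft.graph.noDeviceRegistrationMembership"}
MEMBERSHIP_KINDS = {
    "#microsoft.graph.allDeviceRegistrationMembership": "all",
    "#microsoft.graph.noDeviceRegistrationMembership": "none",
    "#microsoft.graph.enumeratedDeviceRegistrationMembership": "enumerated",
}

# Constructed sample: the defaults the post describes (quota 50, no MFA, admins everywhere)
SAMPLE_DEFAULT_POLICY = {
    "userDeviceQuota": 50,
    "multiFactorAuthConfiguration": "notRequired",
    "azureADJoin": {
        "isAdminConfigurable": True,
        "allowedToJoin": ALL_USERS,
        "localAdmins": {"enableGlobalAdmins": True, "registeringUsers": ALL_USERS},
    },
    "azureADRegistration": {"isAdminConfigurable": False, "allowedToRegister": ALL_USERS},
    "localAdminPassword": {"isEnabled": False},
}


@dataclass
class Finding:
    setting: int   # number of the setting in this post
    message: str


def membership(m) -> str:
    """Reduce a deviceRegistrationMembership object to 'all', 'none' or 'enumerated'."""
    return MEMBERSHIP_KINDS.get((m or {}).get("@odata.type"), "unknown")


def audit_device_registration(policy: dict, max_devices: int = 10) -> list:
    findings = []
    join = policy.get("azureADJoin", {})
    reg = policy.get("azureADRegistration", {})
    admins = join.get("localAdmins", {})
    if membership(join.get("allowedToJoin")) == "all":
        findings.append(Finding(9, "all users may join devices; scope this to a group"))
    if membership(reg.get("allowedToRegister")) == "all":
        findings.append(Finding(10, "all users may register BYOD devices; Intune forces this to All, "
                                    "so restrict BYOD with Intune enrollment restrictions"))
    if policy.get("multiFactorAuthConfiguration") != "required":
        findings.append(Finding(11, "MFA is not required to register or join devices"))
    quota = policy.get("userDeviceQuota", 50)
    if quota > max_devices:
        findings.append(Finding(12, f"device quota is {quota}, recommended at most {max_devices}"))
    if admins.get("enableGlobalAdmins"):
        findings.append(Finding(13, "Global Administrators become local admins on joined devices"))
    if membership(admins.get("registeringUsers")) != "none":
        findings.append(Finding(14, "the registering user becomes a local admin on joined devices"))
    if not policy.get("localAdminPassword", {}).get("isEnabled"):
        findings.append(Finding(15, "Entra LAPS is disabled"))
    return findings


def recommended_policy(current: dict, join_group_id: str) -> dict:
    """Hardened copy of the policy. join_group_id is a placeholder for the group
    that may join devices. azureADRegistration is left alone on purpose because
    Intune enrollment forces it to All (see setting 10)."""
    p = deepcopy(current)
    p["multiFactorAuthConfiguration"] = "required"
    p["userDeviceQuota"] = 10
    p["azureADJoin"]["allowedToJoin"] = {
        "@odata.type": "#microsoft.graph.enumeratedDeviceRegistrationMembership",
        "users": [],
        "groups": [join_group_id],
    }
    p["azureADJoin"]["localAdmins"] = {"enableGlobalAdmins": False, "registeringUsers": NO_USERS}
    p["localAdminPassword"] = {"isEnabled": True}
    return p


if __name__ == "__main__":
    for f in audit_device_registration(SAMPLE_DEFAULT_POLICY):
        print(f"setting {f.setting}: {f.message}")
```

The hardened copy still trips the setting 10 check, which is intentional: as the post notes, once Intune is configured that switch is forced to ALL, so BYOD for Windows and Mac has to be blocked through Intune enrollment restrictions rather than here.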


Now let's go to Applications -> Enterprise applications -> User settings -> Consent and permissions

16. User consent for applications

My recommendation here is to select permissions on option number 2 or switch this to option number 1; it depends on your business policies and needs. Also take a look at your existing enterprise applications / app registrations in Entra and remove any old apps / permissions.

If you choose option number 1, remember to set up this one




17. Group expiration

Groups -> Group settings -> Expiration

Decide how long your groups should be active, 180 or 365 days, and remember to set up contact email(s) for admins who can decide whether a group needs to be deleted or not.
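Settings 1, 2, 3, 7 and 16 are all properties of the tenant's authorization policy, and setting 17 is the group lifecycle policy, so one script can audit all of them. This is an added example, not code from the original post. The role template ids and permission-grant policy ids are the documented Graph values; how they correspond to the numbered options in the portal is my assumption, the contact email is a placeholder, and both sample payloads are constructed to resemble an untouched tenant.

```python
"""Audit the Entra ID defaults behind settings 1-3, 7, 16 and 17.

Added example, not from the original post. Inputs are the JSON bodies of
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy and
GET https://graph.microsoft.com/v1.0/groupLifecyclePolicies. The role template
ids and permission-grant policy ids are the documented Graph values; how they
map to the numbered options in the portal is my assumption. Both sample
payloads are constructed to resemble an untouched tenant.
"""
from copy import deepcopy

# guestUserRoleId values (documented role template ids)
RESTRICTED_GUEST = "2af84b1e-32c8-42b7-82bc-daa82404023b"   # most restrictive
LIMITED_GUEST = "10dae51f-b6af-4016-8d66-8c2a99b929b3"      # limited access (default)
MEMBER_LIKE_GUEST = "a0b1b346-4d3e-4e8b-98f8-753987be4970"  # most inclusive

# permissionGrantPolicyIdsAssignedToDefaultUserRole values behind the consent options
CONSENT_ALLOW_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # option 3
CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"      # option 2
# option 1 ("do not allow user consent") is an empty list

SAMPLE_AUTHZ = {  # constructed sample
    "allowInvitesFrom": "everyone",
    "guestUserRoleId": LIMITED_GUEST,
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
    },
    "permissionGrantPolicyIdsAssignedToDefaultUserRole": [CONSENT_ALLOW_ALL],
}
SAMPLE_LIFECYCLE = {"value": []}  # constructed sample: no expiration policy at all


def audit_authorization_policy(p: dict) -> list:
    """Return one line per deviation from the recommendations in this post."""
    findings = []
    perms = p.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps"):
        findings.append("1: users can register applications (set allowedToCreateApps=false)")
    if perms.get("allowedToCreateSecurityGroups"):
        findings.append("2: users can create security groups (set allowedToCreateSecurityGroups=false)")
    if p.get("guestUserRoleId") != RESTRICTED_GUEST:
        findings.append("3: guest access is not most restrictive (set guestUserRoleId to Restricted Guest)")
    if p.get("allowInvitesFrom") == "everyone":
        findings.append("7: guests and all users can invite guests (use adminsGuestInvitersAndAllMembers)")
    grants = p.get("permissionGrantPolicyIdsAssignedToDefaultUserRole", [])
    if CONSENT_ALLOW_ALL in grants:
        findings.append("16: users can consent to any application for any permission")
    return findings


def audit_group_expiration(lifecycle: dict, max_days: int = 365) -> list:
    policies = lifecycle.get("value", [])
    if not policies:
        return ["17: no group expiration policy configured"]
    findings = []
    for pol in policies:
        days = pol.get("groupLifetimeInDays")
        if days is None or days > max_days:
            findings.append(f"17: group lifetime {days} days, recommended at most {max_days}")
        if not pol.get("alternateNotificationEmails"):
            findings.append("17: no contact email for groups without an owner")
        if pol.get("managedGroupTypes") == "None":
            findings.append("17: expiration policy applies to no groups")
    return findings


def recommended_authorization_policy(current: dict, consent_option: int = 2) -> dict:
    """Copy of the policy with the recommended values, usable as a PATCH body."""
    p = deepcopy(current)
    p["defaultUserRolePermissions"]["allowedToCreateApps"] = False
    p["defaultUserRolePermissions"]["allowedToCreateSecurityGroups"] = False
    p["guestUserRoleId"] = RESTRICTED_GUEST
    p["allowInvitesFrom"] = "adminsGuestInvitersAndAllMembers"
    p["permissionGrantPolicyIdsAssignedToDefaultUserRole"] = (
        [] if consent_option == 1 else [CONSENT_LOW_RISK])
    return p


def recommended_group_lifecycle(contact_email: str, days: int = 180) -> dict:
    """Body for POST /groupLifecyclePolicies; contact_email is a placeholder."""
    return {"groupLifetimeInDays": days, "managedGroupTypes": "All",
            "alternateNotificationEmails": contact_email}


if __name__ == "__main__":
    for line in audit_authorization_policy(SAMPLE_AUTHZ) + audit_group_expiration(SAMPLE_LIFECYCLE):
        print(line)
```

Feeding the real responses of the two GET calls into the audit functions gives the same numbered findings as the walk-through above, which makes it easy to re-run after every tenant change or as a scheduled drift check.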


18. Authentication methods - policies

Protection -> Authentication methods

By default there are not many options activated and scoped here, especially if you are still using the old per-user MFA / legacy MFA portal. Decide to ban SMS and other unsafe authentication methods and allow safer methods like TAP, FIDO2, etc. Also check out the new QR code authentication method here, which can be used by frontline workers, for example.

Remember that the per-user MFA / legacy MFA portal will be deprecated in September this year, so you had better migrate before this date and start administering all your methods in here :) Read my blog post from last year on how you can migrate this.


19. Authentication methods - Password protection

My recommendation here is to create a custom banned password list for your organization. You can find many good examples on the internet and just copy-paste them in here. Also take a closer look at the lockout threshold and lockout duration settings and decide the best practice here.

If you have a hybrid environment, I can also recommend that you set up and configure password protection for your Active Directory.
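To understand what a custom banned password list actually does, it helps to see how Entra evaluates a candidate against it. The following added example (not code from the original post) follows the evaluation steps Microsoft documents for Password Protection in simplified form: normalise the password, mark banned terms, score. It assumes no fuzzy (edit-distance-1) matching, no global banned list and no user-specific terms, all of which the real service adds on top of the custom list; the banned list itself is a constructed sample.

```python
"""How Microsoft Entra Password Protection scores a password against a banned list.

Added example, not from the original post. It follows the evaluation steps
Microsoft documents for the feature in simplified form: normalise, mark banned
terms, score. Assumptions: no fuzzy (edit-distance-1) matching, no global
banned list and no user-specific terms, all of which the real service adds on
top of the custom list. The banned list below is constructed for the demo.
"""
# Documented normalisation: lower-case plus these character substitutions
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
CUSTOM_BANNED = ["contoso", "blank", "password", "welcome"]  # constructed sample list
MIN_SCORE = 5  # a password needs at least five points to be accepted
MARK = "\0"    # marker for characters already consumed by a banned term


def normalise(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned=CUSTOM_BANNED):
    """Return (points, matched banned terms).

    Each banned term found in the normalised password is worth one point and
    every remaining character is worth one point, so "C0ntoso1Blank" is only
    contoso + blank + "l" = 3 points and gets rejected.
    """
    remaining = normalise(password)
    matched = []
    for term in sorted(banned, key=len, reverse=True):  # longest terms first
        while term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, MARK, 1)  # consume it so it is not counted twice
    points = len(matched) + len(remaining.replace(MARK, ""))
    return points, matched


def is_accepted(password: str, banned=CUSTOM_BANNED) -> bool:
    return score(password, banned)[0] >= MIN_SCORE


if __name__ == "__main__":
    for candidate in ("C0ntoso1Blank", "Pa$$w0rd", "Contoso1Blank!2x"):
        points, terms = score(candidate)
        verdict = "accepted" if is_accepted(candidate) else "rejected"
        print(f"{candidate!r}: {points} points, banned terms {terms}, {verdict}")
```

The scoring is why short, "clever" substitutions such as `Pa$$w0rd` do not help: after normalisation the whole string collapses into one banned term worth a single point. When you copy a list from the internet, run a few of your organisation's real-world favourites through this before uploading it to see what the list will and will not catch.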


20. Password reset - Registration

Number of days before users are asked to re-confirm their authentication information

Designates the period of time before registered users are prompted to re-confirm that their existing authentication information is still valid, up to a maximum of 730 days. If set to 0 days, registered users will never be prompted to re-confirm their existing authentication information.

By default this setting is set to 180 days, but my recommendation is to set this to, for example, 60 or 90 days.


21. SharePoint - Sharing policies

The first setting is best edited per site and not in here, so do it per site. There are always sites in an organization that need to be excluded from external sharing!

Allow guests to share items they don't own: uncheck this one.

When this setting is turned off, guests can only share items for which they have full control.

Guest access to a site or OneDrive will expire automatically after this many days

It's recommended to turn this ON and decide how many days it should be active.

People who use a verification code must reauthenticate after this many days

Same with this one: turn this setting ON and decide the number of days.

Choose the permission that's selected by default for sharing links

Choose View here. It's unnecessary to have this default on Edit and let people edit your files.

Choose expiration and permissions options for Anyone links

Activate this setting and decide the number of days.



22. SharePoint - Access control

1. Apps that don't use modern authentication

It's recommended to configure this setting to automatically sign out users on unmanaged devices.

2. Unmanaged devices

Decide whether you want to block access to SharePoint, Teams, OneDrive, etc. from unmanaged devices or not. This setting can also be managed per site or with Conditional Access policies, which will be created if you choose to block access.


23. Teams - Teams apps

Here we can find almost 3000 different applications, and every application is allowed to be installed by end users. My recommendation is to block ALL applications and exclude only the necessary Office / other applications that are in use in your organization.

24. Teams - Teams settings - Files

My recommendation is to turn off the file sharing options in the Files tab to avoid simple sharing to private storage.


25. Teams - Meeting policies

1. Anonymous users can join a meeting unverified

In meetings, webinars, and town halls hosted by your organization, anonymous users are users whose identities aren't verified. These users could include:

- Users who aren't logged in to Teams with a work or school account.
- Users from non-trusted organizations (as configured in external access) and from organizations that you trust but which don't trust your organization. When defining trusted organizations for external meetings and chat, ensure both organizations allow each other's domains. Meeting organizers and participants should have user policies that allow external access. These settings prevent attendees from being considered anonymous due to external access settings.

Decide whether this setting should be turned on or off for your organization.

2. Who can bypass the lobby

My recommendation here is to choose People in my org.

Thanks for reading part 1 and see you in part 2!


