# Azure AD (Entra)


**Section Purpose:** The security section shows recommended security controls for Azure AD based on the CIS Controls. Each control contains the following subsections:

* Description
* Policy Definition
* Licensing Considerations
* Set Up Instructions
* End-User Impact
* PowerShell Scripts
* Video Tutorials

| Policy                                                                                                                                                                                                 | End-User Impact                                      | License              | Lower License Alternative                                                                   |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------- | -------------------- | ------------------------------------------------------------------------------------------- |
| [MFA Shall Be Required for All Users](/security/azure-ad-entra/mfa-shall-be-required-for-all-users.md)                                                                                                 | <mark style="background-color:red;">High</mark>      | Azure AD P1          | Enforcing Per User MFA or MFA via Security Defaults                                         |
| [MFA is enforced on accounts with Highly Privileged Roles](/security/azure-ad-entra/mfa-is-enforced-on-accounts-with-highly-privileged-roles.md)                                                       | <mark style="background-color:green;">Low</mark>     | Azure AD P1          | Enforcing Per User MFA or MFA via Security Defaults                                         |
| [MFA is enforced for Azure Management](/security/azure-ad-entra/mfa-is-enforced-for-azure-management.md)                                                                                               | <mark style="background-color:green;">Low</mark>     | Azure AD P1          | N/A                                                                                         |
| [MFA registration and usage shall be periodically reviewed](/security/azure-ad-entra/mfa-registration-and-usage-shall-be-periodically-reviewed.md)                                                     | None                                                 | Any                  | Any                                                                                         |
| [Legacy Authentication shall be blocked](/security/azure-ad-entra/legacy-authentication-shall-be-blocked.md)                                                                                           | <mark style="background-color:yellow;">Medium</mark> | Azure AD P1          | Legacy Auth methods can be disabled in an account manually without P1 via Security Defaults |
| [High Risk Users Shall Be Blocked](/security/azure-ad-entra/high-risk-users-shall-be-blocked.md)                                                                                                       | <mark style="background-color:red;">High</mark>      | Azure AD P2          | N/A                                                                                         |
| [High Risk Sign-Ins Shall Be Blocked](/security/azure-ad-entra/high-risk-sign-ins-shall-be-blocked.md)                                                                                                 | <mark style="background-color:red;">High</mark>      | Azure AD P2          | N/A                                                                                         |
| [Browser Sessions shall not be persistent for privileged users](/security/azure-ad-entra/browser-sessions-shall-not-be-persistent-for-privileged-users.md)                                             | <mark style="background-color:yellow;">Medium</mark> | Azure AD P1          | N/A                                                                                         |
| [MFA shall be required to enroll devices to Azure AD](/security/azure-ad-entra/mfa-shall-be-required-to-enroll-devices-to-azure-ad.md)                                                                 | <mark style="background-color:yellow;">Medium</mark> | Any                  | N/A                                                                                         |
| [Managed Devices shall be required for authentication](/security/azure-ad-entra/managed-devices-shall-be-required-for-authentication.md)                                                               | <mark style="background-color:red;">High</mark>      | Azure AD P1 + Intune | N/A                                                                                         |
| [Guest User Access Shall be restricted](/security/azure-ad-entra/guest-user-access-shall-be-restricted.md)                                                                                             | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [The number of users with highly privileged roles shall be limited](/security/azure-ad-entra/the-number-of-users-with-highly-privileged-roles-shall-be-limited.md)                                     | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [Users assigned highly privileged roles shall not have permanent permissions](/security/azure-ad-entra/users-assigned-highly-privileged-roles-shall-not-have-permanent-permissions.md)                 | <mark style="background-color:green;">Low</mark>     | Azure AD P2          | N/A                                                                                         |
| [Activation of privileged roles should be monitored and require approval](/security/azure-ad-entra/activation-of-privileged-roles-should-be-monitored-and-require-approval.md)                         | <mark style="background-color:green;">Low</mark>     | Azure AD P2          | N/A                                                                                         |
| [Highly privileged accounts shall be cloud-only](/security/azure-ad-entra/highly-privileged-accounts-shall-be-cloud-only.md)                                                                           | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [Highly privileged role assignments shall be periodically reviewed](/security/azure-ad-entra/highly-privileged-role-assignments-shall-be-periodically-reviewed.md)                                     | <mark style="background-color:green;">Low</mark>     | Azure AD P2          | Manual monitoring can be performed in the Azure Portal or with PowerShell                   |
| [Passwords shall not expire](/security/azure-ad-entra/passwords-shall-not-expire.md)                                                                                                                   | <mark style="background-color:yellow;">Medium</mark> | Any                  | N/A                                                                                         |
| [Azure AD Logs shall be collected](/security/azure-ad-entra/azure-ad-logs-shall-be-collected.md)                                                                                                       | None                                                 | Azure AD P1          | Without P1, logs are retained for 7 days                                                    |
| [Only Admins shall be allowed to register 3rd party applications](/security/azure-ad-entra/only-admins-shall-be-allowed-to-register-3rd-party-applications.md)                                         | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [Non-admin users shall be prevented from providing consent to 3rd party applications](/security/azure-ad-entra/non-admin-users-shall-be-prevented-from-providing-consent-to-3rd-party-applications.md) | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [Authorized Applications shall be configured for Single Sign-On](/security/azure-ad-entra/authorized-applications-shall-be-configured-for-single-sign-on.md)                                           | <mark style="background-color:yellow;">Medium</mark> | Azure AD P1          | N/A                                                                                         |
| [Inactive accounts shall be blocked or deleted](/security/azure-ad-entra/inactive-accounts-shall-be-blocked-or-deleted.md)                                                                             | None                                                 | Any                  | N/A                                                                                         |
