# Azure AD (Entra)

<figure><img src="https://2434432314-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCTly3knsVr9zUXbWG1eo%2Fuploads%2FY6vtAKOXP3YFqumPb6Fk%2FaAdlogo.png?alt=media&#x26;token=ee173ec9-c647-4f99-bd95-f7c0ea8e01a7" alt="" width="122"><figcaption></figcaption></figure>

**Section Purpose:** This section lists the recommended security controls for Azure AD (Microsoft Entra ID), mapped to the CIS Controls. Each control contains the following subsections:

* Description
* Policy Definition
* Licensing Considerations
* Set Up Instructions
* End-User Impact
* PowerShell Scripts
* Video Tutorials

| Policy                                                                                                                                                                                                                                  | End-User Impact                                      | License              | Lower License Alternative                                                                   |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | -------------------- | ------------------------------------------------------------------------------------------- |
| [mfa-shall-be-required-for-all-users](https://docs.tminus365.com/security/azure-ad-entra/mfa-shall-be-required-for-all-users "mention")                                                                                                 | <mark style="background-color:red;">High</mark>      | Azure AD P1          | Enforcing Per User MFA or MFA via Security Defaults                                         |
| [mfa-is-enforced-on-accounts-with-highly-privileged-roles](https://docs.tminus365.com/security/azure-ad-entra/mfa-is-enforced-on-accounts-with-highly-privileged-roles "mention")                                                       | <mark style="background-color:green;">Low</mark>     | Azure AD P1          | Enforcing Per User MFA or MFA via Security Defaults                                         |
| [mfa-is-enforced-for-azure-management](https://docs.tminus365.com/security/azure-ad-entra/mfa-is-enforced-for-azure-management "mention")                                                                                               | <mark style="background-color:green;">Low</mark>     | Azure AD P1          | N/A                                                                                         |
| [mfa-registration-and-usage-shall-be-periodically-reviewed](https://docs.tminus365.com/security/azure-ad-entra/mfa-registration-and-usage-shall-be-periodically-reviewed "mention")                                                     | None                                                 | Any                  | Any                                                                                         |
| [legacy-authentication-shall-be-blocked](https://docs.tminus365.com/security/azure-ad-entra/legacy-authentication-shall-be-blocked "mention")                                                                                           | <mark style="background-color:yellow;">Medium</mark> | Azure AD P1          | Without P1, Security Defaults block legacy authentication tenant-wide, or legacy protocols can be disabled manually per account |
| [high-risk-users-shall-be-blocked](https://docs.tminus365.com/security/azure-ad-entra/high-risk-users-shall-be-blocked "mention")                                                                                                       | <mark style="background-color:red;">High</mark>      | Azure AD P2          | N/A                                                                                         |
| [high-risk-sign-ins-shall-be-blocked](https://docs.tminus365.com/security/azure-ad-entra/high-risk-sign-ins-shall-be-blocked "mention")                                                                                                 | <mark style="background-color:red;">High</mark>      | Azure AD P2          | N/A                                                                                         |
| [browser-sessions-shall-not-be-persistent-for-privileged-users](https://docs.tminus365.com/security/azure-ad-entra/browser-sessions-shall-not-be-persistent-for-privileged-users "mention")                                             | <mark style="background-color:yellow;">Medium</mark> | Azure AD P1          | N/A                                                                                         |
| [mfa-shall-be-required-to-enroll-devices-to-azure-ad](https://docs.tminus365.com/security/azure-ad-entra/mfa-shall-be-required-to-enroll-devices-to-azure-ad "mention")                                                                 | <mark style="background-color:yellow;">Medium</mark> | Any                  | N/A                                                                                         |
| [managed-devices-shall-be-required-for-authentication](https://docs.tminus365.com/security/azure-ad-entra/managed-devices-shall-be-required-for-authentication "mention")                                                               | <mark style="background-color:red;">High</mark>      | Azure AD P1 + Intune | N/A                                                                                         |
| [guest-user-access-shall-be-restricted](https://docs.tminus365.com/security/azure-ad-entra/guest-user-access-shall-be-restricted "mention")                                                                                             | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [the-number-of-users-with-highly-privileged-roles-shall-be-limited](https://docs.tminus365.com/security/azure-ad-entra/the-number-of-users-with-highly-privileged-roles-shall-be-limited "mention")                                     | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [users-assigned-highly-privileged-roles-shall-not-have-permanent-permissions](https://docs.tminus365.com/security/azure-ad-entra/users-assigned-highly-privileged-roles-shall-not-have-permanent-permissions "mention")                 | <mark style="background-color:green;">Low</mark>     | Azure AD P2          | N/A                                                                                         |
| [activation-of-privileged-roles-should-be-monitored-and-require-approval](https://docs.tminus365.com/security/azure-ad-entra/activation-of-privileged-roles-should-be-monitored-and-require-approval "mention")                         | <mark style="background-color:green;">Low</mark>     | Azure AD P2          | N/A                                                                                         |
| [highly-privileged-accounts-shall-be-cloud-only](https://docs.tminus365.com/security/azure-ad-entra/highly-privileged-accounts-shall-be-cloud-only "mention")                                                                           | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [highly-privileged-role-assignments-shall-be-periodically-reviewed](https://docs.tminus365.com/security/azure-ad-entra/highly-privileged-role-assignments-shall-be-periodically-reviewed "mention")                                     | <mark style="background-color:green;">Low</mark>     | Azure AD P2          | Manual monitoring can be performed in the Azure Portal or with PowerShell                   |
| [passwords-shall-not-expire](https://docs.tminus365.com/security/azure-ad-entra/passwords-shall-not-expire "mention")                                                                                                                   | <mark style="background-color:yellow;">Medium</mark> | Any                  | N/A                                                                                         |
| [azure-ad-logs-shall-be-collected](https://docs.tminus365.com/security/azure-ad-entra/azure-ad-logs-shall-be-collected "mention")                                                                                                       | None                                                 | Azure AD P1          | Without P1, logs are retained for 7 days                                                    |
| [only-admins-shall-be-allowed-to-register-3rd-party-applications](https://docs.tminus365.com/security/azure-ad-entra/only-admins-shall-be-allowed-to-register-3rd-party-applications "mention")                                         | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [non-admin-users-shall-be-prevented-from-providing-consent-to-3rd-party-applications](https://docs.tminus365.com/security/azure-ad-entra/non-admin-users-shall-be-prevented-from-providing-consent-to-3rd-party-applications "mention") | <mark style="background-color:green;">Low</mark>     | Any                  | N/A                                                                                         |
| [authorized-applications-shall-be-configured-for-single-sign-on](https://docs.tminus365.com/security/azure-ad-entra/authorized-applications-shall-be-configured-for-single-sign-on "mention")                                           | <mark style="background-color:yellow;">Medium</mark> | Azure AD P1          | N/A                                                                                         |
| [inactive-accounts-shall-be-blocked-or-deleted](https://docs.tminus365.com/security/azure-ad-entra/inactive-accounts-shall-be-blocked-or-deleted "mention")                                                                             | None                                                 | Any                  | N/A                                                                                         |
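Several rows above (MFA enforced on highly privileged roles, the number of privileged users limited, privileged accounts cloud-only, and privileged role assignments periodically reviewed) note that the review can be done with PowerShell when no P2 license is available. The script below is an added example, not one of the PowerShell scripts shipped with this page or with the tminus365 documentation. It uses the Microsoft Graph PowerShell SDK to list every user holding one of a chosen set of privileged roles and flags the two conditions the table calls out: accounts that are synced from on-premises (not cloud-only) and accounts with no MFA method registered. The list of roles treated as "highly privileged" and the Graph scopes requested are assumptions made for this example; adjust them to your tenant's policy.

```powershell
# Added example (not from the original page): audit members of highly privileged
# Entra roles with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, the caller can consent to
# the scopes below, and the role list is this example's choice, not the page's.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# Roles treated as highly privileged for this audit (assumption).
$privilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Security Administrator',
    'Conditional Access Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'User Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant,
# and only permanent (active) assignments. PIM-eligible assignments (P2) are not
# included here, so a P2 tenant should review those separately.
$findings = foreach ($role in Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user accounts are audited; groups and service principals are skipped.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
        # Registration details show whether the user has any MFA method registered.
        $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $member.Id

        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $user.UserPrincipalName
            Enabled       = $user.AccountEnabled
            # Cloud-only users have OnPremisesSyncEnabled null/false.
            CloudOnly     = -not $user.OnPremisesSyncEnabled
            MfaRegistered = $reg.IsMfaRegistered
            MfaCapable    = $reg.IsMfaCapable
        }
    }
}

# Full inventory first (useful for the "limit the number of privileged users" review),
# then only the rows that violate the cloud-only or MFA-registered expectations.
$findings | Sort-Object Role, User | Format-Table -AutoSize
$violations = @($findings | Where-Object { -not $_.CloudOnly -or -not $_.MfaRegistered })
"Privileged user assignments: $(@($findings).Count); with findings: $($violations.Count)"
$violations | Format-Table -AutoSize
```

Run it from an account that can consent to the requested read scopes; it makes no changes. The same user can appear once per role, which is intentional: the per-role view is what an assignment review needs. Because the script reads active directory role membership only, a tenant using PIM should also review eligible assignments, otherwise an eligible-but-inactive Global Administrator would not show up here.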
