Azure AD (Entra)

MFA Shall Be Required for All Users

High

Azure AD P1

Enforcing Per User MFA or MFA via Security Defaults

MFA is enforced on accounts with Highly Privileged Roles

Low

Azure AD P1

Enforcing Per User MFA or MFA via Security Default

MFA is enforced for Azure Management

Low

Azure AD P1

N/A

MFA registration and usage shall be periodically reviewed

None

Any

Any

Legacy Authentication shall be blocked

Medium

Azure AD P1

Legacy Auth methods can be disabled in an account manually without P1 via Security defaults

High Risk Users Shall Be Blocked

High

Azure AD P2

N/A

High Risk Sign-Ins Shall Be Blocked

High

Azure AD P2

N/A

Browser Sessions shall not be persistent for privileged users

Medium

Azure AD P1

N/A

MFA shall be required to enroll devices to Azure AD

Medium

Any

N/A

Managed Devices shall be required for authentication

High

Azure AD P1 + Intune

N/A

Guest User Access Shall be restricted

Low

Any

N/A

The number of users with highly privileged roles shall be limited

Low

Any

N/A

Users assigned highly privileged roles shall not have permanent permissions

Low

Azure AD P2

N/A

Activation of privileged roles should be monitored and require approval

Low

Azure AD P2

N/A

Highly privileged accounts shall be cloud-only

Low

Any

N/A

Highly privileged role assignments shall be periodically reviewed

Low

Azure AD P2

Manual monitoring can be performed in the Azure Portal or with PowerShell

Passwords shall not expire

Medium

Any

N/A

Azure AD Logs shall be collected

None

Azure AD P1

Without P1, logs are retained for 7 days

Only Admins shall be allowed to register 3rd party applications

Low

Any

N/A

Non-admin users shall be prevented from providing consent to 3rd party applications

Low

Any

N/A

Authorized Applications shall be configured for Single Sign-On

Medium

Azure AD P1

N/A

Inactive accounts shall be blocked or deleted

None

Any

N/A