The Azure AD Best Practices Checklist
Alex Fields
Update: Downloadable/printable copies of the Microsoft 365 Best practices checklists and guides are now available for purchase at GumRoad. Thanks for your support!
Disclaimer: This checklist is NOT a comprehensive overview of every consideration when implementing Azure AD. For instance, the list was built with a typical SMB/SME in mind. That means there is no discussion of separating admin roles and limiting privilege based on task/functions, or PIM, or any of those features which typically show up in larger enterprise organizations, who actually have teams of people managing the environment. But, I did include a couple extra bullet points for E5 customers to consider at the end of this list, just in case.
I received a lot of positive feedback for recent publications including the Office 365 Email Security Checklist and my recent guide on Recommended Conditional access policies. Several people have asked about similar guidance for provisioning and fine-tuning other Microsoft 365 services, too.
I have been working on additional resources for the community, but I wanted to focus on email initially since:
- Exchange Online is the most widely adopted service in Office 365
- Email is still the most common attack vector
Today I have a new resource which focuses on Azure AD (and of course every application in Microsoft 365 depends on this service for identity).
In the guide, I walk you through several settings in the Azure AD admin center which I think should be modified or at least carefully considered when implementing new tenants (or sprucing up older ones).
Furthermore, I have updated the Recommended Conditional access policies in conjunction with this release. The new policy design includes a couple of subtle but critical adjustments worth considering, so be sure to review that as well.
Here is the complete kit:
- The Azure AD Best Practices Checklist: “Checklist” of the items described in the corresponding guide; also contains a spreadsheet whose concept and ideas I borrowed and adapted from another blogger by the name of Daniel Chronlund
- The Azure AD Best Practices Checklist Guide: A short publication describing in detail the thirteen steps I recommend for every new Azure AD tenant setup, as well as some notes on hybrid at the end
- Recommended Conditional access policies: This is the updated guide detailing those policies, describing their impacts and the steps to set them up
Below is a summary of the items included in the Azure AD setup checklist:
- Create an emergency access global admin account
- Set up Multi-Factor Authentication (MFA) service settings and enable MFA for all accounts (or as many as possible)
- Enable Conditional access baseline policies* (and other recommended policies)
- Note: enabling MFA via Conditional access will require users to register for MFA (and they should)
- Block users’ ability to consent to apps requesting permission
- Note: new tenants will have this as a default now
- Configure the password expiration policy
- Note: find out why I don’t agree with “Never expire” (yet)
- Configure Company branding (and yes: this is important to security also)
- Configure user settings, specifically: Restrict user access to the Azure AD admin portal
- Enable self-service password reset (SSPR)
- Configure device settings to require MFA when joining devices to Azure AD, and enable Enterprise State Roaming
- Configure external collaboration settings to block guests from inviting other guests
- Enable combined registration of MFA and SSPR*
- Configure Enterprise applications
- Configure optional settings for groups (e.g. expiration)
These are the global settings I think should be considered when implementing any new tenant (for the SMB).
*These features are still in preview, use preview features at your own risk.
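As an added example (not from the original post or the downloadable checklist), the following Microsoft Graph PowerShell script reads back several of the tenant settings in the list above so you can compare them with the recommended state. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the read-only scopes requested.

```powershell
# Added example: read-only audit of a few checklist settings via Microsoft Graph PowerShell.
# Nothing is changed; each finding is flagged OK or REVIEW for a human to act on.
Connect-MgGraph -Scopes 'Policy.Read.All','Domain.Read.All','RoleManagement.Read.Directory'

$script:findings = @()
function Add-Finding ([string]$Item, $Value, [bool]$Ok, [string]$Why) {
    $script:findings += [pscustomobject]@{
        Item   = $Item
        Value  = "$Value"
        Status = $(if ($Ok) { 'OK' } else { "REVIEW: $Why" })
    }
}

$authz = Get-MgPolicyAuthorizationPolicy

# Block users' ability to consent to apps: no permission grant policies assigned
# to the default user role means users cannot consent on their own.
$consent = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Add-Finding 'User consent to apps' ($consent -join ', ') (-not $consent) 'users can consent to apps'

# External collaboration: 'everyone' allows guests to invite other guests.
Add-Finding 'Who can invite guests' $authz.AllowInvitesFrom `
    ($authz.AllowInvitesFrom -ne 'everyone') 'guests can invite other guests'

# Self-service password reset (SSPR) enabled for users.
Add-Finding 'SSPR enabled' $authz.AllowedToUseSSPR ([bool]$authz.AllowedToUseSSPR) 'SSPR is off'

# Password expiration policy per domain; 2147483647 days is how "Never expire" is stored.
foreach ($d in Get-MgDomain) {
    $days = $d.PasswordValidityPeriodInDays
    Add-Finding "Password expiry for $($d.Id)" $days ($days -ne 2147483647) 'passwords never expire'
}

# Emergency access account: there should be at least one Global Administrator
# besides the day-to-day admin, and not many more than that.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
Add-Finding 'Global Administrator count' $gaMembers.Count ($gaMembers.Count -ge 2) 'only one GA; no emergency access account?'

$script:findings | Format-Table -AutoSize
```

Settings that are only exposed in the portal (for example restricting user access to the Azure AD admin portal, or Enterprise State Roaming) are not covered here and still need a manual check.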
BONUS: For E5 subscribers, I have updated this article with a couple of extra bullet points that you should look at. They are not included in my published checklist, however.