The Azure AD Best Practices Checklist
Alex Fields
Update: Downloadable/printable copies of the Microsoft 365 Best practices checklists and guides are now available. Thanks for your support!
Disclaimer: This checklist is NOT a comprehensive overview of every consideration when implementing Azure AD. For instance, the list was built with a typical SMB/SME in mind. That means there is no discussion of separating admin roles and limiting privilege based on task/functions, or PIM, or any of those features which typically show up in larger enterprise organizations, which actually have teams of people managing the environment. But, I did include a couple extra bullet points for E5 customers to consider at the end of this list, just in case.
I have been working on additional resources for the community, but I wanted to focus on email initially since:
- Exchange Online is the most widely adopted service in Office 365
- Email is still the most common attack vector
Today I have a new resource which focuses on Azure AD (and of course every application in Microsoft 365 depends on this service for identity).
In the guide, I walk you through several settings in the Azure AD admin center which I think should be modified or at least carefully considered when implementing new tenants (or sprucing up older ones).
Below is a summary of the items included in the Azure AD setup checklist:
- Create an emergency access global admin account
- Set up Multi-Factor Authentication (MFA) service settings and enable MFA for all accounts (or as many as possible)
- Enable Conditional access baseline policies* (and other recommended policies)
  - Note: enabling MFA via Conditional access will require users to register for MFA (and they should)
- Block users’ ability to consent to apps requesting permission
  - Note: new tenants will have this as a default now
- Configure the password expiration policy
  - Find out why I don’t agree with “Never expire” (yet)
- Configure Company branding (and yes: this is important to security also)
- Configure user settings, specifically: Restrict user access to the Azure AD admin portal
- Enable self-service password reset (SSPR)
- Configure device settings to require MFA in order to join devices to Azure AD, and enable Enterprise State Roaming
- Configure external collaboration settings to block guests from inviting other guests
- Enable combined registration of MFA and SSPR*
- Configure Enterprise applications
- Configure optional settings for groups (e.g. expiration)
These are the global settings I think should be considered when implementing any new tenant (for the SMB).
*These features are still in preview, use preview features at your own risk.
BONUS: E5 subscribers, I decided to update this article with just a couple of extra bullet points that you should look at. These are not included in my published checklist, however.
- Set up Privileged Identity Management (PIM), so you can track admin activity and prevent potentially harmful admin activities from happening.
- Enable Azure AD Identity Protection including the MFA registration policy, the Sign-in Risk policy and the User risk policy.
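As an added example (not part of the original post or its checklist), a small Python audit that checks exported tenant settings against three items above: MFA enforced for all users through Conditional Access, user app consent blocked, and guests blocked from inviting other guests. It assumes the JSON shape Microsoft Graph returns for GET /policies/authorizationPolicy and GET /identity/conditionalAccess/policies; the sample objects below are constructed, not taken from a real tenant.

```python
from typing import Any

# Constructed sample of a Graph authorizationPolicy object (not a real tenant).
SAMPLE_AUTHZ_POLICY: dict[str, Any] = {
    "allowInvitesFrom": "everyone",  # "everyone" lets guests invite guests: should fail
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [],  # empty list = users cannot consent to apps
    },
}

# Constructed sample of the "value" array from the conditionalAccess/policies endpoint.
SAMPLE_CA_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA (report-only copy)",
        "state": "enabledForReportingButNotEnforced",  # report-only enforces nothing
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def guests_cannot_invite(authz: dict[str, Any]) -> bool:
    """Checklist item: block guests from inviting other guests.
    Only the "everyone" setting lets guest users send invitations."""
    return authz.get("allowInvitesFrom") in {
        "none", "adminsAndGuestInviters", "adminsGuestInvitersAndAllMembers"}


def user_app_consent_blocked(authz: dict[str, Any]) -> bool:
    """Checklist item: users cannot consent to apps. With no permission grant
    policy assigned to the default user role, self-service consent is off."""
    role = authz.get("defaultUserRolePermissions", {})
    return len(role.get("permissionGrantPoliciesAssigned", [])) == 0


def mfa_enforced_for_all(policies: list[dict[str, Any]]) -> bool:
    """Checklist item: at least one *enabled* Conditional Access policy that
    targets all users and all cloud apps and grants access only with MFA."""
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies do not enforce MFA
        conditions = policy.get("conditions", {})
        users = conditions.get("users", {}).get("includeUsers", [])
        apps = conditions.get("applications", {}).get("includeApplications", [])
        controls = (policy.get("grantControls") or {}).get("builtInControls", [])
        if "All" in users and "All" in apps and "mfa" in controls:
            return True
    return False


def audit(authz: dict[str, Any], policies: list[dict[str, Any]]) -> dict[str, bool]:
    """Map each checklist item to pass (True) or fail (False)."""
    return {
        "mfa_for_all_users": mfa_enforced_for_all(policies),
        "user_app_consent_blocked": user_app_consent_blocked(authz),
        "guests_cannot_invite_guests": guests_cannot_invite(authz),
    }


if __name__ == "__main__":
    for item, ok in audit(SAMPLE_AUTHZ_POLICY, SAMPLE_CA_POLICIES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```

Point the two dicts at the real JSON from your own tenant (any Graph client that can read policies will do) and the three checks report which items of the list are still open.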
Great post as always Alex, I’ve taken a number of ideas from this to implement in our own setup process. Thank you!
Great guides. Nice, consistent layout and to the point. Keep on keeping on.