Microsoft Partner 2025

Security & Compliance

Gap Analysis
CISA Baseline

Safeguarding your organization’s data, infrastructure, and users.

Microsoft Entra ID

Microsoft Entra ID is a cloud-based identity and access control service that provides security and functional capabilities. This Secure Configuration Baseline provides specific policies to help secure Microsoft Entra ID.

The Cybersecurity and Infrastructure Security Agency (CISA) Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure federal civilian executive branch (FCEB) agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.

Assumptions

The License Requirements sections of this document assume the organization is using an M365 E3 license level at a minimum. Therefore, only licenses not included in E3 are listed.

Some of the policies in this baseline may link to Microsoft instruction pages which assume that an agency has created emergency access accounts in Microsoft Entra ID and implemented strong security measures to protect the credentials of those accounts.

Key Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

The following are key terms and descriptions used in this document.

Hybrid Microsoft Entra ID – This term denotes the scenario where an organization has an on-premises Active Directory domain that contains the master user directory but federates access to the cloud M365 Microsoft Entra ID tenant.

Resource Tenant & Home Tenant – In scenarios where guest users are involved, the resource tenant hosts the M365 target resources that the guest user is accessing. The home tenant is the one that hosts the guest user’s identity.

Highly Privileged Roles

This section provides a list of what CISA considers highly privileged built-in roles in Microsoft Entra ID.

  • Global Administrator
  • Privileged Role Administrator
  • User Administrator
  • SharePoint Administrator
  • Exchange Administrator
  • Hybrid Identity Administrator
  • Application Administrator
  • Cloud Application Administrator

Throughout this document, this list of highly privileged roles is referenced in numerous baseline policies. Agencies should consider this list a foundational reference and apply respective baseline policies to additional Microsoft Entra ID roles as necessary.

Conditional Access Policies

Numerous policies in this baseline rely on Microsoft Entra ID Conditional Access. Conditional Access is a feature that allows administrators to limit access to resources using conditions such as user or group membership, device, IP location, and real-time risk detection. This section provides guidance and tools to support implementation of baseline policies that rely on Microsoft Entra ID Conditional Access.

As described in Microsoft’s literature related to conditional access policies, CISA recommends initially setting a policy to Report-only when it is created and then performing thorough hands-on testing to help prevent unintended consequences before toggling the policy from Report-only to On. The policy will only be enforced when it is set to On. One tool that can assist with running test simulations is the What If tool. Microsoft also describes Conditional Access insights and reporting that can assist with testing.

Security Solutions

1. Legacy Authentication

This section provides policies that reduce security risks related to legacy authentication protocols that do not support multifactor authentication (MFA).

Policies

MS.AAD.1.1v1 – Legacy authentication SHALL be blocked.

Resources

License Requirements

  • N/A

Security Solutions

2. Risk Based Policies

This section provides policies that reduce security risks related to potentially compromised user accounts. These policies combine Microsoft Entra ID Protection and Microsoft Entra ID Conditional Access. Microsoft Entra ID Protection uses numerous signals to detect the risk level for each user or sign-in and determine if an account may have been compromised.

  • Additional mitigations to reduce risks associated with the authentication of workload identities: Although not covered in this baseline due to the need for an additional non-standard license, Microsoft provides support for mitigating risks related to workload identities (Microsoft Entra ID applications or service principals). Agencies should strongly consider implementing this feature because workload identities present many of the same risks as interactive user access and are commonly used in modern systems. CISA urges organizations to apply Conditional Access policies to workload identities.

  • Note: In this section, the term “high risk” denotes the risk level applied by the Microsoft Entra ID Protection service to a user account or sign-in event.

Policies

MS.AAD.2.1v1 – Users detected as high risk SHALL be blocked.

  • Rationale: Blocking high-risk users may prevent compromised accounts from accessing the tenant.
  • Last modified: June 2023
  • Note: Users identified as high risk by Microsoft Entra ID Protection can be blocked from accessing the system via a Microsoft Entra ID Conditional Access policy. A high-risk user will be blocked until an administrator remediates their account.
  • MITRE ATT&CK TTP Mapping:

MS.AAD.2.2v1 – A notification SHOULD be sent to the administrator when high-risk users are detected.

  • Rationale: Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.2.3v1 – Sign-ins detected as high risk SHALL be blocked.

Resources

License Requirements

  • Requires a Microsoft Entra ID P2 license

Implementation

MS.AAD.2.1v1 Instructions

  1. Create a Conditional Access policy blocking users categorized as high risk by the Identity Protection service. Configure the following settings in the new Conditional Access policy:
     • Users > Include > All users
     • Target resources > Cloud apps > All cloud apps
     • Conditions > User risk > High
     • Access controls > Grant > Block Access

MS.AAD.2.2v1 Instructions

  1. Configure Microsoft Entra ID Protection to send a regularly monitored security mailbox email notification when user accounts are determined to be high risk.

MS.AAD.2.3v1 Instructions

  1. Create a Conditional Access policy blocking sign-ins determined high risk by the Identity Protection service. Configure the following settings in the new Conditional Access policy:
     • Users > Include > All users
     • Target resources > Cloud apps > All cloud apps
     • Conditions > Sign-in risk > High
     • Access controls > Grant > Block Access
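The two risk-based policies above (MS.AAD.2.1v1 and MS.AAD.2.3v1) can be gap-checked against an export of the tenant’s Conditional Access policies. The following is an added example, not CISA or Microsoft code: it takes Microsoft Graph conditionalAccessPolicy objects (property names as in the Graph schema), treats only policies in the On state as enforced, and separately lists matching policies still in Report-only, which is the staged rollout the Conditional Access section recommends. The policy export is constructed inline.

```python
"""Gap check for MS.AAD.2.1v1 and MS.AAD.2.3v1 over exported Conditional Access policies.
Added example, not CISA or Microsoft code. Input: a list of Microsoft Graph
conditionalAccessPolicy objects (GET /identity/conditionalAccess/policies);
the export below is constructed for illustration."""

# Constructed export: the user-risk policy is enforced (state "enabled"); the
# sign-in-risk policy is still Report-only, so it blocks nothing yet.
SAMPLE_POLICIES = [
    {
        "displayName": "Block high-risk users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<emergency-access-id>"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
            "signInRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Block high-risk sign-ins",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": [],
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

BASELINE_CHECKS = {"MS.AAD.2.1v1": "userRiskLevels", "MS.AAD.2.3v1": "signInRiskLevels"}

def blocks_high_risk(policy: dict, risk_field: str) -> bool:
    """True if the policy has the baseline shape (all users, all cloud apps,
    risk level High, grant = Block), regardless of its state."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return ("All" in users and "All" in apps
            and "high" in (cond.get(risk_field) or []) and "block" in controls)

def check_risk_policies(policies: list) -> dict:
    """Per baseline ID: is an enforced (On) policy present, and which matching
    policies are only in Report-only. Disabled policies count for nothing."""
    result = {}
    for policy_id, field in BASELINE_CHECKS.items():
        enforced, report_only = [], []
        for p in policies:
            if not blocks_high_risk(p, field):
                continue
            if p.get("state") == "enabled":
                enforced.append(p["displayName"])
            elif p.get("state") == "enabledForReportingButNotEnforced":
                report_only.append(p["displayName"])
        result[policy_id] = {"compliant": bool(enforced),
                             "enforced": enforced, "report_only": report_only}
    return result

if __name__ == "__main__":
    print(check_risk_policies(SAMPLE_POLICIES))
```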

Security Solutions

3. Strong Authentication and a Secure Registration Process

This section provides policies that help reduce security risks related to user authentication and registration.

Phishing-resistant MFA is required per Office of Management and Budget Memorandum 22-09, but for a variety of reasons, implementing it for all users may be challenging. This section provides additional backup security policies to mitigate risk associated with lesser forms of MFA. For example, Policy MS.AAD.3.2v1 below enforces MFA without stipulating the specific MFA method.

Weak MFA methods are SMS and Voice. Stronger MFA methods are Authenticator Push Notifications, Authenticator Phone Sign-in, Software Token OTP, and Hardware Token OTP. The strongest MFA methods are FIDO2 (preferred), Windows Hello (preferred), Microsoft Entra certificate-based authentication (preferred), and federated PIV card.

Figure 1: Depiction of MFA methods from weakest to strongest. Adapted from Microsoft Page

Policies

MS.AAD.3.1v1 – Phishing-resistant MFA SHALL be enforced for all users.

The phishing-resistant methods Microsoft Entra ID certificate-based authentication (CBA), FIDO2 security key, Windows Hello for Business, and device-bound passkeys (in the authenticator app of choice) are the recommended authentication options since they offer forms of MFA with the least weaknesses. For federal agencies, Microsoft Entra ID CBA supports federal PIV card authentication directly to Microsoft Entra ID.

If on-premises PIV authentication and federation to Microsoft Entra ID is used, enforce PIV logon via Microsoft Active Directory group policy.

MS.AAD.3.2v1 – If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.

  • Rationale: This is a stopgap security policy to help protect the tenant if phishing-resistant MFA has not been enforced. This policy requires MFA enforcement, thus reducing single-form authentication risk.
  • Last modified: June 2023
  • Note: If a conditional access policy has been created enforcing phishing-resistant MFA, then this policy is not necessary. This policy does not dictate the specific MFA method.
  • MITRE ATT&CK TTP Mapping:

MS.AAD.3.3v2 – If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.

MS.AAD.3.4v1 – The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.

  • Rationale: To disable the legacy authentication methods screen for the tenant, configure the Manage Migration feature to Migration Complete. The MFA and Self-Service Password Reset (SSPR) authentication methods are both managed from a central admin page, thereby reducing administrative complexity and potential security misconfigurations.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:
    • None

MS.AAD.3.5v1 – The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.

MS.AAD.3.6v1 – Phishing-resistant MFA SHALL be required for highly privileged roles.

MS.AAD.3.7v1 – Managed devices SHOULD be required for authentication.

  • Rationale: The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency. OMB-22-09 states, “When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.”
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.3.8v1 – Managed Devices SHOULD be required to register MFA.

MS.AAD.3.9v1 – Device code authentication SHOULD be blocked.

Resources

License Requirements

  • Policies related to managed devices require Microsoft Intune.

Security Solutions

4. Centralized Log Collection

This section provides policies to reduce security risks related to the lack of security logs, which hampers security visibility.

Policies

MS.AAD.4.1v1 – Security logs SHALL be sent to the agency’s security operations center for monitoring.

  • Rationale: The security risk of not having visibility into cyber attacks is reduced by collecting logs in the agency’s centralized security detection infrastructure. This makes security events available for auditing, query, and incident response.
  • Last modified: June 2023
  • Note: The following Microsoft Entra ID logs (configured in diagnostic settings) are required: AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, ServicePrincipalRiskEvents, EnrichedOffice365AuditLogs, MicrosoftGraphActivityLogs. If managed identities are used for Azure resources, also send the ManagedIdentitySignInLogs log type. If the Microsoft Entra ID Provisioning Service is used to provision users to software-as-a-service (SaaS) apps or other systems, also send the ProvisioningLogs log type.
  • Note: Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at cyberliason@cisa.dhs.gov to request integration instructions.
  • MITRE ATT&CK TTP Mapping:
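The log categories required by MS.AAD.4.1v1 can be gap-checked against the tenant’s Entra ID diagnostic settings. The following is an added example, not CISA or Microsoft code: it reads diagnostic settings in the Azure Monitor diagnosticSettings shape (a properties.logs list of category/enabled entries), adds the two conditional categories only when the tenant uses the corresponding feature, and treats a category that is present but switched off as missing. The sample setting is constructed.

```python
"""Gap check for MS.AAD.4.1v1: are the required Entra ID log categories enabled
in the tenant's diagnostic settings? Added example, not CISA or Microsoft code.
Input follows the Azure Monitor diagnosticSettings resource shape
(properties.logs entries with 'category' and 'enabled'); the sample setting
below is constructed."""

# Categories the baseline always requires.
REQUIRED_LOGS = {
    "AuditLogs", "SignInLogs", "RiskyUsers", "UserRiskEvents",
    "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs",
    "ADFSSignInLogs", "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
    "EnrichedOffice365AuditLogs", "MicrosoftGraphActivityLogs",
}
# Categories required only when the corresponding feature is in use.
CONDITIONAL_LOGS = {
    "uses_managed_identities": "ManagedIdentitySignInLogs",
    "uses_provisioning_service": "ProvisioningLogs",
}

# Constructed setting: EnrichedOffice365AuditLogs absent, ADFSSignInLogs present
# but switched off, and no ProvisioningLogs although provisioning is in use.
SAMPLE_SETTING = {
    "name": "send-to-siem",
    "properties": {
        "workspaceId": "<log-analytics-workspace-resource-id>",
        "logs": [
            {"category": "AuditLogs", "enabled": True},
            {"category": "SignInLogs", "enabled": True},
            {"category": "NonInteractiveUserSignInLogs", "enabled": True},
            {"category": "ServicePrincipalSignInLogs", "enabled": True},
            {"category": "ManagedIdentitySignInLogs", "enabled": True},
            {"category": "RiskyUsers", "enabled": True},
            {"category": "UserRiskEvents", "enabled": True},
            {"category": "RiskyServicePrincipals", "enabled": True},
            {"category": "ServicePrincipalRiskEvents", "enabled": True},
            {"category": "ADFSSignInLogs", "enabled": False},
            {"category": "MicrosoftGraphActivityLogs", "enabled": True},
        ],
    },
}

def enabled_categories(setting: dict) -> set:
    """Categories actually switched on in one diagnostic setting."""
    logs = setting.get("properties", {}).get("logs", [])
    return {e["category"] for e in logs if e.get("enabled") is True}

def missing_log_categories(settings: list, tenant: dict) -> list:
    """Required categories not enabled in any of the given settings (a tenant may
    spread categories across several). 'tenant' flags which conditional
    features are in use, e.g. {"uses_managed_identities": True}."""
    required = set(REQUIRED_LOGS)
    for flag, category in CONDITIONAL_LOGS.items():
        if tenant.get(flag):
            required.add(category)
    enabled = set().union(*(enabled_categories(s) for s in settings))
    return sorted(required - enabled)

if __name__ == "__main__":
    gaps = missing_log_categories([SAMPLE_SETTING], {"uses_managed_identities": True,
                                                     "uses_provisioning_service": True})
    print("MS.AAD.4.1v1:", "PASS" if not gaps else f"GAP, missing {gaps}")
```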

Resources

License Requirements

  • An Azure subscription may be required to send logs to an external system, such as the agency’s Security Information and Event Management (SIEM).

Security Solutions

5. Application Registration and Consent

This section provides policies that help reduce the security risk of malicious applications or service principals added to the tenant by non-privileged users. Malicious applications can perform many of the same operations as interactive users and can access data on behalf of compromised users. These policies apply to custom-developed applications and applications published by third-party vendors.

Policies

MS.AAD.5.1v1 – Only administrators SHALL be allowed to register applications.

  • Rationale: Application access for the tenant presents a heightened security risk compared to interactive user access because applications are typically not subject to critical security protections, such as MFA policies. Reduce risk of unauthorized users installing malicious applications into the tenant by ensuring that only specific privileged users can register applications.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.5.2v1 – Only administrators SHALL be allowed to consent to applications.

MS.AAD.5.3v1 – An admin consent workflow SHALL be configured for applications.

  • Rationale: Configuring an admin consent workflow reduces the risk of the previous policy by setting up a process for users to securely request access to applications necessary for business purposes. Administrators have the opportunity to review the permissions requested by new applications and approve or deny access based on a risk assessment.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A

Security Solutions

6. Passwords

This section provides policies that reduce security risks associated with legacy password practices.

Policies

MS.AAD.6.1v1 – User passwords SHALL NOT expire.

  • Rationale: The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB-22-09 states, “Password policies must not require use of special characters or regular rotation.”
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:
    • None

Resources

License Requirements

  • N/A

Security Solutions

7. Highly Privileged User Access

This section provides policies that help reduce security risks related to the usage of highly privileged Microsoft Entra ID built-in roles. Privileged administrative users have access to operations that can undermine the security of the tenant by changing configurations and security policies. Special protections are necessary to secure this level of access.

Some of the policy implementations in this section reference specific features of the Microsoft Entra ID Privileged Identity Management (PIM) service that provides Privileged Access Management (PAM) capabilities. As an alternative to Microsoft Entra ID PIM, third-party products and services with equivalent PAM capabilities can be leveraged.

Policies

MS.AAD.7.1v1 – A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.

  • Rationale: The Global Administrator role provides unfettered access to the tenant. Limiting the number of users with this level of access makes tenant compromise more challenging. Microsoft recommends fewer than five users in the Global Administrator role. However, additional user accounts, up to eight, may be necessary to support emergency access and some operational scenarios.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.7.2v1 – Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.

MS.AAD.7.3v1 – Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.

  • Rationale: By provisioning cloud-only Microsoft Entra ID user accounts to privileged users, the risks associated with a compromise of on-premises federation infrastructure are reduced. It is more challenging for the adversary to pivot from the compromised environment to the cloud with privileged access.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.7.4v1 – Permanent active role assignments SHALL NOT be allowed for highly privileged roles.

  • Rationale: Instead of giving users permanent assignments to privileged roles, provisioning access just in time lessens exposure if those accounts become compromised. In Microsoft Entra ID PIM or an alternative PAM system, just in time access can be provisioned by assigning users to roles as eligible instead of perpetually active.
  • Last modified: June 2023
  • Note: Exceptions to this policy are:
    • Emergency access accounts that need perpetual access to the tenant in the rare event of system degradation or other scenarios.
    • Some types of service accounts that require a user account with privileged roles; since these accounts are used by software programs, they cannot perform role activation.
  • MITRE ATT&CK TTP Mapping:

MS.AAD.7.5v1 – Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.

  • Rationale: Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.7.6v1 – Activation of the Global Administrator role SHALL require approval.

  • Rationale: Requiring approval for a user to activate Global Administrator, which provides unfettered access, makes it more challenging for an attacker to compromise the tenant with stolen credentials and it provides visibility of activities indicating a compromise is taking place.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.7.7v1 – Eligible and Active highly privileged role assignments SHALL trigger an alert.

MS.AAD.7.8v1 – User activation of the Global Administrator role SHALL trigger an alert.

  • Rationale: Closely monitor activation of the Global Administrator role for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts.
  • Last modified: June 2023
  • Note: It is recommended to prioritize user activation of Global Administrator as one of the most important events to monitor and respond to.
  • MITRE ATT&CK TTP Mapping:

MS.AAD.7.9v1 – User activation of other highly privileged roles SHOULD trigger an alert.

Resources

License Requirements

Security Solutions

8. Guest User Access

This section provides policies that help reduce security risks related to integrating M365 guest users. A guest user is a specific type of external user who belongs to a separate organization but can access files, meetings, Teams, and other data in the target tenant. It is common to invite guest users to a tenant for cross-agency collaboration purposes.

Policies

MS.AAD.8.1v1 – Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects.

MS.AAD.8.2v1 – Only users with the Guest Inviter role SHOULD be able to invite guest users.

  • Rationale: By only allowing an authorized group of individuals to invite external users to create accounts in the tenant, an agency can enforce a guest user account approval process, reducing the risk of unauthorized account creation.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.AAD.8.3v1 – Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.

  • Rationale: Limiting which domains can be invited to create guest accounts in the tenant helps reduce the risk of users from unauthorized external organizations getting access.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A

Our Expertise

Why Choose Crimson Line?

By partnering with Crimson Line, you gain access to a team of experts who are committed to enhancing your business’s productivity and security.

  01. Innovation: We stay ahead of the curve by embracing AI-driven tools like Copilot.
  02. Expertise: Our experienced team architects and manages cloud-native solutions.
  03. Cost-Effective: Enjoy the benefits of PaaS with minimal risk.
  04. Flexibility: We tailor solutions to meet your unique needs.

Get Started

Create a Customized Security Strategy

At Crimson Line, security is not just a product—it’s our commitment to your peace of mind.