Intermediate

Entra ID Security Hardening

Entra ID ships with permissive defaults that attackers love. Enforcing MFA through Security Defaults or Conditional Access, blocking legacy authentication, and restricting application consent turn a vulnerable tenant into a hardened one.

A brand-new Entra ID tenant comes with many features that make life easy for users, and just as easy for attackers. Legacy authentication (basic authentication over protocols such as IMAP, POP3 and SMTP AUTH, and older Office clients) cannot complete an MFA challenge, so password spraying is aimed at it. Unless consent settings have been tightened, users can consent to third-party applications that request broad delegated permissions, which attackers exploit for OAuth phishing (illicit consent grants). Guest users may have more directory visibility than they need. Admin roles may be assigned permanently instead of being made eligible through Privileged Identity Management. Entra ID security hardening systematically closes these gaps: enable Security Defaults or Conditional Access to enforce MFA everywhere (the two are mutually exclusive; tenants created since late 2019 have Security Defaults on unless an admin turned them off, and Conditional Access needs an Entra ID P1 licence), block legacy authentication, restrict user consent to admin-approved apps, configure Identity Protection policies for risky sign-ins (Entra ID P2), and audit all privileged role assignments. Exclude a dedicated emergency-access account from every blocking policy and roll new policies out in report-only mode first, so a mistake does not lock every administrator out.
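
The following is an added example, not code from the original page, showing the enforcement steps above with the Microsoft Graph PowerShell SDK: two Conditional Access policies created in report-only mode (block legacy authentication, require MFA) and the user consent setting restricted to the built-in "microsoft-user-default-low" grant policy. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can grant the requested scopes, and that $breakGlassGroupId is replaced with the object ID of a real emergency-access group.

```powershell
# Added example, not from the original page: apply the hardening steps with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed and
# the signed-in admin can grant these scopes. $breakGlassGroupId is a placeholder.
$scopes = @(
    'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.ReadWrite.Authorization'
)
Connect-MgGraph -Scopes $scopes

# Placeholder object ID of the emergency-access ("break-glass") group. Every policy
# excludes it so a bad policy cannot lock every administrator out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Security Defaults and Conditional Access are mutually exclusive: Entra ID will not
# enable a CA policy while Security Defaults are on. Create the policies report-only,
# validate them in the sign-in logs, and only then turn Security Defaults off.
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    Write-Host 'Security Defaults are on: policies are created report-only; disable Security Defaults only after validation.'
}

# Block legacy authentication. Basic-auth clients (IMAP, POP3, SMTP AUTH, older Office)
# show up as client app type "other" or "exchangeActiveSync"; none of them can do MFA.
$blockLegacy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # report-only until validated
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Require MFA for every user on modern (browser and modern-auth desktop/mobile) clients.
$requireMfa = @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$existing = Get-MgIdentityConditionalAccessPolicy
foreach ($policy in @($blockLegacy, $requireMfa)) {
    if ($existing | Where-Object { $_.DisplayName -eq $policy.displayName }) {
        Write-Host "Policy '$($policy.displayName)' already exists, skipping"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
    Write-Host "Created report-only policy '$($policy.displayName)'"
}

# Restrict user consent to the built-in "verified publisher, low-impact permissions"
# grant policy; any request outside that short list goes through admin consent instead.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}
# Verify the setting. An empty list would mean user consent is disabled entirely.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

While the policies are report-only, each sign-in log entry records a result of reportOnlySuccess or reportOnlyFailure for them; once the failures are only the legacy clients you intended to block, switch state to 'enabled' and then disable Security Defaults.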

When a new office building opens, all the doors default to unlocked, visitors can walk in freely, and there are no security cameras. The building works, but it is wide open. Hardening is the process of installing locks on every door (MFA), closing the side entrances (blocking legacy auth), requiring visitor sign-in (app consent policies), and installing cameras (audit logging). Entra ID tenants ship similarly open by default -- hardening closes these gaps systematically.

Key Takeaways

  1. Enable Security Defaults or Conditional Access with MFA as the absolute minimum for every Entra ID tenant.
  2. Block legacy authentication protocols: clients that use them cannot complete MFA, so a sprayed or phished password alone is enough, which makes them the top password spraying target.
  3. Restrict user consent for applications to prevent OAuth phishing and illicit consent grants.
  4. Use cloud-only accounts for privileged roles -- never sync Global Admin from on-prem AD.
  5. Stream sign-in and audit logs to a SIEM for detection of credential attacks and configuration changes.
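
To audit privileged role assignments (takeaway 4 and the audit step above), here is an added example that is not part of the original page. It lists every user holding Global Administrator, expands role-assignable groups, and flags members synced from on-premises AD, guest accounts, and disabled accounts that still hold the role; the final query, which needs Entra ID P2 (Privileged Identity Management), shows standing assignments that never expire. It assumes the Microsoft.Graph PowerShell SDK; the Global Administrator role template ID is Microsoft's fixed value and is the same in every tenant.

```powershell
# Added example, not from the original page: who holds Global Administrator, and
# which of those holders should not (synced, guest, disabled, or permanently assigned).
# Assumes the Microsoft.Graph PowerShell SDK; the PIM query at the end needs Entra ID P2.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Fixed Microsoft role template ID for Global Administrator (identical in every tenant)
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminFindings {
    $role = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $GlobalAdminTemplateId }
    if (-not $role) { throw 'Global Administrator role is not activated in this tenant' }

    # Direct members can be users, role-assignable groups or service principals;
    # expand groups so nested membership does not hide an account.
    $userIds = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'  { $m.Id }
            '#microsoft.graph.group' {
                (Get-MgGroupTransitiveMember -GroupId $m.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }).Id
            }
            default { Write-Warning "Non-user principal holds Global Admin: $($m.Id) ($($m.AdditionalProperties['@odata.type']))" }
        }
    }

    foreach ($id in ($userIds | Sort-Object -Unique)) {
        $u = Get-MgUser -UserId $id -Property Id,UserPrincipalName,UserType,AccountEnabled,OnPremisesSyncEnabled
        $issues = @()
        # A synced admin means an on-prem AD compromise becomes a tenant compromise.
        if ($u.OnPremisesSyncEnabled) { $issues += 'synced from on-prem AD' }
        if ($u.UserType -eq 'Guest')  { $issues += 'guest account' }
        if (-not $u.AccountEnabled)   { $issues += 'disabled but still assigned' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Issues            = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Get-GlobalAdminFindings | Format-Table -AutoSize

# Permanent vs eligible (PIM, Entra ID P2): an active schedule instance with
# AssignmentType 'Assigned' and no EndDateTime is a standing grant that never expires.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$GlobalAdminTemplateId'" |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime } |
    Select-Object PrincipalId, MemberType, StartDateTime
```

Run this on a schedule and diff the output against the previous run; a new row is either a change you approved or a persistence step an attacker took, and either way it belongs in the SIEM alongside the audit log stream from takeaway 5.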

Why Should I Care?

The default Entra ID configuration leaves multiple doors wide open for attackers. Hardening closes these gaps and is the foundation on which all other Entra ID security controls depend.

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.