TickYouOff
Sign in
Back
🔒

Microsoft Entra ID (Azure AD) — SCuBA Security Checklist

Hard 15 items · 4 hours
testuser's avatar
testuser Published 1 month ago
Security

This checklist consolidates core Secure Configuration Baseline (SCuBA) recommendations for Microsoft Entra ID (Azure AD). It’s designed for IT administrators and security teams securing cloud identities and access in enterprise or government environments.

Source: https://ncp.nist.gov/checklist/1082

Progress
0 / 15
  1. Enable multi-factor authentication for all users — Require MFA for interactive sign-ins and critical roles.
  2. Disable legacy authentication protocols — Block basic auth (IMAP, POP, SMTP AUTH, etc.) to reduce credential theft.
  3. Enforce Conditional Access policies for sign-ins and device compliance — Require compliant devices and MFA for risky or privileged access.
  4. Enable Azure AD Identity Protection — Activate tenant-level risk detection and reporting.
  5. Configure sign-in risk and user risk policies — Define actions (require MFA, block) for risk detections.
  6. Harden administrative accounts — Apply strict controls and monitoring to privileged identities.
  7. Remove unnecessary global administrators — Reduce number of permanent global admins; use least privilege.
  8. Enable Privileged Identity Management (PIM) for elevated roles — Require just-in-time elevation and approval for admin roles.
  9. Review and restrict application permissions and consent policies — Audit app permissions and block excessive delegated permissions.
  10. Enable auditing and logging for sign-ins and directory changes — Stream logs to a SIEM and enable adequate retention.
  11. Require device compliance and enroll devices in Intune — Use device compliance policy checks in Conditional Access.
  12. Configure password protection and smart lockout — Enforce banned password lists and lockout thresholds.
  13. Review external collaboration and guest user settings — Limit guest access scope and require guest MFA where appropriate.
  14. Apply cross-tenant access settings for inbound/outbound collaboration — Configure trusted tenant relationships and default restrictions.
  15. Monitor Secure Score and implement recommended remediations — Track improvements and prioritize high-impact fixes.
Sign in to save
📝 My Notes