Introduction
Securing Azure Entra ID (formerly Azure AD) is crucial for maintaining a robust security posture. This post covers essential security measures and how to implement them effectively.
Cleaning Up App Registrations
Identifying Unused Applications
First, identify app registrations with expired credentials:
```powershell
# List app registrations that have at least one expired secret or certificate.
# -All $true is needed: without it the cmdlet returns only the first page of results,
# so an audit over a large tenant would silently miss applications.
# (Azure AD module; the Microsoft Graph equivalent uses EndDateTime instead of EndDate.)
Get-AzureADApplication -All $true | Where-Object {
    ($_.PasswordCredentials.EndDate -lt (Get-Date)) -or
    ($_.KeyCredentials.EndDate -lt (Get-Date))
}
```
Verification Process
- Check service principal sign-in logs for the last 30 days
- Disable service principals showing no activity
- Delete the corresponding app registration
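The full cleanup loop (expired credentials, then a 30-day sign-in check, then disable and delete) as an added example; this is not code from the original post. It assumes the Microsoft Graph PowerShell SDK, including the beta Reports module for service-principal sign-ins, and an account holding Application.ReadWrite.All and AuditLog.Read.All. The `-Enforce` and `-Delete` switches are my own additions so that the default run only reports candidates.

```powershell
# Added example (not from the original post). Finds app registrations whose secrets and
# certificates have ALL expired, checks for service-principal sign-ins in the last 30 days,
# and only changes anything when -Enforce / -Delete are given.
param(
    [switch]$Enforce,   # disable the service principal of stale apps
    [switch]$Delete     # also delete the app registration (this removes the service principal too)
)

# Assumption: Microsoft.Graph and Microsoft.Graph.Beta.Reports modules are installed.
Connect-MgGraph -Scopes "Application.ReadWrite.All","AuditLog.Read.All","Directory.Read.All"

$now    = Get-Date
$cutoff = $now.ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($app in Get-MgApplication -All) {
    $creds = @($app.PasswordCredentials) + @($app.KeyCredentials)

    # Apps with no credentials at all (e.g. public clients) are out of scope here,
    # and any still-valid credential means the app is not a cleanup candidate.
    if ($creds.Count -eq 0) { continue }
    if ($creds | Where-Object { $_.EndDateTime -gt $now }) { continue }

    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" -ErrorAction SilentlyContinue
    if (-not $sp) {
        Write-Output "NO-SP  $($app.DisplayName) ($($app.AppId)): no service principal in this tenant"
        if ($Delete) { Remove-MgApplication -ApplicationId $app.Id }
        continue
    }

    # Service-principal sign-ins are exposed by the beta signIns endpoint only
    # (assumption: this filter shape is accepted by your tenant).
    $filter = "appId eq '$($app.AppId)' and createdDateTime ge $cutoff " +
              "and signInEventTypes/any(t: t eq 'servicePrincipal')"
    $recent = Get-MgBetaAuditLogSignIn -Filter $filter -Top 1

    if ($recent) {
        # Still in use even though every credential is expired: investigate, do not delete.
        Write-Output "KEEP   $($app.DisplayName): signed in within 30 days despite expired credentials"
        continue
    }

    Write-Output "STALE  $($app.DisplayName) ($($app.AppId)): expired credentials, no sign-ins in 30 days"
    if ($Enforce) {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
        Write-Output "       disabled service principal $($sp.Id)"
    }
    if ($Delete) {
        Remove-MgApplication -ApplicationId $app.Id
        Write-Output "       deleted app registration $($app.Id)"
    }
}
```

Run it once without switches and keep the output as the impact record; apps that still sign in with expired credentials are flagged KEEP because a sign-in after all credentials expired usually means a credential was rotated outside the registration you are looking at, which deserves a look before anything is disabled.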
Implementing MFA Requirements
Assessing MFA Status
Navigate to Authentication Methods > User Registration Details to identify users without MFA:
- Filter by “Not Capable”
- Create exclusion list for service accounts
- Document impact before enforcement
Creating Conditional Access Policy
```json
{
  "conditions": {
    "userRiskLevels": ["high"],
    "signInRiskLevels": ["high"],
    "applications": {
      "includeApplications": ["all"]
    }
  },
  "controls": {
    "authenticationStrength": {
      "requirementType": "mfa",
      "methodsType": "phishingResistant"
    }
  }
}
```
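The assessment steps above and the policy itself, carried through in one script as an added example (not code from the original post). It assumes the Microsoft Graph PowerShell SDK, an account with AuditLog.Read.All, Group.Read.All and Policy.ReadWrite.ConditionalAccess, and a pre-created group named `CA-Exclude-ServiceAccounts` holding the documented service-account exceptions; the group name and policy display name are my own choices. The policy is created in report-only mode, matching the rollout advice later in the post.

```powershell
# Added example (not from the original post): export users who are not MFA-capable,
# excluding a service-account group, then create the risk-based phishing-resistant MFA
# policy from the JSON above in report-only mode with that group excluded.
Connect-MgGraph -Scopes "AuditLog.Read.All","Group.Read.All","Policy.ReadWrite.ConditionalAccess"

# --- 1. Assess: who is "Not Capable" once service accounts are set aside? ---
$exclusionGroupName = "CA-Exclude-ServiceAccounts"   # assumed name; create the group beforehand
$excludeGroup = Get-MgGroup -Filter "displayName eq '$exclusionGroupName'"
if (-not $excludeGroup) { throw "Exclusion group '$exclusionGroupName' not found" }
$excludedIds = @((Get-MgGroupMember -GroupId $excludeGroup.Id -All).Id)

# Same data as Authentication Methods > User Registration Details in the portal.
$notCapable = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaCapable -and $_.Id -notin $excludedIds }

# --- 2. Document impact before enforcement ---
$report = ".\mfa-not-capable-$(Get-Date -Format yyyyMMdd).csv"
$notCapable |
    Select-Object UserPrincipalName, UserType, IsAdmin,
                  @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path $report -NoTypeInformation
Write-Output "$(@($notCapable).Count) users are not MFA-capable (details in $report)"

# --- 3. Create the policy in report-only mode ---
# Built-in authentication strength; looked up by name rather than hard-coding its id.
$strength = Get-MgIdentityConditionalAccessAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

$policy = @{
    displayName = "Require phishing-resistant MFA on high user and sign-in risk"
    state       = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
    conditions  = @{
        userRiskLevels   = @("high")
        signInRiskLevels = @("high")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($excludeGroup.Id)        # service-account exceptions
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Two things to check before flipping `state` to `enabled`: the CSV is the list of accounts that would be blocked on a risky sign-in, so each one needs either a registered phishing-resistant method or a place in the exclusion group; and, as in the JSON above, both `userRiskLevels` and `signInRiskLevels` are set, so the policy only fires when user risk and sign-in risk are both high. Drop one of the two conditions if you want a broader trigger.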
User Consent Restrictions
Blocking User Consent
- Navigate to Enterprise Applications > Consent and permissions
- Disable “Users can consent to apps accessing company data”
- Enable admin consent workflow
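The same two portal changes made through Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK, an account with Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest and User.Read.All, and a reviewer account whose UPN you substitute for the placeholder; the request-body shapes are those of the Graph SDK v2 cmdlets as I know them.

```powershell
# Added example (not from the original post): show the current user-consent setting,
# disable user consent, enable the admin consent workflow, and read both back.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConsentRequest","User.Read.All"

# Current state. A non-empty list here (typically the "...microsoft-user-default-legacy"
# policy) is the weak setting: users may consent to apps accessing company data.
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Output "Before: [$($before -join ', ')]"

# Hardened setting: no permission-grant policy assigned to users, so only admins can consent.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# Admin consent workflow: users who hit the consent block can request approval instead.
$reviewerUpn = "consent-reviewer@example.com"        # placeholder; use a real admin account
$reviewer    = Get-MgUser -UserId $reviewerUpn
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" }
    )
}

# Verify: empty grant-policy list and an enabled request policy.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Output "After:  [$($after -join ', ')] (empty = user consent disabled)"
Write-Output "Admin consent workflow enabled: $((Get-MgPolicyAdminConsentRequestPolicy).IsEnabled)"
```

If you would rather allow low-risk consent than block it outright, assign a scoped permission-grant policy here instead of an empty list; the read-back at the end tells you which setting is actually in force either way.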
Managing Enterprise Applications
- Review enterprise app usage patterns
- Document business-critical applications
- Implement regular review cycles
Best Practices
- Start policies in report-only mode
- Monitor impact through Azure Monitor
- Implement gradual rollout
- Maintain service account exceptions
- Document all policy changes
These measures significantly improve your security posture while maintaining operational efficiency.