Originally published November 15, 2022, updated October 30, 2024

50%+ of Microsoft 365 users are not currently covered by default security and governance policies. Not to mention, IDSA figures that an eye-watering 84% of firms experienced identity-type breaches in 2022. So, it’s fair to say identity management needs a major overhaul for most companies. 

This article covers: ‍

• The Types of Microsoft Identities
• Access Control and Authentication Best Practices
• Identity Governance for Inactive Users, Guest Users, and External Users
• Alternative Way to Govern Identities and Access in M365

Identity Governance: The Three Microsoft Identities

The purpose of Identity governance is to protect, manage, and authorize access to software systems by only approving access after the username and password have been validated. There are 3 different Microsoft 365 identity types you can deploy, depending on your company's needs and the infrastructure you have in place: cloud-only identities, synchronized identities, and federated identities.

Below are each of these identity types in Microsoft:

Cloud-only identities

All Microsoft 365 user accounts and their passwords are stored, managed, and verified in Entra ID. Because Entra ID doesn’t sync with other company systems, any time a user resets their Microsoft 365 password, it doesn’t impact their other account logins.  

Synchronized identities

Synchronized identity should be used if you’re already using Active Directory for your central list of user accounts or if you want to leverage Multi-Factor Authentication (MFA) with Entra ID. 

Entra ID Connect's software utility synchronizes Active Directory Domain Services (AD DS) user accounts into Entra ID.  

So, users log into Microsoft 365 with the same credentials. This makes for a better user experience, but the sync only flows 1 way. User accounts must always be managed in AD DS with tools such as Active Directory admin center, or Microsoft PowerShell. 

Also, you need to decide where the authentication occurs.  

• Password Hash Synchronization (PSH) is cloud authenticated. Entra ID authenticates a hash of a hashed version of both the user account name and the password. This option transfers a hashed version of passwords to the cloud for authentication, supporting cloud-based identity checks.‍
• Pass-through Authentication (PTA) is authenticated on-premises with AD DS. Entra ID Connect's Pass-through Authentication (PTA) enables password validation directly against the on-premises AD without storing user passwords in the cloud. This is a good option where stricter authentication or compliance regulations are needed.

Federated identities

Federated Identity requires Active Directory Federation Services, (AD FS) to be in place. It’s more suitable for large enterprise organizations with scalable infrastructure and companies with enhanced security requirements (such as smart cards, work-hour restrictions or fingerprint identification).

With federated identity, a partnership, or federation is formed between your on-premises Active Directory and Entra ID in the cloud. AD FS automatically synchronizes user accounts and attributes with Entra ID Connect but accounts are maintained through Active Directory or your third-party tool.  

Organizations increasingly prefer third-party federation solutions or Microsoft Entra ID Conditional Access with SSO, as AD FS is less frequently recommended due to complexity.

User experience is improved with federated identity, as users use single sign-on like the PTA authentication above. However, unlike cloud identity, federated identity is environment-dependent so any on-premises issues will impact Microsoft 365 connectivity.  

For this reason, both synchronized and federated identities should have a cloud administrator account configured to ensure Microsoft 365 is always accessible.    

Access Control and Authentication Best Practices for Microsoft 365

Enable Multi-Factor Authentication

Enable multi-factor authentication (MFA) for all users Microsoft 365’s conditional access policy allows for custom MFA requirements under specific conditions. However, unconfigured default MFA methods leave organizations vulnerable.  

If a hacker gains access to a user’s credentials and sets the MFA method, they obtain unauthorized access to Microsoft 365. One of the most effective ways to secure your data is by implementing multi-factor authentication (MFA) for all users. MFA provides an additional layer of protection beyond the traditional username and password by requiring the user to provide a second form of verification, such as a fingerprint, facial recognition, or a one-time code sent via text message.  

MFA default policies in Microsoft 365 are pre-configured, but organizations often need to customize them via Conditional Access to meet specific security needs. Relying solely on these defaults without customization could leave gaps.

By implementing MFA for all users, organizations can protect sensitive information, prevent account takeovers, increase security for cloud-based services, meet regulatory requirements, and provide a simple and effective solution for enhancing security.

To automate the MFA process, your action plan should include these steps:

• Run regular audits by generating a report that identifies users, including other M365 admins, without multi-factor authentication enabled.  
• Schedule the remediation action to recur on a weekly, monthly, or yearly basis.  
• Configure the workflow to alert the Microsoft admin responsible for MFA if the workflow fails.

Cloud Administrators Must Use Strong Passwords

Admin accounts with cloud identities in Microsoft 365 must be managed meticulously. Strong passwords are vital as administrators have access to sensitive information and control over crucial settings and configurations. Weak passwords put this information at risk of compromise.  

Microsoft 365 admin accounts with cloud identities are entirely managed in the cloud, meaning on-premises identity policies are not applied to these admins, potentially increasing the risk of unauthorized access or a breach.  

Consider using password policies alongside Entra Password Protection for complex password enforcement.

A compromised cloud identity admin account can lead to a significant security breach, as the attacker would have access to sensitive information and control over essential settings and configurations. In some cases, regulations may require additional security measures for cloud-based admin accounts, such as two-factor authentication or monitoring of administrative activity.

Your action plan should include these steps:  

• Regularly run audits to identify admin accounts with weak passwords.
• Schedule the remediation action to recur on a weekly, monthly, or yearly basis.  
• Configure the workflow to alert the Microsoft admin responsible for password security if the workflow fails.

Admins must use passwordless login solutions  

While there are no specific regulations that mandate changing admin passwords on a regular basis, security guidelines from various authorities recommend doing so to maintain the security of an organization’s information systems.  

Follow these steps to enforce this best practice:

• Set a policy to change admin passwords every 90 days.  
• Schedule the password change to recur every 90 days.
• Send attestation to the manager (or a custom address), with the option to include an additional message.  
• Configure the workflow to alert the Microsoft admin responsible for password management if the workflow fails.

Identity Governance for Inactive Users, Guest Users, and External Users in Microsoft 365

Block credentials of users inactive after 60 days  

Inactive user accounts with unblocked credentials pose a significant security risk to your Microsoft 365 environment. These accounts may still have access to sensitive information such as data and emails. If compromised, they could lead to data breaches, unauthorized access, and potential compliance violations.  

By reducing the number of active user accounts, you decrease your system’s attack surface, providing fewer opportunities for attackers. Blocking credentials of inactive users after 60 days minimizes the risk of security breaches and better protects your sensitive information.

Include these steps in your action plan:

• Set a time-out period for the inactive users (minimum: 1 day, maximum: 180 days).
• Regularly run audits to identify user accounts that have been inactive for more than 60 days.  
• Upon identifying inactive users, send an attestation to the manager or a custom address, with the option to include an additional message.  
• Schedule the remediation action to recur on a weekly, monthly, or yearly basis.  
• Configure the workflow to alert the Microsoft admin responsible for user activity monitoring if the workflow fails.

To automate your action plans, consider using Power Automate, Entra ID’s built-in-automation, or CoreView’s automated workflows.

Remove inactive guests after 90 Days  

While no specific regulation mandates the removal of inactive external users, it is considered a best practice for security and privacy reasons. Cybersecurity standards, such as ISO 27001 and NIST SP 800-53, recommend regular reviews and removal of inactive user accounts to minimize the risk of unauthorized access and potential data breaches. These standards also emphasize implementing access control and maintaining an accurate inventory of system users.  

To streamline the process of monitoring inactive users, consider using Entra Access Reviews. This function can help you manage user and group access with customizable review settings, automated access recertifications, and compliance and audit support.

Here are the recommended steps to complete this action:

• Set a policy to identify and remove guest users who have been inactive for more than 90 days.  
• Schedule the remediation action to recur on a weekly, monthly, or yearly basis.  
• Configure the workflow to alert the Microsoft admin responsible for guest user activity monitoring if the workflow fails.  

Regularly review and manage external users in Microsoft 365 groups

External users, especially those without proper training and security awareness, can increase the risk of a security breach or unauthorized access to your data. It’s crucial to have proper policies and guidelines in place for external users and ensure ongoing monitoring and security training to minimize these risks.  

While reviewing external users, consider using Microsoft Entra Access Reviews and Privileged Identity Management (PIM) features to help manage guest user access more dynamically.

Enforce this best practice with these steps:

• Regularly run audits to identify external users in the Microsoft 365 group.  
• Remove external users who are no longer necessary from the Microsoft 365 group.  
• Send attestation to the group owners or a custom address, with the option to include an additional message.  
• Schedule the remediation action to recur on a weekly, monthly, or yearly basis.  
• Configure the workflow to alert the Microsoft admin responsible for Microsoft 365 group management if the workflow fails.

Regularly review and manage external users in security groups  

Just like with Microsoft 365 groups, external users in security groups can pose a risk if not properly managed. Regular monitoring, training, and adequate access control measures need to be in place to minimize risks associated with external users in security groups.  

Here are the steps to take to enforce this policy:

• Regularly run audits to identify external users in the security groups.  
• Remove external users who are no longer necessary from the security groups.  
• Send attestation to the group owners or a custom address, with the option to include an additional message.  
• Schedule the remediation action to recur on a weekly, monthly, or yearly basis.
• Configure the workflow to alert the Microsoft admin responsible for security group management if the workflow fails

The Alternative Way to Govern Identities and Access in Microsoft 365

Setting up complete identity and access governance policies can be complex, especially for organizations with large user bases or intricate access structures. Plus, with over 5,000 configurations in Microsoft 365, your hard-working teams miss critical risks like external or anonymous users in collaboration environments, mailboxes with dangerous mail-forwarding, or files that are being shared externally.

With CoreView, you can continuously monitor your governance posture and auto-detect risky access. The platform even triggers automated remediations to ensure that your ideal policies are enforced—without your IT team having to work overtime.  

Dive deeper into CoreView’s automated governance and policy enforcement for identity and access management.

Or, access a free copy of our Microsoft 365 Governance Best Practices Guide. The guide not only covers identity and access governance best practices, but it also covers best practices for Teams, SharePoint, Exchange, and more.