Originally published March 31, 2023. Updated November 15, 2024.
GDPR law states that non-compliance with its data regulations can result in fines of up to $22.07 million or 4% of the company’s annual revenue, whichever is greater. As data protection regulations around the world ramp up enforcement with severe fines and penalties, it’s simply too expensive not to comply.
According to a study from Enlyft, Entra ID (formerly Azure AD) accounts for more than 8% of the market share under Identity and Access Management Platforms. That translates to thousands of enterprise customers both within and beyond the United States.
In this article, we’ll walk you through how to make sure that your identity management and access control policies are in line with regulations like HIPAA, GDPR, and more. We’ll share some of our tried and tested best practices for data security, with an emphasis on the principle of least privilege. Here’s a breakdown of what the article covers:
At CoreView, we’ve spent years perfecting an exhaustive set of Entra and Microsoft 365 best practices. These best practices have now become a baseline configuration that we recommend to all our clients to improve their security and compliance posture.
While needs can vary between organizations and businesses, this baseline provides an excellent starting point for developing more customized and thorough compliance policies and security-focused configurations across Entra.
You shouldn’t hand out Global Administrator privileges in Entra to every single user with admin duties. Instead, Microsoft recommends having no more than 5 global admins and using specialized roles and user groups to assign limited admin privileges to other key personnel.
Moreover, employees with admin privileges should use separate accounts for their admin duties, so that the everyday accounts they use for apps and email cannot be abused as a stepping stone into their admin accounts.
It’s also wise to configure a set of emergency access admin accounts as a backup plan in case all your admin accounts are somehow compromised. These accounts should all have global admin roles and use different multi-factor authentication methods for login. It’s also important to ensure that these accounts are only used in case of actual emergencies.
As the primary entry point to all services and applications associated with Microsoft 365, Entra ID offers a host of authentication methods depending on the circumstance.
Password-based authentication is the most basic and common authentication method. The user supplies a username and password to access the service. While it still provides a baseline level of protection, it is susceptible to brute-force attacks and password reuse, which makes it less secure than the other options described here.
Multi-factor authentication (MFA) adds an extra layer of security by requiring a user to provide another form of authentication. This could be a code sent to the user's email or phone, or a physical token. This is a much more secure option as it reduces the risk of malicious actors using stolen credentials to gain access.
Passwordless authentication involves the user authenticating without the need for a password. This can be done through biometric data, such as a fingerprint or face recognition, or through a token, such as a USB key. This method is highly secure because there is no password for a malicious actor to steal, guess, or reuse.
While Microsoft imposes a fee for all MFA verifications performed using non-Microsoft accounts, you should at least enable multi-factor or passwordless authentication for all your global admins.
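The two admin-account recommendations above (no more than five Global Administrators, and MFA for every one of them) can be audited in one pass. The script below is an added example, not CoreView's or Microsoft's own code; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account may read role assignments and the authentication-method registration report.

```powershell
# Added example: audit Global Administrator assignments against the recommendations above.
# Assumes the Microsoft.Graph SDK; Get-MgReportAuthenticationMethodUserRegistrationDetail
# lives in the Microsoft.Graph.Reports module and needs an Entra ID P1/P2 tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", `
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$maxGlobalAdmins = 5   # Microsoft's recommended ceiling, as stated above

# Directory roles list only *active* assignments; PIM-eligible assignments do not appear here.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Separate user objects from role-assignable groups and service principals.
$users  = $members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }
$others = $members | Where-Object { $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user' }

$report = foreach ($u in $users) {
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $u.Id
    [pscustomobject]@{
        UserPrincipalName = $u.AdditionalProperties.userPrincipalName
        MfaRegistered     = $reg.IsMfaRegistered
        Methods           = ($reg.MethodsRegistered -join ', ')
    }
}

$report | Sort-Object MfaRegistered | Format-Table -AutoSize

# Findings, in the order the article raises them.
if ($users.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($users.Count) Global Administrators found; recommended maximum is $maxGlobalAdmins."
}
$noMfa = $report | Where-Object { -not $_.MfaRegistered }
if ($noMfa) {
    Write-Warning "Global Administrators without MFA registered: $($noMfa.UserPrincipalName -join ', ')"
}
if ($others) {
    # Groups or apps holding the role widen the set of people who can reach it.
    Write-Warning "Non-user principals hold Global Administrator: $($others.Id -join ', ')"
}
```

Emergency access accounts will show up in the count, which is intended: they should be few, and the report confirms they have their own MFA methods registered.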
User groups are an effective tool that can be used to manage access in Microsoft 365 and Entra. By creating user groups, you can centralize access control and ensure that users and admins only have access to the resources they need.
You can use groups to provide different levels of access to different users. Administrators can assign roles to each user group, such as access to specific applications and services or the ability to modify certain settings. This ensures that users only have the necessary access to resources and reduces the risk of data breaches from privileged users.
User groups can also be used to control administrative privileges within the organization. Global Administrators can set up user groups with different levels of access to specific administrative functions, such as creating new users, managing devices, and managing groups. This helps to ensure that only the necessary personnel have access to administrative privileges.
Conditional Access Policies (CAP) are a set of rules in Entra (Azure AD) that define the conditions under which a user can access resources.
These policies control who can access what, where, and when. CAPs allow organizations to define granular access control parameters, such as requiring multi-factor authentication for accessing data and allowing access only from specific locations or devices.
Conditional Access Policies provide much more granular control over access to resources than the cookie-cutter Security Defaults offered by Microsoft. Microsoft now also ships a series of ready-made Conditional Access templates in Entra ID, offering a quicker way to get started.
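The policy below puts the earlier recommendations together: it requires MFA for anyone holding the Global Administrator role, and it excludes the emergency access accounts so a misconfigured policy or an MFA outage cannot lock every administrator out. This is an added example rather than CoreView's or Microsoft's code; it assumes the Microsoft.Graph SDK, and the break-glass account names are placeholders for your own.

```powershell
# Added example: a Conditional Access policy requiring MFA for Global Administrators,
# created in report-only mode. Assumes the Microsoft.Graph SDK and the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All" -NoWelcome

# Resolve the role template ID at run time instead of hard-coding the GUID.
$gaTemplate = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'

# Placeholder emergency access accounts; these use their own MFA methods (see above)
# and are excluded so this policy can never lock the whole tenant out.
$breakGlass = @('breakglass1@contoso.example', 'breakglass2@contoso.example') |
    ForEach-Object { (Get-MgUser -UserId $_).Id }

$policy = @{
    displayName   = "Baseline: require MFA for Global Administrators"
    # Report-only first: review the sign-in log impact, then switch state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles = @($gaTemplate.Id)   # targets the role, not a list of named users
            excludeUsers = $breakGlass
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```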
Privileged Identity Management (PIM) in Entra is a security feature that gives organizations control over who has access to the most powerful roles and resources.
With PIM, administrators can control who can perform privileged actions when, as well as audit and review those activities. This improves overall security by limiting the risk of accidental or malicious activity, while also improving compliance with industry standards and regulations.
For example, PIM allows organizations to assign privileged roles to users for a specific time period or for a specific task — this is called Just-In-Time (JIT) Access. After the allotted time is up, or the task is complete, the access is automatically revoked.
If your M365 license includes a Premium P2 subscription, you already have access to Privileged Identity Management and can start using it to immediately secure access to your organization’s most important roles in Microsoft 365.
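The JIT flow described above, as an added example (not CoreView's or Microsoft's code): an admin who is already eligible for a role requests a time-bound activation, and PIM removes it automatically when the window closes. It assumes Entra ID P2 and the Microsoft.Graph SDK; the role name, four-hour window and ticket reference are illustrative placeholders.

```powershell
# Added example: request Just-In-Time activation of a PIM-eligible role for the
# signed-in admin. Assumes Entra ID P2, the Microsoft.Graph SDK, and that the caller
# already holds an *eligible* assignment for the role.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", `
                        "RoleManagement.Read.Directory" -NoWelcome

$me   = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

$request = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                         # tenant-wide scope
    justification    = "INC-PLACEHOLDER: mailbox migration"   # recorded in the PIM audit log
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # PIM revokes the assignment automatically when this duration elapses.
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request $($result.Id) is '$($result.Status)'; expires after $($request.scheduleInfo.expiration.duration)"

# Review what is actually active for this principal right now (the audit trail mentioned above).
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($me.Id)'" |
    Select-Object RoleDefinitionId, StartDateTime, EndDateTime, AssignmentType
```

If the role's PIM settings require approval, the request status will read as pending until an approver acts on it.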
Entra ID (Azure AD) is a complex platform with hundreds of settings and configurations that can take days to learn and months to master. If you want to scale up your compliance posture in Microsoft 365 but don’t have the time to start from a blank slate in Entra, consider automating the process with a platform like CoreView.
With CoreView, you can automate the entire Entra ID configuration process through our no-code web portal. You can use it to apply our security baseline, complete with all its best practices, to your tenant with a single click.
Moreover, CoreView also allows you to:
You can have complete peace of mind knowing that changes made to your production environment are properly documented and accounted for, and that all permissions are granted according to the principle of least privilege.
Ready to see CoreView in action? Schedule a free demo today!