Now that we have created our Azure/Microsoft 365 tenant, let’s apply security practices to protect our organization’s users and data.
Security defaults
This feature applies Microsoft's baseline recommended security settings to the tenant. Once enabled, it will:
Require all users to register for Azure Multi-Factor Authentication (MFA).
Require administrators to perform MFA before performing privileged actions.
Block legacy authentication protocols that don't support modern authentication.
Automatically protect user accounts from identity attacks such as password spray and brute force.
Let’s go ahead and configure it:
As we can see, it's already enabled:
This matches the Security Defaults article, which states: "If your tenant was created on or after October 22, 2019, security defaults might be enabled in your tenant. To protect all of our users, security defaults are being rolled out to all new tenants at creation."
Since our tenant was created recently, it came with security defaults enabled, as shown below:
Let’s test by creating a test user:
When we try to log in, we are asked to set up Multi-Factor Authentication (MFA); we can skip this for up to 14 days:
If we go next, we can set up Microsoft Authenticator on the user's phone and the user is able to log in without any issues.
And then we log in successfully:
Now notice the following: if we sign out and sign back in,
we are allowed to sign in without any MFA prompt:
Why is that?
Because security defaults only forced the user to register an MFA method; they do not require MFA on every sign-in (Microsoft prompts when it considers it necessary). Nothing in the tenant currently enforces MFA for this user at sign-in.
NOTE: We can set up Phone numbers and Email as MFA methods but Microsoft recommends using the Authenticator app instead.
Let's fix it.
First, we need to disable Security Defaults, because they cannot coexist with Conditional Access policies. Keep in mind that this also drops everything Security Defaults provided (MFA registration, admin MFA, the legacy authentication block), so the Conditional Access policies we build afterwards should cover those protections too:
Navigate to MFA Settings:
MFA is Disabled for all users:
We have 2 options:
Enable MFA per user
Enable/Enforce MFA with Conditional Access policies (Microsoft recommendation)
Conditional Access
Let’s go with the Conditional Access Policy option:
Navigate to: Conditional Access
Conditional Access is a Microsoft Entra ID P1 feature, so the free tenant cannot create policies. Let's get the Microsoft Entra Suite trial, which covers it:
Once enabled, let's assign it to our Superadmin:
Now if we go back to Conditional Access
We can create a new policy:
Let's now create a Conditional Access policy that enforces MFA only for HR (members of the HR Microsoft 365 Group):
We can confirm that it was created successfully:
Testing:
Once logged in we will be asked to set up Multifactor Authentication (MFA)
Then we can download the Microsoft Authenticator App to our phone and follow the instructions:
And we are in!
Now every time an HR group member tries to sign in to any Microsoft 365 app (including Outlook on the web), they will be required to approve the sign-in request:
Let's now create a Conditional Access policy that prevents HR group members from opening their Microsoft 365 apps (including Outlook) outside of the office location:
Let’s create a new named location:
Then let’s create a new policy
Navigate to: Conditional Access
After the policy is created we can check our named location Beyond Bare Metal HQ:
Notice it now shows that it is referenced by the recently created policy.
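Both policies above (MFA for the HR group, and blocking HR outside the office) can also be created from Microsoft Graph PowerShell, which is handy for keeping the configuration reviewable and repeatable. The script below is an added example and is not part of the original post. It assumes the Microsoft.Graph module is installed, that the HR group is named "HR", and uses placeholder values for the break-glass account UPN and the HQ CIDR (the post only shows that the HQ public IP starts with 16.x). Both policies start in report-only mode so their effect can be checked in the sign-in logs before anyone is locked out.

```powershell
# Added example (not from the original post): build the named location and the two
# Conditional Access policies from this post with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; HR group display name "HR";
# breakglass@beyondbaremetal.com and 203.0.113.10/32 are placeholders to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

$hrGroup    = Get-MgGroup -Filter "displayName eq 'HR'"
# Always exclude an emergency-access account so a bad policy cannot lock every admin out
$breakGlass = Get-MgUser -UserId "breakglass@beyondbaremetal.com"   # placeholder UPN

# 1. Named location for the office. Replace the CIDR with the real HQ public IP range.
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Beyond Bare Metal HQ"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }  # placeholder
    )
}

# 2. Require MFA for HR members on every cloud app (report-only first)
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA - HR"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($hrGroup.Id); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Block HR members outside the office: match all locations, except the HQ named location
$geoPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block HR outside HQ"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($hrGroup.Id); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($hq.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# After reviewing the report-only results in the sign-in logs, switch each policy to enforced:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfaPolicy.Id -BodyParameter @{ state = "enabled" }
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $geoPolicy.Id -BodyParameter @{ state = "enabled" }
```

The location policy is written as "all locations except HQ" rather than "only non-HQ locations" because that is how Conditional Access models the exclusion; a sign-in from an IP outside the HQ range is therefore blocked, exactly what we test next.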
Testing:
Let’s try logging in to Outlook web from outside the office with teddy@beyondbaremetal.com (an HR group member).
We get the following error:
Now let’s verify the Sign-in logs:
Navigate to: Conditional Access
Notice that the public IP starts with 150.x, which is different from the public IP of Beyond Bare Metal HQ (16.x). We can select that event and see more information:
As we see it was blocked by the Conditional Access policy previously created:
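The same check can be scripted against the sign-in logs, which is useful when you want to review many attempts or confirm a report-only policy before enforcing it. This is an added example, not code from the post; it assumes the Microsoft.Graph module and a role that can read audit logs, and queries the user the post tested with.

```powershell
# Added example (not from the original post): list recent sign-ins for the tested user and
# show which Conditional Access policy produced the failure. Assumes Microsoft.Graph module.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'teddy@beyondbaremetal.com'" -Top 20

$signIns | ForEach-Object {
    # Policies whose result was "failure" are the ones that actually blocked the sign-in;
    # "reportOnlyFailure" would indicate a policy still in report-only mode.
    $blockedBy = $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -in @("failure", "reportOnlyFailure") } |
        ForEach-Object { "$($_.DisplayName) ($($_.Result))" }

    [pscustomobject]@{
        Time      = $_.CreatedDateTime
        App       = $_.AppDisplayName
        IP        = $_.IpAddress
        CAStatus  = $_.ConditionalAccessStatus   # success / failure / notApplied
        ErrorCode = $_.Status.ErrorCode          # 53003 = access blocked by Conditional Access
        BlockedBy = ($blockedBy -join "; ")
    }
} | Format-Table -AutoSize
```

A blocked attempt shows ConditionalAccessStatus "failure" with error code 53003 and the "Block HR outside HQ" policy in BlockedBy; an HQ sign-in shows "notApplied" for that policy because the HQ location is excluded.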
Working!
Password Policies
Unfortunately, we are not able to modify the password complexity rules for cloud user accounts the way we can with a domain password policy on an on-premises Windows Server:
The KB Password policies and account restrictions in Microsoft Entra ID explains:
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. Some of these password policy settings can't be modified, though you can configure custom banned passwords for Microsoft Entra password protection or account lockout parameters.
By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. The user is locked out for one minute. The lockout duration increases after further incorrect sign-in attempts. Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, they aren't locked out. You can define the smart lockout threshold and duration.
The following Microsoft Entra password policy options are defined. Unless noted, you can't change these settings:
| Property | Requirements |
| --- | --- |
| Characters allowed | A – Z, a – z, 0 – 9, @ # $ % ^ & * - _ ! + = [ ] { } \| \ : ' , . ? / ` ~ " ( ) ; < >, blank space |
| Characters not allowed | Unicode characters |
| Password restrictions | A minimum of 8 characters and a maximum of 256 characters. Requires three out of four of the following types of characters: lowercase characters, uppercase characters, numbers (0-9), symbols (see the allowed characters above). |
| Password expiry duration (maximum password age) | Default value: 90 days. If the tenant was created after 2021, it has no default expiration value. You can check the current policy with Get-MgDomain. The value is configurable by using the Update-MgDomain cmdlet from the Microsoft Graph module for PowerShell. |
| Password expiry (let passwords never expire) | Default value: false (indicates that passwords have an expiration date). The value can be configured for individual user accounts by using the Update-MgUser cmdlet. |
| Password change history | The last password can't be used again when the user changes a password. |
| Password reset history | The last password can be used again when the user resets a forgotten password. |
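The two expiry settings in the table are the ones we can actually change, and the table names the cmdlets for them. The script below, added here as an example rather than taken from the post, shows how to read and set them. It assumes the Microsoft.Graph module, the custom domain beyondbaremetal.com used in this series, and a placeholder break-glass UPN.

```powershell
# Added example (not from the original post): read and set password expiry with Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; breakglass@beyondbaremetal.com is a placeholder UPN.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.ReadWrite.All"

# 1. Current expiry policy per domain. A null PasswordValidityPeriodInDays on a recent tenant
#    means "no expiration" (the table's post-2021 default).
Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# 2. Set a 180-day expiry with a 14-day warning on the custom domain (illustrative values).
Update-MgDomain -DomainId "beyondbaremetal.com" -PasswordValidityPeriodInDays 180 -PasswordNotificationWindowInDays 14

# To make passwords never expire for the whole domain, the validity period is set to 2147483647 days:
# Update-MgDomain -DomainId "beyondbaremetal.com" -PasswordValidityPeriodInDays 2147483647

# 3. Per-user override: a break-glass account should never expire, so it cannot be locked out
#    by an expiry while you are trying to recover the tenant. (placeholder UPN)
Update-MgUser -UserId "breakglass@beyondbaremetal.com" -PasswordPolicies "DisablePasswordExpiration"

# 4. Audit who has the override, since it is easy to forget it was set on a normal account.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -match "DisablePasswordExpiration" } |
    Select-Object UserPrincipalName, PasswordPolicies
```

Step 4 is the one worth scheduling: a per-user "never expire" flag survives changes to the domain policy, so it needs its own review.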
But there are a few settings we can adjust:
Password Protection:
Navigate to Microsoft Entra Admin Center > Password protection
Here we can set the following settings:
Lockout threshold: How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again.
Lockout duration in seconds: The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases.
Custom banned passwords: Passwords we don’t want to set up for our users.
Enable password protection on Windows Server Active Directory: Only relevant for hybrid environments; it takes effect once the Microsoft Entra Password Protection proxy service and DC agents are deployed in the on-premises forest (Entra Connect sync alone does not enforce it).
Mode: If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
Test:
After 3 failed attempts we are locked out:
Self-service password reset:
NOTE: To use this feature, the user must already have a Multifactor Authentication method set up.
Now let's allow our users to reset their own passwords. This comes in handy to reduce the number of helpdesk tickets and IT interventions overall.
Navigate to: Microsoft Entra admin center and select All:
Once hit Save we get the confirmation:
Testing:
We will be required to Authenticate ourselves via Multifactor Authentication (MFA)
Once authenticated we can enter the new password and Finish:
Success:
Conclusion
This post explored essential security practices for Microsoft 365 tenants, focusing on comprehensive protection strategies. We implemented conditional access policies to enforce multi-factor authentication, control user access, and set up sophisticated password protection mechanisms. Organizations can significantly enhance their digital security posture by leveraging Microsoft Entra's security features like MFA, location-based restrictions, and self-service password reset. These configurations provide a robust framework for protecting user identities, preventing unauthorized access, and reducing potential security vulnerabilities across the Microsoft 365 environment.
The next steps will be expanding the Microsoft 365 setup with additional features for Groups, and Rules.
Stay tuned for more content.
Thanks for reading!
Link to the series 👉 beyondbaremetal.hashnode.dev/series/beyond-..