Protect all users with MFA

This is the starting point of securing your environment


Last updated 4 months ago

Problem description:

Most companies have started an MFA registration campaign to make sure that all users use MFA when signing in. Many have also trained their end users in how to detect phishing and so on.

One big problem is how to handle all the inactive users, service accounts, resources and the like. It is common to allow end users to register MFA from anywhere. Until that registration happens, the password is the only protection for those accounts, which leaves them vulnerable to password sprays.

If the account of your previous CFO, who left the company 7 years ago, wasn't deleted because of a gap in the offboarding routine, is that account protected with registered MFA?

Token theft is also popular amongst attackers. Helping your end users protect themselves by providing phishing-resistant MFA or passwordless sign-in prevents tokens from being stolen by fake or malicious websites and other phishing attacks. Adopting a passwordless and phishing-resistant strategy is easier than you might think. Jonathan Edwards created a great video for inspiration and a demo on how to achieve Phishing Resistant MFA for New Users in Microsoft 365.

MFA is the foundation of securing your environment, and we encourage everyone to spend an hour watching John Savill explaining Protecting Against Credential and Token Theft.

General considerations:

Normal user accounts should be protected from the time of creation, meaning you should ensure that no one other than the person (or service) the account was created for can start using it by guessing the correct username and password.

Some organisations choose to create users with extremely long and complex passwords, some create them as disabled so that end users need to contact support to get them enabled, and some pre-register an authentication method such as phone or SMS.

Using a Temporary Access Pass (TAP) in combination with an MFA requirement to register security information can be a great way of enhancing your process on onboarding new users.

Many accounts, such as meeting rooms, shared resources and service accounts, don't support traditional two-factor authentication. Protect these accounts by creating specific conditional access rules that restrict how they can be used.

The Bsure Insights - Security - Authentication Methods report lists all accounts that are available to anyone who guesses the correct username and password:

Bsure recommendations:

Require MFA for all users:

  • Require that all users register MFA regardless of location

  • Exceptions only for service accounts and location-based users. Create specific named network locations and separate conditional access rules that allow these accounts to be used only from specific IP addresses.

Protect registration of security information

Ensure that the security information registration page is protected. Guessing the correct username and password will then not be sufficient to take over an unused identity within your Entra ID.

  • Under Session, add sign-in frequency = Every time

Change the process for how you onboard new users.

This requires that users are allowed to change their password in Entra ID (self-service password reset) if passwords are needed.

  • Create new users as you always have, but with a crazy long and complex password that you then simply forget.

  • Create and provide a temporary access pass when the user or manager requests it.

  • Sign in and follow the wizard to register security information.

  • Follow the self-service password reset instructions.

This way you ensure that inactive accounts that never completed MFA registration can't be taken over by attackers.

Create a conditional access rule to enforce MFA in your organization.

Provide only the MFA methods you want to support.

Create a conditional access policy to require MFA every time a user wants to register security information.

Make sure you exclude all guest accounts (already taken care of if you use the provided securing security information template, see https://learn.microsoft.com/en-gb/entra/identity/conditional-access/howto-conditional-access-policy-registration).

The end user goes to https://aka.ms/mysecurityinfo, types in their username and is asked for the temporary access pass:

When done, the user should set a new password if needed using the link provided on https://mysignins.microsoft.com/security-info.
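The two building blocks of the recommendation above, the conditional access policy that protects security-information registration and the Temporary Access Pass used for onboarding, as an added Microsoft Graph PowerShell example that is not part of the Bsure documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin is granted the Policy.ReadWrite.ConditionalAccess and UserAuthenticationMethod.ReadWrite.All scopes, that TAP is enabled in the tenant's authentication methods policy, and that the user name and break-glass group are placeholders; the policy is created in report-only mode so it can be reviewed before it is enforced.

```powershell
# Added example (not Bsure's code). Requires the Microsoft.Graph PowerShell SDK.
# Assumed scopes: Policy.ReadWrite.ConditionalAccess, UserAuthenticationMethod.ReadWrite.All
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "UserAuthenticationMethod.ReadWrite.All"

# 1. Conditional access policy: require MFA every time a user registers security info.
#    Guests are excluded, as the page recommends. Add your emergency-access (break-glass)
#    group to excludeGroups before switching the policy from report-only to enabled.
$policy = @{
    displayName = "Protect security information registration"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeUsers  = @("GuestsOrExternalUsers")  # guest accounts are excluded
            excludeGroups = @("<break-glass-group-object-id>")  # placeholder
        }
        applications   = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        # "Under Session, add sign-in frequency = Every time" from the recommendation
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# 2. Onboarding: a single-use TAP for a new user whose initial password was never shared.
#    TAP must already be enabled in the tenant's authentication methods policy.
$userUpn = "new.user@contoso.example"   # placeholder, replace with the real UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -BodyParameter @{
    lifetimeInMinutes = 60      # short lifetime: the pass is only for the first sign-in
    isUsableOnce      = $true   # single use, so it cannot be replayed after registration
}
"TAP for $userUpn (valid $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"
```

Review the report-only sign-in logs for the new policy before changing its state to enabled, so that accounts that cannot satisfy MFA (service accounts, shared resources) are identified and handled by their own conditional access rules first.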

It is common to find many accounts with this status in the report. These are normally accounts that haven't been used in many years, service accounts and the like.

Links referenced on this page:

  • Bsure Insights - Security - Authentication Methods
  • Securing security information registration template: https://learn.microsoft.com/en-gb/entra/identity/conditional-access/howto-conditional-access-policy-registration
  • My Security Info: https://aka.ms/mysecurityinfo
  • https://mysignins.microsoft.com/security-info
  • Phishing Resistant MFA for New Users in Microsoft 365 (Jonathan Edwards)
  • Protecting Against Credential and Token Theft (John Savill)