Recently, I conducted a hardening assessment on a Microsoft Entra Active Directory tenant. As part of this process, I utilized the latest CIS Hardening Assessment, carefully following each item to evaluate the current security posture.

Today, I will present some of the essential, straightforward hardening rules that you should implement to enhance the security of your Microsoft Entra (formerly Azure) Active Directory.

Let’s begin with the following configuration table, based on CIS recommendations.

The Basic Rules:

Navigate to Entra AD -> Users -> User Settings:

  1. Disabling the “Users can register apps” setting prevents users from creating and registering applications in Azure Active Directory without administrator approval. The security concern with allowing users to register apps is that it can lead to unauthorized or misconfigured applications, potentially creating vulnerabilities such as backdoors or excessive permissions. This increases the risk of data breaches, malicious use, or accidental exposure of sensitive information. Disabling this option ensures tighter control over which applications have access to the organization’s resources.
  2. “Ensure ‘Restrict non-admin users from creating tenants’ is set to ‘Yes’” – Restricting tenant creation helps prevent users from setting up resources without proper oversight, ensuring that the organization stays in control of its infrastructure. When users create unauthorized environments (shadow IT), it can lead to scattered systems that are hard for IT to manage and secure. This becomes especially risky if others in the organization start using these environments.
  3. This setting is based on your organization’s policies. From my point of view, users without any specific permissions should not be able to create groups of any kind. As we are going to see below, users will not even be able to access the admin portal.
  4. THE MOST IMPORTANT! “Ensure ‘Restrict access to the Azure AD administration portal’ is set to ‘Yes’” – Restrict non-privileged users from signing into the Microsoft Entra admin center. By default, everyone in your tenant can log in to Microsoft Entra and see all users and groups! Disable it as soon as possible.
  5. Again, this is based on your organization’s policy. “Disabling LinkedIn integration prevents potential phishing attacks and risk scenarios where an external party could accidentally disclose sensitive information.”
  6. Finally, disable the option that lets users check “Keep me signed in”. This option is a point of concern because users can stay signed in without an MFA push, even from outside your organization.

Guest Users and settings

Managing guest user access in Microsoft Entra Active Directory can be a bit challenging, requiring careful attention to ensure secure collaboration without compromising sensitive data.

The dangers of guest users in Microsoft Entra (Azure) Active Directory include:

Data Exposure: Guest users may gain access to sensitive information, either intentionally or unintentionally, if permissions are not properly configured.

Insufficient Control: Organizations may have less control over guest users’ devices and security hygiene, which can introduce vulnerabilities, such as malware or phishing attacks.

Privilege Escalation: If guest users are granted excessive permissions or misconfigurations occur, they could gain access to areas beyond their intended scope.

Account Compromise: If a guest user’s account is compromised, it could serve as an entry point for attackers to exploit the organization’s network or data.

Shadow IT: Guest users could introduce unmanaged applications or services (shadow IT), creating security blind spots that the organization’s IT team is unaware of and cannot properly secure.

So what are the best recommendations based on the CIS? First, navigate to Entra AD -> Users -> User Settings, and then press Manage external collaboration settings.

You are going to see these settings:

  1. Select the most restrictive access rules. You don’t want your guests wandering around your tenant.
  2. You do not want everyone to be able to invite guest users to your tenant, especially ordinary users. Go ahead and select the option that allows only Help Desk admins etc. to invite guests.
  3. Finally, do not allow guests to sign up by themselves!
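To check the items above in a repeatable way instead of clicking through the portal, here is an added example (not part of the original post) that audits the JSON Microsoft Graph returns for `GET /policies/authorizationPolicy` and `GET /policies/authenticationFlowsPolicy` (scope `Policy.Read.All`) against the basic rules 1–3 and the three guest settings. The embedded payloads are constructed samples of an unhardened tenant, and the control-to-property mapping is my own.

```python
"""Audit Microsoft Entra tenant-wide settings against the CIS items discussed above.

Input is the JSON returned by Microsoft Graph:
  GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy       (scope: Policy.Read.All)
  GET https://graph.microsoft.com/v1.0/policies/authenticationFlowsPolicy
Feed it saved responses; the payloads embedded below are constructed samples, not real tenant data.
"""
import json
from typing import Optional

# guestUserRoleId values are fixed GUIDs documented for authorizationPolicy (not tenant-specific).
GUEST_ROLE_RESTRICTED = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # most restrictive
GUEST_ROLE_LIMITED = "10dae51f-8b43-4b05-a3c3-6fa1a8b79f95"     # Entra default
GUEST_ROLE_MEMBER = "a0b1b346-4d3e-4e8b-98f8-753987be4970"      # same access as members

# allowInvitesFrom values that still let non-admin members or guests invite guests
BROAD_INVITE_SETTINGS = ("adminsGuestInvitersAndAllMembers", "everyone")


def audit(authz_policy: dict, flows_policy: Optional[dict] = None) -> list:
    """Return one finding per failed control; an empty list means every checked item passes."""
    findings = []
    perms = authz_policy.get("defaultUserRolePermissions", {})
    # Basic rules 1-3: app registration, tenant creation and group creation by ordinary users
    if perms.get("allowedToCreateApps", True):
        findings.append("users can register applications (allowedToCreateApps)")
    if perms.get("allowedToCreateTenants", True):
        findings.append("non-admins can create tenants (allowedToCreateTenants)")
    if perms.get("allowedToCreateSecurityGroups", True):
        findings.append("users can create security groups (allowedToCreateSecurityGroups)")
    # Guest setting 1: guest access must be the most restrictive option
    if authz_policy.get("guestUserRoleId", GUEST_ROLE_LIMITED) != GUEST_ROLE_RESTRICTED:
        findings.append("guest access is not the most restrictive (guestUserRoleId)")
    # Guest setting 2: only admins / Guest Inviter role holders may invite
    if authz_policy.get("allowInvitesFrom", "everyone") in BROAD_INVITE_SETTINGS:
        findings.append("members or guests can invite guests (allowInvitesFrom)")
    # Guest setting 3: no guest self-service sign-up via user flows
    if flows_policy and flows_policy.get("selfServiceSignUp", {}).get("isEnabled", False):
        findings.append("guest self-service sign-up via user flows is enabled")
    return findings


# Constructed sample resembling an unhardened tenant (every checked control fails).
SAMPLE_AUTHZ = json.loads("""{
  "guestUserRoleId": "10dae51f-8b43-4b05-a3c3-6fa1a8b79f95",
  "allowInvitesFrom": "everyone",
  "defaultUserRolePermissions": {"allowedToCreateApps": true,
      "allowedToCreateSecurityGroups": true, "allowedToCreateTenants": true}
}""")
SAMPLE_FLOWS = {"selfServiceSignUp": {"isEnabled": True}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHZ, SAMPLE_FLOWS):
        print("FAIL:", finding)
```

The admin-center restriction, the LinkedIn integration and the “Keep me signed in” option are, to my knowledge, not exposed in these two Graph objects, so those three still have to be verified in the portal.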

Hope that the above post helps you improve your tenant security. This is a product of my own work and experience based on the CIS Hardening assessment.