Entra Security Settings
These foundational security settings in Microsoft Entra ID (formerly Azure AD) establish the "guardrails" for user autonomy and application integration. They enforce the principle of least privilege (NIST SP 800-171 3.1.5) and prevent unauthorized system access (3.1.1) across all regulated environments.
3.2.1.1 User | User settings
In a regulated environment, users should have the minimum permissions necessary to perform their jobs. Unrestricted access to the administration portal or the ability to create new tenants can lead to "shadow IT" and undocumented compliance boundaries.
| Setting | Recommended Value | Rationale |
|---|---|---|
| Restrict access to Microsoft Entra administration portal | Yes | Prevents non-administrators from browsing the directory, viewing other users' details, and exploring the tenant configuration. |
| Restrict non-admin users from creating tenants | Yes | Prevents users from spinning up unauthorized, unmanaged Entra tenants using corporate credentials, which creates an immediate compliance boundary violation. |
| Users can create security groups | No | (Environment dependent) Restricting group creation to admins or an automated governance process ensures that the RBAC model remains clean and auditable. |
| Users can create Microsoft 365 groups | No | Prevents the sprawl of unmanaged Teams and SharePoint sites, which often become undocumented repositories for sensitive data. |
3.2.1.2 Enterprise applications | Consent and permissions | User consent settings
User-led consent is one of the most significant risks to the authorization boundary. If a user consents to a malicious or unvetted application, that app can bypass MFA and Conditional Access to exfiltrate sensitive data directly from the tenant via the Graph API.
| Setting | Recommended Value | Rationale |
|---|---|---|
| User consent for applications | Do not allow user consent | Mandatory for GCC High. This ensures that no third-party application can access organizational data without an explicit security review and admin grant. |
| Group owner consent for apps accessing data | Do not allow group owner consent | Prevents Team/Group owners from bypassing IT governance by authorizing "bots" or "reporting tools" that may exfiltrate data from specific SharePoint sites or Teams channels. |
3.2.1.3 Enterprise applications | Consent and permissions | Admin consent settings
Disabling user consent requires a formal process for users to request the applications they need. The Admin Consent Workflow provides this "front door," creating an auditable request-and-approval trail for every integrated application.
| Setting | Recommended Value | Rationale |
|---|---|---|
| Users can request admin consent to apps they are unable to consent to | Yes | Provides a structured way for users to request new tools without resorting to insecure workarounds. |
| Admin consent request reviewers | Select 2-3 Admins | Assign specific Global Admins or Cloud Application Admins to receive and vet requests. |
| Selected users will receive email notifications for requests | Yes | Ensures timely review of application requests to minimize productivity friction. |
| Selected users will receive request expiration reminders | Yes | Prevents requests from languishing and ensures the governance process remains active. |
The Admin Consent Workflow directly satisfies NIST SP 800-171 3.1.22 (Control Publicly Accessible Content). By requiring admin review of all applications, you ensure that no internal data is inadvertently exposed to a public or unauthorized SaaS application.
📩 Don't Miss the Next Solution
Join the list to see the real-time solutions I'm delivering to my GCC High clients.