Microsoft > Golden Tenant > Step 2: Entra ID & 365 Admin Center
How to Setup Microsoft 365
Managing settings in Microsoft’s admin centers can be confusing.
It’s not always clear what each setting does, and with so many options, it can feel overwhelming.
But leaving these settings at their defaults can leave your organization exposed to avoidable security risks.
That’s why it’s crucial to take a proactive approach: secure your systems, limit access to only what’s necessary, and safeguard your environment.
This post is part of our multi-part series, guiding you through key Microsoft 365 and Entra ID security settings to help you fine-tune your setup.
Entra ID and Microsoft 365 Admin Tuning
There are 54 settings overall between Microsoft 365, Azure, and Entra Admin Center that we audit and review prior to an engagement with our customers. While this may sound like a lot, these settings are vital to ensure your organization’s security posture remains strong.
At the time of writing this post, these settings can be configured with administrative permissions in Microsoft 365 and Entra Admin Center using any type of licensing available.
However, depending on your organization’s subscription level, certain advanced features may require specific licenses.
NOTE: We strongly recommend that you audit, review, and configure these settings across Microsoft 365 and Entra for the security of your organization.
Why Should You Care About Auditing Microsoft 365 Settings?
If you don’t have these settings configured, you’re leaving your organization exposed to unnecessary risks. These are the simple, often overlooked settings that threat actors love to exploit.
If you do not have these configured, we suggest prioritizing them immediately.
NOTE: Before you adjust a setting, make sure you document and audit what the setting was before. READ THROUGH the impact of adjusting each setting to understand what you and your users can expect to change in your environment.
Let’s Get Started
Now, let’s get started auditing your settings. You’ll need administrative access to the Entra admin center, the Azure portal, and the Microsoft Purview compliance portal in order to make the modifications below.
Microsoft Purview > Audit
'Microsoft 365 audit log search' is 'Enabled'
This setting is a critical piece of Microsoft 365 and provides you with the ability to go back at least 90 days (Audit (Standard) now retains 180 days by default; Audit (Premium) retains one year) and audit the actions of your users or admins within the environment.
Starting your deployment by enabling this setting will help get you started on the right foot.
Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.
To enable this setting, navigate to compliance.microsoft.com (now purview.microsoft.com) > Audit. If auditing is off, you will see a Start recording user and admin activity banner; click it and then click Yes to complete the organizational setup. It can take up to an hour before events start appearing in search results.
If you do not see the Start recording user and admin activity prompt, auditing is already enabled. Whew.
ALTERNATELY, Verify Auditing is Enabled via PowerShell
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell command
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Ensure UnifiedAuditLogIngestionEnabled is set to True.
ALTERNATELY, Enforce Auditing via PowerShell
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell command
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Verify the change by re-running the Get-AdminAuditLogConfig command from the previous section.
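The two PowerShell steps above can be combined into one idempotent script that records the "before" state, enables ingestion only if it is off, and then proves the log is actually searchable. This is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online role that can read and write the audit configuration; the JSON file name is arbitrary.

```powershell
#Requires -Modules ExchangeOnlineManagement

# Added example (not the original post's code): audit unified audit log ingestion,
# enable it only when it is off, and confirm the log is queryable.
# Assumption: the ExchangeOnlineManagement module is installed and a browser
# sign-in with an appropriately privileged account is acceptable.

Connect-ExchangeOnline -ShowBanner:$false

# Document the "before" state, as the post recommends, with a timestamp.
$before = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$before | ConvertTo-Json | Out-File ".\audit-config-before-$stamp.json"   # arbitrary file name

if (-not $before.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is OFF - enabling.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Ingestion can take up to an hour to become active after the change.
} else {
    Write-Host 'Unified audit log ingestion is already enabled.'
}

# Verify the flag, then confirm the log actually returns events for the last 24 hours.
$after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Host "UnifiedAuditLogIngestionEnabled = $after"

$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5
if ($recent) {
    $recent | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
} else {
    Write-Warning 'No events returned yet; if auditing was just enabled, wait and retry.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

The Search-UnifiedAuditLog call is the part that matters: UnifiedAuditLogIngestionEnabled being True tells you the switch is on, but only a successful search proves events are being recorded and retained.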
IMPACT OF SETTING:
By enabling audit log search, you’ll have a clear record of actions taken within Microsoft 365, allowing for easy tracking of unusual or unauthorized behavior. This will significantly aid in incident response and compliance. However, the impact on your workflow is minimal—this setting operates in the background and does not interfere with day-to-day user activity.
Entra ID > Users > User Settings
'Users Can Register Applications' Is Set to 'No'
ℹ️ CIS recommendation
Leaving this setting enabled can allow privilege escalation through OAuth application access in your tenant. App registration should be restricted to tenant administrators. Otherwise, an attacker with a single compromised account can register an application, grant it permissions on the user’s behalf, and significantly increase their access in just a few steps.
By default in Microsoft Entra ID, all users can register and manage applications they create, and consent to apps accessing company data on their behalf. To limit this, set the global switches to ‘No’ and add selected users to the Application Developer role.
Another option is to assign Application Owners who can manage all aspects of specific application registrations or enterprise applications.
Assigning owners is an easy way to allow users to manage Microsoft Entra configurations for particular applications.
IMPACT OF SETTING:
Disabling this option stops ordinary users from registering applications that could lead to unauthorized access. Only administrators (and users explicitly assigned the Application Developer role) will be able to register applications, ensuring that only vetted, trusted applications are used within your organization. While it may slow down the ability to onboard new apps, this safeguard is essential for security.
'Restrict non-admin users from creating tenants' is set to 'Yes'
ℹ️ CIS recommendation
By restricting who can create new tenants, you can prevent unplanned or unauthorized use of resources, keeping infrastructure securely under organizational control.
Impact of Setting:
Restricting tenant creation ensures that only authorized personnel can create new tenants, preventing unnecessary or unauthorized use of company resources. This reduces the risk of rogue environments being created, which could lead to compliance issues or resource mismanagement. Users who need new tenants will need admin approval, adding a layer of control.
'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
ℹ️ CIS recommendation
The Entra ID administrative center contains sensitive data and permission settings. To prevent exposure, non-administrators should be prohibited from accessing any data in the administration center.
All administrative tasks must be performed by administrators.
Note: This setting only affects access to the Entra admin center web portal and does not apply to users holding an administrative role. Non-admin users can still read directory data through Microsoft Graph, REST APIs, or PowerShell, so treat this as a UI guardrail rather than an authorization boundary.
Impact of Setting:
Restricting access to the Entra admin center ensures that only authorized administrators can view and modify sensitive settings. This prevents accidental or malicious changes by non-admin users. The impact is that admins retain full control over the system configuration while non-admins are prevented from accessing data they do not need, improving security with minimal disruption to users.
Entra ID > Users > Password reset
'Notify users on password resets?' is set to 'Yes'
ℹ️ CIS recommendation
Notifying users about password resets is a proactive way to confirm password reset activities. It helps users identify any unauthorized password resets.
Impact of Setting:
Notifying users of password resets provides an additional layer of security by ensuring that users are aware of any changes to their account. This allows for quick detection of unauthorized resets, reducing the potential for compromise. The impact is a slight increase in notifications, but the benefit is early detection of potential security incidents.
'Notify all admins when other admins reset their password?' is set to 'Yes'
ℹ️ CIS recommendation
Global Administrator accounts are sensitive. Sending password reset activity notifications to all Global Administrators allows them to confirm if the reset is typical within their group. For instance, if all Global Administrators change their passwords every 30 days, any reset before that might indicate unusual activity that needs evaluation.
All Global Administrators will receive a notification from Microsoft Entra every time another admin's password is reset. This helps confirm that there are no unusual password resets for Global Administrators. However, it requires additional time for Global Administrators to review the notifications. This setting is only effective if all Global Administrators pay attention to and audit each notification.
Impact of Setting:
This setting increases transparency among Global Administrators, ensuring that password resets within the admin group are properly monitored. The benefit is enhanced security for sensitive accounts, as unusual activity can be quickly identified. However, administrators will need to regularly review these notifications, which could require additional time but is critical for security oversight.
Entra ID > Groups > General
'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
ℹ️ CIS recommendation
Restrict security group creation to administrators only.
When security group creation is enabled, all users can create new security groups and add members. Unless your business needs this delegation, it should be restricted to administrators only.
Restricting group creation will require admins to handle security group membership for user accounts, which means users will need to submit a ticket any time a change needs to be made to a security group.
Impact of Setting:
Limiting security group creation to administrators prevents unauthorized users from creating groups that could inadvertently expose sensitive data or resources. The downside is that users will need to submit tickets for group changes, adding an extra step in the process. However, the increased control ensures that group creation is done with proper oversight, reducing security risks.
'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
ℹ️ CIS recommendation
Microsoft 365 group creation should be restricted to administrators only.
This ensures that only administrators can create Microsoft 365 groups, maintaining control over group creation. Administrators should create and manage all groups, without delegating this right to other users.
Restricting group creation will require admins to handle Microsoft 365 group membership for user accounts, which means users will need to submit a ticket any time a change needs to be made to a Microsoft 365 group. Note that this one setting governs group creation across Outlook, Teams, SharePoint, Planner, and the other workloads that provision Microsoft 365 groups.
Impact of Setting:
Restricting Microsoft 365 group creation to administrators helps prevent unauthorized groups from being created. Because every Microsoft 365 group provisions its own mailbox, SharePoint site, and (often) a Team, each with its own membership and sharing settings, uncontrolled creation quickly leads to sprawl and misconfiguration. The impact is similar to security groups—users will need to request group changes via admins, but the added security benefits far outweigh the slight inconvenience.
Entra ID > Enterprise Applications > Consent and Permissions
'User consent for applications' is set to 'Do not allow user consent'
ℹ️ CIS recommendation
Control when end users and group owners can grant consent to applications and when they need administrator approval. Allowing users to grant apps access to data can help productivity but poses risks if not carefully monitored.
Attackers often use custom applications to trick users into granting access to company data. Disabling future user consent operations reduces this risk and the threat surface. If user consent is disabled, existing consent will still be valid, but all future consent must be approved by an administrator.
If user consent is disabled, users can request tenant-wide admin consent through an integrated consent request workflow or organizational support processes.
Impact of Setting:
Disabling user consent prevents users from granting access to third-party applications without admin approval, reducing the risk of consent phishing attacks. While it may slow the process of integrating new applications, it ensures that only vetted apps are given access to your organization’s data, providing strong protection against malicious apps.
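The 'Users can register applications', 'Restrict non-admin users from creating tenants', 'Users can create security groups' and 'User consent for applications' settings above all live on one object in Microsoft Graph, the tenant's authorization policy (defaultUserRolePermissions); Microsoft 365 group creation is a separate Group.Unified directory setting that is only exposed on the beta endpoint. The script below audits all of them and applies the baseline only where there is drift. It is an added example, not code from the original post, and assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell modules are installed and the signed-in account can update authorization policy (for example, Global Administrator); the JSON file name is arbitrary.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Beta.Identity.DirectoryManagement

# Added example, not the original post's code. Audits and enforces the default user
# role permissions and the Microsoft 365 group creation setting via Microsoft Graph.
# Assumptions: both modules are installed; the account holds a role permitted to
# update the authorization policy and directory settings.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Directory.ReadWrite.All' -NoWelcome

# --- Default user role permissions (Users > User settings, Groups > General, user consent)
$policy = Get-MgPolicyAuthorizationPolicy
$perm   = $policy.DefaultUserRolePermissions

# Record the "before" state, as the post recommends (arbitrary file name).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$perm | ConvertTo-Json -Depth 5 | Out-File ".\authz-policy-before-$stamp.json"

# 'Do not allow user consent' = remove the self-consent grant policies only; any
# group-owner consent policy (ManagePermissionGrantsForOwnedResource.*) is left alone.
$grantPolicies = @($perm.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })

$desired = @{
    AllowedToCreateApps             = $false   # 'Users can register applications' = No
    AllowedToCreateSecurityGroups   = $false   # 'Users can create security groups' = No
    AllowedToCreateTenants          = $false   # 'Restrict non-admin users from creating tenants' = Yes
    AllowedToReadOtherUsers         = $perm.AllowedToReadOtherUsers   # unchanged
    PermissionGrantPoliciesAssigned = $grantPolicies                  # 'Do not allow user consent'
}

$drift = @(foreach ($k in 'AllowedToCreateApps', 'AllowedToCreateSecurityGroups', 'AllowedToCreateTenants') {
    if ($perm.$k -ne $desired[$k]) { "$k is $($perm.$k), expected $($desired[$k])" }
})
if ($perm.PermissionGrantPoliciesAssigned -like 'ManagePermissionGrantsForSelf.*') {
    $drift += 'User consent is still allowed'
}

if ($drift.Count -gt 0) {
    $drift | ForEach-Object { Write-Warning $_ }
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $desired
    Write-Host 'Authorization policy updated.'
} else {
    Write-Host 'Default user role permissions already match the baseline.'
}

# --- Microsoft 365 group creation (Group.Unified directory setting, beta endpoint)
$templateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'   # Group.Unified template id
$setting = Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq $templateId }

if (-not $setting) {
    # No Group.Unified setting exists yet: instantiate it from the template defaults.
    $template = Get-MgBetaDirectorySettingTemplate -DirectorySettingTemplateId $templateId
    $values   = @($template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } })
    $setting  = New-MgBetaDirectorySetting -TemplateId $templateId -Values $values
}

$current = ($setting.Values | Where-Object { $_.Name -eq 'EnableGroupCreation' }).Value
if ($current -ne 'false') {
    Write-Warning "EnableGroupCreation is '$current'; setting it to 'false'."
    $values = @($setting.Values | ForEach-Object {
        $v = if ($_.Name -eq 'EnableGroupCreation') { 'false' } else { $_.Value }
        @{ Name = $_.Name; Value = $v }
    })
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -Values $values
} else {
    Write-Host 'Microsoft 365 group creation is already restricted to administrators.'
}

Disconnect-MgGraph | Out-Null
```

Two design points: the whole defaultUserRolePermissions object is written back (not just the changed fields) so that a partial update cannot silently reset a property you did not intend to touch, and the consent filter keeps any group-owner policy so that disabling user consent does not also change the separate group-owner consent setting.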
'Users can request admin consent to apps they are unable to consent to' is set to 'Yes'
ℹ️ CIS recommendation
The admin consent workflow provides a secure way for admins to grant access to applications that require approval. When a user tries to access an application but can’t provide consent, they can request admin approval. This request is emailed to designated admins, called reviewers, who take action and notify the user of the outcome.
To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator.
Being designated as a reviewer does not increase their privileges; they must already hold one of these roles.
- Add the internal Users who will review admin consent requests (if any)
- Add the Roles who will review admin consent requests (Global Administrator)
- Set ‘Selected users will receive email notifications for requests’ to ‘Yes’
- Set ‘Selected users will receive request expiration reminders’ to ‘Yes’
- Set ‘Consent request expires after (days)’ to ’15’ or ’30’
Impact of Setting:
Requiring admin consent for applications adds a vital layer of security, ensuring that only trusted applications can access sensitive resources. Admins will need to review and approve requests, which adds a step to the workflow but ensures stronger control over app access. This setting is essential for reducing the risk of OAuth token abuse and consent phishing attacks.
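The five bullet points above map onto the adminConsentRequestPolicy object in Microsoft Graph (isEnabled, notifyReviewers, remindersEnabled, requestDurationInDays, reviewers). The script below is an added example, not code from the original post: it enables the workflow with a single named reviewer. The reviewer UPN is a placeholder for an account that already holds one of the three eligible roles, the reviewer query format ("/users/{id}") follows the Graph reference for that object, and role-based reviewers (as selected in the portal) are not set here. If your SDK version rejects the update, the same body can be sent with Invoke-MgGraphRequest -Method PUT to /policies/adminConsentRequestPolicy, since Graph requires a full replacement of this policy.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

# Added example, not the original post's code. Enables the admin consent request
# workflow with one named reviewer. Assumptions: the reviewer UPN is a placeholder
# for an existing Global / Cloud Application / Application Administrator, and the
# reviewer query format follows the Graph adminConsentRequestPolicy reference.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConsentRequest', 'User.Read.All' -NoWelcome

$reviewerUpn = 'consent-reviewer@contoso.example'   # placeholder; replace with a real admin
$reviewer    = Get-MgUser -UserId $reviewerUpn -Property Id, UserPrincipalName
$reviewerQuery = "/users/$($reviewer.Id)"

# Record the current policy before changing it (arbitrary file name).
$before = Get-MgPolicyAdminConsentRequestPolicy
$before | ConvertTo-Json -Depth 5 |
    Out-File ".\admin-consent-policy-before-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"

$desired = @{
    IsEnabled             = $true   # 'Users can request admin consent...' = Yes
    NotifyReviewers       = $true   # 'Selected users will receive email notifications' = Yes
    RemindersEnabled      = $true   # 'Selected users will receive request expiration reminders' = Yes
    RequestDurationInDays = 30      # 'Consent request expires after (days)' = 30
    Reviewers             = @(
        @{ Query = $reviewerQuery; QueryType = 'MicrosoftGraph' }
    )
}

$needsUpdate = (-not $before.IsEnabled) -or
               (-not $before.NotifyReviewers) -or
               (-not $before.RemindersEnabled) -or
               ($before.RequestDurationInDays -gt 30) -or
               (-not (@($before.Reviewers.Query) -contains $reviewerQuery))

if ($needsUpdate) {
    Update-MgPolicyAdminConsentRequestPolicy @desired
    Write-Host 'Admin consent request policy updated.'
} else {
    Write-Host 'Admin consent request policy already matches the baseline.'
}

# Verify.
$after = Get-MgPolicyAdminConsentRequestPolicy
$after | Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays | Format-List
$after.Reviewers | Select-Object Query, QueryType | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Pair this with the user consent setting above: with user consent disabled and the request workflow enabled, every new OAuth grant lands in a reviewer's queue instead of being decided by whichever user clicked the phishing link.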
Azure > Subscriptions > Advanced Options
'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One'
ℹ️ CIS recommendation
Only appropriate administrative personnel should have permissions to move subscriptions in and out of the Microsoft Entra ID directory.
Moving a subscription into a directory can place it under a management group where other users already hold elevated role assignments, and moving one out takes its resources beyond the reach of your policies and monitoring.
This ensures that potential bad actors cannot cause data loss or make unauthorized changes to objects within the directory.
Impact of Setting:
By preventing the movement of subscriptions in and out of your Microsoft Entra ID directory, you ensure that unauthorized personnel cannot move resources to environments where elevated permissions exist. This reduces the risk of unauthorized access and data exposure. The impact is minimal for day-to-day operations but provides a significant security enhancement, preventing potentially damaging changes by unauthorized users.
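Both portal switches are backed by a single tenant-level Azure Resource Manager object, Microsoft.Subscription/policies/default, with the properties blockSubscriptionsLeavingTenant and blockSubscriptionsIntoTenant. The script below reads it, and sets both to true ('Permit no one') only if either is off. It is an added example, not code from the original post, and assumes the Az.Accounts module, an account that is a Global Administrator with elevated access to the tenant root (required to write this policy), and API version 2021-10-01.

```powershell
#Requires -Modules Az.Accounts

# Added example, not the original post's code. Reads and enforces the tenant-level
# subscription transfer policy through the ARM REST API. Assumptions: Az.Accounts is
# installed; the account is a Global Administrator with elevated access at the tenant
# root; api-version 2021-10-01 is accepted by your tenant.

Connect-AzAccount | Out-Null

$path = '/providers/Microsoft.Subscription/policies/default?api-version=2021-10-01'

# Read and record the current policy before touching it.
$resp = Invoke-AzRestMethod -Path $path -Method GET
if ($resp.StatusCode -ne 200) { throw "GET failed: $($resp.StatusCode) $($resp.Content)" }
$current = ($resp.Content | ConvertFrom-Json).properties
Write-Host ('Before: leaving blocked = {0}, entering blocked = {1}' -f
    $current.blockSubscriptionsLeavingTenant, $current.blockSubscriptionsIntoTenant)

if (-not ($current.blockSubscriptionsLeavingTenant -and $current.blockSubscriptionsIntoTenant)) {
    # Preserve any principals already exempted from the policy rather than wiping them.
    $exempt = if ($current.exemptedPrincipals) { @($current.exemptedPrincipals) } else { @() }

    $body = @{
        properties = @{
            blockSubscriptionsLeavingTenant = $true    # 'Subscription leaving ...' = Permit no one
            blockSubscriptionsIntoTenant    = $true    # 'Subscription entering ...' = Permit no one
            exemptedPrincipals              = $exempt
        }
    } | ConvertTo-Json -Depth 5

    $put = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($put.StatusCode -notin 200, 201) { throw "PUT failed: $($put.StatusCode) $($put.Content)" }
    Write-Host 'Subscription policy set to Permit no one in both directions.'
} else {
    Write-Host 'Subscription policy already blocks transfers in both directions.'
}

# Verify the stored policy reflects the change.
$after = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json
$after.properties | Select-Object blockSubscriptionsLeavingTenant, blockSubscriptionsIntoTenant, exemptedPrincipals
```

The exemptedPrincipals list is the one thing to audit regularly after setting this: any object ID in it can still move subscriptions in or out regardless of the two switches, so it should be empty or contain only a break-glass identity you recognize.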
Impacts and Benefits
Microsoft offers countless security features that so often go overlooked.
In today’s rapidly evolving cybersecurity landscape, it’s critical to ensure your organization is proactive about securing its environment.
These settings are designed to block or restrict access that may be unnecessary and potentially harmful to your organization.
By configuring these settings, you take a vital step toward safeguarding your business and maintaining control over your IT infrastructure.