Design Tenant Configuration

Configuration in Azure AD is done within each tenant. Configuration settings control your security and access policies. Document your security and access policies to ensure consistency across tenants where applicable.

Configuration consistency across tenants

In a large EDU environment where you have a central administration team, ensuring that most configurations are consistent across tenants will:

  • Simplify management and make your Central IT team more efficient.

  • Make it easier to identify and troubleshoot issues.

  • Make it easier to develop, test, and deploy software across tenants.

  • Make the user experience across tenants more consistent and intuitive.

  • Ease the process of migrating users from one tenant to another.

Create policies on which tenant configurations will be standard and managed by your central IT team, and which can be adjusted by the tenant-specific IT team. Some areas where a tenant-specific administration team may need to have flexibility include:

  • Allowing external partners to access the tenant. While your organization may have a policy that only allows its other tenants access, a specific region may need a region-specific vendor to the Azure AD B2B collaboration Allow list.

  • Adjusting the required access policies, for example requiring managed devices to meet tenant- or region-specific security requirements, or to account for the availability of managed devices.

  • Piloting new features, for example a region trying out MyStaff to let a school's director cover certain IT tasks for the staff at that school.

Configure external identities

External identities represent users from outside an Azure AD tenant, such as users from other tenants in the EDU organization. In a large EDU organization that spans multiple tenants, you can use Azure Active Directory (Azure AD) business-to-business (B2B) collaboration to provide access across those tenants. Azure AD B2B lets you securely share your organization’s applications and services with guests from another organization, while maintaining control over your own data.

Control external collaboration

External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests. External collaboration settings are managed in the Azure AD portal under Azure Active Directory.

Enable external users to appear in the Global Address List

You can display external users in your Global Address List (GAL) by either:

  • Inviting users as guests using Azure AD B2B (Recommended)

  • Using GAL Synchronization (Not recommended)

Note

GAL synchronization doesn't create user accounts. Rather, each contact it creates is an object that is counted against your object limit in the tenant.

Security and access policies

Managing security can be difficult with identity-related attacks being so prevalent. Security defaults and access policies make it easier to help protect your organization from attacks such as password spray, replay, and phishing.

Security defaults

Security Defaults provide secure settings that we manage on behalf of your organization to keep you safe until you're ready to manage your own identity security story. When security defaults are enabled, we can help you protect your organization with the following pre-configured policy settings:

  • Requiring all users to register for Azure Multi-Factor Authentication

  • Requiring administrators to perform multi-factor authentication

  • Blocking legacy authentication protocols

  • Requiring users to perform multi-factor authentication when necessary

  • Protecting privileged activities like access to the Azure portal

Enabling security defaults is recommended if you are an organization that wants to increase your security posture now, and you haven't configured robust security. If you are an organization with Azure Active Directory Premium licenses and are currently using Conditional Access policies to enforce organizational policies, security defaults are probably not right for you.

Enable Security defaults in the Azure portal as shown in the following image.

Screenshot of the Azure portal with the toggle to enable security defaults.

Managed devices for IT and staff

To protect resources in your tenant, prevent access by devices with unknown protection levels. Implement a device management solution so that users are only able to access resources using a device that is managed by the organization.

In Azure AD, a minimum requirement for a device to be considered managed is when it's registered with Azure AD. Admins can choose to implement the following types of device management in Azure AD:

  • Hybrid Domain Joined. Devices that are owned by the organization and joined to both the on-premises Active Directory and Azure AD. Typically a device purchased and managed by an organization and managed by System Center Configuration Manager.

  • Azure AD Domain Joined. Devices that are owned by the organization and joined to the organization’s Azure AD tenant. Usually a device purchased and managed by an organization, joined to Azure AD, and managed by a service such as Microsoft Intune.

  • Azure AD Registered. Devices owned by the organization, or personal devices, used to access company resources. Usually a personal device used to access corporate resources. Organizations may require the device be enrolled via Mobile Device Management (MDM), or enforced through Mobile Application Management (MAM) without enrollment to access resources. This capability can be provided by a service such as Microsoft Intune.

To learn more, see Choose your integration methods.

To further enhance security, we also recommend that you create an Azure AD Conditional Access policy for IT and staff. With Conditional Access, you can create a single policy that grants access:

  • To selected cloud apps.

  • For selected users and groups.

  • Requiring a managed device.

Use MFA for admins

Accounts that are assigned elevated permissions are valuable targets for attackers. To minimize the risk of privileged account compromise, provision all accounts with elevated permissions with strong authentication credentials such as Azure Multi-Factor Authentication (MFA).

At a minimum, we recommend that you create a Conditional Access policy to require MFA for the following administrative roles:

  • Billing administrator

  • Conditional Access administrator

  • Exchange administrator

  • Global administrator

  • Helpdesk (password) administrator

  • Security administrator

  • SharePoint administrator

  • User administrator

If users have a multi-factor authentication method available to them, enforce MFA for users that have access to sensitive information like student records.

Risk policies

With Azure AD, admins can create policies to protect against certain types of risks:

  • Sign-in risk. The probability that a given authentication request is not authorized by the identity owner.

  • User risk. The probability that a give identity or account is compromised.

Sign-in risk policies and user risk policies automate the response to risk detections in your environment, and allow users to self-remediate risk.

Educational organizations with Microsoft 365 A5 licenses (or Azure AD Premium P2 licenses) can use Azure AD Identity Protection to secure their accounts. You can also create sign-in risk-based Conditional Access policies and user risk-based Conditional Access policies.

Configure user risk policy so that high-risk users are required to change their password after sign-in.

Best practices

  • Define Conditional Access policies to enforce identity security posture by and minimize sign-in risks and user risks. This should include controls on MFA and device-based controls to enable access only through managed devices and expected locations.

  • All applications should have explicit Conditional Access policies applied.

  • Minimize the number of Conditional Access policies by applying to multiple apps with the same requirements.

  • Plan for disruption by setting up emergency access accounts to mitigate the affects of accidental lockout.

  • Configure a Conditional Access policy in report-only mode.

For general guidance on Conditional Access policies for individual environments, check the CA Best practices and Azure AD Operations Guide:

App registrations

Only users with elevated permissions can perform tasks such as adding applications to the application gallery or configuring an application to use Application Proxy. However, by default, all users in your directory have the ability to register application and service principal objects. They also have discretion over which applications can access their organization data through user consent.

We recommend that you disable user consent so that non-privileged accounts can't create application and service principal objects in the tenant. Instead delegate team members application administration roles such as the Application Administrator, Application Developer, or the Cloud Application Administrator roles. Using roles will centralize the decision-making process around consent with your organization’s security and identity teams.

App integration

When possible, integrate supported SaaS applications using the Azure AD application gallery where you can find pre-configured apps that work with Azure AD. If your application is not available in the Azure AD application gallery, you can add the unlisted application in the Azure AD portal.

In hybrid environments, you can enable secure remote access to your legacy applications using Azure AD Application Proxy. Application proxy enables users to access on-premises web apps without a VPN using their Azure AD account.

Alternatively, you can secure access to legacy apps if you are currently using any of the following third-party application delivery or network solutions:

Design tenant security

In addition to the recommendations above, we also recommend that you lock down your tenant further by configuring the following settings in the Azure AD portal.

User settings

Setting Value Reason
Administration portal
Restrict access to Azure AD administration portal Yes This setting will block non-privileged accounts from accessing the Azure AD section of the Azure portal.
LinkedIn account connections No No business need
App registrations
Users can register applications No For educational organizations Microsoft recommends preventing non-privileged accounts to create application and service principal objects in the tenant. Instead, assign team members explicitly to application administration roles such as the Application Administrator, Application Developer or the Cloud Application Administrator roles.

External identities settings

Setting Value Reason
Only allow tenants from same organization
Guest permissions are limited No Guests come from well-known tenants.
Admins and users in the guest inviter role can invite Yes Guest invitation can be delegated when invitations are only allowed to specified domains.
Members can invite, Guests can invite No More control over who is invited into the tenant by only allowing certain administrators or administrators/users with the guest inviter role to invite guests.
Enable Email One-Time Passcode for guests (Preview) No Guests come from well-known tenants.
Enable guest self-service sign-up via user flows (Preview) No Invitations are only allowed to specified domains and user accounts are Azure AD accounts in those other tenants.
Collaboration restrictions – Allow invitations only to the specified domains Most restrictive Microsoft recommends this setting for large organizations with multiple tenants that will use the B2B collaboration features to provide access between the tenants.
When you set your collaboration settings to Allow invitation only to specified domains (most restrictive), you include all domains that are part of your organization to the allow list which will automatically deny invitations to any other domains. Or, if your school has a partnership with other organizations, you can restrict invitations to only those organizations by adding them to the allow list.
Allow collaboration outside own organization
Guest permissions are limited Yes Guests can be from outside the own organization, this setting will limit them from certain directory tasks like enumerating users, groups, or other directory objects.
Admins and users in the guest inviter role can invite No We recommend keeping invitations controlled with a group of delegated administrators when collaboration restrictions are set to allow invitation to be sent to any domain.
Members can invite, Guests can invite No More control over who is invited into the tenant by only allowing certain administrators or administrators/users with the guest inviter role to invite guests.
Enable Email One-Time Passcode for guests (Preview) Yes OTP is recommended when inviting users from outside your own organization.
Enable up guest self-service sign via user flows (Preview) No It's preferred to control invitations over letting guests self-service sign up to the tenant.
Collaboration restrictions – Allow invitations to be sent to any domain Most inclusive Recommended setting when there is a need to collaborate with multiple other tenants, e.g. when collaborating with partners, external consultants, other educational organizations etc.

User feature previews settings

Setting Value Reason
Users can use preview feature for My Apps None/Selected/All Setting depends on use and need for My Apps portal and its features. You can consider using the My Apps portal to provide access to your organization’s cloud-based apps to only staff or to everyone including students.
Users can use the combined security information registration experience All It is recommended to use enhanced authentication methods such as passwordless credentials, and conditional access for securing security info registration.
Administrators can access My Staff None/Selected/All Setting depends on use and need for My Staff. You can consider using My Staff to delegate common helpdesk tasks to staff.
My Staff enables you to delegate to a figure of authority, such as a school director, the permissions to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks such as resetting passwords or changing phone numbers to e.g. a school director. With My Staff, a user who cannot access their account can regain access in just a couple of clicks with no helpdesk or IT staff required.

Group management settings

Setting Value Reason
Self-service group management
Owners can manage group membership requests in the Access Panel No Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios
Restrict user ability to access groups features in the Access Panel. Administrators (Global, Group and User Admin) will have access regardless of the value of this setting Yes Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios
Security groups
Users can create security groups in Azure portals No Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios
Owners who can assign members as group owners in Azure portals None Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios
Office 365 groups
Users can create Office 365 groups in Azure portals No Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios
Owners who can assign members as group owners in Azure portals None Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios

Enterprise applications settings

Setting Value Reason
Enterprise applications
Users can consent to apps accessing company data on their behalf No Applications that require consent should be reviewed through a defined process with established ownership using Admin Consent Request Workflows
Users can consent to apps accessing company data for the groups they own No Applications that require consent should be reviewed through a defined process with established ownership using Admin Consent Request Workflows
Users can add gallery apps to their Access Panel No Groups in EDU tenants might have sensitive resource access (e.g. access to student information) that should be structured and governed. User-initiated management is not recommended for these scenarios
Admin consent requests (Preview)
Users can request admin consent to apps they are unable to consent to​ No Enabling this setting will give the all users in your tenant the ability to request consent, potentially leading to a lot of consent requests sent to admins. If admins can't or do not want to manage the requests, users can be confused.
Select users to review admin consent requests​ N/A Only applicable if Admin Consent Request feature is enabled
Selected users will receive email notifications for requests​ N/A Only applicable if Admin Consent Request feature is enabled
Selected users will receive request expiration reminders​ N/A Only applicable if Admin Consent Request feature is enabled
Consent request expires after (days) N/A Only applicable if Admin Consent Request feature is enabled
Office 365 Settings
Users can only see Office 365 apps in the Office 365 portal No When using My Apps portal this setting should be set to ‘No’ if you want Office 365 apps to show in My Apps. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/access-panel-deployment-plan

Identity governance settings

Manage the lifecycle of external users added via access packages by specifying what happens when they lose their last access package assignment.

Setting Value Reason
Block external user from signing into this directory Yes When an external user loses their last assignment to any access package you should block, then remove them from the tenant. ​
Remove external user​ Yes When an external user loses their last assignment to any access package you should block, then remove them from the tenant. ​
Number of days before removing external user from this directory 30 When an external user loses their last assignment to any access package you should block, then remove them from the tenant​

Password reset settings

Setting Value Reason
Properties
Self-service password reset enabled Select users We recommend self-service password reset for all users who can use their mobile phone for text and can install and set up the Microsoft Authenticator app.
Authentication methods
Number of methods required to reset 2 Two methods provide a balance between usability and security.
Methods available to users Mobile app notification, mobile app code, email, and mobile phone (SMS only) Mobile App provides the most modern and secure cryptographic methods. ​
Then, email or SMS can be used as an additional option.
We strongly recommended deploying passwordless authentication methods to accounts in EDU tenants. This improves user experience.
Registration
Require users to register when signing in? Yes With this value, accounts will be interrupted to provide registration to SSPR upon first sign in. This helps to onboard accounts with a consistent baseline.
Number of days before users are asked to reconfirm their authentication information 180
Notifications
Notify users on password resets? Yes Notifications will provide visibility of this sensitive credential management operation.
Notify all admins when other admins reset their password? Yes Notifications will provide visibility of this sensitive credential management operation.

Security settings

Setting Value Reason
Authentication method policy
FIDO2 Security Key Yes – Select users
Microsoft Authenticator passwordless sign in Yes – Select users
Text message No Phone number must be assigned to all users who need to use this feature.
If there's no strong use case for this capability, the overhead of adding the phone numbers is not warranted.

Next steps

Design an account strategy