Identity and device access configurations
This series of articles describes how to configure secure access to cloud services through Enterprise Mobility + Security (EMS) products by implementing a recommended environment and configuration, including a prescribed set of conditional access policies and related capabilities. EMS is a core component of Microsoft 365. You can use this guidance to protect access to all services that are integrated with Azure Active Directory, including Microsoft 365 services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.
These recommendations are aligned with Microsoft Secure Score as well as identity score in Azure AD, and will increase these scores for your organization. These recommendations will also help you implement these five steps to securing your identity infrastructure.
Microsoft understands that some organizations have unique environment requirements or complexities. If you are one of these organizations, use these recommendations as a starting point. However, most organizations can implement these recommendations as prescribed.
These recommendations are intended for enterprise architects and IT professionals who are familiar with Office 365 and Microsoft Enterprise Mobility + Security, which includes, among others, Azure Active Directory (identity), Microsoft Intune (device management), and Azure Information Protection (data protection).
The recommended policies are applicable to enterprise organizations operating both entirely within the Microsoft cloud and for customers with hybrid infrastructure (deployed both on-premises and the Microsoft cloud).
Many of the provided recommendations rely on services available only with Enterprise Mobility + Security (EMS) E5 licenses. Recommendations presented assume full EMS E5 license capabilities.
For those organizations who do not have Enterprise Mobility + Security E5 licenses, Microsoft recommends you at least implement Azure AD baseline protection capabilities that are included with all plans. More information can be found in the article, What is baseline protection, in the Azure AD library.
Your organization may be subject to regulatory or other compliance requirements, including specific recommendations that may require you to apply policies that diverge from these recommended configurations. These configurations recommend usage controls that have not historically been available. We recommend these controls because we believe they represent a balance between security and productivity.
We have done our best to account for a wide variety of organizational protection requirements, but we're not able to account for all possible requirements or for all the unique aspects of your organization.
Three tiers of protection
Most organizations have specific requirements regarding security and data protection. These requirements vary by industry segment and by job functions within organizations. For example, your legal department and administrators might require additional security and information protection controls around their email correspondence that are not required for other business unit users.
Each industry also has their own set of specialized regulations. Rather than providing a list of all possible security options or a recommendation per industry segment or job function, recommendations have been provided for three different tiers of security and protection that can be applied based on the granularity of your needs.
- Baseline protection: We recommend you establish a minimum standard for protecting data, as well as the identities and devices that access your data. You can follow these baseline recommendations to provide strong default protection that meets the needs of many organizations.
- Sensitive protection: Some customers have a subset of data that must be protected at higher levels, or they may require all data to be protected at a higher level. You can apply increased protection to all or specific data sets in your Microsoft 365 environment. We recommend protecting identities and devices that access sensitive data with comparable levels of security.
- Highly regulated: Some organizations may have a small amount of data that is highly classified, constitutes trade secrets, or is regulated data. Microsoft provides capabilities to help organizations meet these requirements, including added protection for identities and devices.
This guidance shows you how to implement protection for identities and devices for each of these tiers of protection. Use this guidance as a starting point for your organization and adjust the policies to meet your organization's specific requirements.
It's important to use consistent levels of protection across your data, identities, and devices. For example, if you implement this guidance, be sure to protect your data at comparable levels. These architecture models show you which capabilities are comparable.
Security and productivity trade-offs
Implementing any security strategy requires trade-offs between security and productivity. It's helpful to evaluate how each decision affects the balance of security, functionality, and ease of use.
The recommendations provided are based on the following principles:
- Know your audience and be flexible to their security and functional requirements.
- Apply a security policy just in time and ensure it is meaningful.
Services and concepts for identity and device access protection
Microsoft 365 Enterprise is designed for large organizations and integrates Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security (EMS), to empower everyone to be creative and work together securely.
This section provides an overview of the Microsoft 365 services and capabilities that are important for identity and device access.
Microsoft Azure Active Directory
Azure AD provides a full suite of identity management capabilities. For securing access we recommend using the following capabilities:
Self-service password reset (SSPR): Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.
Multi-factor authentication (MFA): MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that a stolen identity can be used to access your environment.
Conditional access: Azure AD evaluates the conditions of the user login and uses conditional access policies you create to allow access. For example, in this guidance we show you how to create a conditional access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with a stolen identity can access your sensitive data. It also protects sensitive data on the devices, because the devices meet specific requirements for health and security.
Azure AD groups: Conditional access rules, device management with Intune, and even permissions to files and sites in your organization, rely on assignment to user and/or Azure AD groups. We recommend you create Azure AD groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to assign these employees to an Azure AD group and assign this group to conditional access policies and other policies that enforce a higher level of protection for access.
Device registration: You register a device into Azure AD to provide an identity to the device. This identity is used to authenticate the device when a user signs in and to apply conditional access rules that require domain-joined or compliant PCs. For this guidance, we use device registration to automatically register domain-joined Windows computers. Device registration is a prerequisite for managing devices with Intune.
Azure AD Identity Protection: Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply conditional access policies for multi-factor authentication. This guidance also includes a conditional access policy that requires users to change their password if high-risk activity is detected for their account.
Intune is Microsoft's cloud-based mobile device management service. This guidance recommends device management of Windows PCs with Intune and recommends device compliance policy configurations. Intune determines whether devices are compliant and sends this data to Azure AD to use when applying conditional access policies.
Intune app protection
Intune app protection policies can be used to protect your organization's data in mobile apps, with or without enrolling devices into management. Intune helps protect information, making sure your employees can still be productive, and preventing data loss. By implementing app-level policies, you can restrict access to company resources and keep data within the control of your IT department.
This guidance shows you how to create recommended policies to enforce the use of approved apps and to determine how these apps can be used with your business data.
This guidance shows you how to implement a set of policies to protect access to Office 365, including Exchange Online, SharePoint Online, and OneDrive for Business. In addition to implementing these policies, we recommend you also raise the level of protection for your tenant using these resources:
- Configure your tenant for increased security: These recommendations apply to baseline security for your tenant.
- Microsoft 365 security roadmap: Top priorities for the first 30 days, 90 days, and beyond: These recommendations include logging, data governance, admin access, and threat protection.
Windows 10 and Microsoft 365 Apps for enterprise
Windows 10 and Microsoft 365 Apps for enterprise is the recommended client environment for PCs. We recommend Windows 10, as Azure is designed to provide the smoothest experience possible for both on-premises and Azure AD. Windows 10 also includes advanced security capabilities that can be managed through Intune. Microsoft 365 Apps for enterprise includes the latest versions of Office applications. These use modern authentication, which is more secure and a requirement for conditional access. These apps also include enhanced security and compliance tools.
Applying these capabilities across the three tiers of protection
The following table summarizes our recommendations for using these capabilities across the three tiers of protection.
|Protection mechanism||Baseline||Sensitive||Highly regulated|
|Enforce MFA||On medium or above sign-in risk||On low or above sign-in risk||On all new sessions|
|Enforce password change||For high-risk users||For high-risk users||For high-risk users|
|Enforce Intune application protection||Yes||Yes||Yes|
|Enforce Intune enrollment (COD)||Require a compliant or domain-joined PC, but allow BYOD phones/tablets||Require a compliant or domain-joined device||Require a compliant or domain-joined device|
The above table reflects the trend for many organizations to support a mix of corporate-owned devices, as well as personal or bring-your-own devices (BYODs) to enable mobile productivity across the workforce. Intune app protection policies ensure that email is protected from exfiltrating out of the Outlook mobile app and other Office mobile apps, on both corporate-owned devices and BYODs.
We recommend corporate-owned devices be managed by Intune or domain-joined to apply additional protections and control. Depending on data sensitivity, your organization may choose to not allow BYODs for specific user populations or specific apps.