Entra Hardening Tip #4 - Block legacy authentication
Problem:
Legacy authentication (basic-auth protocols such as SMTP AUTH and IMAP, and the ROPC grant) cannot prompt for MFA, which makes it a prime target for password-spray and credential-stuffing attacks and an easy way in for anyone holding stolen credentials.
1/4

| Website | https://merill.net/about/ |
| Twitter | https://twitter.com/merill |
| LinkedIn | https://www.linkedin.com/in/merill |
| GitHub | https://github.com/merill |
| Pronouns | He/Him |
| Newsletter | https://entra.news |
The report also refers to the emergence of EvilTokens, a phishing-as-a-service (PhaaS) toolkit identified as a key driver of large-scale device code abuse.
For more info see https://lnkd.in/g66x8sAD
Don't wait until one of your users is phished to roll out this CA policy.
5/5
Entra Hardening Tip #3: Block device code authentication flow
Device code flow allows users to sign in to headless devices like Teams meeting rooms and CI/CD pipelines.
The problem:
1/5
The fix:
Create a CA policy
→ Include: All users
→ Target: User Action = Register or join devices
→ Grant access: Require authentication strength - MFA
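The three Conditional Access policies this series describes (block legacy authentication, Tip #4; block the device code flow, Tip #3; require MFA for the "Register or join devices" user action, Tip #2), created with Microsoft Graph PowerShell. This is an added example, not code from the author's posts. Only the Tip #2 settings are spelled out on this page; the Tip #4 and Tip #3 policy bodies are my assumption of the standard way to implement those tips. The policies are created in report-only state so sign-in logs can be reviewed before enforcing, and `$EmergencyAccessGroupId` is a hypothetical placeholder for a break-glass group that the tips do not mention but that every CA rollout should exclude.

```powershell
# Added example, not from the original posts. Creates the Conditional Access policies
# from Entra Hardening Tips #2, #3 and #4 with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in admin can consent
# to Policy.ReadWrite.ConditionalAccess. The Tip #3 and Tip #4 bodies are my assumption
# of the standard implementation; only Tip #2's settings are stated on the page.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Hypothetical placeholder: object ID of your emergency-access (break-glass) group.
# Excluding it is an added caveat, not part of the tips as posted.
$EmergencyAccessGroupId = "00000000-0000-0000-0000-000000000000"

# All users minus break-glass accounts; shared by every policy below.
$AllUsersExceptBreakGlass = @{
    includeUsers  = @("All")
    excludeGroups = @($EmergencyAccessGroupId)
}

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    # Report-only first: review the "Report-only" results in the sign-in logs for a
    # few days, then set state to "enabled" once nothing legitimate is being caught.
    $body = @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Tip #4 (assumed implementation): block legacy authentication. "exchangeActiveSync" and
# "other" are the client app types that carry basic/legacy auth (SMTP AUTH, IMAP, POP, ...).
New-ReportOnlyCaPolicy -DisplayName "Block legacy authentication" -Conditions @{
    users          = $AllUsersExceptBreakGlass
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("exchangeActiveSync", "other")
} -GrantControls @{
    operator        = "OR"
    builtInControls = @("block")
}

# Tip #3 (assumed implementation): block the device code flow outright. Add excludeGroups
# for headless devices or pipelines that genuinely need the flow, nothing else.
New-ReportOnlyCaPolicy -DisplayName "Block device code authentication flow" -Conditions @{
    users               = $AllUsersExceptBreakGlass
    applications        = @{ includeApplications = @("All") }
    authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
} -GrantControls @{
    operator        = "OR"
    builtInControls = @("block")
}

# Tip #2 (as posted): All users, user action "Register or join devices", grant with the
# built-in "Multifactor authentication" authentication strength.
New-ReportOnlyCaPolicy -DisplayName "Require MFA to register or join devices" -Conditions @{
    users        = $AllUsersExceptBreakGlass
    applications = @{ includeUserActions = @("urn:user:registerdevice") }
} -GrantControls @{
    operator               = "OR"
    authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000002" }
}

# Confirm the policies exist and are still report-only before you enable them.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -in @("Block legacy authentication",
                                        "Block device code authentication flow",
                                        "Require MFA to register or join devices") } |
    Select-Object DisplayName, State
```

The authentication strength ID above is the built-in "Multifactor authentication" strength; run `Get-MgPolicyAuthenticationStrengthPolicy` in your tenant to confirm it, or swap in the built-in phishing-resistant strength if your users already have FIDO2 or Windows Hello for Business. Keep the policies in report-only until the sign-in log shows no legitimate registrations, device-code sign-ins or basic-auth clients being caught, then change `state` to `"enabled"`.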
Microsoft reported seeing these types of attacks in 2022
Entra Hardening Tip #2: Require MFA for device join & device registration using 'User Action'
If you don’t enforce a Conditional Access policy for “Register or join devices”, you’re leaving a gap.
Attackers can take advantage of this and register new devices without MFA.
1/6
👋 Folks, I'm starting a new series of Entra Hardening tips from today.
Here's how it will work. One new tip every weekday (I take a break on weekends).
Tip #1: Privileged accounts in Entra ID should be cloud native identities
1/7
Sneak peek at something new I'm building...
I'm so excited, I can't wait to share with everyone. You are all going to ❤️ it.
Who wants to take a guess what it is?
For the handful of folks who I've told, you're excluded from answering 😂
Just dropped a new Entra Chat episode with Sean Metcalf and honestly my brain is full 🤯
Sean has been doing Microsoft identity security since Azure AD was barely a thing and he still sees the same misconfigs in enterprise environments every. single. day.
🎙️ Watch → https://entra.news/p/stop-leaving-the-door-open-the-entra
Most IT admins treat Conditional Access like Whac-A-Mole. 🔨
In this episode of Entra.Chat, Per Torben breaks down why the standard docs aren't enough and how to build a scalable security framework that actually works.
Don't get locked out. Get secure. 🔒
🎧 https://entra.news/p/how-to-design-bullet-proof-conditional