Best practices for securely deploying Microsoft Entra ID Governance

This document provides best practices for securely deploying Microsoft Entra ID Governance.

Least privilege

The principle of least privilege means giving users and workload identities the minimum level of access or permissions they need to perform their tasks. By limiting access to only required resources based on the specific roles or job functions of users and providing just-in-time access, you can reduce the risk of unauthorized actions. Additionally, performing regular audits helps mitigate potential security breaches.

Microsoft Entra ID Governance limits the user access based on the role that they're assigned. Ensure that your users have the least privileged role to perform the task that they need.

For more information, see Least privilege with Microsoft Entra ID Governance.

Preventing lateral movement

Recommendation: Don't use nested groups with PIM for groups.

Groups can control access to various resources, including Microsoft Entra roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications. Microsoft Entra ID allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups.

These groups can be flat or nested (a non-role-assignable group is a member of a role-assignable group). Roles such as groups admin, exchange admin, and knowledge admin can manage the non-role-assignable group, which gives these admins a path to the privileged roles granted to the parent group. Ensure that role-assignable groups don't have non-role-assignable groups as members.

For more information, see Privileged Identity Management (PIM) for Groups.
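The nesting check described above, written out as an added example that is not part of the Microsoft page. The group records are constructed inline in the shape Microsoft Graph returns for group objects (the isAssignableToRole property and the @odata.type of each member); in a real tenant you would fetch them with GET /groups?$filter=isAssignableToRole eq true and GET /groups/{id}/members (or /transitiveMembers to cover deeper nesting). The group and user IDs are placeholders.

```python
"""Flag role-assignable Entra groups that contain non-role-assignable groups.

Added example (not Microsoft's code). Input mirrors Microsoft Graph `group`
objects and their direct members; all IDs and names below are constructed.
"""

# Constructed tenant snapshot: group id -> the Graph properties we care about.
GROUPS = {
    "g-privileged-admins": {"displayName": "Privileged Admins", "isAssignableToRole": True},
    "g-helpdesk": {"displayName": "Helpdesk", "isAssignableToRole": False},
    "g-sec-ops": {"displayName": "SecOps", "isAssignableToRole": True},
}

# Constructed direct-member listings, as GET /groups/{id}/members would return them.
MEMBERS = {
    "g-privileged-admins": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice"},
        # A non-role-assignable group nested inside a role-assignable one:
        # anyone who can manage "Helpdesk" membership can reach the parent's roles.
        {"@odata.type": "#microsoft.graph.group", "id": "g-helpdesk"},
    ],
    "g-helpdesk": [{"@odata.type": "#microsoft.graph.user", "id": "u-bob"}],
    "g-sec-ops": [{"@odata.type": "#microsoft.graph.user", "id": "u-carol"}],
}


def find_risky_nesting(groups, members):
    """Return (parent_id, child_id) pairs where a role-assignable group has a
    non-role-assignable group (or a group not present in the snapshot) as a
    direct member. An empty list means the recommendation is satisfied."""
    findings = []
    for gid, group in groups.items():
        if not group.get("isAssignableToRole"):
            continue  # only role-assignable parents matter for this check
        for member in members.get(gid, []):
            if member.get("@odata.type") != "#microsoft.graph.group":
                continue  # users and service principals are not nesting
            child = groups.get(member["id"])
            if child is None or not child.get("isAssignableToRole"):
                findings.append((gid, member["id"]))
    return findings


def describe(findings, groups):
    """Human-readable lines for a report or ticket."""
    return [
        f"{groups[p]['displayName']} ({p}) contains non-role-assignable group "
        f"{groups.get(c, {}).get('displayName', '<unknown>')} ({c})"
        for p, c in findings
    ]


if __name__ == "__main__":
    for line in describe(find_risky_nesting(GROUPS, MEMBERS), GROUPS):
        print(line)
```

Running the snapshot above reports the Privileged Admins group, because Helpdesk is nested inside it; SecOps has only user members and is not reported. Treating a member group that is missing from the snapshot as a finding is deliberate: an incomplete inventory should fail closed rather than hide a nesting path.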

Recommendation: Use Entitlement Management to provide access to sensitive resources, instead of hybrid groups.

Historically, organizations relied on Active Directory groups to control access to applications. Synchronizing these groups to Microsoft Entra ID makes it easy to reuse them to grant access to resources connected to Microsoft Entra ID. However, this creates lateral movement risk: a compromised on-premises account or group can be used to gain access to resources connected in the cloud.

When providing access to sensitive applications or roles, use entitlement management to drive assignment to the application instead of security groups synchronized from Active Directory Domain Services. For groups that need to be both in Microsoft Entra ID and Active Directory Domain Services, you can synchronize those groups from Microsoft Entra ID to Active Directory Domain Services using cloud sync.

Deny by default

The principle of "Deny by Default" is a security strategy that restricts access to resources by default, unless explicit permissions are granted. This approach minimizes the risk of unauthorized access by ensuring that users and applications don't have access rights until they're specifically assigned. Implementing this principle helps create a more secure environment, as it limits potential entry points for malicious actors.

Entitlement Management

Connected organizations are a feature of entitlement management that allows users to gain access to resources across tenants. Follow these best practices when configuring connected organizations.

Recommendations:

  • Require an expiration date for access to access packages in a connected organization. If, for example, users need access during a fixed contract, set the access package to expire at the end of the contract.
  • Require approval prior to granting access to guests from connected organizations.
  • Periodically review guest access to ensure that users only have access to resources that they still need.
  • Carefully consider which organizations you're including as connected orgs. Periodically review the list of connected organizations and remove any that you don't collaborate with anymore.

Provisioning

Recommendation: Set the provisioning scope to sync “assigned users and groups.”

This scope ensures that only users explicitly assigned to your sync configuration get provisioned. The alternative setting of allowing all users and groups should only be used for applications where access is required broadly across the organization.

PIM for roles

Recommendation: Require approval of PIM requests for Global Administrator.

With Privileged Identity Management (PIM) in Microsoft Entra ID you can configure roles to require approval for activation, and choose one or more users or groups as delegated approvers.

For more information, see Approve or deny requests for Microsoft Entra roles in Privileged Identity Management.

Defense in depth

The following sections provide additional guidance on multiple security measures you can take to provide a defense in depth strategy for your governance deployments.

Applications

Recommendation: Securely manage credentials for connectivity to applications

Encourage application vendors to support OAuth on their SCIM endpoints, rather than relying on long-lived tokens. Securely store credentials in Azure Key Vault, and regularly rotate your credentials.

Provisioning

Recommendation: Use a certificate from a trusted certificate authority when configuring on-premises application provisioning.

When configuring on-premises application provisioning with the ECMA host, you have the option to use a self-signed certificate or a trusted certificate. While the self-signed certificate is helpful for getting started quickly and testing the capability, it isn't recommended for production use. This is because the certificates can't be revoked and expire in 2 years by default.

Recommendation: Harden your Microsoft Entra Provisioning Agent server

We recommend that you harden your Microsoft Entra provisioning agent server to decrease the security attack surface for this critical component of your IT environment. The best practices described in Prerequisites for Microsoft Entra Cloud Sync in Microsoft Entra ID include:

  • We recommend hardening the Microsoft Entra provisioning agent server as a Control Plane (formerly Tier 0) asset by following the guidance provided in Secure Privileged Access and Active Directory administrative tier model.
  • Restrict administrative access to the Microsoft Entra provisioning agent server to only domain administrators or other tightly controlled security groups.
  • Create a dedicated account for all personnel with privileged access. Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.
  • Follow the guidance provided in Securing privileged access.
  • Enable multifactor authentication (MFA) for all users that have privileged access in Microsoft Entra ID or in AD. One security issue with using Microsoft Entra provisioning agent is that if an attacker can get control over the Microsoft Entra provisioning agent server they can manipulate users in Microsoft Entra ID. To prevent an attacker from using these capabilities to take over Microsoft Entra accounts, MFA offers protections. Even if an attacker manages to reset a user's password using the Microsoft Entra provisioning agent, they still can't bypass the second factor.

For more information and additional best practices, see Prerequisites for Microsoft Entra Cloud Sync in Microsoft Entra ID.

Entitlement management and lifecycle workflows

Recommendation: Follow security best practices for using custom extensions with entitlement management and lifecycle workflows. The best practices described in this article include:

  • Securing administrative access to the subscription
  • Disabling shared access signature (SAS)
  • Using managed identities for authentication
  • Authorizing with least privileged permissions
  • Ensuring Proof-of-Possession (PoP) usage

Recommendation: All entitlement management policies should have an expiration date and/or a periodic access review to right-size access. These requirements ensure that only users who should have access continue to have access to the application.
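An added example (not Microsoft's code) that audits assignment policies against both the connected-organization recommendations above (expiration and approval for guests) and the expiration and/or access review recommendation in this section. The policy records are constructed inline in the shape of Microsoft Graph accessPackageAssignmentPolicy objects (allowedTargetScope, expiration, requestApprovalSettings, reviewSettings); in a real tenant you would page through GET /identityGovernance/entitlementManagement/assignmentPolicies. Policy IDs and names are placeholders.

```python
"""Audit entitlement management assignment policies for missing guardrails.

Added example (not Microsoft's code). Each policy mirrors the Microsoft Graph
`accessPackageAssignmentPolicy` shape; the records below are constructed.
"""

# Constructed sample policies.
POLICIES = [
    {   # external policy with no guardrails at all
        "id": "p-contractors",
        "displayName": "Contractors (example connected org)",
        "allowedTargetScope": "specificConnectedOrganizationUsers",
        "expiration": {"type": "noExpiration"},
        "requestApprovalSettings": {"isApprovalRequiredForAdd": False},
        "reviewSettings": {"isEnabled": False},
    },
    {   # external policy that follows the recommendations
        "id": "p-partners",
        "displayName": "Partners (example connected org)",
        "allowedTargetScope": "specificConnectedOrganizationUsers",
        "expiration": {"type": "afterDuration", "duration": "P90D"},
        "requestApprovalSettings": {"isApprovalRequiredForAdd": True},
        "reviewSettings": {"isEnabled": True},
    },
    {   # internal policy: no expiration, but a periodic review is enabled
        "id": "p-internal",
        "displayName": "Internal finance app",
        "allowedTargetScope": "allMemberUsers",
        "expiration": {"type": "noExpiration"},
        "requestApprovalSettings": {"isApprovalRequiredForAdd": False},
        "reviewSettings": {"isEnabled": True},
    },
]

# allowedTargetScope values that admit users from outside the tenant.
EXTERNAL_SCOPES = {
    "specificConnectedOrganizationUsers",
    "allConfiguredConnectedOrganizationUsers",
    "allExternalUsers",
}


def audit_policy(policy):
    """Return a list of finding strings for one policy (empty = compliant)."""
    findings = []
    expiration_type = policy.get("expiration", {}).get("type", "notSpecified")
    # Only these two expiration types actually end an assignment on their own.
    has_expiration = expiration_type in ("afterDateTime", "afterDuration")
    has_review = bool(policy.get("reviewSettings", {}).get("isEnabled", False))

    # Applies to every policy: expiration and/or periodic review.
    if not has_expiration and not has_review:
        findings.append("no expiration and no access review")

    # Stricter bar for policies that admit connected-organization or other guests.
    if policy.get("allowedTargetScope") in EXTERNAL_SCOPES:
        approval = policy.get("requestApprovalSettings", {})
        if not approval.get("isApprovalRequiredForAdd", False):
            findings.append("external users admitted without approval")
        if not has_expiration:
            findings.append("external access does not expire")
    return findings


def audit(policies):
    """Map policy id -> findings, listing only policies with at least one finding."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            report[policy["id"]] = findings
    return report


if __name__ == "__main__":
    for policy_id, findings in audit(POLICIES).items():
        print(policy_id)
        for finding in findings:
            print("  -", finding)
```

With the sample data, only p-contractors is reported: p-internal passes because an enabled access review satisfies the "and/or" rule for internal users, and p-partners has a 90-day expiration, approval, and review. The external checks are kept separate from the general check so that a guest policy with a review but no expiration is still reported, matching the stricter connected-organization guidance.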

Backup and recovery

Back up your configuration so you can recover to a known good state in case of a compromise. Use the following list to create a comprehensive backup strategy that covers the various areas of governance.

Monitoring

Monitoring helps detect potential threats and vulnerabilities early. By watching for unusual activities and configuration changes, you can prevent security breaches and maintain data integrity.

Next steps