Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Best Practices for Securing Enterprise Applications in Microsoft Entra ID

            Created by Andy Robinson, Modified on Tue, 2 Sep at 4:26 PM by Sam Cybulska

            Contents


            Overview

            This document outlines recommended practices for configuring Enterprise Applications in Microsoft Entra ID to ensure secure access to business-critical apps. It covers assignment requirements, conditional access, and geo/MFA-based controls.


            Enterprise Application Setup

            Assign Applications Securely

            • Use Groups for Assignment: Assign applications to security groups (static or dynamic), not to individuals.

            • Dynamic Groups: Base membership on attributes (e.g. ward nurses = CompucareWard_[organisation]_Live) to automate onboarding/offboarding. Example groups:

              • Compucare_[organisation]_Live
              • Compucare_[organisation]_Test
              • CompucareWard_[organisation]_Live
              • CompucareWard_[organisation]_Test
              • ReportGenerator_[organisation]_Live
              • ReportGenerator_[organisation]_Test

            • Application Owners: Always assign an application owner who can manage access and conduct reviews.


            Assignment Required

            • Enable “User Assignment Required” in app settings.

            • Ensures only explicitly assigned users/groups can sign in.

            • Prevents accidental tenant-wide access to sensitive apps.

            • Recommended for all non-public, business-sensitive apps (finance, HR, healthcare, customer data).


            Lifecycle & Review

            • Use Access Reviews (if licensed) to regularly check assignments.

            • Remove stale users and unused applications.


            Conditional Access Best Practices

            Baseline Policies

            • Require MFA for all users.

            • Require MFA for privileged roles (Global Admin, Security Admin, etc.).


            Geo-Based Access Controls

            • Define Named Locations:

              • Trusted: corporate offices, approved countries.

              • Risky: regions where your business does not operate.

            • Policies:

              • Block sign-ins from high-risk countries.

              • Require MFA or compliant device for logins outside trusted locations.


            App-Specific Conditional Access

            • Apply stricter rules to sensitive apps (e.g. Compucare Ward). For example:

              • Require MFA for every sign-in.

              • Require device compliance (Intune-managed).

              • Limit access to specific IP ranges (corporate VPN, office subnets).

            • Question where legitimate access would be wanted per application, e.g. why would you want to access Compucare Ward from outside of the hospital/clinic?


            Risk-Based Controls

            • Use Entra ID Identity Protection signals:

              • High sign-in risk → Block or require MFA.

              • Medium risk → Require password reset or MFA.


            Implementation Steps in Azure Portal

            Setting Assignment Required

            1. Go to Azure Portal → Entra ID → Enterprise Applications.

            2. Select the app.

            3. Under Properties, set User Assignment Required = Yes.

            4. Assign access via Groups.


            Creating Conditional Access Policies

            1. Go to Azure Portal → Entra ID → Security → Conditional Access.

            2. Create a New Policy:

              • Assignments: Select users/groups (or roles).

              • Cloud Apps: Choose apps to protect.

              • Conditions:

                • Locations → Configure trusted & blocked countries.

                • Device state → Require compliant device.

              • Grant Controls: Require MFA, device compliance, or block.

            3. Test in Report-only mode before enforcing.

              • To do this, go to Enable policy and select Report-only instead of On.


            Governance & Monitoring

            • Maintain at least two break-glass accounts excluded from Conditional Access (secured with long passwords + hardware MFA).

            • Forward sign-in and audit logs to Microsoft Sentinel or your SIEM.

            • Review Conditional Access policies quarterly to ensure alignment with business operations.


            Example Policy Scenarios

            1. Baseline: Require MFA for all users, block legacy authentication.

            2. Privileged Roles: Require MFA on every login, require compliant device.

            3. Geo Restriction: Block logins from non-business countries.

            4. App-Specific: Require compliant device and MFA for Compucare Ward or other apps.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0