Contents
- Overview
- Enterprise Application Setup
- Conditional Access Best Practices
- Implementation Steps in Azure Portal
- Governance & Monitoring
- Example Policy Scenarios
Overview
This document outlines recommended practices for configuring Enterprise Applications in Microsoft Entra ID to ensure secure access to business-critical apps. It covers assignment requirements, conditional access, and geo/MFA-based controls.
Enterprise Application Setup
Assign Applications Securely
Use Groups for Assignment: Assign applications to security groups (static or dynamic), not to individuals.
Dynamic Groups: Base membership on user attributes (for example, users holding the ward-nurse role are placed in CompucareWard_[organisation]_Live automatically) so that onboarding and offboarding need no manual group edits. Example groups:
- Compucare_[organisation]_Live
- Compucare_[organisation]_Test
- CompucareWard_[organisation]_Live
- CompucareWard_[organisation]_Test
- ReportGenerator_[organisation]_Live
- ReportGenerator_[organisation]_Test
Application Owners: Always assign an application owner who can manage access and conduct reviews.
Assignment Required
Enable “User Assignment Required” in app settings.
Ensures only explicitly assigned users/groups can sign in.
Prevents accidental tenant-wide access to sensitive apps.
Recommended for all non-public, business-sensitive apps (finance, HR, healthcare, customer data).
Lifecycle & Review
Use Access Reviews (if licensed) to regularly check assignments.
Remove stale users and unused applications.
Conditional Access Best Practices
Baseline Policies
Require MFA for all users.
Require MFA for privileged roles (Global Admin, Security Admin, etc.).
Geo-Based Access Controls
Define Named Locations:
Trusted: corporate offices, approved countries.
Risky: regions where your business does not operate.
Policies:
Block sign-ins from high-risk countries.
Require MFA or compliant device for logins outside trusted locations.
App-Specific Conditional Access
Apply stricter rules to sensitive apps (e.g. Compucare Ward). For example:
Require MFA for every sign-in.
Require device compliance (Intune-managed).
Limit access to specific IP ranges (corporate VPN, office subnets).
For each application, ask where legitimate access is actually needed; for example, is there any reason a user should reach Compucare Ward from outside the hospital or clinic?
Risk-Based Controls
Use Entra ID Identity Protection signals:
High sign-in risk → Block or require MFA.
Medium risk → Require password reset or MFA.
Implementation Steps in Azure Portal
Setting Assignment Required
Go to Azure Portal → Entra ID → Enterprise Applications.
Select the app.
Under Properties, set User Assignment Required = Yes.
Assign access via Groups.
Creating Conditional Access Policies
Go to Azure Portal → Entra ID → Security → Conditional Access.
Create a New Policy:
Assignments: Select users/groups (or roles).
Cloud Apps: Choose apps to protect.
Conditions:
Locations → Configure trusted & blocked countries.
Device state → Require compliant device.
Grant Controls: Require MFA, device compliance, or block.
Test in Report-only mode before enforcing.
To do this, go to Enable policy and select Report-only instead of On.
Governance & Monitoring
Maintain at least two break-glass accounts excluded from Conditional Access (secured with long passwords + hardware MFA).
Forward sign-in and audit logs to Microsoft Sentinel or your SIEM.
Review Conditional Access policies quarterly to ensure alignment with business operations.
Example Policy Scenarios
Baseline: Require MFA for all users, block legacy authentication.
Privileged Roles: Require MFA on every login, require compliant device.
Geo Restriction: Block logins from non-business countries.
App-Specific: Require compliant device and MFA for Compucare Ward or other apps.
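The following script is an added example, not part of the original article or the Compucare product: it implements the Geo Restriction and App-Specific scenarios above by following the steps in "Creating Conditional Access Policies" with the Microsoft Graph PowerShell SDK, creating both policies in Report-only mode and excluding the break-glass accounts from the Governance section. The group name, app display name, country list and break-glass account names are placeholders to replace for your tenant.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph modules.
# Placeholders: group/app names, country code and break-glass UPNs are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Group.Read.All","User.Read.All"

# Break-glass accounts stay excluded from every policy, as the governance section requires
$breakGlass = @("breakglass1@contoso.example","breakglass2@contoso.example") |
    ForEach-Object { (Get-MgUser -UserId $_).Id }

# Named location: countries where the business operates (ISO 3166-1 alpha-2 codes)
$business = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Business countries"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # an unresolvable country is not trusted
}

# Policy 1 (Geo Restriction): block every sign-in that is not from a business country
$geoBlock = @{
    displayName   = "CA01 Block sign-in outside business countries (report-only)"
    state         = "enabledForReportingButNotEnforced"   # Report-only until reviewed
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($business.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2 (App-Specific): MFA AND a compliant device for the Compucare Ward group and app
$group = Get-MgGroup -Filter "displayName eq 'CompucareWard_Contoso_Live'"
$app   = Get-MgServicePrincipal -Filter "displayName eq 'Compucare Ward'"
$appPolicy = @{
    displayName   = "CA02 Compucare Ward - MFA + compliant device (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @($app.AppId) }
        clientAppTypes = @("browser","mobileAppsAndDesktopClients")
    }
    # AND means both controls must be satisfied on every sign-in
    grantControls = @{ operator = "AND"; builtInControls = @("mfa","compliantDevice") }
}

foreach ($p in @($geoBlock, $appPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '$($created.DisplayName)' [$($created.Id)] state=$($created.State)"
}
```

After reviewing the Report-only results in the sign-in logs, change `state` to `enabled` on each policy to enforce it.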