Azure AD Configuration

Secure your identity and access management layer by enabling combined registration, self-service password reset, configuring user settings, and deploying Conditional Access baseline policies.


Overview

Section                        Description
Combined Registration          Enable simultaneous MFA + SSPR registration
Self-Service Password Reset    Allow users to reset passwords via second factor
User Settings                  Edit default user and guest collaboration settings
Admin Consent Requests         Prevent users from consenting to external app requests
Device Settings                Enforce MFA for device join and enable Enterprise State Roaming
Conditional Access Baseline    Block legacy auth and require MFA

Combined Registration

Enable the combined security information registration experience so users can register for both MFA and SSPR in a single flow.

Steps

  1. Go to Azure AD admin center > Users > User settings
  2. Click Manage user feature preview settings

Azure AD User Settings - Manage user feature preview settings

  3. Under Users can use the combined security information registration experience, select All

Combined Registration - Select All

  4. Click Save

This unified registration experience reduces friction for end users and is the recommended approach for new deployments.


Self-Service Password Reset

Allow users to reset their own passwords using their registered second factor of authentication.

SSPR as configured here applies to cloud-only accounts. For synced (hybrid) accounts, you must also configure password writeback in Azure AD Connect.

Steps

  1. Go to Azure AD admin center > Users > Password reset
  2. Configure the following:

    Properties tab — Set Self service password reset enabled to All

    SSPR Properties - Enable for All

    Authentication methods tab — Require 2 methods, enable: Mobile app notification, Mobile app code, Mobile phone, Email

    SSPR Authentication Methods

    Registration tab — Set Require users to register when signing in? to No

    SSPR Registration Settings

    Notifications tab — Set both user and admin notifications to Yes

    SSPR Notifications

  3. Click Save

User Settings

Configure default user and guest collaboration settings in Azure AD.

Default User Settings

  1. Go to Azure AD admin center > Users > User settings
  2. Make the following recommended selections:
    • Users can register applications: No
    • Restrict access to Azure AD administration portal: Yes

Azure AD User Settings

External Collaboration Settings (Guest Users)

  1. Scroll down and click Manage external collaboration settings
    (Also accessible via Azure AD > External identities > External collaboration settings)
  2. Recommended settings:
    • Enable Email One-Time Passcode: Yes
    • Guests can invite: No (recommended for most organizations)

External Collaboration Settings - Guest Users

Admin Consent Requests

Prevent users from independently consenting to third-party application permission requests.

Steps

  1. Navigate to Azure AD > Enterprise Applications > User settings
  2. Set Users can consent to apps accessing company data on their behalf: No
  3. Set Users can request admin consent to apps they are unable to consent to: Yes

Admin Consent - Block user consent

  4. Configure the admin consent request settings and expiration

Admin Consent - Request admin consent enabled

  5. Select approvers — choose admins who will review and approve consent requests

Admin Consent - Select Approvers

Delegating to Non-Admin Approvers

If you need to delegate consent approval to non-admin users:

  1. Navigate to Azure Active Directory > Roles and administrators
  2. Assign the Application administrator role to the designated approvers
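The User Settings and Admin Consent recommendations above map onto two Microsoft Graph policy objects: the tenant authorization policy (app registration, user consent, guest invitations) and the admin consent request policy (the approval workflow). The script below is an added example using the Microsoft Graph PowerShell SDK, not the page's own tooling; it assumes the Microsoft.Graph module is installed, that the signed-in account can write these policies, and that `<approver-user-object-id>` is replaced with a real object ID. The "Restrict access to Azure AD administration portal" toggle has no Graph setting and is left to the portal steps above.

```powershell
# Added example (not from the original page): applies the User Settings and
# Admin Consent recommendations with the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization",
                        "Policy.ReadWrite.ConsentRequest",
                        "Policy.ReadWrite.AuthenticationMethod"

# Placeholder (assumption): object ID of the admin who reviews consent requests
$approverId = "<approver-user-object-id>"

# Authorization policy = the tenant-wide defaults behind "User settings".
#   allowedToCreateApps             -> "Users can register applications: No"
#   permissionGrantPoliciesAssigned -> empty list = "Users can consent to apps: No"
#   allowInvitesFrom                -> "Guests can invite: No" (members and admins
#                                      may still invite; guest accounts may not)
Update-MgPolicyAuthorizationPolicy `
    -AllowInvitesFrom "adminsGuestInvitersAndAllMembers" `
    -DefaultUserRolePermissions @{
        allowedToCreateApps             = $false
        permissionGrantPoliciesAssigned = @()
    }

# Email one-time passcode for guests = "Enable Email One-Time Passcode: Yes"
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Email" `
    -BodyParameter @{
        "@odata.type"                = "#microsoft.graph.emailAuthenticationMethodConfiguration"
        state                        = "enabled"
        allowExternalIdToUseEmailOtp = "enabled"
    }

# Admin consent workflow = "Users can request admin consent to apps: Yes",
# with reviewer notifications, reminders and a 30-day request expiration.
$reviewers = @(
    @{ query = "/users/$approverId"; queryType = "MicrosoftGraph" }
)
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true `
    -NotifyReviewers:$true -RemindersEnabled:$true `
    -RequestDurationInDays 30 -Reviewers $reviewers

# Read the effective settings back so the change can be verified in a change record
$auth    = Get-MgPolicyAuthorizationPolicy
$consent = Get-MgPolicyAdminConsentRequestPolicy
[pscustomobject]@{
    UsersCanRegisterApps = $auth.DefaultUserRolePermissions.AllowedToCreateApps
    UserConsentPolicies  = ($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ",")
    AllowInvitesFrom     = $auth.AllowInvitesFrom
    AdminConsentRequests = $consent.IsEnabled
    ReviewerCount        = $consent.Reviewers.Count
}
```

An empty `UserConsentPolicies` value in the read-back confirms that user consent is fully blocked; if a tenant later needs "consent for verified publishers only", that is done by assigning a permission grant policy rather than by re-enabling the portal toggle.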

Device Settings

Configure how devices can join Azure AD and enable Enterprise State Roaming.

Default Device Settings

  1. Go to Azure AD admin center > Users > Device settings
  2. Set Require Multi-factor Auth to join devices: Yes

Device Settings - Require MFA to join

Enterprise State Roaming

  1. Navigate to Azure AD > Devices > Enterprise state roaming
  2. Under Users may sync settings and app data across devices, select All

Enterprise State Roaming - Enable for All


Conditional Access Baseline

Create the foundational Conditional Access policies to protect your tenant.

Before configuring Conditional Access policies, you must disable Security Defaults if it is currently enabled. Security Defaults and Conditional Access cannot be used simultaneously.

Step 1 — Disable Security Defaults

  1. Go to Azure AD > Properties
  2. Click Manage Security Defaults at the bottom
  3. Set Enable Security Defaults to No and click Save

Security Defaults - Turn Off

Step 2 - Create Named Locations

  1. Navigate to Azure AD > Security > Conditional Access > Named locations
  2. Create locations for Corporate Offices (IP-based) and allowed countries (country-based)

Conditional Access - Named Locations


Automate Conditional Access deployment with PowerShell using the accompanying scripts:

  • Install-BaselineCAPolicies.ps1
  • Install-DataProtectionCAPolicies.ps1
  • Install-GuestCAPolicies.ps1

Policy 1 — BLOCK: Legacy Authentication

Block legacy authentication protocols (Basic Auth, Exchange ActiveSync) that cannot enforce MFA.

  1. Navigate to Azure AD > Security > Conditional Access > New policy
  2. Configure Assignments — name the policy, include All users, and exclude the Excluded from CA group

    Block Legacy Auth - Assignments

  3. Cloud apps or actions — select All cloud apps

    Block Legacy Auth - Cloud Apps

  4. Conditions > Client apps — select Exchange ActiveSync clients and Other clients

    Block Legacy Auth - Conditions

  5. Access controls — select Block access, then Save and Enable

    Block Legacy Auth - Block Access


Policy 2 — GRANT: Require Multi-Factor Authentication

Require MFA for all users on all cloud apps.

  1. Navigate to Azure AD > Security > Conditional Access > New policy
  2. Configure Assignments — include All users, exclude guests and the Excluded from CA group

    Require MFA - Assignments

  3. Cloud apps or actions — select All cloud apps

    Require MFA - Cloud Apps

  4. Conditions > Client apps — select Browsers and Modern authentication clients

    Require MFA - Conditions

  5. Access controls — Grant access, tick Require multi-factor authentication

    Require MFA - Grant Access

Test this policy in Report-only mode first before enabling it to avoid locking out users.


Policy 3 — BLOCK: Unsupported Device Platforms

Block access from unsupported operating systems (e.g., Linux) to prevent circumvention of device-based policies.

  1. Navigate to Azure AD > Security > Conditional Access > New policy
  2. Configure Assignments and Cloud apps as above, then under Conditions:
    • Device platforms > Include: Any device / Exclude: Android, iOS, macOS, Windows

    Block Unsupported Platforms - Conditions

    • Client apps: Browsers and Modern authentication clients

    Block Unsupported Platforms - Client Apps

  3. Access controls — Block access, then Save and Enable

    Block Unsupported Platforms - Block Access
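The three baseline policies (Policy 1 through Policy 3) can be created as a unit through Microsoft Graph instead of clicking through the portal. The script below is an added example and is not the page's Install-*.ps1 scripts; it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph module is installed and that the Excluded from CA group already exists under that display name, and the policy display names are assumptions. Every policy is created in report-only state so the sign-in logs show who would be blocked before anything is enforced, which is the caveat given for Policy 2 above applied to all three.

```powershell
# Added example (not the page's Install-*.ps1 scripts): creates the three baseline
# Conditional Access policies in report-only mode with the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Prerequisite check from Step 1: Security Defaults and Conditional Access are mutually exclusive
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security Defaults is still enabled; turn it off (Azure AD > Properties) before creating policies."
}

# Exclusion group from the Assignments steps (display name assumed to match the page)
$excludedGroup = Get-MgGroup -Filter "displayName eq 'Excluded from CA'"
if (-not $excludedGroup) { throw "Group 'Excluded from CA' not found; create it first." }

$state   = "enabledForReportingButNotEnforced"   # report-only; change to "enabled" after review
$allApps = @{ includeApplications = @("All") }

# Policy 1 - block legacy authentication (Exchange ActiveSync and "other clients" cannot do MFA)
$blockLegacy = @{
    displayName   = "BLOCK - Legacy Authentication"
    state         = $state
    conditions    = @{
        applications   = $allApps
        users          = @{ includeUsers = @("All"); excludeGroups = @($excludedGroup.Id) }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2 - require MFA on browsers and modern auth clients; guests are excluded as on the page
$requireMfa = @{
    displayName   = "GRANT - Require Multi-Factor Authentication"
    state         = $state
    conditions    = @{
        applications   = $allApps
        users          = @{
            includeUsers  = @("All")
            excludeUsers  = @("GuestsOrExternalUsers")
            excludeGroups = @($excludedGroup.Id)
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 3 - block every platform except the four that device-based policies can evaluate
$blockPlatforms = @{
    displayName   = "BLOCK - Unsupported Device Platforms"
    state         = $state
    conditions    = @{
        applications   = $allApps
        users          = @{ includeUsers = @("All"); excludeGroups = @($excludedGroup.Id) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        platforms      = @{
            includePlatforms = @("all")
            excludePlatforms = @("android", "iOS", "macOS", "windows")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create each policy unless one with the same display name exists, so re-runs are idempotent
$existing = Get-MgIdentityConditionalAccessPolicy | Select-Object -ExpandProperty DisplayName
foreach ($policy in @($blockLegacy, $requireMfa, $blockPlatforms)) {
    if ($existing -contains $policy.displayName) {
        Write-Host "Skipping existing policy: $($policy.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' [$($created.State)] id=$($created.Id)"
}
```

After the report-only period, review the Conditional Access insights in the sign-in logs (the report-only result column) for each policy; only then flip `$state` to `"enabled"` and re-run, or switch the state in the portal. Keeping the exclusion group in every policy preserves a break-glass path if a policy misfires.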


Optional Advanced Policies

Only enable these additional policies after completing the prerequisites listed for each:

Policy                                  Prerequisite
Require compliant device                Complete Endpoint Manager setup + enroll all devices
Require Hybrid Azure AD joined device   Complete Hybrid Azure AD Join setup + verify all devices registered
Require approved client app (MAM)       Complete App Protection Policies setup + deploy them