Want to Avoid Accidently Deleting your Resources in Azure? It's Easier Than You Think
Sometimes, knowingly or unknowingly you might delete a resource group in Azure. In this article let's talk about how to configure Azure Resource Locking in order to protect them from being deleted or modified accidentally.Efficiently Removing Inactive Guest Users in M365/Azure
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more. Many organizations forget to offboard their guest users. Whether students drop out, graduate, or are removed from the program, their guest accounts often linger in your tenant—quiet, forgotten, and potentially risky. Let’s talk about why it matters and what you should be doing about it. The Hidden Risk of Inactive Guest Users It’s easy to think of guest users as harmless—after all, they’re just there temporarily, right? But the reality is that each inactive user is an open door. A door that, if left unlocked, could be used by someone with bad intentions. Here’s why: Their credentials may be compromised elsewhere. If a former student reused a password or their email account is breached, an attacker could gain access to your tenant through their still-active guest account. They may retain access to sensitive files. Even if you think they’ve moved on, inactive users might still be able to view shared documents, recordings, or internal communication threads. Your organization becomes a bigger target. The more accounts you have—especially inactive or unmonitored ones—the more surface area an attacker can exploit. Nonprofits are particularly vulnerable. You’re working hard to do good in the world, but limited time, resources, and staff often mean security takes a back seat. That’s why it’s critical to develop lightweight, repeatable processes that protect your community and your mission. Guest Access Shouldn’t Be Set and Forget Inviting students into your tenant helps them feel part of something bigger. But just as important as the welcome is the send-off. Not everyone who starts the program finishes it, and not everyone who finishes needs continued access to your resources. Here are a few things to consider: Do you have a system to track who’s still active? Are you reviewing guest user activity periodically? Do you know how to remove or disable users when they’re no longer part of the program? If the answer to any of these is “no,” you’re not alone—and you’re not too late. The Benefits of Cleaning Up Your Tenant Beyond improving your security posture, removing inactive guest users can: Keep your environment organized. It’s easier to manage active cohorts when your tenant isn’t cluttered with outdated accounts. Reduce licensing conflicts. Even though guest users don’t typically consume licenses, having too many users can complicate group access, permissions, and automated workflows. Show respect for your participants. Offboarding users when their participation ends is a sign of professionalism—and it protects their data, too. Up Next: How to Remove Inactive Guest Users Now that you understand why it's important to remove inactive guest users, the next step is knowing how. Fortunately, Microsoft 365 provides built-in tools and settings to help you manage and clean up guest access safely and efficiently. In our next section, we’ll walk you through a step-by-step guide to identify and remove inactive guest users from your tenant. How to Create a Dynamic Group for Guest Users in Microsoft Entra ID The first thing we need to do is create a dynamic group for guest users. This step is important because dynamic groups automatically include users based on specific attributes—in this case, identifying anyone with a user type of "Guest." Instead of manually adding or removing users from a group each time someone joins or leaves your program, dynamic groups keep everything up to date for you. It’s a simple way to ensure your access management stays clean, organized, and secure. Step-by-Step Instructions Sign in to the Microsoft Entra admin center You’ll need to access the admin portal to manage groups and set up dynamic rules. Go to https://entra.microsoft.com and log in with your admin credentials > navigate to Manage Entra ID. Access the Groups section This is where all your groups are managed within Entra ID. In the left-hand menu, select Groups under the “Manage” section. Create a new group This begins the process of defining your dynamic group. Click + New group to start creating a new group from scratch. Configure group settings You’ll choose the group type, give it a name, and specify that it will use dynamic membership. Select Security as the group type, enter a name (like "Guest Users"), and choose Dynamic User under Membership type. Add dynamic membership rule This is where you set the condition that defines who will be in the group. Under Dynamic user members, click Add dynamic query to build a rule based on user attributes. Define the membership rule We’ll configure the rule so that it targets users where the userType equals Guest. Select + Add expression > set the Property to userType, Operator to Equals, and Value to Guest. Add second expression to filter active guests This ensures only active guest accounts are included. Click Add expression again > set the Property to accountEnabled, Operator to Equals, and Value to true. Validate the rules This helps confirm that your rule works as intended before applying it. Select Validate Rules > click + Add users and choose a guest user from the list. Save the dynamic rule Once your conditions are set, saving them will apply the logic to the group. Click Save to finalize the rule and return to the group creation screen. Create the group Review all the settings and create the group so it begins auto-populating. Click Create, and your dynamic group will now include all guest users automatically. Navigate back to the group tab > select Dynamic Groups > and select your group to view the members and verify all guest users have been added. We're not done just yet! Now let's automate the review and removal of inactive guest users. 🔍 How to Set Up an Access Review for Inactive Guest Users in Microsoft Entra ID After establishing a dynamic group for guest users, the next crucial step is to regularly review their activity. Access reviews in Microsoft Entra ID allow you to automate the process of identifying and removing inactive guest users, thereby maintaining a secure and compliant environment. Step-by-Step Instructions Access the Identity Governance section In the Azure search bar, type and select Identity Governance, then click on Access Reviews. Initiate a new access review Click on + New access review to start the configuration process. Select what to review • Resource type: Choose Teams + Groups • Review scope: Select Select Teams + groups • Group selection: Choose the dynamic group you previously created for guest users • Scope: Set to Guest users only • User scope: Check the box for Inactive users only • Days inactive: Specify the number of days (e.g., 30) to define inactivity Configure the review settings • Reviewers: Select Selected user(s) or group(s) • Users or Groups: Select your desired reviewer(s) • Duration: Set the number of days the review will be open (e.g., 5 days) • Recurrence: Choose the frequency (e.g., monthly, quarterly) or set it as a one-time review • Start date: Specify when the review should begin • End date: Define when the review should end or select Never for ongoing reviews Set up review settings • Auto apply results to resource: Enable this to automatically apply the review outcomes • If reviewers don't respond: Choose Remove access or Take recommendations to revoke access for users not reviewed • Action to apply on denied guest users: Select Block user from signing in for 30 days, then remove user from the tenant Configure advanced settings (optional) • Justification required: Require reviewers to provide reasons for their decisions • Email notifications: Enable to send notifications to reviewers at the start and end of the review • Reminders: Set up reminders for reviewers during the review period • Additional content for reviewer email: Add any specific instructions or information for reviewers Review and create the access review • Name: Provide a descriptive name for the access review • Description: Optionally, add details about the purpose of the review • Review: Ensure all settings are correct • Create: Click Create to initiate the access review Managing guest access might feel like a behind-the-scenes task, but it plays a frontline role in protecting your nonprofit’s data, resources, and reputation. Whether a guest user is a student who graduated, a volunteer who moved on, or someone who left unexpectedly, leaving their access unchecked can expose your organization to unnecessary risk. By creating a dynamic group for guest users and setting up regular access reviews, you’re putting smart guardrails in place. These steps not only strengthen your security but also keep your Microsoft 365 environment tidy, efficient, and aligned with best practices. Security doesn’t have to be complicated—and it shouldn’t be an afterthought. With tools already available in Microsoft Entra ID, you can stay proactive, stay protected, and keep your mission moving forward with confidence.Don't Be Vulnerable - The Necessity of Having Emergency Access Accounts
Don't Get Locked Out! Nonprofit organizations face unique challenges when it comes to managing their Microsoft accounts. Limited budgets and allocations require for stringent measures when adopting new software. More importantly, nonprofits handle sensitive data such as Personal Identifiable Information (PII), Protected Health Information (PHI), and financial information just to name a few. Maintaining privacy and security is of the utmost importance and violations of these standards can come with steep penalties and erode trust. Being locked out, can spell disaster and leave your organization vulnerable to attack. Which is why it is imperative to have a Emergency Access Account. What Are Emergency Access Accounts? Emergency Access (Break Glass) Accounts are high-privilege, cloud-only accounts created to ensure administrators can access your tenant during identity-related outages, misconfigurations, or Conditional Access lockouts. Emergency accounts play a pivotal role in safeguarding financial security and ensuring uninterrupted access to critical resources during times of crisis. Whether it’s a natural disaster, a cyberattack, or an internal administrative challenge, having a well-structured emergency account strategy allows organizations to maintain operational stability and protect the communities they serve. It is recommended to have at least two emergency access accounts. A Break Glass Accounts ensures that authorized personnel can regain control promptly and mitigate further risks or operational downtime. Microsoft has been steadily enforcing Multifactor Authentication in Azure, Microsoft Admin portals, and Office 365 in phases since 2024. Phase 1 rolled out officially around October 2024 within Azure Portal, Microsoft Entra Admin Center, and Intune Admin Center. Common Scenarios Organizations Face Privilege Roles Left Organization: The sole Global Administrator or Billing Administrator has left the organization. Privilege Roles are Eligible and Not Active: Global Administrator or Privilege Role Administrators were configured to be eligible which needs approval. Therefore, no approval can be given and now the account is locked out. Federated Accounts with Identity Providers: Federated devices through identity provider and can't access Microsoft Entra ID for authentication. Cellular Network outage for Authentication: Cellular network is down or natural disaster impacting authentication since only authentication method is using SMS phone authentication. Emergency Access Accounts Prevent Ensures access during emergencies when standard methods are compromised. Prevents delays in critical activities like payroll and funding allocation. Mitigates risks from technical failures, such as system outages. Safeguards operational stability during crises like cyberattacks or natural disasters. Allows authorized personnel to promptly regain control and minimize downtime. These scenarios leave the organization, potentially leaving access credentials in limbo. This could delay critical activities like payroll, funding allocation, or payments to service providers. Similarly, technical failures such as system outages or inaccessible online platforms can hinder account access, disrupting ongoing projects and community services. Moreover, scenarios are just some of the challenges that nonprofits face. Creating preventative measures help minimize downtime. Beware of Phishing Setting up phishing-resistant Multifactor Authentication (MFA) for emergency access accounts is an essential step in keeping your organization secure during critical situations. Below is a list of the different types of phishing that target accounts. Types of Phishing Business Email Compromise (BEC): is a targeted cybercrime involving the impersonation of a trusted person or organization to manipulate victims into transferring money, sharing sensitive information, or granting access to systems. Whaling: A specialized form of phishing that targets high-ranking individuals, such as executives or decision-makers, within an organization. Email Phishing: A widespread form of phishing where attackers send deceptive emails pretending to be legitimate organizations or individuals to trick recipients into sharing sensitive information, such as passwords, credit card details, or downloading malicious software. Spear Phishing: A targeted phishing attack using personalized messages to trick specific individuals or organizations into sharing sensitive information or performing actions like wire transfers. Clone Phishing: A phishing technique where attackers duplicate legitimate emails previously sent by trusted sources, replacing links or attachments with malicious ones to deceive recipients into sharing sensitive information or installing malware. Voice Phishing (Vishing): A phishing method where attackers use phone calls to impersonate trusted entities, such as banks or government agencies, aiming to extract sensitive information like account details or personal data from victims. SMS Phishing (Smishing): A phishing attack using deceptive text messages that impersonate trusted entities, such as banks or service providers, to trick victims into sharing sensitive information or clicking malicious links. As phishing techniques grow more sophisticated and pervasive, the need for dynamic security measures becomes paramount. Phishing-resistant Multifactor Authentication (MFA) serves as a vital defense mechanism by incorporating multiple layers of verification, making unauthorized access significantly more challenging. By moving beyond traditional passwords, MFA ensures that even if credentials are compromised, attackers face additional barriers to breach systems, mitigating risks and fortifying overall security. Phishing Resistant Authentication Methods An authentication method is a security mechanism used to verify the identity of a user before granting access to systems or resources. It may involve techniques such as security keys, certificates, biometrics, or passkeys, ensuring secure and often password-less access while minimizing risks of unauthorized entry and phishing. Phishing Resistant MFA Passkeys (FIDO2): Fast IDentity Online 2 (FIDO2) is the second iteration of password-less protocol used as an authentication method within the Microsoft authentication app or a FIDO2-compatible USB device to securely log into systems without relying on passwords. These keys are ideal for desktop computers (Work Identities/ Managed Devices) and servers requiring physical access. Certificate-Based Authentication: Certificate-Based Authentication (CBA) in Microsoft Entra ID uses digital certificates to verify user identity. Instead of passwords, it relies on cryptographic keys within certificates issued by trusted Certificate Authorities (CAs). This method enhances security by preventing phishing and impersonation since certificates are difficult to duplicate. Widow Hello for Business/ Platform Credential: Windows Hello for Business/Platform Credentials is a secure, multi-authentication method replacing traditional passwords. It uses biometrics like fingerprints, facial recognition, or a PIN tied to the device, ensuring only authorized access. As phishing techniques grow more sophisticated and pervasive, the need for dynamic security measures becomes paramount. By using authentication methods like Passkeys for security keys or app-based authenticators, phishing-resistant MFA helps block unauthorized access attempts, even when sophisticated phishing techniques are at play. This ensures that emergency accounts remain safe and accessible only to authorized personnel, allowing them to respond quickly and confidently without risking sensitive data or systems. Requirements & Considerations Passkeys can be used with the Microsoft Authentication App (Currently in Preview) and FIDO2 USB Security Keys. However, it is critical that you complete the multifactor authentication steps within 5 minutes before you can register a Passkey (FIDO2). Make sure your FIDO2 Security key is Microsoft & FIDO2 compliant. Learn more about it here attestation and compliance here: Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn. Emergency accounts can be used across various platforms, including Windows, macOS, Linux, iOS, and Android, ensuring cross-platform accessibility during critical situations. Passkey (FIDO2) must comply with Attestation GUID (AAGUID) standards to ensure enhanced security and compatibility with trusted systems. Conclusion Emergency access accounts are not a luxury—they are a necessity. For nonprofits, which are often targets of cyber threats and face limited resources to respond, having a contingency plan is mission critical. These accounts serve as a lifeline during emergencies like identity lockouts, outages, or cyberattacks. By following the best practices outlined in this guide, nonprofits can dramatically reduce downtime, maintain access to donor and client data, and continue operations seamlessly even when adversity strikes. Planning, documenting, securing, and testing these accounts ensure you’re prepared for the unexpected. Implementing these safeguards today could be what protects your organization tomorrow. What’s Next? In our next blog, we’ll walk through how to create an Emergency Access Account in your Microsoft Entra ID tenant, step-by-step. We’ll cover naming conventions, secure password practices, how to create an emergency access account, and more—so your nonprofit can be prepared for anything. Stay tuned! Hyperlinks Manage emergency access admin accounts - Microsoft Entra ID | Microsoft Learn Password-less sign-in with Authenticator - Microsoft Entra ID | Microsoft Learn Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn Enable passkeys in Authenticator for Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn Phishing resistant authentication in Microsoft Entra ID - Microsoft Entra ID | Microsoft LearnHow to Re-Register MFA
Working closely with nonprofits every day, I often come across a common challenge faced by MFA users. Recently, I worked with a nonprofit leader who faced an issue after getting a new phone. She was unable to authenticate into her Microsoft 365 environment because her MFA setup was tied to her old device. This experience highlighted how important it is to have a process in place for MFA re-registration. Without it, even routine changes like upgrading a phone can disrupt access to your everyday tools and technologies, delaying important work such as submitting a grant proposal. Why MFA is Essential for Nonprofits Before we discuss how to reset MFA, let’s take a step back and discuss why MFA is a necessity for nonprofits the way it is important for any organization. In the nonprofit world, protecting sensitive or confidential data—like donor information, financial records, and program details—is a top priority. One of the best ways to step up your security game is by using Multi-Factor Authentication (MFA). MFA adds an extra layer of protection on top of passwords by requiring something you have (like a mobile app or text message) or something you are (like a fingerprint). This makes it a lot harder for cybercriminals to get unauthorized access. If your nonprofit uses Azure Active Directory (AAD), or Microsoft Entra (as it is now called), with Microsoft 365, MFA can make a big difference in keeping your work safe. Since Microsoft Entra is built to work together with other Microsoft tools, it’s easy to set up and enforce secure sign-in methods across your whole organization. To make sure this added protection stays effective, it’s a good idea to occasionally ask users to update how they verify their identity. What Does MFA Re-Registration Mean for Nonprofits? MFA re-registration is just a fancy way of saying users need to update or reset how they authenticate, or verify, themselves. This might mean setting up MFA on a new phone (like the woman in the scenario above), adding an extra security option (like a hardware token), or simply confirming their existing setup. It’s all about making sure the methods and devices your users rely on for MFA are secure and under their control. When and Why Should Nonprofits Require MFA Re-Registration? Outside of getting a new phone, there may be other situations that raise cause for reason to re-register your MFA. A few scenarios include: Lost or Stolen Devices: Similar to the scenario above, if someone loses their phone or it gets stolen, you will have to re-register the new device. Role Changes: If someone’s responsibilities change, their MFA setup can be adjusted to match their new access needs. Security Enhancements: Organizations may require users to re-register for MFA to adopt more secure authentication methods, such as moving from SMS-based MFA to an app-based MFA like Microsoft Authenticator Policy Updates: When an organization updates its security policies, it might require all users to re-register for MFA to comply with new standards Account Compromise: If there is a suspicion that an account has been compromised, re-registering for MFA can help secure the account by ensuring that only the legitimate user has access With Microsoft Entra, managing MFA re-registration is straightforward and can be done with an administrator to the organization’s tenant. How to require re-registration of MFA To reset or require re-registration of MFA in Microsoft Entra, please follow the steps below. Navigate to portal.azure.com with your nonprofit admin account. Select Microsoft Entra ID Select the drop-down for Manage In the left-hand menu bar select Users > Select the user's name that you want to reregister to MFA (not shown). Once in their profile, select Manage MFA authentication methods Select Require re-register multifactor authentication Congratulations! The user will now be required to re-register the account in the Microsoft Authentication app.Simple Cybersecurity Steps Every Nonprofit Can Take Using Microsoft 365
Your granted Microsoft 365 Business Premium licenses offer a suite of cybersecurity tools that can help protect your organization from cyber threats, even if you're not tech-savvy. This blog post will guide you through simple steps every nonprofit can implement to enhance their cybersecurity using Microsoft 365.
Beyond Visibility: Hybrid Identity Protection with Microsoft Entra & Defender for Identity
In a previous blog, we explored how Microsoft Entra and Defender for Identity form a powerful duo for hybrid identity protection. But visibility alone isn’t enough. To truly defend your organization, you need to operationalize that visibility—turning insights into action, and strategy into security outcomes. Let’s explore how to take your hybrid identity protection to the next level. From Detection to Response: Building a Unified Identity SOC Security teams often struggle with fragmented signals across cloud and on-prem environments. Defender for Identity and Entra solve this by feeding identity-based alerts into Microsoft 365 Defender and Microsoft Sentinel, enabling: Centralized incident response: Investigate identity threats alongside endpoint, email, and cloud signals. Automated playbooks: Trigger actions like disabling accounts or enforcing stricter access policies. Advanced hunting: Use KQL queries to uncover stealthy attacks like domain dominance or golden ticket abuse. This unified approach transforms your SOC from reactive to proactive. Strengthening Identity Posture with Entra ID Protection Once threats are detected, Entra ID Protection helps you contain and prevent them: Risk-based Conditional Access: Automatically block or challenge risky sign-ins based on Defender for Identity signals. User risk remediation: Force password resets or MFA enrollment for compromised accounts. Policy tuning: Use insights from past incidents to refine access controls and reduce false positives. This adaptive security model ensures that your defenses evolve with the threat landscape. To learn more about these and additional policy-driven security mechanisms, please visit: Risk policies - Microsoft Entra ID Protection | Microsoft Learn Least Privilege at Scale with Entra ID Governance Identity protection isn’t just about stopping attacks—it’s about minimizing the blast radius. Entra ID Governance helps enforce least privilege by: Automating access reviews: Regularly audit who has access to sensitive resources. Just-in-time access: Grant temporary permissions only when needed. Entitlement management: Control access to apps and groups with policy-based workflows. By reducing unnecessary access, you make lateral movement harder for attackers—and easier for auditors. To learn more about least privilege, please visit: Understanding least privilege with Microsoft Entra ID Governance | Microsoft Learn Real-Time Insights with Microsoft Sentinel Sentinel supercharges your hybrid identity protection with: Custom dashboards: Visualize risky users, sign-in anomalies, and privilege escalations. Threat intelligence fusion: Correlate identity signals with external threat feeds. Data connectors: Stream Entra and Defender for Identity logs for deep analysis and long-term retention. This gives you the clarity to spot patterns and the context to act decisively. To learn more about Microsoft Sentinel, please visit: What is Microsoft Sentinel SIEM? | Microsoft Learn Next Steps: Operationalize Your Identity Strategy To move from visibility to action: Deploy Defender for Identity sensors across all domain controllers. Integrate with Microsoft 365 Defender and Sentinel for unified threat detection. Enable risk-based Conditional Access in Entra to respond to identity threats in real time. Implement least privilege policies using Entra ID Governance. Use Sentinel for advanced hunting and analytics to stay ahead of attackers. Final Thoughts Hybrid identity protection isn’t a checkbox—it’s a continuous journey. By operationalizing the integration between Microsoft Entra and Defender for Identity, you empower your security teams to detect, respond, and prevent identity threats with precision and speed.Comprehensive Identity Protection—Across Cloud and On-Premises
Hybrid IT environments, identity is the new perimeter—and protecting it requires visibility across both cloud and on-premises systems. While Microsoft Entra secures cloud identities with intelligent access controls, Microsoft Defender for Identity brings deep insight into your on-premises Active Directory. Together, they form a powerful duo for comprehensive identity protection. Why Hybrid Identity Protection Matters Most organizations haven’t fully moved to the cloud. Legacy systems, on-prem applications, and hybrid user scenarios are still common, and attackers know it. They exploit these gaps using techniques like: Pass-the-Hash and Pass-the-Ticket attacks Credential stuffing and brute-force logins Privilege escalation and lateral movement Without visibility into on-prem identity activity, these threats can go undetected. That’s where Defender for Identity steps in. What Is Microsoft Defender for Identity? Defender for Identity is part of Microsoft Defender XDR—a cloud-based solution that monitors on-premises Active Directory for suspicious behavior. It uses behavioral analytics and threat intelligence to detect identity-based attacks in real time. Key capabilities: Detects compromised accounts and insider threats Monitors lateral movement and privilege escalation Surfaces risky users and abnormal access patterns Integrates with Microsoft 365 Defender and Sentinel for unified response Why It Pairs Perfectly with Microsoft Entra Microsoft Entra (formerly Azure AD) protects cloud identities with features like Conditional Access, Multifactor Authentication, and Identity Governance. But Entra alone can’t see what’s happening in your on-prem AD. By combining Entra and Defender for Identity, you get: End-to-end visibility across cloud and on-prem environments Real-time threat detection for suspicious activities like lateral movement, privilege escalation, and domain dominance Behavioral analytics to identify compromised accounts and insider threats Integrated response capabilities to contain threats quickly and minimize impact Actionable insights that help strengthen your identity posture and reduce risk Together, they deliver comprehensive identity protection—giving you the clarity, control, and confidence to defend against modern threats. Real-World Impact Imagine a scenario where an attacker gains access to a legacy on-prem account and begins moving laterally across systems. Defender for Identity detects the unusual behavior and flags the account as risky. Entra then blocks cloud access based on Conditional Access policies tied to that risk signal—stopping the attack before it spreads. Getting Started Deploy Defender for Identity sensors on your domain controllers Install a sensor - step-by-step instructions to install Defender for Identity sensors on your domain controllers to begin monitoring on-premises identity activity. Activate the sensor on a domain controller - Guidance on activating the installed sensor to ensure it starts collecting and analyzing data. Deployment overview - A high-level walkthrough of the Defender for Identity deployment process, including prerequisites and architecture. Connect Defender for Identity to Microsoft 365 Defender Integration in the Microsoft Defender portal - Learn how to connect Defender for Identity to Microsoft 365 Defender for centralized threat detection and response. Pilot and deploy Defender for Identity - Best practices for piloting Defender for Identity in your environment before full-scale deployment. Enable risk-based Conditional Access in Entra Configure risk policies in Entra ID Protection - Instructions for setting up risk-based policies that respond to identity threats in real time. Risk-based access policies overview - An overview of how Conditional Access uses risk signals to enforce adaptive access controls. Use Entra ID Governance to enforce least privilege Understanding least privilege with Entra ID Governance - Explains how to apply least privilege principles using Entra’s governance tools. Best practices for secure deployment - Recommendations for securely deploying Entra ID Governance to minimize identity-related risks. Integrate both with Microsoft Sentinel for advanced hunting Microsoft Defender XDR integration with Sentinel - How to connect Defender for Identity and other Defender components to Microsoft Sentinel for unified security operations. Send Entra ID data to Sentinel - Instructions for streaming Entra ID logs and signals into Sentinel for deeper analysis. Microsoft Sentinel data connectors - A catalog of available data connectors, including those for Entra and Defender for Identity, to expand your threat detection capabilities. Final Thoughts It's the perfect time to evaluate your identity protection strategy. By pairing Microsoft Entra with Defender for Identity, you gain full visibility across your hybrid environment—so you can detect threats early, respond quickly, and protect every identity with confidence. Ready to strengthen your identity perimeter? Start by deploying Defender for Identity and configuring Entra policies today.Enabling Self-Service Password Reset for Your Organization
What Is SSPR? It is a frigid February morning. The time is approximately 6:30 AM. Your morning cup of joe is interrupted by an urgent call from your system administrator Jonathan. He informs you about a suspicious email incident over the weekend that potentially impacted numerous employees. He suggests resetting all passwords to reduce any potential impact after handling most of the preliminary measures. Jonathan is thinking about enabling Self-Service Password Reset (SSPR) to maximize time and efficiency. SSPR allows organizations to members to reset their own password. In this blog we will cover a useful feature that can be enabled in your Microsoft Entra Admin Center. Naturally, this blog assumes that you have not enabled this feature as you are just getting started. However, I do suggest looking into the links below for a deeper dive. Navigating to Microsoft Entra Admin Center First, before beginning to enable this feature, make sure to have your admin credentials handy. You must have the appropriate administrative role and access. Lastly, if you want to enable this policy for on-premises integration. You will need to set up a sync engine to be connected to your account. Please see the following link to learn more: Enable Microsoft Entra password writeback - Microsoft Entra ID | Microsoft Learn. Let us continue to the login page. Sign In Navigate to the following website https://entra.microsoft.com. Using your administrative credentials type in your “Username and Password.” If you have forgotten your password, click on “Forgot my password” then follow the prompts accordingly. You will be prompted to authenticate using your phone via the “Microsoft Authentication app.” After you sign in, you'll arrive at the Microsoft Entra Admin Center Home directory. From there, we'll guide you through the process of enabling the feature, one step at a time. Enabling SSPR In the home screen, select the “Protection” tab in the left-hand menu, then click “Password reset.” The first menu item is “Properties” on the right side you will see “Self-service password reset enabled.” Select between three options: None: No users within the organization selected for reset (this is selected by default if never enabled). Selected: Select the Microsoft groups within your organization to apply for self-reset. All: Apply for all users within the organizations for self-reset. Select one then click the “Save” button. Now that SSPR is enabled, you will see “Forgot my password” based on the option you selected. If all options were chosen, all members would see it; otherwise, it will be visible according to the groups you specified. This allows the Systems admin to send just one email to reset their passwords. Conclusion Moving forward, this policy aims to enhance self-sufficiency and improve security measures. By enabling Self-Service Password Reset (SSPR), organizations can streamline password management, lighten IT support loads, and boost security. Users can reset their passwords quickly and securely keeps productivity high and mitigates risks associated with forgotten credentials. Monitor its effectiveness and adjust settings as needed to meet your organization's unique needs and security standards. Hyperlinks License self-service password reset - Microsoft Entra ID | Microsoft Learn Enable Microsoft Entra password writeback - Microsoft Entra ID | Microsoft Learn Self-service password reset deep dive - Microsoft Entra ID | Microsoft Learn Microsoft Entra Admin Center - Secure, Protect, & Manage | Microsoft Community Hub
