Azure AD security: how to audit and harden what is now Entra ID
Microsoft renamed Azure Active Directory to Entra ID, but the security problems did not rename themselves. If you searched for Azure AD security, this page is for you: what to audit, the settings that matter most, and how to keep the tenant hardened after the audit is done.
Microsoft completed the rename in 2023: Azure Active Directory (Azure AD) became Microsoft Entra ID. Same directory, same tenants, same settings, new name. Every Azure AD security practice below applies unchanged to Entra ID, and our detailed hardening guidance lives in the Entra ID security best practices guide.
The Azure AD security audit checklist
These are the areas where our scans find real exposure in nearly every tenant, in the order an attacker would care about them:
- MFA coverage, measured from the data. Not "does a policy exist" but which enabled users can still sign in with a password alone. Exclusions accumulate; verify coverage, not intent.
- Conditional Access exclusions. Review every policy's exclusion list quarterly. Every exclusion needs a name, a reason, and an expiration.
- Legacy authentication. Block it with Conditional Access and confirm in sign-in logs. SMTP AUTH basic still survives in most tenants and password spray targets it around the clock.
- Privileged roles and PIM. Two to four human Global Administrators plus break-glass, everything else PIM-eligible instead of permanently active, no privileged roles on guest accounts.
- App registrations and service principals. Inventory permissions, delete what nothing uses, replace client secrets with certificates or managed identities, rotate anything old.
- User consent settings. Restrict user consent to applications and turn on the admin consent workflow; consent phishing walks straight past MFA.
- Stale accounts and guests. Enabled accounts with no sign-in for 90 days are unmonitored attack surface. Disable or document every one.
- Audit and sign-in log retention. Confirm retention actually covers your investigation window before you need it.
Each of these maps to checks in our engine and to the misconfigurations we catalog on the Microsoft 365 misconfigurations page, with CISA SCuBA control mappings on the SCuBA compliance page.
An audit is a snapshot. Azure AD keeps moving.
The uncomfortable part of Azure AD security is that the audit above starts going stale the day you finish it. Admins add exclusions under pressure, roles get granted during projects, Microsoft moves defaults. That decay is security drift, and the fix is not a bigger annual audit, it is continuous drift management: baseline the tenant, detect divergence as it happens, and close each gap while it is one item instead of a backlog. Senserva runs nearly 700 checks across Entra ID, Microsoft 365, Intune, and Defender continuously, with validated remediation for what it finds.
Frequently asked questions
Yes. Microsoft renamed Azure Active Directory to Microsoft Entra ID in 2023. It is the same identity service; only the name and portal branding changed. Security guidance written for Azure AD applies to Entra ID.
Work the checklist above: measure MFA coverage from sign-in data, review Conditional Access exclusions, confirm legacy authentication is blocked, inventory privileged roles and app permissions, and check stale accounts and log retention. Or run a scan: Senserva audits all of it in minutes and ranks what it finds by risk.
Hollow MFA policies (broad exclusions), standing Global Administrator assignments instead of PIM, unrestricted user consent to applications, long-lived service principal secrets, and stale enabled accounts. None of them fire an alert, which is why they survive.
Continuously. A quarterly review leaves a full quarter for drift to accumulate unseen. Continuous monitoring produces a short list of fresh findings each cycle, each one minutes to fix because it is small and has an obvious owner.
Sponsored by Senserva
Siemserva by Senserva reports patch status for your own devices: which ones are missing the updates on this page, ranked by what attackers actually exploit.
Please link to this page to stay current.
- Patch status in one scan: which devices are affected, which are not
- Missing updates ranked by CISA KEV and EPSS, so you fix the right things first
- Data from Intune, Microsoft Defender, Windows Autopatch, and Azure Update Manager, with more sources on the way
- Third-party app patching too: updates published to Intune by PatchMyPC, Scappman, Robopack, or any vendor, read vendor-neutrally
- Optional AI Enhanced Reporting: plain-language summaries and recommended next steps written into your reports
- Then go further: 650+ security checks find the drift management gaps across Microsoft 365, Intune, Defender, and Entra ID, with compliance evidence and Senserva Trustworthy AI remediation
Patching in action in two minutes. Watch page · All videos.
Triage order for this list
Same order in the dashboard, the report, and every AI answerRanked missing updates, fix-first order
27 findings · showing top 2| # | Update | CVE | Severity | Source | Devices | Waiting | |
|---|---|---|---|---|---|---|---|
| 1 | KB5040219 Windows 11 23H2 cumulative | CVE-2026-31210 KEV EPSS 0.94 | Critical | Defender | 41 | 19 days | Add to fix-first |
| 2 | KB5040088 .NET Framework security update | CVE-2026-29981 KEV | Critical | Intune | 17 | 12 days | Add to fix-first |
