Azure AD security: how to audit and harden what is now Entra ID

Microsoft renamed Azure Active Directory to Entra ID, but the security problems did not rename themselves. If you searched for Azure AD security, this page is for you: what to audit, the settings that matter most, and how to keep the tenant hardened after the audit is done.

Run a free Azure AD security scan

Azure AD is Entra ID now

Microsoft completed the rename in 2023: Azure Active Directory (Azure AD) became Microsoft Entra ID. Same directory, same tenants, same settings, new name. Every Azure AD security practice below applies unchanged to Entra ID, and our detailed hardening guidance lives in the Entra ID security best practices guide.

The Azure AD security audit checklist

These are the areas where our scans find real exposure in nearly every tenant, in the order an attacker would care about them:

  1. MFA coverage, measured from the data. Not "does a policy exist" but which enabled users can still sign in with a password alone. Exclusions accumulate; verify coverage, not intent.
  2. Conditional Access exclusions. Review every policy's exclusion list quarterly. Every exclusion needs a name, a reason, and an expiration.
  3. Legacy authentication. Block it with Conditional Access and confirm in sign-in logs. SMTP AUTH basic still survives in most tenants and password spray targets it around the clock.
  4. Privileged roles and PIM. Two to four human Global Administrators plus break-glass, everything else PIM-eligible instead of permanently active, no privileged roles on guest accounts.
  5. App registrations and service principals. Inventory permissions, delete what nothing uses, replace client secrets with certificates or managed identities, rotate anything old.
  6. User consent settings. Restrict user consent to applications and turn on the admin consent workflow; consent phishing walks straight past MFA.
  7. Stale accounts and guests. Enabled accounts with no sign-in for 90 days are unmonitored attack surface. Disable or document every one.
  8. Audit and sign-in log retention. Confirm retention actually covers your investigation window before you need it.

Each of these maps to checks in our engine and to the misconfigurations we catalog on the Microsoft 365 misconfigurations page, with CISA SCuBA control mappings on the SCuBA compliance page.

An audit is a snapshot. Azure AD keeps moving.

The uncomfortable part of Azure AD security is that the audit above starts going stale the day you finish it. Admins add exclusions under pressure, roles get granted during projects, Microsoft moves defaults. That decay is security drift, and the fix is not a bigger annual audit, it is continuous drift management: baseline the tenant, detect divergence as it happens, and close each gap while it is one item instead of a backlog. Senserva runs nearly 700 checks across Entra ID, Microsoft 365, Intune, and Defender continuously, with validated remediation for what it finds.

Frequently asked questions

Is Azure AD the same as Entra ID?

Yes. Microsoft renamed Azure Active Directory to Microsoft Entra ID in 2023. It is the same identity service; only the name and portal branding changed. Security guidance written for Azure AD applies to Entra ID.

How do I run an Azure AD security audit?

Work the checklist above: measure MFA coverage from sign-in data, review Conditional Access exclusions, confirm legacy authentication is blocked, inventory privileged roles and app permissions, and check stale accounts and log retention. Or run a scan: Senserva audits all of it in minutes and ranks what it finds by risk.

What are the most common Azure AD security mistakes?

Hollow MFA policies (broad exclusions), standing Global Administrator assignments instead of PIM, unrestricted user consent to applications, long-lived service principal secrets, and stale enabled accounts. None of them fire an alert, which is why they survive.

How often should Azure AD security be reviewed?

Continuously. A quarterly review leaves a full quarter for drift to accumulate unseen. Continuous monitoring produces a short list of fresh findings each cycle, each one minutes to fix because it is small and has an obvious owner.

Sponsored by Senserva

Siemserva by Senserva reports patch status for your own devices: which ones are missing the updates on this page, ranked by what attackers actually exploit.

Please link to this page to stay current.

  • Patch status in one scan: which devices are affected, which are not
  • Missing updates ranked by CISA KEV and EPSS, so you fix the right things first
  • Data from Intune, Microsoft Defender, Windows Autopatch, and Azure Update Manager, with more sources on the way
  • Third-party app patching too: updates published to Intune by PatchMyPC, Scappman, Robopack, or any vendor, read vendor-neutrally
  • Optional AI Enhanced Reporting: plain-language summaries and recommended next steps written into your reports
  • Then go further: 650+ security checks find the drift management gaps across Microsoft 365, Intune, Defender, and Entra ID, with compliance evidence and Senserva Trustworthy AI remediation
Senserva patching for Microsoft 365
Two minutes, click to play

Patching in action in two minutes. Watch page · All videos.

3 actively exploited CVEs are unmitigated on devices in this tenant, per CISA KEV.View fix-first list ↓
312
Devices scanned
Intune + Autopatch + Defender
3
Exploited updates missing
CISA KEV, unmitigated
905
Microsoft updates tracked
Refreshed daily, MSRC + NVD
650+
Security checks in scan
Patch, config, identity, logs

Triage order for this list

Same order in the dashboard, the report, and every AI answer
1st · overrides everything
Actively exploited (KEV)
e.g. KB5040219, CVE-2026-31210
2nd · tiebreaker
Severity (Critical → Low)
MSRC + EPSS probability
3rd · tiebreaker
Days waiting
Oldest unresolved first

Ranked missing updates, fix-first order

27 findings · showing top 2
#UpdateCVESeveritySourceDevicesWaiting
1KB5040219
Windows 11 23H2 cumulative
CVE-2026-31210
KEV EPSS 0.94
CriticalDefender4119 daysAdd to fix-first
2KB5040088
.NET Framework security update
CVE-2026-29981
KEV
CriticalIntune1712 daysAdd to fix-first
Estimated dashboard, sample data for illustration

Ask Senserva

via Claude + MCP
Which devices are still missing the fix for CVE-2026-31210?
41 devices are missing KB5040219, which resolves CVE-2026-31210. This CVE is on CISA KEV, so CISA BOD 22-01 calls for remediation within 14 days. You are at 19 days and counting.
source: scan_db · defender_posture · kev_join, not model memory
Senserva is a Microsoft Intelligent Security Association member. Get Going with Senserva Senserva patching Built for IT admins and security teams, with audit-ready data for compliance.