The following table describes the vulnerabilities identified in the pre-defined Entra Discovery for Initial Access.

Each entry below gives the vulnerability template, the vulnerability (name and default scope), the risk, the remediation, and what the discovery finds.
Vulnerability Template:

Entra ID tenant security defaults status

Name:

Security defaults are enabled

Default scope:

N/A

Risk:

Enabling security defaults is recommended for organizations that are using the free tier of Microsoft Entra ID licensing and want to increase their security posture. Organizations with premium Entra ID licensing should use Conditional Access policies for more granular control to achieve a higher security posture.

Remediation:

If the organization is using the free tier of Microsoft Entra ID licensing, continue using security defaults. If the organization is using Microsoft Entra ID P1 or P2 licenses, continue using security defaults while the deployment of Conditional Access policies is planned. When security defaults are disabled, organizations should immediately enable Conditional Access policies to protect the organization. These policies should include at least the policies in the secure foundations category of Conditional Access templates. Organizations with Microsoft Entra ID P2 licenses that include Microsoft Entra ID Protection can expand on this list to include user and sign-in risk-based policies to further strengthen the posture.

What to find:

Entra ID tenants in scope that have security defaults enabled
Vulnerability Template:

Entra ID Guest account last used

Name:

Entra ID guest user accounts that are inactive

Default scope:

All users

Risk:

When external partners no longer access your tenant, the guest accounts may become stale and vulnerable to attack.

Remediation:

Review inactive guest users, block them from signing in, and delete them from the directory.

What to find:

Entra ID user accounts in scope that were last used more than 90 days ago

NOTE: The number of days is editable.
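The following is an added example of how the "last used more than N days ago" check can be evaluated offline; it is not code from the assessment product. It assumes the caller has already retrieved guest users from Microsoft Graph (for example `GET /users?$filter=userType eq 'Guest'&$select=id,userPrincipalName,userType,signInActivity`, which needs the AuditLog.Read.All permission) and passes the JSON objects in. The user records, the `FIXED_NOW` timestamp and the function names are constructed for the demo. Guests that have never signed in have no `signInActivity` at all, and the check deliberately treats those as inactive.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample Graph user objects (not real tenant data). Guest UPNs use the
# "#EXT#" form Entra gives invited accounts. "carol" has no signInActivity, which
# is what Graph returns for an account that never signed in.
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice_partner.example#EXT#@contoso.example",
     "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T09:12:00Z"}},
    {"id": "u2", "userPrincipalName": "bob_partner.example#EXT#@contoso.example",
     "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-08-20T16:40:00Z"}},
    {"id": "u3", "userPrincipalName": "carol_partner.example#EXT#@contoso.example",
     "userType": "Guest"},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "userType": "Member",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},
    {"id": "u5", "userPrincipalName": "erin_partner.example#EXT#@contoso.example",
     "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-04-01T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-08-25T07:30:00Z"}},
]

# Pinned "now" so the demo is reproducible; a real run uses datetime.now(timezone.utc).
FIXED_NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph returns UTC timestamps with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(user):
    """Most recent interactive or non-interactive sign-in, or None if the account never signed in."""
    activity = user.get("signInActivity") or {}
    stamps = [activity.get(key) for key in ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    parsed = [parse_graph_time(stamp) for stamp in stamps if stamp]
    return max(parsed) if parsed else None


def inactive_guests(users, days=90, now=None):
    """Return (UPN, last activity) for guests idle longer than `days`.

    `days` is the editable threshold from the discovery; never-used guests count as inactive.
    Member accounts are skipped because this check is scoped to guests.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    findings = []
    for user in users:
        if user.get("userType") != "Guest":
            continue
        last = last_activity(user)
        if last is None or last < cutoff:
            findings.append((user["userPrincipalName"], last))
    return findings


if __name__ == "__main__":
    for upn, last in inactive_guests(SAMPLE_USERS, now=FIXED_NOW):
        print(f"{upn}: last used {last.date() if last else 'never'}")
```

With the 90-day default, alice (idle since May) and carol (never signed in) are reported; bob and erin are not, because erin's non-interactive sign-in in late August counts as use. Lowering `days` to 5 reports all four guests.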

Vulnerability Template:

Entra ID Microsoft Authenticator number matching and additional contexts status

Name:

Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users

Default scope:

All users

Risk:

Microsoft has added features for strong multifactor authentication (MFA) to help reduce MFA fatigue attacks and accidental MFA approvals.

Remediation:

In Authentication methods, enforce the use of Microsoft Authenticator passwordless push notifications with "Show geographic location context" and "Show application name context" enabled.

What to find:

Entra ID user accounts in scope that do not have the Microsoft Authenticator policy assigned with geographic location and application name enabled
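As an added example (not the assessment product's own code), the check below evaluates the Microsoft Authenticator method configuration as returned by Microsoft Graph (`GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator`) and builds the corrected `featureSettings` for a PATCH. It assumes the configuration object has already been fetched; the weak sample configuration and the function names are constructed for the demo. A context is treated as enforced only when its state is `enabled` and its include target is the built-in `all_users` group.

```python
import copy

ALL_USERS_TARGET = {"targetType": "group", "id": "all_users"}

# Constructed sample of the Authenticator method configuration: application name
# context is enforced for everyone, but location context is still at "default",
# which is the gap this check reports.
WEAK_CONFIG = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "displayAppInformationRequiredState": {"state": "enabled", "includeTarget": ALL_USERS_TARGET},
        "displayLocationInformationRequiredState": {"state": "default", "includeTarget": ALL_USERS_TARGET},
    },
}

# Graph feature keys and the label used in findings.
REQUIRED_CONTEXTS = {
    "displayAppInformationRequiredState": "application name",
    "displayLocationInformationRequiredState": "geographic location",
}


def context_gaps(config):
    """Names of the Authenticator contexts that are not enforced for all users."""
    gaps = []
    if config.get("state") != "enabled":
        gaps.append("Microsoft Authenticator method disabled")
    features = config.get("featureSettings") or {}
    for key, label in REQUIRED_CONTEXTS.items():
        feature = features.get(key) or {}
        target = feature.get("includeTarget") or {}
        if feature.get("state") != "enabled" or target.get("id") != "all_users":
            gaps.append(label)
    return gaps


def remediated(config):
    """Copy of the configuration with both contexts enabled for all users.

    The returned object is what one would send back as the PATCH body for the
    method configuration; the original is left untouched.
    """
    fixed = copy.deepcopy(config)
    fixed["state"] = "enabled"
    features = fixed.setdefault("featureSettings", {})
    for key in REQUIRED_CONTEXTS:
        features[key] = {"state": "enabled", "includeTarget": dict(ALL_USERS_TARGET)}
    return fixed


if __name__ == "__main__":
    print("gaps before:", context_gaps(WEAK_CONFIG))
    print("gaps after: ", context_gaps(remediated(WEAK_CONFIG)))
```

A context scoped to a specific group rather than `all_users` is also reported, since the discovery looks for every user account not covered by the policy.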
Vulnerability Template:

Entra ID users synchronized from Active Directory status

Name:

Synchronized Active Directory user is assigned an Entra ID privileged role

Default scope:

All users

NOTE: If no Active Directory collection is available, an Inconclusive message is returned.

Risk:

Active Directory is considered less secure than Entra ID. If an Entra ID privileged role is assigned to a synchronized on-premises Active Directory user, attackers have a clear pathway to take over Entra ID once Active Directory is compromised.

Remediation:

Microsoft recommends using cloud-only accounts for Microsoft Entra ID privileged roles.

Remove synchronized Active Directory user accounts from direct and indirect membership of privileged roles. Active Directory users that require privileged access to Entra ID should be provided with a separate cloud-only Entra ID account.

What to find:

Entra ID users in scope that are synchronized Active Directory users
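The remediation asks for synchronized users to be removed from both direct and indirect (group-based) membership of privileged roles, so a check has to walk nested groups. The code below is an added example, not the assessment product's logic. It assumes role objects in the shape of `GET /directoryRoles/{id}/members` (members may be users or groups), a lookup of group members in the shape of `GET /groups/{id}/members`, and the `isPrivileged` flag and `onPremisesSyncEnabled` property that Graph exposes on role definitions and users (cloud-only users return `null` for the latter). The directory data and function names are constructed for the demo; a nested-group cycle is included to show the guard against infinite expansion.

```python
# Constructed sample directory (not real tenant data).
ROLES = [
    {"displayName": "Global Administrator", "isPrivileged": True, "members": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1",
         "userPrincipalName": "jdoe@contoso.example", "onPremisesSyncEnabled": True},
        {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "Cloud Admins"},
    ]},
    {"displayName": "Reports Reader", "isPrivileged": False, "members": [
        {"@odata.type": "#microsoft.graph.user", "id": "u4",
         "userPrincipalName": "rreader@contoso.example", "onPremisesSyncEnabled": True},
    ]},
]

GROUPS = {
    "g1": {"displayName": "Cloud Admins", "members": [
        # cloud-only account: Graph returns null for onPremisesSyncEnabled
        {"@odata.type": "#microsoft.graph.user", "id": "u2",
         "userPrincipalName": "adm-asmith@contoso.example", "onPremisesSyncEnabled": None},
        {"@odata.type": "#microsoft.graph.user", "id": "u3",
         "userPrincipalName": "bkim@contoso.example", "onPremisesSyncEnabled": True},
        {"@odata.type": "#microsoft.graph.group", "id": "g2", "displayName": "Nested"},
    ]},
    # g2 contains g1 again, a cycle the expansion must not loop on
    "g2": {"displayName": "Nested", "members": [
        {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "Cloud Admins"},
    ]},
}


def expand_members(members, groups, path, seen=None):
    """Yield (user, membership path) for every user reachable from `members`.

    Groups are followed recursively; each group id is expanded once so that
    nested-group cycles terminate.
    """
    seen = set() if seen is None else seen
    for member in members:
        kind = member.get("@odata.type")
        if kind == "#microsoft.graph.group":
            if member["id"] in seen:
                continue
            seen.add(member["id"])
            nested = groups.get(member["id"], {}).get("members", [])
            yield from expand_members(nested, groups, path + [member["displayName"]], seen)
        elif kind == "#microsoft.graph.user":
            yield member, path


def synced_privileged_users(roles, groups):
    """Return (UPN, 'Role > Group > ...') for synchronized AD users holding a privileged role."""
    findings = []
    for role in roles:
        if not role.get("isPrivileged"):
            continue
        for user, path in expand_members(role.get("members", []), groups, [role["displayName"]]):
            if user.get("onPremisesSyncEnabled"):
                findings.append((user["userPrincipalName"], " > ".join(path)))
    return findings


if __name__ == "__main__":
    for upn, path in synced_privileged_users(ROLES, GROUPS):
        print(f"{upn} via {path}")
```

The membership path in each finding tells the administrator whether to remove the user from the role directly or from the group that grants it.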
Vulnerability Template:

Entra ID User consent for applications setting

Name:

Entra ID users are allowed to consent for all applications

Default scope:

All tenants selected at the time an Assessment is created

Risk:

Before an application can access an organization's data, a user must grant the application permissions. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. To reduce the risk of malicious applications being granted access to the organization's data by users, it is recommended that users can only consent to applications that have been published by a verified publisher.

Remediation:

Sign in to the Microsoft Entra admin center as a Global Administrator.

Browse to Identity | Applications | Enterprise applications | Consent and permissions | User consent settings.

Under User consent for applications, select "Allow user consent for apps from verified publishers, for selected permissions". Alternatively, if appropriate, "Do not allow user consent" can be selected.

What to find:

Entra ID tenants in scope that have "User consent for applications" set to allow user consent for apps
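The three radio buttons in the admin center map to the `permissionGrantPoliciesAssigned` list on the tenant's authorization policy in Microsoft Graph (`GET /policies/authorizationPolicy`): the `microsoft-user-default-legacy` grant policy means "allow user consent for all apps", `microsoft-user-default-low` means "verified publishers, selected permissions", and no `ManagePermissionGrantsForSelf` entry means "do not allow". The code below is an added example, not the assessment product's, that classifies a fetched policy object and builds the PATCH body for either remediation option. The sample tenant policy and the function names are constructed for the demo; the policy object is assumed to be already retrieved.

```python
import copy

# Well-known Graph permission grant policy ids behind the admin-center choices.
SELF_LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # allow consent for all apps
SELF_LOW = "ManagePermissionGrantsForSelf.microsoft-user-default-low"        # verified publishers, selected permissions

# Constructed sample of a tenant still on the default (weak) setting.
TENANT_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [SELF_LEGACY],
    },
}


def user_consent_mode(policy):
    """Classify the 'User consent for applications' setting of an authorization policy."""
    assigned = policy["defaultUserRolePermissions"].get("permissionGrantPoliciesAssigned") or []
    # Only the ManagePermissionGrantsForSelf entries describe user consent; other
    # entries (for example team-owner grants) are left alone.
    self_policies = [p for p in assigned if p.startswith("ManagePermissionGrantsForSelf.")]
    if SELF_LEGACY in self_policies:
        return "allow all apps"
    if SELF_LOW in self_policies:
        return "verified publishers, selected permissions"
    if not self_policies:
        return "do not allow"
    return "custom"


def is_finding(policy):
    """True when the tenant matches the discovery: users may consent to any app."""
    return user_consent_mode(policy) == "allow all apps"


def remediation_patch(policy, allow_verified_publishers=True):
    """Body for PATCH /policies/authorizationPolicy that replaces only the user-consent entry."""
    assigned = policy["defaultUserRolePermissions"].get("permissionGrantPoliciesAssigned") or []
    kept = [p for p in assigned if not p.startswith("ManagePermissionGrantsForSelf.")]
    if allow_verified_publishers:
        kept.append(SELF_LOW)
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": kept}}


def apply_patch(policy, patch):
    """Simulate the service applying the PATCH, returning the updated policy."""
    fixed = copy.deepcopy(policy)
    fixed["defaultUserRolePermissions"].update(patch["defaultUserRolePermissions"])
    return fixed


if __name__ == "__main__":
    print("before:", user_consent_mode(TENANT_POLICY))
    fixed = apply_patch(TENANT_POLICY, remediation_patch(TENANT_POLICY))
    print("after: ", user_consent_mode(fixed))
```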
Vulnerability Template:

Entra ID Conditional Access Continuous Access Evaluation strictly enforce location

Name:

Entra ID Conditional Access policies do not protect all users with strictly enforce location for Continuous Access Evaluation

Default scope:

All users

Risk:

Strictly enforce location is an enforcement mode for Continuous Access Evaluation that is configured in Conditional Access policies. This mode provides protection by immediately stopping access if the IP address detected by the resource provider isn't allowed by Conditional Access policy. This option is the highest security setting for Continuous Access Evaluation.

Remediation:

Implementing strictly enforce location for Continuous Access Evaluation requires that administrators understand the routing of authentication and access requests in their network environment. Policies like this one should be tested with a subset of users and applied cautiously. The setting to strictly enforce location for Continuous Access Evaluation is located under "Session", "Customize continuous access evaluation", "Strictly enforce location policies".

What to find:

Entra ID user accounts in scope that do not have Continuous Access Evaluation strictly enforce location enabled in an assigned Conditional Access policy
Vulnerability Template:

Entra ID Conditional Access policy MFA status

Name:

Entra ID Conditional Access policies do not protect all non-privileged users with multi-factor authentication (MFA)

Default scope:

All except Privileged users

Risk:

Attackers frequently target end users. After attackers gain entry, additional access to privileged information can be requested for the exposed account. Attackers can also download other data, such as the entire directory, to run a phishing campaign against the organization.

Remediation:

Improve protection by requiring multi-factor authentication (MFA) for all users. Enable a Conditional Access policy for the tenant that has:

  • "Users" set to include "All users" and exclude emergency access or break-glass accounts.

  • In "Target resources", "Cloud apps" set to include "All cloud apps".

  • In "Access controls", "Grant", "Grant access" set to "Require multifactor authentication".

Organizations with Security Defaults enabled will enforce MFA for all users in some situations (based on factors such as location, device, role, and task) without requiring a Conditional Access policy.

NOTE: Microsoft recommends excluding the following accounts from Conditional Access policies:

  • Emergency access or break-glass accounts (to prevent tenant-wide account lockout)

  • Service accounts and service principals (non-interactive accounts normally used by back-end services which cannot programmatically complete MFA).

What to find:

Entra ID user accounts in scope that do not have require multi-factor authentication enabled in an assigned Conditional Access policy
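The three policy settings above correspond to fields on Conditional Access policy objects in Microsoft Graph (`GET /identity/conditionalAccess/policies`): `conditions.users.includeUsers` containing `"All"`, `conditions.applications.includeApplications` containing `"All"`, and `grantControls.builtInControls` containing `"mfa"`. The code below is an added example of the "what to find" evaluation, not the assessment product's own logic. It assumes the policies, the users in scope and a user-to-group membership map have already been fetched; all sample data and function names are constructed for the demo. Only policies in state `enabled` count (report-only policies enforce nothing), a grant of "MFA or compliant device" (operator `OR` with extra controls) is not treated as requiring MFA, and an `authenticationStrength` grant is accepted as an MFA requirement. The excluded break-glass account shows up as uncovered, which is the expected result per the note above.

```python
import copy

# Constructed sample directory: three users; bob is in the contractors group.
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example"},
    {"id": "u2", "userPrincipalName": "bob@contoso.example"},
    {"id": "u3", "userPrincipalName": "breakglass1@contoso.example"},
]
MEMBERSHIP = {"u2": ["g-contractors"]}

# Constructed Conditional Access policies in the shape Graph returns.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u3"],
                              "excludeGroups": ["g-contractors"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    # Report-only: gives telemetry, enforces nothing
    {"displayName": "Contractors MFA (pilot)", "state": "enabledForReportingOnly",
     "conditions": {"users": {"includeGroups": ["g-contractors"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    # Scoped to Office 365 only and satisfiable by a compliant device instead of MFA
    {"displayName": "Compliant device or MFA for Office 365", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]


def policy_requires_mfa(policy):
    """True when the grant cannot be satisfied without MFA (or an authentication strength)."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("authenticationStrength") is not None:
        return True
    return "mfa" in controls and (controls == {"mfa"} or grant.get("operator") == "AND")


def policy_covers_all_apps(policy):
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return "All" in (apps.get("includeApplications") or [])


def policy_applies_to(policy, user, user_groups):
    """Exclusions win over inclusions, as in the Conditional Access engine."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if user["id"] in (users.get("excludeUsers") or []):
        return False
    if user_groups & set(users.get("excludeGroups") or []):
        return False
    include_users = users.get("includeUsers") or []
    if "All" in include_users or user["id"] in include_users:
        return True
    return bool(user_groups & set(users.get("includeGroups") or []))


def users_without_mfa_policy(users, policies, membership):
    """UPNs of users not targeted by any enabled, all-apps, MFA-requiring policy."""
    uncovered = []
    for user in users:
        groups = set(membership.get(user["id"], []))
        covered = any(
            policy.get("state") == "enabled"
            and policy_requires_mfa(policy)
            and policy_covers_all_apps(policy)
            and policy_applies_to(policy, user, groups)
            for policy in policies
        )
        if not covered:
            uncovered.append(user["userPrincipalName"])
    return uncovered


def with_pilot_enabled(policies):
    """Copy of the policy set with the report-only pilot switched to enforced."""
    enabled = copy.deepcopy(policies)
    for policy in enabled:
        if policy["state"] == "enabledForReportingOnly":
            policy["state"] = "enabled"
    return enabled


if __name__ == "__main__":
    print("uncovered:", users_without_mfa_policy(USERS, POLICIES, MEMBERSHIP))
    print("after enabling pilot:", users_without_mfa_policy(USERS, with_pilot_enabled(POLICIES), MEMBERSHIP))
```

In the sample, bob is uncovered because the contractors group is excluded from the tenant-wide policy and the pilot that would cover him is still report-only; switching the pilot to enforced leaves only the break-glass account, which should be reviewed against the exclusion list rather than added to the policy.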
Vulnerability Template:

Entra ID tenant on-premises synchronization time

Name:

Synchronization with on-premises Active Directory is delayed

Default scope:

All tenants selected at the time an Assessment is created

NOTE: If no Active Directory collection is available, an Inconclusive message is returned.

Risk:

Delays in synchronization with on-premises Active Directory can be due to misconfiguration or issues with the Microsoft Entra Connect server.

Remediation:

Log in to Microsoft Entra Connect Health and review any potential sync errors.

What to find:

Entra ID tenants in scope that have not synchronized with on-premises Active Directory in 12 hours.