5 More Azure AD Security Tips (After MFA Rollout) for Frictionless Teamwork in SharePoint


“Part 1 of Azure AD Security Tips (After MFA Rollout) for Frictionless Teamwork in SharePoint” explored best practices around Microsoft’s Security Defaults, legacy protocols, guest user access, enterprise apps (and consent) and Azure Portal settings. These tips from IT expert and Cloud Practice Director of JourneyTEAM, Eric Raff, work together with Multi-factor Authentication (MFA) to tighten data security and prevent a breach of the invaluable organizational data and resource information living in Microsoft SharePoint. Implementing multiple Microsoft Azure 365 identity and access management security measures can exponentially increase your tenant’s protection.

And now for tips 6-10! 

6. Set up Access Reviews 

Access Reviews let you periodically review group membership and application assignments. They can be set up for Azure AD Enterprise Apps (as mentioned in Part 1 #3), as well as for Azure AD roles in Privileged Identity Management (PIM) (described in #7 below). The Access Review feature requires an Azure AD P2 license.

7. Review Roles in Privileged Identity Management (“PIM”)  

PIM is an Azure AD service for managing privileged access to resources in your organization, including a listing of who holds which roles.

  • Log into the Azure AD portal.
  • From the Dashboard, go to “Privileged Identity Management” > “Azure AD Roles.” 
  • Here you’ll find the report of all the users in the tenant, along with their roles. This report can be exported to CSV. 

Ever need to take on a temporary Administrator role to complete a specific task? Set this up in PIM.  

  • In the Azure portal, go to Active Directory to view your current role.  
  • Go to “Privileged Identity Management” > “My Roles” to request an Admin role that you can use for up to 10 hours.  
  • “Active Assignments” gives you a view of your temporary role and lets you deactivate it once the task is complete.
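The “who holds which role” report from the first list above can also be pulled without the portal. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the Microsoft.Graph module is installed and the signed-in account can read directory role management, and the CSV path is a placeholder.

```powershell
# Added example (not from the original post): export active Azure AD role assignments to CSV.
# Assumes the Microsoft.Graph module and an account permitted to read role management.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Map role definition IDs to display names so the report shows names rather than GUIDs
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active assignments only; PIM-eligible assignments live under the role eligibility schedule endpoints
$report = Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    $props     = $principal.AdditionalProperties
    $name      = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    [pscustomobject]@{
        Role          = $roleNames[$_.RoleDefinitionId]
        PrincipalType = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')   # user, group or servicePrincipal
        Principal     = $name
        Scope         = $_.DirectoryScopeId                                           # "/" means tenant-wide
    }
}

# Placeholder output path, constructed for this example
$report | Sort-Object Role, Principal | Export-Csv -Path ".\aad-role-assignments.csv" -NoTypeInformation

# Hygiene check worth reading before sharing the report: tenant-wide Global Administrators should be a short list
$report | Where-Object { $_.Role -eq 'Global Administrator' -and $_.Scope -eq '/' } | Format-Table Principal, PrincipalType
```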

8. Enable Real-time Monitoring with Microsoft Cloud App Security (MCAS) Policy  

Microsoft Cloud App Security (MCAS) and OAuth app policies can control access to cloud apps based on the user, location, device and app. You can create a policy filter that alerts on, and revokes access for, uncommon or rare apps asking for high levels of permissions.

  • Go to the Cloud App Security portal, or reach it through the Microsoft 365 Admin Center. Then go to “Control” > “Policies” > “Conditional Access.”
  • Here you can create a policy for apps whose permission levels are very high and whose community use is not common.

9. Conditional Access Policy for Admin Roles 

In addition to MFA, Conditional Access (CA) policies can provide extra protection against attacks on your Admin Roles. Here is how to create a new CA policy specifically for Admins.   

  • From Azure Portal go to “Security.”  
  • “Conditional Access Policies” > “New Policy.” 
  • Give the policy a name, e.g., “Require MFA and Compliant Devices for Admin Roles.” 
  • Under “Select Users and Group,” select the specific directory roles you want this policy to cover.
  • Go to “Cloud Apps or Actions” and select “All Cloud Apps.”  
  • Go to “Conditions” and select whatever is applicable. 
  • Go to “Access Controls” and select “Require Multi Factor Authentication” as well as “Require Device to be marked as compliant” and “For multiple controls, require all the selected controls.” 
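The same policy as the portal steps above, created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module, an account allowed to write Conditional Access policies, and the role list and break-glass account name are placeholders to adapt to your tenant.

```powershell
# Added example (not from the original post): create the admin Conditional Access policy from tip 9.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "User.Read.All"

# Directory roles the policy targets (assumed list; names are role template display names in the tenant).
# Resolving names to role template IDs avoids hardcoding GUIDs.
$roleNames = @("Global Administrator", "Privileged Role Administrator", "Security Administrator",
               "Conditional Access Administrator", "Application Administrator")
$roleIds = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $roleNames } | Select-Object -ExpandProperty Id
if (@($roleIds).Count -ne $roleNames.Count) { throw "One or more role names did not resolve; check the list before creating the policy." }

# Exclude an emergency access account so a device-compliance outage cannot lock every admin out
# (placeholder UPN, constructed for this example)
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.example").Id

$policy = @{
    displayName = "Require MFA and Compliant Devices for Admin Roles"
    state       = "enabledForReportingButNotEnforced"      # report-only first; switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }  # "All Cloud Apps"
    }
    grantControls = @{
        operator        = "AND"                              # "For multiple controls, require all the selected controls"
        builtInControls = @("mfa", "compliantDevice")        # Require MFA + device marked as compliant
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in log shows it would only have blocked sessions you expect it to block.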

10. Save your Log Files for Future Access and Reporting  

It is important to keep a log of sign-ins, changes to the tenant, and who did what (and when). A native integration between Azure AD and Azure Log Analytics (Azure Monitor) provides an easy way to save and export your log files. (Note: at least one Azure AD Premium license is advised, since it extends log retention to a month instead of the standard 7 days or 24 hours.)

  • From the Azure AD Portal, go to “Monitoring” > “Logs” > “Diagnostic Settings.” Here you can edit your settings to configure the export of your logs including its destination. 
  • Click “+ Add Diagnostic Setting” to create an Azure Log Analytics workspace.   
  • Click “Edit settings” to select the destinations to stream to or archive, as well as the categories of platform logs and metrics (and indicate the length of retention, 1 – 365 days):
    • “AuditLogs”
    • “SignInLogs”
    • “NonInteractiveUserSignInLogs”
    • “ServicePrincipalSignInLogs”
    • “ManagedIdentitySignInLogs”
    • “ProvisioningLogs”
  • Then send them to the Log Archiving Workspace in the right Azure subscription. You can also send them to a storage account.
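The diagnostic setting from these steps, written with Az PowerShell so it can be repeated across tenants. This is an added example, not code from the original post; it assumes the Az module, an account that can write tenant-level diagnostic settings and use the workspace, placeholder resource names, and that the tenant-level ARM path and API version shown are the ones Azure AD diagnostic settings use.

```powershell
# Added example (not from the original post): stream Azure AD logs to a Log Analytics workspace.
Connect-AzAccount | Out-Null

# Workspace that receives the logs (placeholder resource group and name, constructed for this example)
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-logging" -Name "law-aad-archive"

# Log categories listed in tip 10, all enabled
$categories = "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
              "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs"
$logs = foreach ($c in $categories) { @{ category = $c; enabled = $true } }

$body = @{ properties = @{ workspaceId = $ws.ResourceId; logs = @($logs) } } | ConvertTo-Json -Depth 5

# Azure AD diagnostic settings are tenant-level resources under the microsoft.aadiam provider
# (ARM path and api-version assumed; verify against your environment)
$path = "/providers/microsoft.aadiam/diagnosticSettings/aad-to-law?api-version=2017-04-01"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) { throw "Diagnostic setting failed: $($resp.StatusCode) $($resp.Content)" }

# Read the setting back and confirm every category is enabled before relying on it
$setting = (Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json
$missing = $categories | Where-Object { $cat = $_; -not ($setting.properties.logs | Where-Object { $_.category -eq $cat -and $_.enabled }) }
if ($missing) { throw "Categories not enabled: $($missing -join ', ')" }
"Streaming $($setting.properties.logs.Count) categories to $($setting.properties.workspaceId)"
```

Retention for a workspace is set on the workspace itself; the 1 – 365 day per-category retention in the portal applies when the destination is a storage account.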

This concludes the top 10 security tips to deploy in your tenant after enabling MFA! Read the full article here.



Article by:Jenn Alba – Marketing Manager – 801.938.7816

JourneyTEAM is an award-winning consulting firm with proven technology and measurable results. They take Microsoft products; Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX, and modify them to work for you. The team has expert level, Microsoft Gold certified consultants that dive deep into the dynamics of your organization and solve complex issues. They have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more.
