Entra ID
This page describes the configuration of Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Instruction
The below pages outline the as built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Entra admin portal at the following URL:
The settings described on these pages provide a baseline implementation for a system configured using the Blueprint. Any implementation implied by these pages should not be considered as prescriptive as to how an organisation must scope, build, document, or assess a system.
Implementation of the guidance provided by the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
When using automated configuration files, organisations should note they will configure the relevant settings in a Microsoft tenancy exactly as outlined in the Configuration pages of the Blueprint. Organisations should ensure they customise configuration of their Microsoft tenancies in accordance with their own design decisions and requirements, deviating from the Blueprint (including automated configuration files) where appropriate.
Placeholders such as `<ORGANISATION.GOV.AU>`, `<BLUEPRINT.GOV.AU>` and `<TENANT-NAME>` should be replaced with the relevant details as required.
Automated Configuration Deployment and Assessment
Overview
Some of the Entra ID configurations can be automatically deployed using Microsoft 365 Desired State Configuration (DSC).
Some of the Entra ID configurations cannot be assessed automatically using the Blueprint's M365DSC file. Refer to the relevant configuration pages to conduct a manual assessment.
| Configuration | Blueprint Automation Provided |
|---|---|
| Properties | No |
| Users | No |
| Groups | |
| - General | No |
| - Expiration | Yes (DSC) |
| - Naming Policy | Yes (DSC) |
| Devices | No |
| Applications | No |
| Protection | |
| - Identity Protection | No |
| - Conditional Access Policies | Yes (DSC) [1, 4] |
| - Authentication Contexts | Yes (DSC) |
| - Authentication Strengths | No [2] |
| - Named Locations | Yes (DSC) [3] |
| - Authentication Methods | No |
| - Password Reset | No |
| - Risky Activities | No |
| Identity Governance | No |
| External Identities | Yes (DSC) |

[1]: All Conditional Access policies are set to report-only in the DSC and will need to be enabled manually.
[2]: The Phishing-resistant MFA and TAP authentication strength must be created manually before performing a DSC import.
[3]: IP addresses must be set manually. Refer to Named Locations for configuration guidance.
[4]: The Microsoft Intune Enrolment app used in the DEV - G - Intune enrolment with strong auth Conditional Access policy is not created by default in new tenants. See the require multifactor authentication for Intune device enrollments page for instructions to create it before performing a DSC import.
Desired State Configuration
Before using the below DSC file, please refer to Automated Deployment for instructions.
Warning
Any existing settings in a tenancy that match the Name or UID of any settings in the DSC will be overwritten.
| File | Location |
|---|---|
| Desired State Configuration File | Download Entra ID DSC (.ps1). Note: download the linked .txt file and rename it to .ps1 |
| Configuration Data File | The Configuration Data File can be found on the Automated Deployment page. |
Extra Parameters
The above DSC file requires the following parameters to be populated or they will be prompted for on import:
| Parameter Name | Contents |
|---|---|
| ConditionalExclude | Name of an existing security group to be used as a placeholder for Conditional Access exclusion [1] |
| PrivUsers | Name of an existing security group containing all privileged users |
| TermsOfUse | Name of the acceptable use policy used by the organisation |

[1]: Exclude groups specific to each Conditional Access policy will need to be manually configured post-DSC import.
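Two of the caveats above (Conditional Access policies imported in report-only mode, and a single placeholder exclusion group standing in for per-policy exclusions) are the ones most likely to leave a tenant weaker than the Blueprint intends if the post-import follow-up is missed. The script below is an added example, not part of the Blueprint or its DSC file: it lists every Conditional Access policy's state and resolved excluded groups, and flags those still in report-only mode or still excluding the placeholder group. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, and `$PlaceholderGroupName` (default value constructed here) is the group name that was supplied as the `ConditionalExclude` parameter.

```powershell
# Added example (not the Blueprint's own code): post-import audit of Conditional Access
# policy state and group exclusions. Read-only; it changes nothing in the tenant.
param(
    # Assumed to be the same value passed as ConditionalExclude on DSC import (constructed default).
    [string]$PlaceholderGroupName = 'CA-Exclude-Placeholder'
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Resolve group object ids to display names, caching so each group is looked up once.
$groupNames = @{}
function Resolve-GroupName([string]$GroupId) {
    if (-not $groupNames.ContainsKey($GroupId)) {
        $g = Get-MgGroup -GroupId $GroupId -ErrorAction SilentlyContinue
        $groupNames[$GroupId] = if ($g) { $g.DisplayName } else { "<missing group: $GroupId>" }
    }
    return $groupNames[$GroupId]
}

$report = foreach ($p in $policies) {
    $excluded = @($p.Conditions.Users.ExcludeGroups | ForEach-Object { Resolve-GroupName $_ })
    [pscustomobject]@{
        Policy              = $p.DisplayName
        # Graph values: enabled | disabled | enabledForReportingButNotEnforced (report-only)
        State               = $p.State
        ExcludedGroups      = ($excluded -join '; ')
        StillHasPlaceholder = ($excluded -contains $PlaceholderGroupName)
    }
}

$report | Sort-Object State, Policy | Format-Table -AutoSize

# Items that still need the manual follow-up described in the footnotes.
$reportOnly  = @($report | Where-Object State -eq 'enabledForReportingButNotEnforced')
$placeholder = @($report | Where-Object StillHasPlaceholder)
Write-Host "Report-only policies still to be enabled: $($reportOnly.Count)"
Write-Host "Policies still excluding the placeholder group: $($placeholder.Count)"
```

Run it once immediately after the import (expect every policy to be report-only and every exclusion to be the placeholder) and again after the manual configuration; both counts should then be zero, or each remaining entry should be a deliberate, documented exception.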
Service Principal permissions
To import the DSC as per the instructions on the Automated Deployment page, the following permissions will need to be added to the Service Principal:
"AADAdministrativeUnit", "AADAuthenticationContextClassReference", "AADAuthorizationPolicy", "AADConditionalAccessPolicy", "AADCrossTenantAccessPolicyConfigurationDefault", "AADCrossTenantAccessPolicyConfigurationPartner", "AADEntitlementManagementAccessPackage", "AADEntitlementManagementAccessPackageAssignmentPolicy", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADEntitlementManagementConnectedOrganization", "AADExternalIdentityPolicy", "AADGroupLifecyclePolicy", "AADNamedLocationPolicy", "AADSocialIdentityProvider", "AADTokenLifetimePolicy"
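The list above names Microsoft365DSC resources rather than Graph permissions, so the practical step is to have the module compile the Graph application permissions those resources need, review them, and then grant them to the import service principal. The following is an added example and not part of the Blueprint; it uses the `Get-M365DSCCompiledPermissionList` and `Update-M365DSCAllowedGraphScopes` cmdlets from the Microsoft365DSC module as I know them, so confirm the parameter names against the module version you have installed.

```powershell
# Added example (not the Blueprint's own code): derive and grant the Graph application
# permissions required to import the Entra ID DSC with the resource list above.
# Requires the Microsoft365DSC module; granting scopes prompts for a privileged sign-in.
$resourceNames = @(
    'AADAdministrativeUnit',
    'AADAuthenticationContextClassReference',
    'AADAuthorizationPolicy',
    'AADConditionalAccessPolicy',
    'AADCrossTenantAccessPolicyConfigurationDefault',
    'AADCrossTenantAccessPolicyConfigurationPartner',
    'AADEntitlementManagementAccessPackage',
    'AADEntitlementManagementAccessPackageAssignmentPolicy',
    'AADEntitlementManagementAccessPackageCatalog',
    'AADEntitlementManagementAccessPackageCatalogResource',
    'AADEntitlementManagementConnectedOrganization',
    'AADExternalIdentityPolicy',
    'AADGroupLifecyclePolicy',
    'AADNamedLocationPolicy',
    'AADSocialIdentityProvider',
    'AADTokenLifetimePolicy'
)

# Step 1: compile the permissions the import (write) path needs and review them before
# granting anything. 'Update' covers import; 'Read' would only be enough for export/assessment.
$required = Get-M365DSCCompiledPermissionList -ResourceNameList $resourceNames `
                                              -PermissionType 'Application' `
                                              -AccessType 'Update'
$required | Format-Table -AutoSize

# Step 2: grant exactly those scopes to the M365DSC app registration. Scoping the grant to the
# resource list keeps the service principal at the least privilege the import requires.
Update-M365DSCAllowedGraphScopes -ResourceNameList $resourceNames -Type 'Update'
```

Keep the output of step 1 with the change record for the import: it is the evidence of which application permissions were granted and why, and it is what to compare against when the Blueprint's resource list changes in a later release.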
Identity properties
This page describes the configuration of identity properties within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Users
This page describes the configuration of users within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Groups
This page describes the configuration of groups within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Devices
This page describes the configuration of devices within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Applications
This page describes the configuration of applications within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Protection
This page describes the configuration of protection within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Identity Governance
This page describes the configuration of identity governance within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
External Identities
This page describes the configuration of external identities within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.