ASD's Blueprint for Secure Cloud

Entra ID

This page describes the configuration of Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Automated Configuration Deployment and Assessment

Overview

Some of the Entra ID configurations can be automatically deployed using Microsoft 365 Desired State Configuration (DSC).

Some of the Entra ID configurations cannot be assessed automatically with M365DSC Blueprint. Please refer to those configuration pages to conduct a manual assessment.

ConfigurationBlueprint Automation Provided
PropertiesNo
UsersNo
Groups
- GeneralNo
- ExpirationYes (DSC)
- Naming PolicyYes (DSC)
DevicesNo
ApplicationsNo
Protection
- Identity ProtectionNo
- Conditional Access PoliciesYes (DSC)1
- Authentication ContextsYes (DSC)
- Authentication StrengthsNo
- Named LocationsYes (DSC)2
- Authentication MethodsNo
- Password ResetNo
- Risky ActivitiesNo
Identity GovernanceNo
External IdentitiesYes (DSC)

1: All Conditional Access policies are set to report only in the DSC and will need to be enabled manually.

2: IP addresses must be set manually. Refer to Named Locations for configuration guidance.

Desired State Configuration

Before using the below DSC file, please refer to Automated Deployment for instructions.

Desired State Configuration File:
Download Entra ID DSC (.ps1)
Note: download the linked .txt file and rename to .ps1
Configuration Data File:
The Configuration Data File can be found on the Automated Deployment page.
Service Principal permissions

To import the DSC as per the instructions on the Automated Deployment page, the following permissions will need to be added to the Service Principal:

"AADAdministrativeUnit", "AADAuthenticationContextClassReference", "AADAuthorizationPolicy", "AADConditionalAccessPolicy", "AADCrossTenantAccessPolicyConfigurationDefault", "AADCrossTenantAccessPolicyConfigurationPartner", "AADEntitlementManagementAccessPackage", "AADEntitlementManagementAccessPackageAssignmentPolicy", "AADEntitlementManagementAccessPackageCatalog", "AADEntitlementManagementAccessPackageCatalogResource", "AADEntitlementManagementConnectedOrganization", "AADExternalIdentityPolicy", "AADGroupLifecyclePolicy", "AADNamedLocationPolicy", "AADSocialIdentityProvider", "AADTokenLifetimePolicy"

Identity properties

This page describes the configuration of identity properties within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Properties

This page describes the configuration of properties within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Users

This page describes the configuration of users within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Groups

This page describes the configuration of groups within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Devices

This page describes the configuration of devices within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Applications

This page describes the configuration of applications within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Protection

This page describes the configuration of protection within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Identity Governance

This page describes the configuration of identity governance within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

External Identities

This page describes the configuration of external identities within Microsoft Entra ID associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra