ASD's Blueprint for Secure Cloud

Entra ID Tenant Settings

This section describes the design decisions associated with a tenant's Entra ID base settings for system(s) built using ASD's Blueprint for Secure Cloud.


In terms of Microsoft 365, a tenant is a container for the set of services assigned to an organisation. Within the core of a tenant sits a dedicated instance of Microsoft Entra. The following sections provide details on the design decisions for base tenant settings.

User default permissions (user settings)

To reduce the risk of shadow IT and rogue applications, the Blueprint recommends restricting the ability to create Microsoft Entra ID entities such as applications and security groups. This capability is limited to administrators.

Corporate branding

Microsoft 365 authentication screens provide the ability to identify the organisation to which the user is authenticating. Corporate branding enables a consistent sign-in experience for users where the branding is applied.


The Blueprint is built using Microsoft 365 E5 licences, which include Microsoft Entra ID P2. The E5 licence provides enhanced features such as self-service, enhanced monitoring, security reporting, and just-in-time access, which are required to meet maturity level 3 under ASD’s Essential Eight Maturity Model. Additional feature comparisons and a mapping of the Essential Eight to Microsoft 365 features are available at

Mobile device and application management

By design, the configuration and security policies of user endpoints, as well as the applications deployed to these endpoints, are centrally controlled.

Cloud-native deployment

For cloud-native deployments, all devices are enrolled and joined to Microsoft Entra ID. Microsoft Intune is used for mobile device management (MDM) / mobile application management (MAM). Devices are deployed using Windows Autopilot user-driven mode for Entra ID join, which involves the following process:

  1. Join device to organisation
  2. Enrol in Intune
  3. Configure device as defined by the Blueprint/organisation

As part of step two, an automatic enrolment feature registers the device and joins Microsoft Entra ID. Once registered, the device is managed with Intune.

Hybrid deployments

For hybrid deployments, organisations will need to determine the most appropriate solution for their devices. In order to leverage other features within the Blueprint, it is recommended that organisations, at a minimum, enable co-management for all devices. See Microsoft’s Co-management documentation. Devices are deployed using Windows Autopilot user-driven mode for hybrid Entra ID join.

Custom domain

When a new Microsoft Entra ID tenant is created it is automatically assigned a default Microsoft domain name ( This domain is internet routable and aligns to <TENANTNAME> A second internet routable domain name is also provisioned if Exchange Online is activated within the tenant. The second internet routable domain aligns to <TENANTNAME> Additional custom domains can also be registered to the tenant to be used by Exchange Online and other Azure services. These domains can be used for receiving email and/or be utilised as the User Principal Name (UPN).

The Blueprint recommends organisations register a new or existing domain (e.g. <ORGANISATION.GOV.AU>) and use it as the default for User Principal Names and email addresses.
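The restrictions under "User default permissions" and the custom domain recommendation above can both be checked from tenant data. The following is an added example, not part of the Blueprint: it audits constructed samples shaped like Microsoft Graph responses for `/policies/authorizationPolicy`, `/domains` and `/users`, and the `example.*` names and all sample values are assumptions.

```python
# Added example: audit constructed Microsoft Graph exports against two Blueprint settings.
MS_SUFFIX = ".onmicrosoft.com"  # suffix of the Microsoft-assigned tenant domains
RESTRICTED = ("allowedToCreateApps", "allowedToCreateSecurityGroups")

# Constructed sample: GET /policies/authorizationPolicy (relevant fields only)
POLICY = {"defaultUserRolePermissions": {"allowedToCreateApps": True,
                                         "allowedToCreateSecurityGroups": False}}
# Constructed sample: GET /domains
DOMAINS = [{"id": "example.onmicrosoft.com", "isDefault": True, "isVerified": True},
           {"id": "example.gov.au", "isDefault": False, "isVerified": True}]
# Constructed sample: GET /users?$select=userPrincipalName,userType
USERS = [{"userPrincipalName": "alice@example.gov.au", "userType": "Member"},
         {"userPrincipalName": "bob@example.onmicrosoft.com", "userType": "Member"},
         {"userPrincipalName": "eve_partner.example#EXT#@example.onmicrosoft.com",
          "userType": "Guest"}]

def audit_user_permissions(policy):
    """Return the creation permissions that are not explicitly disabled."""
    perms = policy.get("defaultUserRolePermissions") or {}
    # Only an explicit False passes; a missing or null key is reported.
    return [key for key in RESTRICTED if perms.get(key) is not False]

def audit_default_domain(domains):
    """Return a finding if the default domain is not a verified custom one."""
    default = next((d for d in domains if d.get("isDefault")), None)
    if default is None:
        return "no default domain in export"
    name = default.get("id", "").lower()
    if name.endswith(MS_SUFFIX):
        return f"default domain {name} is Microsoft-assigned"
    if not default.get("isVerified"):
        return f"default domain {name} is not verified"
    return None

def audit_upns(users):
    """Return member UPNs that still use a Microsoft-assigned domain."""
    flagged = []
    for user in users:
        if user.get("userType") == "Guest":
            continue  # B2B guests carry #EXT# UPNs on the tenant domain by design
        upn = user.get("userPrincipalName", "")
        if upn.lower().rpartition("@")[2].endswith(MS_SUFFIX):
            flagged.append(upn)
    return flagged

if __name__ == "__main__":
    print("user permissions to disable:", audit_user_permissions(POLICY))
    print("default domain:", audit_default_domain(DOMAINS) or "ok")
    print("member UPNs to migrate:", audit_upns(USERS))
```

Guest accounts are skipped in the UPN check because their `#EXT#` names sit on the Microsoft-assigned domain regardless of the tenant's default.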

Security & Governance

  • None identified






Authorised by the Australian Government, Canberra