Talk: Microsoft Entra ID – Defense

Finally, the part for which I delved into the whole study of Entra ID. As defenders, we need to properly secure/protect the Entra ID environments of our clients. However, without studying the attacks – motivations, tactics, techniques, and procedures (TTP 😊), our defense would be based only on feelings.

With this part, I conclude our short series (in terms of the number of parts, not the amount of time – approximately 6 hours of training) on Entra ID:

If you haven’t seen the previous parts, I definitely recommend starting with them – the entire training is interconnected.

Microsoft Entra ID – Defense

Just like with the defense of on-premise environments, we build the defense of Entra ID on several pillars:

  • Hardening: The default settings of Entra ID are not miraculous. With a few switches, we can significantly enhance security.
  • Conditional Access: This is a step within hardening (modifying configuration for higher security). However, since CA is an extensive technology that we didn’t have in on-prem Active Directory, I dedicated a separate chapter to it.
  • Monitoring: Even with the best security (hardening), an incident can occur (as you’ve seen in previous episodes). It is therefore necessary to monitor the environment to see if our security has been breached. Simply put, the goal of hardening is to make the attack as difficult and slow as possible for attackers, so that within monitoring, we have time to detect them before they achieve their goal (cause damage).
  • Backup: In case the worst happens and we lose data, or its integrity is compromised (e.g., partial modification/falsification).

As always, I have prepared the mentioned topics for you, including illustrative demonstrations. I hope you will enjoy the training and that it will bring you new information, knowledge, or perspective. (slides)

As I mention at the end of the training, securing Entra ID doesn’t end with this episode, it rather begins. Microsoft 365 / Office 365 is an extensive and rapidly evolving environment. And it doesn’t look like the development will slow down in the coming years.

Tools we chose

When I was recording the training, I was still hesitating between several tools. In the end, we chose AdminDroid for archiving logs, reporting, and alerting.

This year we invested in new powerful servers, and we like the option of operating AdminDroid ourselves. We gain (at a good price):

  • A fast tool (much quicker than going through logs directly in M365),
  • The ability to archive logs for several years (without having to deal with subscriptions to Log Analytics for each customer – a significant administrative burden),
  • Relatively high security (given the stored tokens, accesses, and data, this is a critical server [see my lecture at Hacker Fest], hence the server is not accessible from the internet),
  • A multitenant tool (we see the data of all customers simultaneously – we don’t have to check the logs for each customer separately),
  • The possibility of collaboration (we can share access to individual tenants/data with internal IT).

We supplement AdminDroid with our own scripts that check the configuration of individual tenants and audit things with more complex logic.


This internal training was a matter for us in August/September (I’m publishing it on the blog with a delay). Now I’m already rested and working on internal training for Intune and MS Defender. Hopefully, everything goes smoothly 🤞.

May your networks stay secure,


Do you like topics, I write about?

It is not necessary to periodically visit my blog to check if there is a new article. Subscribe below for notifications. You will be the first one who will know about new article.


Leave a Reply

Your email address will not be published. Required fields are marked *