Skip to content

01 - Entra ID

1. Entra Group Creations

Within Entra ID, navigate to the Groups section and create the following groups, taking note of the requirements for each:

Group: Devices - Cloud PCs - Dynamic

  • Description: A dynamic group which automatically captures any Cloud PC devices for usage with policy application
  • Membership Type: Dynamic Device
  • Dynamic Rule:
  • Property: deviceModel
  • Operator: Starts With
  • Value: Cloud PC

Group: Users - Cloud PC Licensing - Static

  • Description: A statically assigned group which allocates the user a Windows 365 Cloud PC license

Group: Users - M365 G5 Licensing - Static

  • Description: A statically assigned group which allocates the user a Microsoft 365 G5 GCC-High license. It has granular assignment so that no M365 applications which contain CUI are available unless the user is also within the 'CUI User Access' group

Group: Users - CUI User Access - Static

  • Description: A statically assigned group which is used to grant access to M365 Apps, SharePoint + Teams which are considered CUI-storage areas. Achieved using granular licensing assignments. Also works as a 'master-list' for who in the system has CUI access

Group: Users - HaloPSA Users - Static

  • Description: A statically assigned group which is used to grant access to HaloPSA (ITSM) Portal via User Sync
  • Description: Users in this group can approve application consent requests (enterprise application registrations)

Group: Users - Intune Administrator Role - Static

  • Description: A statically assigned group which allocates the user PIM-level assignment of the Intune Administrator Role. This will make the role 'available' for activation to whomever is in this group
  • NOTE: Ensure you select YES for this group to be eligible for Entra Role Assignments

Group: Users - Global Administrator Role - Static

  • Description: A statically assigned group which allocates the user PIM-level assignment of the Global Administrator Role. This will make the role 'available' for activation to whomever is in this group
  • NOTE: Ensure you select YES for this group to be eligible for Entra Role Assignments

Group: Users - Security Administrator Role - Static

  • Description: A statically assigned group which allocates the user PIM-level assignment of the Security Administrator Role. This will make the role 'available' for activation to whomever is in this group
  • NOTE: Ensure you select YES for this group to be eligible for Entra Role Assignments

Group: Users - User Administrator Roles - Static

  • Description: A statically assigned group which allocates the user PIM-level assignment of the Privileged Role Administrator + User Administrator Role. This will make the role 'available' for activation to whomever is in this group
  • NOTE: Ensure you select YES for this group to be eligible for Entra Role Assignments

Group: Users - SharePoint Administrator - Static

  • Description: A statically assigned group which allocates the user PIM-level assignment of the SharePoint Administrator Role. This will make the role 'available' for activation to whomever is in this group
  • NOTE: Ensure you select YES for this group to be eligible for Entra Role Assignments

Group: Users - DEACTIVATED USER - Static

  • Description: A statically assigned group which classifies the user as deactivated and ensures that nothing of privileged nature will be accessible to users within this group

Group: Users - Huntress SAT - Static

  • Description: A statically assigned group which grants users access to SAML SSO into the MyCurricula (Huntress SAT) platform as well as syncs the user into the platform itself via an SCIM provisioning configuration

Group: Users - MFA Pending - Static

  • Description: A statically assigned group which allows the user to access the required Cloud Apps for MFA Registration but blocks them from ALL other apps. Once a user has registered MFA, they are to be removed from this group

2. Establish the Intune Administrator Role Group to Utilize PIM

  1. In Entra ID go to ID Governance > Privileged Identity Management

  2. Go to 'Microsoft Entra Roles' under the manage section

  3. Go to 'Roles' under the manage section

  4. Search for Intune Administrator and select it

  5. Ensure you are under the 'Eligible assignments' tab

  6. Add assignments > "Users - Intune Administrator Role - Static"

    • Ensure the assignment is for Eligible activation
    • Ensure Permanent eligibility is ticked
    • Save/Assign this to complete the assignments

  7. While still on the 'Intune Administrator' role go to Role Settings on the left side

    • Select Edit and change the 'Activation maximum duration (hours)' to 2 hour(s)
    • Select Next: Assignment and select 'Require Azure Multi-Factor Authentication on active assignment'
    • Select Next: Notification and leave this as default and Update to finish

3. Establish the Global Administrator Role Group to Utilize PIM

  1. In Entra ID go to ID Governance > Privileged Identity Management

  2. Go to 'Microsoft Entra Roles' under the manage section

  3. Go to 'Roles' under the manage section

  4. Search for Global Administrator and select it

  5. Ensure you are under the 'Eligible assignments' tab

  6. Add assignments > "Users - Global Administrator Role - Static"

    • Ensure the assignment is for Eligible activation
    • Ensure Permanent eligibility is ticked
    • Save/Assign this to complete the assignments

  7. While still on the 'Global Administrator' role go to Role Settings on the left side

    • Select Edit and change the 'Activation maximum duration (hours)' to 2 hour(s)
    • Select Next: Assignment and select 'Require Azure Multi-Factor Authentication on active assignment'
    • Select Next: Notification and leave this as default and Update to finish

4. Establish the User Administrator Roles Group to Utilize PIM

  1. In Entra ID go to ID Governance > Privileged Identity Management

  2. Go to 'Microsoft Entra Roles' under the manage section

  3. Go to 'Roles' under the manage section

  4. Search for Privileged Role Administrator and select it

  5. Ensure you are under the 'Eligible assignments' tab

  6. Add assignments > "Users - User Administrator Roles - Static"

    • Ensure the assignment is for Eligible activation
    • Ensure Permanent eligibility is ticked
    • Save/Assign this to complete the assignments

  7. While still on the 'Privileged Role Administrator' role go to Role Settings on the left side

    • Select Edit and change the 'Activation maximum duration (hours)' to 2 hour(s)
    • Select Next: Assignment and select 'Require Azure Multi-Factor Authentication on active assignment'
    • Select Next: Notification and leave this as default and Update to finish

  8. Repeat steps 3-7 for the User Administrator role

5. Establish the Security Administrator Role Group to Utilize PIM

  1. In Entra ID go to ID Governance > Privileged Identity Management

  2. Go to 'Microsoft Entra Roles' under the manage section

  3. Go to 'Roles' under the manage section

  4. Search for Security Administrator and select it

  5. Ensure you are under the 'Eligible assignments' tab

  6. Add assignments > "Users - Security Administrator Role - Static"

    • Ensure the assignment is for Eligible activation
    • Ensure Permanent eligibility is ticked
    • Save/Assign this to complete the assignments

  7. While still on the 'Security Administrator' role go to Role Settings on the left side

    • Select Edit and change the 'Activation maximum duration (hours)' to 2 hour(s)
    • Select Next: Assignment and select 'Require Azure Multi-Factor Authentication on active assignment'
    • Select Next: Notification and leave this as default and Update to finish

6. Establish the SharePoint Administrator Role Group to Utilize PIM

  1. In Entra ID go to ID Governance > Privileged Identity Management

  2. Go to 'Microsoft Entra Roles' under the manage section

  3. Go to 'Roles' under the manage section

  4. Search for SharePoint Administrator and select it

  5. Ensure you are under the 'Eligible assignments' tab

  6. Add assignments > "Users - SharePoint Administrator - Static"

    • Ensure the assignment is for Eligible activation
    • Ensure Permanent eligibility is ticked
    • Save/Assign this to complete the assignments

  7. While still on the 'SharePoint Administrator' role go to Role Settings on the left side

    • Select Edit and change the 'Activation maximum duration (hours)' to 2 hour(s)
    • Select Next: Assignment and select 'Require Azure Multi-Factor Authentication on active assignment'
    • Select Next: Notification and leave this as default and Update to finish

7. Create Emergency Access Account

  1. Head into the M365 Admin Portal (https://portal.office365.us/adminportal)

  2. Create a new user:

    • Username: emergencyaccess@clientdomain.us
    • Password: Generate a 50+ character complex password
    • Store credentials securely in Keeper

  3. Assign Global Administrator role (Active, not Eligible)

  4. Exclude this account from all Conditional Access policies

  5. Configure MFA using the Microsoft Authenticator app

  6. Document the account creation date and access credentials securely

8. Configure User Risk Policy

  1. In Entra ID, navigate to Protection > Identity Protection

  2. Go to User risk policy

  3. Configure the following settings:

    • Assignments: All users (exclude Emergency Access Account)
    • User risk level: High
    • Controls: Require password change
    • Policy enforcement: On

User Risk Policy Configuration

9. Configure Sign-In Risk Policy

  1. In Entra ID, navigate to Protection > Identity Protection

  2. Go to Sign-in risk policy

  3. Configure the following settings:

    • Assignments: All users (exclude Emergency Access Account)
    • Sign-in risk level: High
    • Controls: Require multi-factor authentication
    • Policy enforcement: On

Sign-In Risk Policy Configuration

10. Configure MFA Registration Policy

  1. In Entra ID, navigate to Protection > Identity Protection

  2. Go to MFA registration policy

  3. Configure to require all users to register for MFA

  4. Exclude the Emergency Access Account

11. Configure Password Protection

  1. In Entra ID, navigate to Protection > Authentication methods > Password protection

  2. Configure custom banned password list with common passwords and company-specific terms

  3. Enable password protection for Windows Server Active Directory (if hybrid environment)

12. Configure Self-Service Password Reset (SSPR)

  1. In Entra ID, navigate to Password reset

  2. Enable SSPR for All users

  3. Configure authentication methods (require 2 methods):

    • Mobile phone
    • Email
    • Security questions (optional)

  4. Registration: Require users to register when they next sign in

13. Configure Named Locations

  1. In Entra ID, navigate to Security > Named locations

  2. Create named locations for:

    • Company office IPs (if applicable)
    • Trusted locations

  3. These will be used in Conditional Access policies later

14. Enable Security Defaults (If Not Using Conditional Access)

Note: Skip this if you're implementing full Conditional Access policies (which is recommended for CMMC compliance)

Head into this area within Entra ID (entra.microsoft.us) and set the following:

Security Defaults Configuration

15. Enable Additional Service Principal IDs for Usage in Conditional Access

  1. Go to the Stratus Cyber GitHub Repository into the following path: CMMC Level 2/Entra ID/Entra ID Scripts

  2. Download and open the Add Service Principals.ps1 script into PowerShell ISE (Administrator)

  3. Run the lines one by one:

    • Installing MgGraph
    • Connecting to GCC-High (With Global Admin Account)
    • Adding additional Service Principals