
Azure Tenant Hardening: Fixing the Insecure Defaults That Ship Out of the Box

Azure tenants carry insecure defaults. Security Defaults turned off with no Conditional Access to replace them, legacy authentication still reachable over SMTP AUTH, and open guest and cross-tenant settings create immediate attack surface. Learn how to harden your tenant baseline.

EtcSec Security Team

What Is Azure Tenant Hardening?

When a new Microsoft 365 or Azure tenant is created, it comes with a set of default configurations that are designed for ease of use, not security. Security Defaults are switched on for newly created tenants, but they are frequently turned off the first time an admin wants Conditional Access or hits a friction point, and older tenants may never have had them. Beyond that the out-of-box state is permissive: anyone in the directory, guests included, can invite more guests; inbound cross-tenant collaboration is allowed from every external organization; and no Conditional Access policies exist. Basic authentication for IMAP, POP, EWS, MAPI and the other Exchange Online protocols was retired by Microsoft in 2022, but SMTP AUTH was excluded from that retirement and remains the legacy-auth path most often left open.

Tenant hardening is the process of systematically reviewing and correcting these defaults. It is not glamorous work, but it is foundational: every other Azure security control — Conditional Access, PIM, Identity Protection — depends on the tenant configuration being correct.

This article covers the most critical Azure tenant configuration checks and how to validate and fix them.


How It Works

Azure tenant configuration is managed across multiple locations:

  • Entra ID > Properties — tenant-wide settings including Security Defaults
  • Entra ID > External Identities — guest and B2B collaboration settings
  • Entra ID > Authentication Methods — which MFA methods are allowed
  • Exchange Online Admin Center — legacy auth settings for email protocols
  • Microsoft 365 Admin Center — service-level security settings

Misconfigurations in any of these can create attack surface that sidesteps the other controls. A Conditional Access policy that requires MFA but leaves legacy authentication clients outside its scope is irrelevant to an attacker who signs in to SMTP AUTH or IMAP with a stolen password, because those protocols cannot complete an MFA challenge in the first place.


The Attack Chain

Exploiting Security Defaults Disabled

When Security Defaults are off and no Conditional Access policies fill the gap:

# Password spray against M365 with no MFA baseline (o365spray; keep the pace under smart-lockout thresholds)
o365spray --spray -U users.txt -P passwords.txt --domain corp.com

# Legacy auth: basic-auth protocols cannot answer an MFA challenge, so wherever no Conditional Access
# policy targets legacy clients a stolen password alone is enough. Microsoft retired basic auth for
# IMAP in Exchange Online in 2022, so today the same check is most often run against SMTP AUTH.
curl -u [email protected]:Password1 imaps://outlook.office365.com/INBOX

Exploiting Open B2B Settings

# With any member account (the default AllowInvitesFrom is "everyone", so even guests can do this):
# invite an attacker-controlled external identity quietly, with no invitation mail sent
Connect-MgGraph -Scopes "User.Invite.All"
New-MgInvitation -InvitedUserEmailAddress "[email protected]" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage $false

Configuration Audit Checklist

1. Security Defaults Status

Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled
# Should be True (if no CA policies in place)

2. Legacy Authentication Status

# Check Exchange Online legacy auth policies
Connect-ExchangeOnline
Get-AuthenticationPolicy | Select-Object Name, AllowBasicAuth*
# All AllowBasicAuth* values should be False. A policy only takes effect for users it is assigned to,
# or tenant-wide if it is the org default (DefaultAuthenticationPolicy on Get-OrganizationConfig).
# SMTP AUTH has its own switch, SmtpClientAuthenticationDisabled, at org and per-mailbox level.

3. Guest Invitation Settings

# Check who can invite guests
Get-MgPolicyAuthorizationPolicy | Select-Object AllowInvitesFrom
# Should be adminsAndGuestInviters (admins plus the Guest Inviter role) or none (no invitations at all);
# the default, everyone, lets every member and every existing guest invite more guests

4. Authentication Methods Policy

# List enabled authentication methods
Get-MgPolicyAuthenticationMethodPolicy | Select-Object -ExpandProperty AuthenticationMethodConfigurations |
    Where-Object {$_.State -eq "enabled"} | Select-Object Id, State
# Verify SMS is not the only MFA method (phishable) — prefer Authenticator App or FIDO2

5. Cross-Tenant Access Settings

# Check the default inbound settings, which apply to every external organization without a partner-specific policy
Get-MgPolicyCrossTenantAccessPolicyDefault | Select-Object -ExpandProperty B2BCollaborationInbound
# UsersAndGroups.AccessType "allowed" with a Target of "AllUsers" (the out-of-box value) means any external
# user can be invited; scope it to named partners, or block by default and allow per organization
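The five checks above run one at a time; the script below, an added example rather than EtcSec's own code, runs them in one pass and emits a PASS/FAIL row per control, including the org-default and SMTP AUTH checks that the per-protocol policy view misses. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Global Reader (or higher) account for Graph, and an Exchange role that can read authentication policies and CAS mailbox settings; the two guest-role GUIDs are Microsoft's built-in "Restricted access" and "Limited access" guest roles.

```powershell
# Added example, not EtcSec's code: all five baseline checks in one pass with a verdict per control.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

function Invoke-TenantBaselineAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
    }

    # 1. Security Defaults and Conditional Access are mutually exclusive; the tenant needs one of them.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $ca = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled')
    Add-Finding 'MFA baseline (Security Defaults or an enabled CA policy)' ($sd.IsEnabled -or $ca.Count -gt 0) `
        "SecurityDefaults=$($sd.IsEnabled); enabled CA policies=$($ca.Count)"

    # 2. Legacy auth: a policy only bites when it is the org default or assigned to the user,
    #    and SMTP AUTH has its own org-level and per-mailbox switch.
    $org   = Get-OrganizationConfig
    $leaky = foreach ($p in Get-AuthenticationPolicy) {
        $open = ($p.PSObject.Properties | Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }).Name
        if ($open) { "$($p.Name): $($open -join ',')" }
    }
    Add-Finding 'Org default authentication policy set' ([bool]$org.DefaultAuthenticationPolicy) `
        "DefaultAuthenticationPolicy=$($org.DefaultAuthenticationPolicy)"
    Add-Finding 'No authentication policy allows basic auth' (-not $leaky) ($leaky -join '; ')
    $tc = Get-TransportConfig
    # A per-mailbox value of $false overrides the org setting and re-opens SMTP AUTH for that mailbox
    $smtpOverrides = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })
    Add-Finding 'SMTP AUTH disabled org-wide' ($tc.SmtpClientAuthenticationDisabled) `
        "SmtpClientAuthenticationDisabled=$($tc.SmtpClientAuthenticationDisabled)"
    Add-Finding 'No mailbox re-enables SMTP AUTH' ($smtpOverrides.Count -eq 0) `
        (($smtpOverrides.PrimarySmtpAddress | Select-Object -First 10) -join ', ')

    # 3. Guest invitations and the directory role guests receive.
    $authz = Get-MgPolicyAuthorizationPolicy
    Add-Finding 'Guest invites restricted' ($authz.AllowInvitesFrom -in 'adminsAndGuestInviters', 'none') `
        "AllowInvitesFrom=$($authz.AllowInvitesFrom)"
    Add-Finding 'Guests hold the Restricted or Limited access role' `
        ($authz.GuestUserRoleId -in '2af84b1e-32c8-42b7-82bc-daa82404023b', '10dae51f-b6af-4016-8d66-8c2a99b929b3') `
        "GuestUserRoleId=$($authz.GuestUserRoleId)"

    # 4. Authentication methods: at least one phishing-resistant method on, SMS off.
    $enabled = @((Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
        Where-Object State -eq 'enabled' | Select-Object -ExpandProperty Id)
    Add-Finding 'Phishing-resistant method enabled (Fido2 or X509Certificate)' `
        (($enabled -contains 'Fido2') -or ($enabled -contains 'X509Certificate')) "Enabled: $($enabled -join ', ')"
    Add-Finding 'SMS disabled' ($enabled -notcontains 'Sms') "Enabled: $($enabled -join ', ')"

    # 5. Default inbound cross-tenant access applies to every org without a partner-specific policy.
    $inbound   = (Get-MgPolicyCrossTenantAccessPolicyDefault).B2BCollaborationInbound.UsersAndGroups
    $openToAll = ($inbound.AccessType -eq 'allowed') -and ($inbound.Targets.Target -contains 'AllUsers')
    Add-Finding 'Inbound B2B collaboration not open to all external users' (-not $openToAll) `
        "AccessType=$($inbound.AccessType); Targets=$($inbound.Targets.Target -join ',')"

    return $findings
}

$results = Invoke-TenantBaselineAudit
$results | Format-Table -AutoSize -Wrap
if ($results.Result -contains 'FAIL') { exit 1 }   # non-zero exit so a scheduled run surfaces drift
```

Run it from a scheduled pipeline and treat any FAIL as a change to investigate; the exit code makes that trivial to wire into whatever job runner you already have.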

Detection

Microsoft 365 Secure Score

Microsoft 365 Secure Score provides an automated assessment of tenant configuration against Microsoft's recommended baseline. Check it at security.microsoft.com > Secure Score.

Key actions that impact score:

  • Enable Security Defaults or require MFA for all users (+5-15 points)
  • Block legacy authentication (+10 points)
  • Restrict guest invitation (+5 points)
  • Enable Privileged Identity Management (+10 points)

Entra ID Audit Logs

# Detect Security Defaults being disabled (Elastic ECS field names from the Azure audit-log
# integration; the activity name and the new value are what to key on in any SIEM)
azure.auditlogs.operation_name: "Update security defaults" AND
azure.auditlogs.properties.target_resources.modified_properties.new_value: "false"
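If the audit logs are not yet in a SIEM, the same events can be pulled straight from Graph. The function below is an added example, not EtcSec's code: it fetches the recent directory audit events for the tenant-level objects this article covers and prints who changed what. "Update security defaults" is the activity name the query above uses and "Invite external user" and "Update conditional access policy" are standard Entra audit activities; the other two names are assumed and should be confirmed against your own audit log before you alert on them. It assumes the Microsoft.Graph SDK and the AuditLog.Read.All and Directory.Read.All scopes.

```powershell
# Added example, not EtcSec's code: list recent changes to the tenant baseline from the Entra audit log.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

function Get-BaselineChangeEvents {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # First three names are known activities; the last two are assumed and must be verified in your tenant.
    $activities = 'Update security defaults', 'Invite external user', 'Update conditional access policy',
                  'Update authorization policy', 'Update authentication methods policy'
    foreach ($a in $activities) {
        Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq '$a' and activityDateTime ge $since" |
            ForEach-Object {
                # Changes can come from a user session or from an app/service principal; record whichever is set
                $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                         else { $_.InitiatedBy.App.DisplayName }
                [pscustomobject]@{
                    Time     = $_.ActivityDateTime
                    Activity = $_.ActivityDisplayName
                    Actor    = $actor
                    Target   = ($_.TargetResources.DisplayName | Where-Object { $_ }) -join ', '
                    # OldValue/NewValue are JSON-encoded strings as returned by Graph
                    Changes  = ($_.TargetResources.ModifiedProperties |
                                ForEach-Object { "$($_.DisplayName): $($_.OldValue) -> $($_.NewValue)" }) -join '; '
                }
            }
    }
}

$events = Get-BaselineChangeEvents -Days 7 | Sort-Object Time -Descending
$events | Format-Table -AutoSize -Wrap

# Highest-priority rows: Security Defaults turned off, the same condition the SIEM query above keys on
$events | Where-Object { $_.Activity -eq 'Update security defaults' -and $_.Changes -match 'false' }
```

The Actor column is the thing to read first: a change made by a break-glass account, a service principal you do not recognise, or a user outside the identity team is the signal, regardless of what was changed.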

💡 Tip: Monitor your Microsoft Secure Score weekly. A significant drop is often the first indicator that a configuration change introduced a new security gap.


Remediation

💡 Quick Win: Run the audit checklist above and fix any finding where legacy auth is enabled or Security Defaults are off with no CA replacement.

Enable Security Defaults (If No Conditional Access)

Entra ID > Properties > Manage Security Defaults > Enabled = Yes

Disable Legacy Authentication Globally

# Create an authentication policy that blocks basic auth. A new policy already has every
# AllowBasicAuth* switch off (ActiveSync, Autodiscover, OfflineAddressBook, OutlookService,
# PowerShell and ReportingWebServices included); the Set- call makes the common ones explicit.
Connect-ExchangeOnline
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-AuthenticationPolicy -Identity "Block Basic Auth" `
    -AllowBasicAuthImap $false -AllowBasicAuthPop $false `
    -AllowBasicAuthSmtp $false -AllowBasicAuthWebServices $false `
    -AllowBasicAuthRpc $false -AllowBasicAuthMapi $false

# Make it the org default so users created later inherit it, then assign it to existing users.
# Assignments take up to 24 hours to apply unless the users' tokens are forced to refresh.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
Get-User -ResultSize Unlimited | Set-User -AuthenticationPolicy "Block Basic Auth"

# SMTP AUTH can be switched off entirely (basic and OAuth client submission) at org level;
# re-enable it per mailbox with Set-CASMailbox only for devices that genuinely need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Restrict Guest Invitations

Entra ID > External Identities > External collaboration settings:
Guest invite settings = "Only users assigned to specific admin roles can invite"

Enable Phishing-Resistant MFA Methods

Entra ID > Authentication methods > FIDO2 security keys / passkeys = Enabled (for all or admins)
Entra ID > Authentication methods > Microsoft Authenticator = Enabled
Entra ID > Authentication methods > SMS = Disabled (phishable, replace with Authenticator)

Only FIDO2 security keys, device-bound passkeys (including passkeys in Microsoft Authenticator) and certificate-based authentication are phishing-resistant. Authenticator push approvals resist MFA fatigue when number matching is on, but an adversary-in-the-middle phishing kit still relays them. Enforce the phishing-resistant methods for privileged roles with an authentication strength in Conditional Access, and check the legacy per-user MFA and SSPR settings so that SMS is not still reachable there after it is disabled in the methods policy.
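The guest-invite and authentication-method changes above are portal clicks; the function below, an added example rather than EtcSec's code, applies the same settings through Graph with -WhatIf support so a run can be previewed before anything changes. Cmdlets and scopes are from the Microsoft.Graph SDK, the request bodies follow the Graph authenticationMethodConfiguration schema, 2af84b1e-... is the built-in "Restricted access" guest role, and "all_users" is the Graph target id for every user; the $Fido2TargetId parameter is this example's own knob for piloting FIDO2 on one group first.

```powershell
# Added example, not EtcSec's code: apply the remediation settings via Graph, previewable with -WhatIf.
function Set-TenantBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only for tenants with no Conditional Access: Graph refuses to enable Security Defaults while CA policies exist.
        [switch]$EnableSecurityDefaults,
        # Group object id to pilot FIDO2 on; the default targets all users.
        [string]$Fido2TargetId = 'all_users'
    )
    Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.AuthenticationMethod',
                                       'Policy.ReadWrite.ConditionalAccess'

    # Guest invites: admins and Guest Inviters only, and guests get the Restricted access role
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', 'Restrict guest invites and set restricted guest role')) {
        Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom adminsAndGuestInviters `
            -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
    }

    # Authentication methods: phishing-resistant on, Authenticator on, SMS off.
    # Disabling SMS strands users whose only registered method is a phone number; check registration reports first.
    $methods = @(
        @{ Id = 'Fido2'; Body = @{
            '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
            state                            = 'enabled'
            isSelfServiceRegistrationEnabled = $true
            includeTargets                   = @(@{ targetType = 'group'; id = $Fido2TargetId; isRegistrationRequired = $false })
        } }
        @{ Id = 'MicrosoftAuthenticator'; Body = @{
            '@odata.type' = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
            state         = 'enabled'
        } }
        @{ Id = 'Sms'; Body = @{
            '@odata.type' = '#microsoft.graph.smsAuthenticationMethodConfiguration'
            state         = 'disabled'
        } }
    )
    foreach ($m in $methods) {
        if ($PSCmdlet.ShouldProcess("authenticationMethodsPolicy/$($m.Id)", "Set state=$($m.Body.state)")) {
            Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
                -AuthenticationMethodConfigurationId $m.Id -BodyParameter $m.Body
        }
    }

    if ($EnableSecurityDefaults -and $PSCmdlet.ShouldProcess('identitySecurityDefaultsEnforcementPolicy', 'Enable')) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    }
}

Set-TenantBaseline -WhatIf        # preview every change
# Set-TenantBaseline              # apply; add -EnableSecurityDefaults only on a tenant with no CA policies
```

Run the audit checklist again after applying it; the point of scripting both sides is that the audit becomes the acceptance test for the remediation.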

How EtcSec Detects This

EtcSec audits your complete Azure tenant configuration on every scan, checking every setting that affects the security baseline.

AZ_SECURITY_DEFAULTS_DISABLED identifies tenants where Security Defaults are off without equivalent Conditional Access coverage — a fundamental baseline gap.

CA_NO_LEGACY_AUTH_BLOCK flags the absence of a Conditional Access policy blocking legacy authentication protocols, leaving an MFA bypass open for any attacker with a stolen password.

B2B_CROSS_TENANT_OPEN detects overly permissive cross-tenant access settings that allow unrestricted external collaboration without security controls.

ℹ️ Note: EtcSec audits Azure tenant configuration automatically. Run a free audit to validate your tenant hardening posture.

Related articles: Azure Conditional Access Gaps | Azure Identity Security


© 2026 EtcSec. All rights reserved.
