Entra (AAD) Standards

Low Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Enable OTP Software OAuth tokens | Enables software OATH tokens (TOTP; "OAuth" in the standard name is a misspelling of OATH, the Initiative for Open Authentication standard) for the tenant. This lets users authenticate with one-time codes generated by software such as a password manager or a third-party authenticator app. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | allowOAuthTokens |
| Enable OTP via Authenticator | Allows users to use the OTP (time-based code) generator in the Microsoft Authenticator app. Useful when the NPS extension is used as MFA for VPN clients. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | allowOTPTokens |
| Deploy Application | Uses the CIPP application deployment functionality to deploy applications across the entire tenant base as a standard. | | Portal or Graph API | AppDeploy |
| Disable App creation by users | Disables the ability for users to register applications in Entra. This prevents a breached account from registering an app in order to keep access to the tenant after the account itself has been secured. | CIS | Update-MgPolicyAuthorizationPolicy | DisableAppCreation |
| Disable M365 Group creation by users | By default users are allowed to create M365 groups. This restricts M365 group creation to certain admin roles, which also removes users' ability to create Teams, SharePoint sites, Planner plans and anything else backed by an M365 group. | | Update-MgBetaDirectorySetting | DisableM365GroupUsers |
| Disable M365 Tenant creation by users | By default users are allowed to create new M365 tenants. This restricts tenant creation to admins. | CIS | Update-MgPolicyAuthorizationPolicy | DisableTenantCreation |
| Enable App consent admin requests | Enables the admin consent request workflow, so users can request admin consent for an application instead of simply being blocked. Should be used in conjunction with the "Require admin consent for applications" standard. | CIS | Update-MgPolicyAdminConsentRequestPolicy | EnableAppConsentRequests |
| Enable FIDO2 capabilities | Enables the FIDO2 security key authentication method for the tenant, so users can sign in with keys such as a YubiKey. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | EnableFIDO2 |
| Enable Hardware OAuth tokens | Enables hardware OATH (TOTP) tokens for the tenant, so users can authenticate with a dedicated hardware token whose seed has been uploaded to the tenant. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | EnableHardwareOAuth |
| Sets the Cross-tenant access setting to trust external MFA | Sets the default cross-tenant access setting to trust MFA performed in external Entra tenants. Guest users then satisfy your MFA requirements with their home-tenant MFA instead of registering a second set of methods in your tenant. | | Update-MgBetaPolicyCrossTenantAccessPolicyDefault | ExternalMFATrusted |
| Enable LAPS on the tenant | Enables the Windows LAPS functionality on the tenant. Prerequisite for using Windows LAPS with Entra ID (formerly Azure AD) as the password store. | | Portal or Graph API | laps |
| Sets the state for the request to setup Authenticator | Sets the state of the Microsoft Authenticator registration campaign for the tenant. When enabled, users are nudged at sign-in to set up Microsoft Authenticator. | | Update-MgPolicyAuthenticationMethodPolicy | NudgeMFA |
| Do not expire passwords | Sets passwords to never expire for the tenant's domains. Recommended in conjunction with strong password requirements. | CIS | Update-MgDomain | PasswordExpireDisabled |
| Set Authenticator Lite state | Sets the Authenticator Lite state to enabled. This lets users use the Authenticator Lite experience built into the Outlook mobile app instead of the full Microsoft Authenticator app. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | PWcompanionAppAllowedState |
| Enable Passwordless with Location information and Number Matching | Configures Microsoft Authenticator for passwordless sign-in with number matching, and shows the location of the sign-in request in the approval prompt so users can spot requests they did not initiate. | CIS | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | PWdisplayAppInformationRequiredState |
| Enable Temporary Access Passwords | Enables Temporary Access Pass (TAP) generation for the tenant. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | TAP |
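The following script is an added example, not code from the CIPP project, showing how several of the Low Impact standards above map onto the Microsoft Graph PowerShell cmdlets listed in the table, followed by a read-back so you can confirm the tenant state. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and that the signed-in account can write these policies; the FIDO2 and TAP settings values are illustrative choices, not CIPP's defaults.

```powershell
# Added example (not CIPP's own code). Applies DisableAppCreation, DisableTenantCreation,
# EnableFIDO2, TAP and PasswordExpireDisabled with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph and Microsoft.Graph.Beta modules installed; an account that
# holds a role allowed to write authorization, authentication-method and domain settings.
$graphScopes = @(
    'Policy.ReadWrite.Authorization',
    'Policy.ReadWrite.AuthenticationMethod',
    'Domain.ReadWrite.All'
)
Connect-MgGraph -Scopes $graphScopes

# --- DisableAppCreation / DisableTenantCreation ------------------------------------
# Both flags live in the tenant's single authorizationPolicy object. Only the keys you
# pass are changed; the remaining defaultUserRolePermissions are left untouched.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        allowedToCreateApps    = $false
        allowedToCreateTenants = $false
    }
}

# --- EnableFIDO2 ---------------------------------------------------------------------
# Method configurations are polymorphic, so the @odata.type is passed explicitly.
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationAllowed = $true
        isAttestationEnforced            = $true   # illustrative: only keys with valid attestation may register
    }

# --- TAP -------------------------------------------------------------------------------
# Lifetimes below are illustrative values; a TAP is meant for onboarding or recovery, so
# keep it short and hand it out through an out-of-band channel.
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter @{
        '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
        state                    = 'enabled'
        defaultLength            = 8
        defaultLifetimeInMinutes = 60
        maximumLifetimeInMinutes = 480
        isUsableOnce             = $false
    }

# --- PasswordExpireDisabled ------------------------------------------------------------
# There is no tenant-wide switch; the validity period is set per verified domain.
# 2147483647 days is the documented "never expires" value.
foreach ($domain in Get-MgDomain | Where-Object IsVerified) {
    Update-MgDomain -DomainId $domain.Id `
        -PasswordValidityPeriodInDays 2147483647 `
        -PasswordNotificationWindowInDays 14
}

# --- Verify ------------------------------------------------------------------------------
$authz = Get-MgPolicyAuthorizationPolicy
$fido2 = Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId 'Fido2'
$tap   = Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
[pscustomobject]@{
    AllowedToCreateApps    = $authz.DefaultUserRolePermissions.AllowedToCreateApps
    AllowedToCreateTenants = $authz.DefaultUserRolePermissions.AllowedToCreateTenants
    Fido2State             = $fido2.State
    TapState               = $tap.State
}
```

Run it once against a test tenant before rolling it out: the authorization policy change is immediate and affects every non-admin user, and a mistyped `@odata.type` on a method configuration is rejected by Graph rather than silently ignored, so the final read-back is the quickest way to see what actually applied.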

Medium Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Disable Guest accounts that have not logged on for 90 days | Blocks sign-in for guest users that have not signed in for 90 days. | | Graph API | DisableGuests |
| Disable Security Group creation by users | Completely disables the creation of security groups by users. Note that this also breaks users' ability to manage their own groups, or to create Teams. | | Update-MgBetaPolicyAuthorizationPolicy | DisableSecurityGroupUsers |
| Disable Self Service Licensing | Disables all self-service license sign-ups and enables every self-service purchase exclusion. | | Set-MsolCompanySettings -AllowAdHocSubscriptions $false (MSOnline module, now deprecated) | DisableSelfServiceLicenses |
| Remove Legacy MFA if SD or CA is active | This standard currently does not function and can be safely disabled. | | Set-MsolUser -StrongAuthenticationRequirements $null | LegacyMFACleanup |
| Require admin consent for applications (Prevent OAuth phishing) | Requires users to obtain administrator consent before an application can access their data. Specific applications can be pre-approved. | CIS | Update-MgPolicyAuthorizationPolicy | OauthConsent |
| Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure) | Allows users to consent on their own to applications that request only permissions Microsoft classifies as low risk; anything else still requires admin consent. | | Update-MgPolicyAuthorizationPolicy | OauthConsentLowSec |
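The script below is an added example, not CIPP code, covering the consent standards (OauthConsent / OauthConsentLowSec together with EnableAppConsentRequests from the Low Impact table, since the page says they belong together) and the DisableGuests standard. It assumes the Microsoft.Graph module is installed; `$reviewerUserId` is a placeholder object id for the admin who reviews consent requests, and the guest-disable step runs with `-WhatIf` so nothing is changed until you remove it.

```powershell
# Added example (not CIPP's own code). Applies OauthConsent + EnableAppConsentRequests
# and implements the DisableGuests check with the Microsoft Graph PowerShell SDK.
# Assumption: $reviewerUserId is replaced with the object id of a real reviewer.
$reviewerUserId = '00000000-0000-0000-0000-000000000000'   # placeholder
$graphScopes = @(
    'Policy.ReadWrite.Authorization',
    'Policy.ReadWrite.ConsentRequest',
    'User.ReadWrite.All',
    'AuditLog.Read.All'      # needed to read signInActivity
)
Connect-MgGraph -Scopes $graphScopes

# --- OauthConsent: require admin consent for every application -------------------------
# User consent is governed by the permission-grant policies assigned to the default user
# role. An empty list means users cannot consent to anything themselves.
# For OauthConsentLowSec assign Microsoft's built-in low-risk policy instead:
#   @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    permissionGrantPolicyIdsAssignedToDefaultUserRole = @()
}

# --- EnableAppConsentRequests: give users a request path instead of a dead end ---------
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ query = "/users/$reviewerUserId"; queryType = 'MicrosoftGraph' })

# --- DisableGuests: block guests idle for 90+ days ----------------------------------------
# userType is an advanced-query property, so the request needs ConsistencyLevel eventual.
$guests = Get-MgUser -All -ConsistencyLevel eventual -CountVariable guestCount `
    -Filter "userType eq 'Guest'" `
    -Property Id, UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity

# signInActivity is null for a guest who has never signed in. Falling back to the
# invitation date avoids disabling guests who were invited last week.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    if (-not $last) { $last = $g.CreatedDateTime }
    if ($g.AccountEnabled -and $last -lt $cutoff) { $g }
}

foreach ($g in $stale) {
    # -WhatIf only reports; remove it to actually block sign-in.
    Update-MgUser -UserId $g.Id -AccountEnabled:$false -WhatIf
}
"Guests checked: $guestCount; stale and enabled: $($stale.Count)"
```

Disabling the account (`accountEnabled = false`) blocks sign-in but keeps the guest object and its group memberships, so a returning collaborator can be re-enabled rather than re-invited; deleting the guest is a separate decision. Reading `signInActivity` requires a Microsoft Entra ID P1 or P2 licence in the tenant.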

High Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Disables Email as an MFA method | Blocks users from using email as an MFA method. This removes the email one-time passcode option for guest users, who are instead prompted to create a Microsoft account. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableEmail |
| Disables SMS as an MFA method | Disables SMS as an MFA method for the tenant. A user whose only registered MFA method is SMS will be unable to sign in. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableSMS |
| Disables Voice call as an MFA method | Disables voice call as an MFA method for the tenant. A user whose only registered MFA method is voice call will be unable to sign in. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableVoice |
| Disables Certificates as an MFA method | Blocks users from using certificate-based authentication as an MFA method. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disablex509Certificate |
| Enables per user MFA for all users | Enables per-user MFA for every user in the tenant. | | Graph API | PerUserMFA |
| Enable Security Defaults | Enables Security Defaults for the tenant, which blocks all forms of basic (legacy) authentication and requires users to register for MFA. Users are only prompted for MFA when Microsoft considers a sign-in "suspect". | | | SecurityDefaults |
| Undo App Consent Standard | Reverts the app consent standards: removes the admin-consent requirement and sets the tenant to "Allow user consent for apps". | | Update-MgPolicyAuthorizationPolicy | UndoOauth |
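Because the SMS and voice rows above warn that users with no other method are locked out, an added example (not CIPP code) is worth showing for the pre-check a practitioner runs first: pull the user registration details report, list users whose only registered methods are phone-based, and only then disable the methods. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed; the set of method names treated as "phone-based or not MFA-capable" is an assumption built from the values that report returns.

```powershell
# Added example (not CIPP's own code). Safety check before DisableSMS / DisableVoice:
# find users who would lose their only MFA method, then disable the methods only when
# nobody is affected. Uses the Microsoft Graph PowerShell SDK.
$graphScopes = @(
    'AuditLog.Read.All',
    'UserAuthenticationMethod.Read.All',
    'Policy.ReadWrite.AuthenticationMethod'
)
Connect-MgGraph -Scopes $graphScopes

# Assumption: these methodsRegistered values are the ones that are phone-based or are
# not usable as a second factor for members (email and security questions are SSPR-only).
$weakMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')

# The userRegistrationDetails report lists every registered method per user.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# A user is at risk when they are MFA-registered but every method they hold is "weak".
$atRisk = $report | Where-Object {
    $_.IsMfaRegistered -and
    @($_.MethodsRegistered | Where-Object { $_ -notin $weakMethods }).Count -eq 0
}

if ($atRisk) {
    'These users have no non-phone MFA method; move them to Authenticator or FIDO2 first:'
    $atRisk | Select-Object UserPrincipalName, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } } | Format-Table -AutoSize
}
else {
    # Method configurations are polymorphic, so each PATCH carries its @odata.type.
    $odataType = @{
        Sms   = '#microsoft.graph.smsAuthenticationMethodConfiguration'
        Voice = '#microsoft.graph.voiceAuthenticationMethodConfiguration'
    }
    foreach ($method in 'Sms', 'Voice') {
        Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId $method -BodyParameter @{
                '@odata.type' = $odataType[$method]
                state         = 'disabled'
            }
        $cfg = Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
                  -AuthenticationMethodConfigurationId $method
        "$method is now $($cfg.State)"
    }
}
```

Two caveats apply when you run this. The report is refreshed periodically rather than in real time, so re-run it shortly before making the change. And the authentication methods policy only governs which methods are usable once the tenant has finished migrating off the legacy per-user MFA and SSPR method settings; until that migration is marked complete, the legacy settings can still allow SMS and voice regardless of the value you set here.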
