Entra (AAD) Standards

Low Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Enable OTP Software OAuth tokens | Enables OTP software OAuth tokens for the tenant. This allows OTP codes generated by software, such as a password manager, to be used as an authentication method. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | allowOAuthTokens |
| Enable OTP via Authenticator | Allows use of the Microsoft Authenticator OTP token generator. Useful when using the NPS extension as MFA for VPN clients. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | allowOTPTokens |
| Deploy Application | Uses the CIPP functionality that deploys applications across an entire tenant base as a standard. | | Portal or Graph API | AppDeploy |
| Configure Authentication Methods Policy Settings | Controls the authentication methods policy settings for reporting suspicious activity and system credential preferences. These settings help enhance the security of authentication in your organization. | | Update-MgBetaPolicyAuthenticationMethodPolicy | AuthMethodsSettings |
| Disable App creation by users | Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured. | CIS | Update-MgPolicyAuthorizationPolicy | DisableAppCreation |
| Disable M365 Group creation by users | Users are allowed to create M365 groups by default. This restricts M365 group creation to certain admin roles, which disables the ability to create Teams, SharePoint sites, Planner, etc. | | Update-MgBetaDirectorySetting | DisableM365GroupUsers |
| Disable M365 Tenant creation by users | Users are allowed to create M365 tenants by default. This disables that so only admins can create new M365 tenants. | CIS | Update-MgPolicyAuthorizationPolicy | DisableTenantCreation |
| Enable App consent admin requests | Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standard. | CIS | Update-MgPolicyAdminConsentRequestPolicy | EnableAppConsentRequests |
| Enable FIDO2 capabilities | Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys, such as a YubiKey, for authentication. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | EnableFIDO2 |
| Enable Hardware OAuth tokens | Enables hardware OAuth tokens for the tenant. This allows users to use hardware tokens, such as a YubiKey, for authentication. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | EnableHardwareOAuth |
| Sets the Cross-tenant access setting to trust external MFA | Sets the state of the cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. | | Update-MgBetaPolicyCrossTenantAccessPolicyDefault | ExternalMFATrusted |
| Enable LAPS on the tenant | Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD. | | Portal or Graph API | laps |
| Sets the state for the request to setup Authenticator | Sets the state of the registration campaign for the tenant. If enabled, nudges users to set up Microsoft Authenticator during sign-in. | | Update-MgPolicyAuthenticationMethodPolicy | NudgeMFA |
| Do not expire passwords | Sets passwords to never expire for the tenant. Recommended in conjunction with secure password requirements. | CIS | Update-MgDomain | PasswordExpireDisabled |
| Set Authenticator Lite state | Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | PWcompanionAppAllowedState |
| Enable Passwordless with Location information and Number Matching | Allows users to use passwordless sign-in with number matching and adds location information from the last request. | CIS | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | PWdisplayAppInformationRequiredState |
| Enable Temporary Access Passwords | Enables Temporary Access Pass generation for the tenant. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | TAP |

Medium Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Disable Guest accounts that have not logged on for 90 days | Blocks sign-in for guest users that have not logged in for 90 days. | | Graph API | DisableGuests |
| Disable Security Group creation by users | Completely disables the creation of security groups by users. This also breaks the ability for users to manage their own groups or create Teams. | | Update-MgBetaPolicyAuthorizationPolicy | DisableSecurityGroupUsers |
| Disable Self Service Licensing | This standard disables all self-service licenses and enables all exclusions. | | Set-MsolCompanySettings -AllowAdHocSubscriptions $false | DisableSelfServiceLicenses |
| Guest Invite setting | This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources. | | | GuestInvite |
| Remove Legacy MFA if SD or CA is active | This standard currently does not function and can be safely disabled. | | Set-MsolUser -StrongAuthenticationRequirements $null | LegacyMFACleanup |
| Require admin consent for applications (Prevent OAuth phishing) | Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. | CIS | Update-MgPolicyAuthorizationPolicy | OauthConsent |
| Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure) | Allows users to consent to applications with low assigned risk. | | Update-MgPolicyAuthorizationPolicy | OauthConsentLowSec |
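Several of the standards above (Disable App creation by users, Disable M365 Tenant creation by users, Require admin consent for applications) map to the same tenant-wide authorization policy. The script below is an added example, not CIPP's own code, showing how to read the current state of that policy, apply the CIS-recommended values and verify the result with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the Policy.ReadWrite.Authorization permission.

```powershell
# Added example (not CIPP's own code): audit and apply the authorization-policy
# standards from the tables above with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the account can be
# granted Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# The authorization policy is a tenant singleton; the defaults that apply to
# ordinary users live under DefaultUserRolePermissions.
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions

[pscustomobject]@{
    UsersMayCreateApps    = $before.AllowedToCreateApps
    UsersMayCreateTenants = $before.AllowedToCreateTenants
    # An empty list means only admins may consent to applications (OauthConsent);
    # a "...microsoft-user-default-low" entry corresponds to OauthConsentLowSec.
    UserConsentPolicies   = ($before.PermissionGrantPoliciesAssigned -join ", ")
} | Format-List

# Apply the CIS-recommended values in one PATCH. Only the keys supplied here
# are sent, so other DefaultUserRolePermissions values are left unchanged.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false   # DisableAppCreation
    AllowedToCreateTenants          = $false   # DisableTenantCreation
    PermissionGrantPoliciesAssigned = @()      # OauthConsent: require admin consent
}

# Re-read the policy and fail loudly if any setting did not take effect.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
if ($after.AllowedToCreateApps -or $after.AllowedToCreateTenants -or
    $after.PermissionGrantPoliciesAssigned.Count -gt 0) {
    throw "Authorization policy still permits user app creation, tenant creation or self-consent"
}
"Authorization policy now matches the standards."
```

Run the read-only part first when onboarding a tenant: the printed values tell you whether the tenant already matches the standard, which is the same comparison the Compare Tenant to Standard page performs.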

High Impact

| Standard Name | Description | Recommended By | PowerShell Equivalent | APIName |
| --- | --- | --- | --- | --- |
| Disables Email as an MFA method | Blocks users from using email as an MFA method. This disables the email OTP option for guest users and instead prompts them to create a Microsoft account. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableEmail |
| Disables SMS as an MFA method | Disables SMS as an MFA method for the tenant. If a user only has SMS as an MFA method, they will be unable to sign in. | CIPP | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableSMS |
| Disables QR Code Pin as an MFA method | Disables QR Code Pin as an MFA method for the tenant. If a user only has QR Code Pin as an MFA method, they will be unable to sign in. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableQRCodePin |
| Disables Voice call as an MFA method | Disables voice call as an MFA method for the tenant. If a user only has voice call as an MFA method, they will be unable to sign in. | CIPP | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | DisableVoice |
| Disables Certificates as an MFA method | Blocks users from using certificates as an MFA method. | | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disablex509Certificate |
| Enables per user MFA for all users. | Enables per-user MFA for all users. | | Graph API | PerUserMFA |
| Enable Security Defaults | Enables Security Defaults for the tenant, which disables all forms of basic authentication and requires users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. | | | SecurityDefaults |
| Cleanup stale Entra devices | Cleans up Entra devices that have not connected/signed in for the specified number of days. First disables and later deletes the devices. More info can be found in the Microsoft documentation. | | Remove-MgDevice, Update-MgDevice or Graph API | StaleEntraDevices |
| Undo App Consent Standard | Disables the app consent standard and sets the policy to allow user consent for apps. | | Update-MgPolicyAuthorizationPolicy | UndoOauth |

Last updated 3 months ago
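The DisableSMS and DisableVoice rows in the High Impact table warn that a user whose only registered MFA method is phone based will be unable to sign in once the method is disabled. The script below is an added example, not CIPP's own code: it uses the authentication method registration report to list such users first, and only disables the SMS and voice configurations when nobody depends on them. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and that the account can be granted the listed scopes; the method names in `$phoneMethods` are the values used by the registration-details report.

```powershell
# Added example (not CIPP's own code): pre-check before applying the
# "Disables SMS as an MFA method" and "Disables Voice call as an MFA method"
# standards. Assumes Microsoft.Graph and Microsoft.Graph.Beta are installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Policy.ReadWrite.AuthenticationMethod"

# Method names as reported by the user registration details report. These are
# the phone-based methods the two standards remove from the tenant.
$phoneMethods = @("mobilePhone", "alternateMobilePhone", "officePhone")

# A user is at risk of lockout when they are MFA registered but every method
# they have registered is one of the phone-based ones.
$atRisk = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object {
        $_.IsMfaRegistered -and
        -not ($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods })
    } |
    Select-Object UserPrincipalName, @{ n = "Methods"; e = { $_.MethodsRegistered -join ", " } }

if ($atRisk) {
    "Users whose only MFA methods are phone based (have them register another method first):"
    $atRisk | Format-Table -AutoSize
    return
}

# Nobody depends solely on phone methods: disable SMS and voice tenant-wide.
# The beta endpoint expects the concrete configuration type in the body.
$targets = @{
    "Sms"   = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    "Voice" = "#microsoft.graph.voiceAuthenticationMethodConfiguration"
}
foreach ($id in $targets.Keys) {
    Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $id `
        -BodyParameter @{ "@odata.type" = $targets[$id]; state = "disabled" }
}

# Confirm the new state of each configuration.
foreach ($id in $targets.Keys) {
    $cfg = Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $id
    "{0}: {1}" -f $id, $cfg.State
}
```

The same pre-check applies to DisableEmail and DisableQRCodePin: add the corresponding method names to the filter list before disabling those configurations, and pair the change with the NudgeMFA standard so users are pushed toward Microsoft Authenticator before their fallback methods disappear.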