Skip to main content

The Entra Defenses You Already Pay For (and Probably Have Not Turned On)

Nick Ross3 min read

TL;DR

  • As of August 2025, any Microsoft 365 user without an admin role can browse the Microsoft Admin Center and see every account and admin role assignment unless you restrict access under User Settings.
  • Entra's custom banned password list blocks organization-specific patterns like company names and locations that password spray attacks target first.
  • A Conditional Access policy filtering on device trustType lets cloud-only tenants block unmanaged devices without deploying Intune compliance policies.
  • Blocking user app consent and app registrations removes a common persistence backdoor attackers set up after compromising an account.
  • The Microsoft Traffic profile in Global Secure Access is included with Entra ID P1 and tunnels Outlook and SharePoint traffic to protect against token theft.

Most Entra ID hardening conversations start with MFA and stop there. Meanwhile, a handful of settings that ship with Microsoft 365 Business Premium sit unconfigured in tenant after tenant, each one closing off a step attackers actually use: reconnaissance, password spray, rogue app consent, and token theft.

None of these require new licensing. As of August 2025, every setting below is available with the Entra ID P1 license already included in Business Premium. Here they are, ordered roughly by where they sit in an attack.

Why can any user browse your admin center?

By default, any user, even one with no admin role, can sign in to the Microsoft Admin Center and view information about your environment, including:

  • All user accounts and their metadata
  • Admin role assignments (anyone can see who holds Global Admin)
  • Key organizational details useful for reconnaissance

That means a single compromised standard account hands an attacker a map of who to target next.

To close it, go to User Settings → Restrict Access to Microsoft Admin Center and set it to Yes. Ideally, pair it with a Conditional Access policy so access is fully blocked, both through the UI and programmatically via PowerShell.

More info: Default user permissions in Microsoft Entra (opens in new tab)

Password spray still works because passwords are still predictable

Even in 2025, users pick passwords like "Summer2025" or "CompanyNameHQ2025," and password spray attacks are built around exactly that predictability.

Entra includes a Custom Banned Password List under Authentication Methods → Password Protection. Microsoft already maintains a global banned list (deliberately unpublished so it does not become an attacker's cheat sheet), but you can add organization-specific words and patterns on top:

  • Company name or abbreviation
  • Product names
  • Locations or office nicknames
  • Common cultural or industry terms

This matters even in tenants with MFA enforced. Techniques like MFA fatigue and social engineering can get past MFA when the attacker already holds a valid password, so blocking the predictable password in the first place still earns its keep.

More info: Configure custom Microsoft Entra password protection lists (opens in new tab)

Custom banned password list configuration in Entra password protection settings

Out of the box, users can grant consent to third-party apps and register their own applications in Entra. Attackers exploit both after compromising an account, setting up malicious apps that keep access alive long after the password is reset.

Three changes lock it down:

  1. Go to User Settings and set "Users can register applications" to No
  2. In Enterprise Applications → Consent and Permissions, set "User Consent for Applications" to Do not allow
  3. Enable Admin Consent Requests so legitimate app needs still get reviewed and approved

That removes a common post-compromise backdoor without blocking the apps your users genuinely need.

Related reading: Find risky apps in Microsoft 365

You can require managed devices without full Intune compliance

Not ready to deploy Intune device compliance everywhere? There is still a way to ensure only corporate-owned devices reach organizational data.

In Conditional Access → New Policy, configure a filter for devices where trustType = "Microsoft Entra Joined" or "Microsoft Entra Registered". Then:

  • Target all users (except break-glass accounts, guests, and necessary service accounts)
  • Block access for unmanaged devices
  • Apply to all cloud resources

This is one of the strongest moves against adversary-in-the-middle attacks and token theft, because a stolen session token replayed from an attacker's device fails the device filter.

Conditional Access policy using a device filter on trustType to block unmanaged devices

More on using this against token theft: Token Theft Playbook: Proactive Protections

Global Secure Access: the P1 entitlement most tenants ignore

Global Secure Access is part of Microsoft's SASE/ZTNA lineup, and the Microsoft Traffic profile is included with Entra ID P1. It routes traffic through a secure tunnel, protecting apps like Outlook and SharePoint from threats such as token theft.

What you get:

  • Easy deployment to end-user devices via client software
  • Integration with Conditional Access for granular control
  • Flexible remote access without exposing legacy VPN weaknesses

Full capabilities require additional licensing, but the Microsoft Traffic profile included in P1 is a strong starting point for tenants already paying for Business Premium.

More info: What is Global Secure Access? (opens in new tab)

Global Secure Access architecture diagram showing secure tunnel routing to Microsoft 365 services

Where to start

If you manage multiple tenants, work the list in attack order: restrict the admin center today (it is one toggle), set the banned password list this week, and schedule the consent and Conditional Access changes with proper exclusions for break-glass accounts. Every one of these is a setting your clients already paid for. The only cost is the configuration time.

Frequently asked questions

Do these Entra settings require an E5 license?

No. Four of the five are available in any tenant with Entra ID P1, which is included in Microsoft 365 Business Premium. Global Secure Access's Microsoft Traffic profile is also included with P1, though its full SASE capabilities require additional licensing.

Will restricting the Microsoft Admin Center break anything for regular users?

Regular users do not need Admin Center access for daily work. Pair the User Settings toggle with a Conditional Access policy so access is blocked both in the browser and programmatically through PowerShell.

What happens to legitimate apps if user consent is blocked?

Enable admin consent requests. Users can still ask for an app, and an admin reviews and approves the legitimate ones instead of every user being able to grant tenant data access on their own.

Are these five settings on in every tenant you manage?

CloudCapsule checks 250+ Microsoft 365 controls per tenant in about 60 seconds, including app consent, Conditional Access coverage, and admin portal restrictions, then tracks the drift so a setting you fixed in August cannot quietly revert by October.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading