Entra ID (formerly Azure AD) is the identity backbone for most Microsoft-centric SaaS companies, and it's also one of the first things auditors and enterprise security reviewers ask about. Here's the checklist we run through with every client, in priority order.
1. Multi-factor authentication
- MFA enforced for all users, not just admins
- Legacy authentication protocols (which bypass MFA) blocked entirely
- Phishing-resistant methods (FIDO2, Windows Hello) prioritized over SMS
2. Conditional access policies
- Block access from unmanaged devices for sensitive apps
- Require compliant device or MFA for all cloud app access
- Location-based restrictions for high-risk sign-ins
- Session controls to limit persistent sign-in on shared or unmanaged devices
3. Role-based access control (RBAC)
- No standing Global Admin assignments — use Privileged Identity Management (PIM) for just-in-time elevation
- Custom roles scoped to least privilege rather than broad built-in roles
- Quarterly access reviews for all privileged roles
4. Application and consent management
- Admin consent required for all app registrations — no user consent for high-risk permissions
- Regular audit of third-party apps with delegated access to your tenant
- Legacy or unused app registrations removed
5. Identity protection and monitoring
- Risky sign-in and risky user policies configured and enforced, not just monitored
- Sign-in and audit logs exported to a SIEM or retained for at least one year (SOC 2/ISO 27001 requirement)
- Alerts configured for impossible travel, unfamiliar sign-in properties, and password spray patterns
Where most companies fall short: MFA and conditional access get configured early, but PIM and quarterly access reviews get skipped because they require ongoing process discipline, not just a one-time setup. Auditors specifically look for evidence of the review cadence, not just the policy existing.
6. Guest and external access
- Guest access restricted to specific domains where possible
- Expiration policies on guest accounts tied to project or contract length
- Regular cleanup of stale guest accounts
Bottom line
This checklist maps directly to control requirements in SOC 2's Common Criteria and ISO 27001's Annex A access control domain — get this right and you've already satisfied a large share of your audit evidence requirements for identity and access management.