5 Microsoft Entra Security Features You Might Not Know About

Microsoft Entra has a wealth of security features that often fly under the radar—yet they can make a significant difference in protecting your environment. The best part? Many of these settings are already included in base licenses like Microsoft 365 Business Premium.

Let’s walk through five lesser-known Entra settings that you can enable today to improve your security posture.

1. Custom Banned Passwords

Even in 2025, password security is still one of the most common weak points in an organization’s defenses. Users often select predictable passwords like “Summer2025” or “CompanyNameHQ2025,” making them easy targets for password spray attacks.

Microsoft Entra includes a Custom Banned Password List option under Authentication Methods → Password Protection. While Microsoft already maintains a global banned list (not published to avoid helping attackers), you can add organization-specific words and patterns such as:

  • Company name or abbreviation
  • Product names
  • Locations or office nicknames
  • Common cultural or industry terms

By doing so, you block attackers from exploiting predictable patterns that could otherwise lead to account compromise—even if MFA is enabled (since techniques like MFA fatigue or social engineering can bypass it if the attacker already has the password).

More Info: Configure custom Microsoft Entra password protection lists – Microsoft Entra ID | Microsoft Learn

2. Restrict Access to the Microsoft Admin Center

By default, any user—even without an admin role—can log in to the Microsoft Admin Center and view information about your environment, including:

  • All user accounts and metadata
  • Admin role assignments (i.e., anyone can see who is a Global Admin)
  • Key organizational details useful for reconnaissance

You can change this under User Settings → Restrict Access to Microsoft Admin Center. Set it to Yes, and ideally pair it with a Conditional Access policy to fully block access, both through the UI and programmatically via PowerShell.

This prevents compromised non-admin accounts from becoming an attacker’s reconnaissance tool.

More Info: Default user permissions – Microsoft Entra | Microsoft Learn

3. Conditional Access: Require Managed Devices

If you’re cloud-only or not ready to fully deploy Intune device compliance, there’s still a way to ensure only corporate-owned devices can access organizational data.

In Conditional Access → New Policy, configure a filter for devices where trustType = “Microsoft Entra Joined” or “Microsoft Entra Registered”. Then:

  • Target all users (except break-glass accounts, guests, and necessary service accounts)
  • Block access for unmanaged devices
  • Apply to all cloud resources

This setting helps stop Adversary-in-the-Middle attacks and token theft by ensuring access only comes from devices you control.
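To confirm the policy described above is really in force, the check below audits a Conditional Access policy object as Microsoft Graph returns it. It is an added example, not code from the original post: the function name, the placeholder break-glass ID and both sample policies are constructed, and it assumes the block policy excludes managed devices through a device filter that uses Graph's `trustType` values.

```python
import copy
import re

# Graph trustType values: "AzureAD" = Entra joined, "Workplace" = Entra registered.
MANAGED = {"AzureAD", "Workplace"}

def audit_block_unmanaged(policy, break_glass_ids):
    """Return findings for one conditionalAccessPolicy object (empty list = OK)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    flt = (cond.get("devices") or {}).get("deviceFilter") or {}
    grant = policy.get("grantControls") or {}
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: not enforced")
    if "All" not in users.get("includeUsers", []):
        findings.append("does not target all users")
    missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
    if missing:
        findings.append(f"break-glass accounts not excluded: {sorted(missing)}")
    if "All" not in apps.get("includeApplications", []):
        findings.append("does not cover all cloud resources")
    if "block" not in grant.get("builtInControls", []):
        findings.append("grant control is not 'block'")
    # Only simple '-eq' comparisons are recognised; review other operators by hand.
    named = set(re.findall(r'device\.trustType\s+-eq\s+"(\w+)"', flt.get("rule") or ""))
    if flt.get("mode") != "exclude":
        findings.append("device filter does not exclude managed devices from the block")
    elif MANAGED - named:
        findings.append(f"managed trust types still blocked: {sorted(MANAGED - named)}")
    return findings

# Constructed sample policies (not exported from a real tenant).
BREAK_GLASS = "BREAK-GLASS-OBJECT-ID"  # placeholder object ID
GOOD = {
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "devices": {"deviceFilter": {"mode": "exclude", "rule":
            'device.trustType -eq "AzureAD" -or device.trustType -eq "Workplace"'}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
WEAK = copy.deepcopy(GOOD)  # report-only, no break-glass exclusion, narrower filter
WEAK["state"] = "enabledForReportingButNotEnforced"
WEAK["conditions"]["users"]["excludeUsers"] = []
WEAK["conditions"]["devices"]["deviceFilter"]["rule"] = 'device.trustType -eq "AzureAD"'
print(audit_block_unmanaged(WEAK, [BREAK_GLASS]))
```

A policy left in report-only state is the finding to watch for after a staged rollout, since it logs what would be blocked without blocking anything.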

More info on using this to prevent token theft: Token Theft Playbook: Proactive Protections

4. Block User Consent and App Registrations

By default, users can grant consent to third-party apps and register their own applications in Entra. This is risky—attackers can exploit this after compromising an account to set up malicious persistence.

To lock this down:

  • Go to User Settings → Set “Users can register applications” to No
  • In Enterprise Applications → Consent and Permissions, set “User Consent for Applications” to Do not allow
  • Enable Admin Consent Requests to review and approve legitimate needs

This eliminates a common backdoor that attackers exploit post-compromise.
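The three portal settings above map to properties on two Microsoft Graph objects, so they can be verified after the change. The audit below is an added example, not code from the original post: the function name and sample documents are constructed, and the policy and reviewer IDs containing EXAMPLE or REVIEWER are placeholders.

```python
def audit_consent_settings(authorization_policy, admin_consent_policy):
    """Check the app-registration and consent settings; empty list = locked down."""
    perms = authorization_policy.get("defaultUserRolePermissions") or {}
    findings = []
    # "Users can register applications" = No
    if perms.get("allowedToCreateApps", True):
        findings.append("users can register applications")
    # User consent is granted by assigned policies named ManagePermissionGrantsForSelf.*;
    # ManagePermissionGrantsForOwnedResource.* entries concern group-owner consent.
    self_grants = [p for p in perms.get("permissionGrantPoliciesAssigned", [])
                   if p.lower().startswith("managepermissiongrantsforself.")]
    if self_grants:
        findings.append(f"user consent allowed via: {self_grants}")
    # Admin consent requests need to be enabled and routed to someone.
    if not admin_consent_policy.get("isEnabled", False):
        findings.append("admin consent requests are disabled")
    elif not admin_consent_policy.get("reviewers"):
        findings.append("admin consent requests have no reviewers")
    return findings

# Constructed samples shaped like the responses of
# GET /policies/authorizationPolicy and GET /policies/adminConsentRequestPolicy.
OPEN_AUTHZ = {"defaultUserRolePermissions": {
    "allowedToCreateApps": True,
    "permissionGrantPoliciesAssigned": [
        "ManagePermissionGrantsForSelf.microsoft-user-default-legacy",
        "ManagePermissionGrantsForOwnedResource.EXAMPLE-POLICY-ID",
    ]}}
LOCKED_AUTHZ = {"defaultUserRolePermissions": {
    "allowedToCreateApps": False,
    "permissionGrantPoliciesAssigned": [
        "ManagePermissionGrantsForOwnedResource.EXAMPLE-POLICY-ID",
    ]}}
CONSENT_OFF = {"isEnabled": False, "reviewers": []}
CONSENT_ON = {"isEnabled": True, "reviewers": [
    {"query": "/users/REVIEWER-OBJECT-ID", "queryType": "MicrosoftGraph"}]}

if __name__ == "__main__":
    print(audit_consent_settings(OPEN_AUTHZ, CONSENT_OFF))
    print(audit_consent_settings(LOCKED_AUTHZ, CONSENT_ON))
```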

More on this topic: Find risky apps in Microsoft 365

5. Global Secure Access (P1)

Included with Entra ID P1, Global Secure Access is part of Microsoft’s SASE/ZTNA solutions. It routes traffic through a secure tunnel, protecting apps like Outlook and SharePoint from threats such as token theft.

Benefits include:

  • Easy deployment to end-user devices via client software
  • Integration with Conditional Access for granular control
  • Flexible remote access without exposing legacy VPN weaknesses

While full capabilities require additional licensing, the included Microsoft Traffic profile in P1 is a great starting point.

More info: What is Global Secure Access? – Global Secure Access | Microsoft Learn

Level Up Your Security With CloudCapsule

Identifying and enabling these settings is just one part of a stronger Microsoft 365 security posture.

CloudCapsule makes it easier by continuously assessing your tenant against over 150 Microsoft 365 security checks, mapping them to industry frameworks like CIS Controls, and producing clear, client-ready reports that highlight risks, explain impact in business terms, and recommend prioritized fixes.

Whether you manage a single organization or dozens as an MSP, CloudCapsule helps you:

  • Uncover gaps in configurations like the ones discussed above.

  • Track changes over time with delta/drift reporting.

  • Demonstrate value to stakeholders with professional, non-technical summaries.

  • Streamline remediation with step-by-step guidance.

If you want to go beyond “set it and forget it” and truly operationalize Microsoft 365 security, CloudCapsule can give you the visibility, context, and reporting power you need.
