M365 Microsoft Entra ID Capability Group

All Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
ME-RBAC-E3 Role Based Access Control protect partial T1078.001 Default Accounts
Comments
The RBAC control can be used to implement the principle of least privilege for account management, reducing the actions an adversary can perform with a default account. This scores Partial for its ability to minimize the number of accounts with management privileges. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1213.002 Sharepoint
Comments
The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1213 Data from Information Repositories
Comments
The RBAC control can generally be used to protect against and limit adversary access to valuable information repositories. Although it does not have full coverage of this technique's sub-techniques, it also helps protect against Procedure examples, resulting in an overall score of Partial. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1199 Trusted Relationship
Comments
The RBAC control can be used to implement the principle of least privilege to properly manage the accounts and permissions of parties in trusted relationships. This scores Partial for its ability to minimize the potential for abuse by the trusted party, or by an adversary who has compromised it. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1562.008 Disable or Modify Cloud Logs
Comments
The RBAC control can be used to implement the principle of least privilege to limit the users with permission to modify logging policies to those who require it. This scores Partial for its ability to minimize the number of accounts able to modify cloud logging. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1562 Impair Defenses
Comments
The RBAC control can be used to partially protect against Disable or Modify Cloud Logs, but has minimal coverage of this technique's other sub-techniques and example procedures, so it receives an overall score of Minimal. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1530 Data from Cloud Storage
Comments
The RBAC control can be used to implement the principle of least privilege for cloud data storage access to only those required. This scores Partial for its ability to minimize the attack surface of accounts with storage solution access. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1484.002 Domain Trust Modification
Comments
The RBAC control can be used to implement the principle of least privilege to limit the accounts that can modify domain trusts. This scores Partial for its ability to minimize the number of accounts with these privileges. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1484 Domain Policy Modification
Comments
The RBAC control can be used to implement the principle of least privilege to limit administrative accounts. This scores Partial for its ability to minimize the number of accounts that can modify domain policies. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1556.007 Hybrid Identity
Comments
The RBAC control can be used to implement the principle of least privilege to limit Global Administrator accounts and to ensure these accounts are cloud-only rather than synchronized from on-premises Active Directory, so that a compromise of the on-premises environment does not carry over into cloud administrative privileges. This scores Partial for its ability to minimize hybrid accounts with administrative privileges. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1556.006 Multi-Factor Authentication
Comments
The RBAC control can be used to implement the principle of least privilege to limit the accounts that can manage MFA settings. This scores Partial for its ability to minimize the number of accounts able to change or disable MFA. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1556 Modify Authentication Process
Comments
The RBAC control can be used to limit the cloud accounts holding privileges relevant to authentication modification, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage, it receives a score of Minimal. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1648 Serverless Execution
Comments
The RBAC control can be used to implement the principle of least privilege to limit accounts with permissions for serverless services to those that require them. This scores Partial for its ability to minimize the number of accounts with this ability. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1059.009 Cloud API
Comments
The RBAC control can be used to implement the principle of least privilege to limit the API operations administrative accounts can perform. This scores Partial for its ability to minimize the actions these accounts can take. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1059 Command and Scripting Interpreter
Comments
The RBAC control can be used to partially protect against the abuse of Cloud APIs but does not provide protection against this technique's other sub-techniques or other example procedures. Due to its Minimal coverage score, it receives a score of minimal. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1651 Cloud Administration Command
Comments
The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of Global and Intune administrators to those required. This scores Partial for its ability to minimize the number of accounts with the associated privileges. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1528 Steal Application Access Token
Comments
The RBAC control can be used to implement the principle of least privilege, limiting the accounts with access to application tokens. This receives a score of Partial for its ability to minimize the attack surface of accounts with this ability. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1538 Cloud Service Dashboard
Comments
The RBAC control can be used to implement the principle of least privilege, limiting dashboard visibility to necessary accounts. This receives a score of Partial for its ability to minimize the discovery value a dashboard may have in the event of a compromised account. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1098.003 Additional Cloud Roles
Comments
The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud roles. This receives a score of Partial for its ability to minimize known accounts with the ability to add roles. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1098.001 Additional Cloud Credentials
Comments
The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud credentials. This receives a score of Partial for its ability to minimize known accounts with the ability to add credentials. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1098 Account Manipulation
Comments
The RBAC control can generally be used to implement the principle of least privilege, limiting the number of accounts with management capabilities. This has Partial coverage of the Account Manipulation sub-techniques, resulting in an overall score of Partial. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1136.003 Cloud Account
Comments
The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts that can create new accounts. This receives a score of Partial for its ability to minimize known accounts with the ability to create new accounts. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1136 Create Account
Comments
The RBAC control can generally be used to implement the principle of least privilege to protect against account creation. For the given product space, this control helps protect only against Cloud Account creation, and not against this technique's other sub-techniques or procedures. Due to overall Minimal coverage, it receives an overall score of Minimal. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1078.004 Cloud Accounts
Comments
The RBAC control can be used to implement the principle of least privilege for account management, reducing the actions an adversary can perform with a cloud account. This scores Partial for its ability to minimize the number of accounts with management privileges. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1078 Valid Accounts
Comments
The RBAC control can be used to implement the principle of least privilege for account management, reducing the potential actions that can be taken with valid Default and Cloud Accounts. Although RBAC can limit the actions an adversary can take once a valid account has been compromised, it does not protect against the other variations of this technique's procedures. Due to overall Minimal coverage, it receives an overall score of Minimal. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect partial T1087.004 Cloud Account
Comments
The RBAC control can be used to implement the principle of least privilege for account management, limiting the accounts that can be used to perform account discovery. This scores Partial for its ability to minimize the number of accounts with these role privileges. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1087 Account Discovery
Comments
The RBAC control can be used to partially protect against Cloud Account Discovery, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives an overall score of minimal. License Requirements: ME-ID Built-in Roles (Free)
References
ME-RBAC-E3 Role Based Access Control protect minimal T1548.005 Temporary Elevated Cloud Access
Comments
The RBAC control can be used to implement the principle of least privilege to limit cloud accounts to assuming, creating, or impersonating only the privileges they require. This scores Minimal because it offers limited protection against the actions a temporarily elevated account can take once elevated. License Requirements: ME-ID Built-in Roles (Free)
References
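The RBAC rows above all come down to one operational question: how many accounts hold tenant-wide privileged roles, and are any of them the wrong kind of account (synchronized from on-premises, or a guest)? The following is an added example, not code from the mapping page or from Microsoft. It runs a least-privilege posture check over a role-assignment export. The records are constructed sample data modeled on the fields Microsoft Graph returns for role assignments (principalId, roleDefinitionId, directoryScopeId) and users (userPrincipalName, userType, onPremisesSyncEnabled); the role template IDs are Microsoft's documented built-in values, while the user IDs, names and the non-privileged role ID are hypothetical.

```python
"""Least-privilege posture check over an Entra ID role-assignment export.

Added example, not code from the mapping page or from Microsoft. The
records below are constructed sample data, loosely modeled on the fields
Microsoft Graph returns for unifiedRoleAssignment (principalId,
roleDefinitionId, directoryScopeId) and user objects (userPrincipalName,
userType, onPremisesSyncEnabled). Nothing here talks to a tenant; a real
run would feed a Graph export into evaluate().
"""
from collections import defaultdict

# Built-in role template IDs as documented by Microsoft.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLES = {
    GLOBAL_ADMIN: "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}
MAX_GLOBAL_ADMINS = 5  # Microsoft guidance: keep Global Administrator holders under five

# Constructed sample tenant (hypothetical users and principal IDs).
USERS = {
    "u-alice": {"userPrincipalName": "alice@contoso.example", "userType": "Member", "onPremisesSyncEnabled": False},
    "u-bob":   {"userPrincipalName": "bob@contoso.example",   "userType": "Member", "onPremisesSyncEnabled": True},
    "u-carol": {"userPrincipalName": "carol@contoso.example", "userType": "Member", "onPremisesSyncEnabled": False},
    "u-dave":  {"userPrincipalName": "dave@contoso.example",  "userType": "Member", "onPremisesSyncEnabled": True},
    "u-erin":  {"userPrincipalName": "erin@contoso.example",  "userType": "Member", "onPremisesSyncEnabled": False},
    "u-frank": {"userPrincipalName": "frank@contoso.example", "userType": "Member", "onPremisesSyncEnabled": False},
    "u-guest": {"userPrincipalName": "partner_fabrikam.example#EXT#@contoso.example", "userType": "Guest", "onPremisesSyncEnabled": False},
}
ASSIGNMENTS = [
    {"principalId": "u-alice", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"},
    {"principalId": "u-bob",   "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"},
    {"principalId": "u-carol", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"},
    {"principalId": "u-dave",  "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"},
    {"principalId": "u-erin",  "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"},
    {"principalId": "u-frank", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"},
    # Scoped to an administrative unit: the least-privilege shape we want to see.
    {"principalId": "u-frank", "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
     "directoryScopeId": "/administrativeUnits/au-helpdesk"},
    {"principalId": "u-guest", "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "directoryScopeId": "/"},
    # Non-privileged role (hypothetical ID): ignored by the checks.
    {"principalId": "u-erin",  "roleDefinitionId": "00000000-0000-0000-0000-00000000beef", "directoryScopeId": "/"},
]


def evaluate(assignments, users):
    """Return the tenant-wide GA count plus (severity, message) findings."""
    findings = []
    tenant_wide = defaultdict(set)  # role id -> principals holding it at scope "/"
    for a in assignments:
        role_name = PRIVILEGED_ROLES.get(a["roleDefinitionId"])
        if role_name is None:
            continue
        user = users.get(a["principalId"])
        if user is None:
            findings.append(("info", f"{a['principalId']}: {role_name} held by a non-user principal; review separately"))
            continue
        upn = user["userPrincipalName"]
        if a["directoryScopeId"] == "/":
            tenant_wide[a["roleDefinitionId"]].add(a["principalId"])
        else:
            findings.append(("info", f"{upn}: {role_name} scoped to {a['directoryScopeId']}"))
        if user.get("onPremisesSyncEnabled"):
            findings.append(("high", f"{upn}: hybrid account holds {role_name}; use a cloud-only account (T1556.007)"))
        if user.get("userType") == "Guest":
            findings.append(("high", f"{upn}: guest account holds {role_name} (T1199)"))
    ga_count = len(tenant_wide[GLOBAL_ADMIN])
    if ga_count >= MAX_GLOBAL_ADMINS:
        findings.append(("medium", f"{ga_count} tenant-wide Global Administrators; keep this below {MAX_GLOBAL_ADMINS}"))
    return {"global_admins": ga_count, "findings": findings}


if __name__ == "__main__":
    result = evaluate(ASSIGNMENTS, USERS)
    print(f"Global Administrators: {result['global_admins']}")
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
```

Assignments scoped to an administrative unit are reported as informational rather than counted against the tenant-wide total, because scoping is exactly the least-privilege shape the control is meant to produce. Group-based assignments and service principals fall into the "non-user principal" branch and need their own expansion before they can be judged.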
ME-PWA-E3 Passwordless Authentication protect significant T1539 Steal Web Session Cookie
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., token theft, etc.). Note that a session cookie stolen after a successful sign-in remains replayable whatever authentication method produced it; the protection here comes from removing the phishable password and from the Conditional Access controls applied to the resulting session. License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1021.007 Cloud Services
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, the use of strong two-factor authentication for remote service accounts will mitigate an adversary's ability to leverage stolen credentials. License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1110.004 Credential Stuffing
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., brute force, token theft, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1110.003 Password Spraying
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., brute force, token theft, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1110.002 Password Cracking
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., brute force, token theft, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1110.001 Password Guessing
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., brute force, token theft, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1110 Brute Force
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., brute force, token theft, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1136.003 Cloud Account
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary activity (e.g., account creation, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1098.001 Additional Cloud Credentials
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary activity (e.g., adding cloud credentials, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1098.003 Additional Cloud Roles
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary activity (e.g., adding cloud roles, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1531 Account Access Removal
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary activity (e.g., account deletion, etc.). License Requirements: All Microsoft Entra ID licenses
References
ME-PWA-E3 Passwordless Authentication protect significant T1078.004 Cloud Accounts
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of successful credential attacks (e.g., brute force, token theft, etc.). License Requirements: All Microsoft Entra ID licenses
References
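The passwordless rows above rate the control Significant, but in practice the question is which accounts can actually sign in that way, and whether "passwordless" also means phishing-resistant: only credentials bound to the origin at registration (FIDO2 security keys, Windows Hello for Business, device-bound passkeys) defeat a proxy phishing page, while an Authenticator approval can still be socially engineered. The following is an added example, not code from the mapping page or from Microsoft. It groups users by the strongest method they have registered and flags administrators who fall short of phishing resistance. The records are constructed sample data modeled on Microsoft Graph's userRegistrationDetails report (userPrincipalName, isAdmin, methodsRegistered); the method names are written from memory of that report and are an assumption to verify against your own export.

```python
"""Who can sign in without a phishable password?

Added example, not code from the mapping page or from Microsoft. The
records are constructed sample data modeled on Microsoft Graph's
userRegistrationDetails report (userPrincipalName, isAdmin,
methodsRegistered). The method names are an assumption written from
memory of that report; check them against your own export.
"""

# Credential is bound to the origin at registration, so a proxy phishing
# page cannot replay it: this is what "phishing-resistant" means here.
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}
# No password, but the approval on the phone can still be socially engineered.
PASSWORDLESS_ONLY = {"microsoftAuthenticatorPasswordless"}
# Second factors layered on a password; the password itself stays guessable and phishable.
PASSWORD_PLUS_MFA = {"microsoftAuthenticatorPush", "softwareOneTimePasscode", "mobilePhone"}

REPORT = [  # constructed sample data
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": True,
     "methodsRegistered": ["microsoftAuthenticatorPasswordless"]},
    {"userPrincipalName": "dave@contoso.example", "isAdmin": False,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "erin@contoso.example", "isAdmin": False,
     "methodsRegistered": []},
    {"userPrincipalName": "frank@contoso.example", "isAdmin": False,
     "methodsRegistered": ["windowsHelloForBusiness", "softwareOneTimePasscode"]},
]


def classify(record):
    """Strongest sign-in tier a user can actually use, judged by registered methods."""
    methods = set(record["methodsRegistered"])
    if methods & PHISHING_RESISTANT:
        return "phishing-resistant"
    if methods & PASSWORDLESS_ONLY:
        return "passwordless"
    if methods & PASSWORD_PLUS_MFA:
        return "password+mfa"
    return "password-only"


def summarize(report):
    """Count users per tier and list admins who are not phishing-resistant."""
    tiers = {}
    admins_at_risk = []
    for record in report:
        tier = classify(record)
        tiers[tier] = tiers.get(tier, 0) + 1
        # Privileged accounts are the ones an adversary most wants to phish;
        # anything short of an origin-bound credential is a finding for them.
        if record["isAdmin"] and tier != "phishing-resistant":
            admins_at_risk.append(record["userPrincipalName"])
    return {"tiers": tiers, "admins_at_risk": sorted(admins_at_risk)}


if __name__ == "__main__":
    result = summarize(REPORT)
    for tier, count in sorted(result["tiers"].items()):
        print(f"{tier:20} {count}")
    print("admins without a phishing-resistant method:", ", ".join(result["admins_at_risk"]))
```

The classification only says what a user could use; whether they must use it is set by Conditional Access (an authentication strength requiring phishing-resistant MFA on the administrative roles), which is why the rows above pair the two controls.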
ME-PWP-E3 Password Policy protect significant T1586.003 Cloud Accounts
Comments
Cloud accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock the account out again, in real time, for increasing durations. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PWP-E3 Password Policy protect partial T1110.004 Credential Stuffing
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock the account out again, in real time, for increasing durations. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PWP-E3 Password Policy protect partial T1110.003 Password Spraying
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock the account out again, in real time, for increasing durations. Because the lockout counter is kept per account, a spray that tries one or two passwords against many accounts stays below the threshold on every account, which is why coverage here is Partial rather than Significant. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PWP-E3 Password Policy protect partial T1110.002 Password Cracking
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock the account out again, in real time, for increasing durations. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PWP-E3 Password Policy protect significant T1110.001 Password Guessing
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock the account out again, in real time, for increasing durations. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PWP-E3 Password Policy protect significant T1078 Valid Accounts
Comments
Accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PWP-E3 Password Policy protect partial T1110 Brute Force
Comments
A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
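The Password Policy rows above score Significant for password guessing but only Partial for spraying, and the reason is visible in sign-in data: lockout counts failures per account, so a brute force against one account trips it while a spray that touches many accounts once each never does. The following is an added example, not code from the mapping page or from Microsoft. It builds a small set of sign-in records and runs detection logic over them that separates the two patterns and reports whether lockout ever engaged. The records are constructed sample data modeled on a few fields of Entra ID sign-in logs (userPrincipalName, ipAddress and status.errorCode, flattened here as errorCode); the error codes 50126 (invalid credentials) and 50053 (account locked) are Entra's real values, the IP addresses are documentation ranges, and the lockout behaviour is simulated rather than observed.

```python
"""Telling a password spray from a brute force in Entra ID sign-in data.

Added example, not code from the mapping page or from Microsoft. The
sign-in records are constructed sample data modeled on a few fields of
Entra ID sign-in logs (userPrincipalName, ipAddress, status.errorCode,
flattened here as errorCode); the error codes 50126 (invalid credentials)
and 50053 (account locked) are the real Entra values, the IP addresses
are documentation ranges, and the lockout behaviour is simulated.
"""
import datetime as dt
from collections import defaultdict

SUCCESS = 0
ERR_INVALID_CREDENTIALS = 50126
ERR_ACCOUNT_LOCKED = 50053

LOCKOUT_THRESHOLD = 10      # default smart lockout threshold, counted per account
SPRAY_MIN_ACCOUNTS = 10     # one source touching this many accounts ...
SPRAY_MAX_PER_ACCOUNT = 3   # ... with only a few guesses each


def build_sample():
    """Constructed sign-ins: one brute force, one spray, one clumsy user."""
    base = dt.datetime(2024, 5, 1, 2, 0, tzinfo=dt.timezone.utc)
    records = []

    def add(seconds, upn, ip, code):
        records.append({"createdDateTime": base + dt.timedelta(seconds=seconds),
                        "userPrincipalName": upn, "ipAddress": ip, "errorCode": code})

    # Brute force: 14 guesses against one account. The tenth failure trips
    # smart lockout, so later attempts fail with 50053 regardless of password.
    for i in range(14):
        code = ERR_INVALID_CREDENTIALS if i < LOCKOUT_THRESHOLD else ERR_ACCOUNT_LOCKED
        add(5 * i, "alice@contoso.example", "203.0.113.10", code)
    # Spray: a single guess against each of 25 accounts; one of them works.
    for i in range(25):
        code = SUCCESS if i == 19 else ERR_INVALID_CREDENTIALS
        add(100 + 20 * i, f"user{i:02d}@contoso.example", "198.51.100.7", code)
    # Benign: a user mistypes twice, then signs in.
    add(700, "bob@contoso.example", "192.0.2.5", ERR_INVALID_CREDENTIALS)
    add(710, "bob@contoso.example", "192.0.2.5", ERR_INVALID_CREDENTIALS)
    add(720, "bob@contoso.example", "192.0.2.5", SUCCESS)
    return records


def detect(records):
    """Return brute-forced accounts, locked accounts, and spray sources."""
    failures_by_user = defaultdict(int)
    failures_by_ip = defaultdict(lambda: defaultdict(int))   # ip -> upn -> count
    successes_by_ip = defaultdict(set)
    locked = set()
    for r in records:
        upn, ip, code = r["userPrincipalName"], r["ipAddress"], r["errorCode"]
        if code == SUCCESS:
            successes_by_ip[ip].add(upn)
            continue
        failures_by_user[upn] += 1
        failures_by_ip[ip][upn] += 1
        if code == ERR_ACCOUNT_LOCKED:
            locked.add(upn)

    # Brute force: enough failures on one account to reach the lockout threshold.
    brute_force = sorted(u for u, n in failures_by_user.items() if n >= LOCKOUT_THRESHOLD)

    # Spray: many accounts from one source, each touched only a few times,
    # so no single account ever reaches the per-account lockout counter.
    sprays = []
    for ip, per_user in failures_by_ip.items():
        if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT:
            sprays.append({"ip": ip, "accounts": len(per_user),
                           "locked_any": any(u in locked for u in per_user),
                           "compromised": sorted(successes_by_ip[ip])})
    return {"brute_force": brute_force, "locked": sorted(locked), "sprays": sprays}


if __name__ == "__main__":
    for key, value in detect(build_sample()).items():
        print(f"{key}: {value}")
```

In the sample the brute force is both detected and stopped by lockout, while the spray source is detected only because failures are grouped by source rather than by account, and it still yields one working credential. Real smart lockout also keeps separate counters for familiar and unfamiliar locations, so the per-account threshold is, if anything, easier to stay under than this simulation suggests.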
ME-PIM-E5 Privileged Identity Management detect significant T1098.003 Additional Cloud Roles
Comments
The PIM control can notify administrators when the Global Administrator and other administrator roles are assigned to an account, allowing it to serve as a method of detection for Additional Cloud Roles execution. PIM supports multiple security alerts with customizable triggers, including numeric thresholds (for example, alerting when the number of Global Administrators exceeds a set value). Following Microsoft's role-based access control best practices, assignment of Global Administrator and other administrative roles should be uncommon, resulting in an overall low false positive rate for detecting unexpected privileged role assignments. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management detect minimal T1098 Account Manipulation
Comments
The PIM control can assist post-execution detection by alerting on the assignment of privileged Additional Cloud Roles. This is not extendable to detect against the technique's other sub-techniques, resulting in overall minimal detection coverage. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1651 Cloud Administration Command
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrator. Configuration can include an MFA requirement, which helps limit the overall privileged accounts available and their ability to execute administration commands. PIM can also be used to assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1098.003 Additional Cloud Roles
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as the Global Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Roles. MFA can be required both when assigning these administrative roles, and/or when a user activates the role. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1098.001 Additional Cloud Credentials
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as Application Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Credentials. PIM can also be used to assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1098 Account Manipulation
Comments
The PIM control provides significant protection against several of this technique's sub-techniques, although not all, so sub-technique coverage is partial. The control nonetheless scores Significant for the temporal aspects of its protection: eligible privileged roles must be activated before use, and the user's identity is confirmed with MFA before execution. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1136.003 Cloud Account
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as User Administrator. Configuration can include an MFA requirement, which can provide additional protection against Cloud Account creation. PIM can also be used to assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect partial T1136 Create Account
Comments
The PIM control provides significant protection against Create Account: Cloud Account, but not against the technique's other sub-techniques. An overall score of Partial is assigned, although coverage across the sub-techniques is minimal. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect partial T1078.004 Cloud Accounts
Comments
The PIM control supports an Access Review feature, which can be created to review privileged access to avoid stale role assignments. Access Reviews can be scheduled routinely, and used to help evaluate the state of privileged access. Performing this review can help minimize the availability of valid accounts to adversaries. Although this review can be scheduled periodically, it would not occur at real-time frequency, and is therefore assigned Partial. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect minimal T1078 Valid Accounts
Comments
The PIM control supports an Access Review feature, which can partially be used to avoid stale role assignment for Valid Accounts: Cloud Accounts. The control does not protect against this technique's other sub-techniques, resulting in a Minimal coverage score, for an overall score of Minimal. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1556.007 Hybrid Identity
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrator, which may be used to modify the hybrid identity authentication process from the cloud. Ideally, ensure these accounts are dedicated cloud-only accounts rather than hybrid accounts. MFA can be required both when assigning Global Administrator and/or when a user activates the role. PIM can also be used to assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. This scores Significant for its limitation of the overall accounts with these privileges and the conditions placed on their use. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect significant T1556.006 Multi-Factor Authentication
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as Conditional Access Administrator, Global Administrator or Security Administrator, which carry the privileges needed to modify certain MFA settings. Configuration can include an MFA requirement, which can provide additional protection against modifying Multi-Factor Authentication. MFA can be required both when assigning these administrative roles and/or when a user activates the role. PIM can also be used to assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. This scores Significant for its limitation of the overall accounts with these privileges and the conditions placed on their use. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
ME-PIM-E5 Privileged Identity Management protect minimal T1556 Modify Authentication Process
Comments
The PIM control significantly protects against modification of Multi-Factor Authentication by placing limitations and restrictions on the relevant privileged accounts. Relative to all of the technique's sub-techniques, however, this is Minimal coverage. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
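The PIM rows above rest on two things a detection engineer has to see in the audit log: the difference between an eligible assignment (gated by activation and MFA) and a standing active assignment made outside PIM (gated by nothing), and the fact that every PIM activation is also written through to the directory as an ordinary "Add member to role" event initiated by the MS-PIM service, which produces duplicate alerts if it is not filtered. The following is an added example, not code from the mapping page or from Microsoft. It triages a handful of audit events along those lines. The events are constructed sample data modeled on Entra ID audit log entries; the fields are flattened (initiator, targetUser, targetRole) rather than Graph's nested initiatedBy/targetResources, and the activityDisplayName strings and the MS-PIM initiator name are written from memory of real logs, so treat them as assumptions to verify against your own tenant.

```python
"""Alerting on privileged role changes in Entra ID audit records.

Added example, not code from the mapping page or from Microsoft. The
events are constructed sample data modeled on Entra ID audit log
entries; the fields are flattened (initiator, targetUser, targetRole)
rather than Graph's nested initiatedBy/targetResources, and the
activityDisplayName strings and the MS-PIM initiator name are written
from memory of real logs: assumptions to verify against your tenant.
"""

PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "User Administrator",
}
# PIM materializes an activation as a directory membership too, so each
# activation is followed by a Core Directory "Add member to role" event
# initiated by the MS-PIM service. Skipping it avoids a duplicate alert.
PIM_SERVICE = "MS-PIM"

EVENTS = [  # constructed sample data
    {"activityDisplayName": "Add eligible member to role", "loggedByService": "PIM",
     "initiator": "alice@contoso.example", "targetUser": "bob@contoso.example",
     "targetRole": "Global Administrator"},
    {"activityDisplayName": "Add member to role requested (PIM activation)", "loggedByService": "PIM",
     "initiator": "bob@contoso.example", "targetUser": "bob@contoso.example",
     "targetRole": "Global Administrator"},
    {"activityDisplayName": "Add member to role completed (PIM activation)", "loggedByService": "PIM",
     "initiator": "bob@contoso.example", "targetUser": "bob@contoso.example",
     "targetRole": "Global Administrator"},
    {"activityDisplayName": "Add member to role", "loggedByService": "Core Directory",
     "initiator": PIM_SERVICE, "targetUser": "bob@contoso.example",
     "targetRole": "Global Administrator"},
    {"activityDisplayName": "Add member to role", "loggedByService": "Core Directory",
     "initiator": "carol@contoso.example", "targetUser": "mallory@contoso.example",
     "targetRole": "Global Administrator"},
    {"activityDisplayName": "Add member to role", "loggedByService": "Core Directory",
     "initiator": "carol@contoso.example", "targetUser": "helpdesk1@contoso.example",
     "targetRole": "Directory Readers"},
    {"activityDisplayName": "Add member to role completed (PIM activation)", "loggedByService": "PIM",
     "initiator": "dave@contoso.example", "targetUser": "dave@contoso.example",
     "targetRole": "Application Administrator"},
]


def triage(events):
    """Return alerts for standing or eligible privileged assignments, plus activations."""
    alerts, activations = [], []
    for e in events:
        role = e["targetRole"]
        if role not in PRIVILEGED_ROLES:
            continue
        activity = e["activityDisplayName"]
        if activity == "Add member to role" and e["loggedByService"] == "Core Directory":
            if e["initiator"] == PIM_SERVICE:
                continue  # mirror of a PIM activation, handled by the branch below
            # A permanent, active assignment made outside PIM: no activation
            # gate, no MFA-on-activation, no expiry.
            alerts.append(("high", f"{e['initiator']} granted {e['targetUser']} standing {role} outside PIM"))
        elif activity == "Add eligible member to role":
            severity = "medium" if role == "Global Administrator" else "low"
            alerts.append((severity, f"{e['initiator']} made {e['targetUser']} eligible for {role}"))
        elif activity == "Add member to role completed (PIM activation)":
            activations.append((e["targetUser"], role))
    return {"alerts": alerts, "activations": activations}


if __name__ == "__main__":
    result = triage(EVENTS)
    for severity, message in result["alerts"]:
        print(f"[{severity}] {message}")
    for user, role in result["activations"]:
        print(f"[activation] {user} -> {role}")
```

The direct Global Administrator grant to mallory is the event the detect mapping above is really about; the eligible grant to bob is worth a lower-severity review because PIM's activation requirements still stand between the assignment and its use.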
ME-PP-E3 Password Protection protect partial T1586.003 Cloud Accounts
Comments
Cloud accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PP-E3 Password Protection protect partial T1078 Valid Accounts
Comments
Accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PP-E3 Password Protection protect partial T1110.004 Credential Stuffing
Comments
With Microsoft Entra Password Protection, you can define entries in a custom banned password list. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PP-E3 Password Protection protect partial T1110.003 Password Spraying
Comments
Microsoft Entra Password Protection efficiently blocks all known weak passwords likely to be used in password spray attacks. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-PP-E3 Password Protection protect partial T1110 Brute Force
Comments
With Microsoft Entra Password Protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your own business and security needs, you can define entries in a custom banned password list. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers. License Requirements: Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2
References
ME-MFA-E3 Multi-factor Authentication protect significant T1078.004 Cloud Accounts
Comments
Requiring the use of MFA for all users can significantly reduce the likelihood of adversaries gaining access to the environment's cloud accounts.
References
ME-MFA-E3 Multi-factor Authentication protect partial T1136.003 Cloud Account
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making modifications, such as creating cloud accounts.
References
ME-MFA-E3 Multi-factor Authentication T1098.002 Additional Email Delegate Permissions
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making modifications, such as changes to email delegate permissions.
References
ME-MFA-E3 Multi-factor Authentication protect partial T1098.003 Additional Cloud Roles
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.
References
ME-MFA-E3 Multi-factor Authentication protect partial T1098.001 Additional Cloud Credentials
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.
References
ME-MFA-E3 Multi-factor Authentication protect minimal T1098 Account Manipulation
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.
References
ME-MFA-E3 Multi-factor Authentication protect significant T1110.004 Credential Stuffing
Comments
MFA can significantly reduce the impact of password spraying, requiring the adversary to complete an additional authentication method before access is permitted. Based on studies, enabling MFA makes an account 99.9% less likely to be compromised through techniques such as phishing, brute force, credential stuffing, and key logging.
References
ME-MFA-E3 Multi-factor Authentication T1110.003 Password Spraying
Comments
MFA can significantly reduce the impact of password spraying, requiring the adversary to complete an additional authentication method before access is permitted. Based on studies, enabling MFA makes an account 99.9% less likely to be compromised through techniques such as phishing, brute force, credential stuffing, and key logging.
References
ME-MFA-E3 Multi-factor Authentication protect significant T1110.002 Password Cracking
Comments
MFA can significantly reduce the impact of password cracking, requiring the adversary to complete an additional authentication method before access is permitted. Based on studies, enabling MFA makes an account 99.9% less likely to be compromised through techniques such as phishing, brute force, credential stuffing, and key logging.
References
ME-MFA-E3 Multi-factor Authentication protect significant T1136.003 Cloud Account
Comments
MFA can significantly reduce the impact from adversaries creating accounts by requiring an additional authentication method for verification (e.g., Microsoft Authenticator, Authenticator Lite (in Outlook), Windows Hello for Business, FIDO2 security key, OATH hardware token (preview), OATH software token, SMS, Voice call, etc.).
References
ME-MFA-E3 Multi-factor Authentication protect significant T1110.001 Password Guessing
Comments
MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before access is permitted.
References
ME-MFA-E3 Multi-factor Authentication protect significant T1110 Brute Force
Comments
MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.
References
ME-MFA-E3 Multi-factor Authentication protect T1566.001 Spearphishing Attachment
Comments
MFA provides significant/partial/minimal security protection against phishing tactics and related sub-techniques.
References
ME-MFA-E3 Multi-factor Authentication protect T1566.002 Spearphishing Link
Comments
MFA provides significant/partial/minimal security protection against phishing tactics and related sub-techniques.
References
ME-MFA-E3 Multi-factor Authentication protect significant T1566 Phishing
ME-MFA-E3 Multi-factor Authentication protect significant T1530 Data from Cloud Storage
Comments
MFA provides significant protection by enforcing and restricting access to resources (e.g., cloud storage, APIs, etc.).
References
    ME-IP-E5 Identity Protection detect significant T1098.003 Additional Cloud Roles
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1098.001 Additional Cloud Credentials
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect significant T1098 Account Manipulation
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1110.004 Credential Stuffing
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1110.003 Password Spraying
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1110.002 Password Cracking
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1110.001 Password Guessing
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1110 Brute Force
    Comments
    Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect significant T1621 Multi-Factor Authentication Request Generation
    Comments
    During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect significant T1556.006 Multi-Factor Authentication
    Comments
    During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect minimal T1556 Modify Authentication Process
    Comments
    During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1586.003 Cloud Accounts
    Comments
    Cloud accounts should have complex and unique passwords across all systems on the network. Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. License Requirements: Microsoft Entra ID P2
    References
    ME-IP-E5 Identity Protection protect partial T1078 Valid Accounts
    Comments
    Accounts should have complex and unique passwords across all systems on the network. Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. License Requirements: Microsoft Entra ID P2
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1556.006 Multi-Factor Authentication
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1134.001 Token Impersonation/Theft
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1098.006 Additional Container Cluster Roles
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1098.003 Additional Cloud Roles
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1548.005 Temporary Elevated Cloud Access
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1110 Brute Force
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1585.003 Cloud Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1585.002 Email Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1585 Establish Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1651 Cloud Administration Command
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1114 Email Collection
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1114.002 Remote Email Collection
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1586.003 Cloud Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1586.002 Email Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1586 Compromise Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1531 Account Access Removal
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events are then evaluated and enforced in near real time, so tenant users lose access to organizational SharePoint Online files, email, calendar, tasks, and Teams from Microsoft 365 client apps within minutes of a critical event being detected, rather than only when the current access token expires. The following events are currently evaluated: a user account is deleted or disabled; the password for a user is changed or reset; multifactor authentication is enabled for the user; an administrator explicitly revokes all refresh tokens for a user; high user risk is detected by Microsoft Entra ID Protection. License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1586.003 Cloud Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events are then evaluated and enforced in near real time, so tenant users lose access to organizational SharePoint Online files, email, calendar, tasks, and Teams from Microsoft 365 client apps within minutes of a critical event being detected, rather than only when the current access token expires. The following events are currently evaluated: a user account is deleted or disabled; the password for a user is changed or reset; multifactor authentication is enabled for the user; an administrator explicitly revokes all refresh tokens for a user; high user risk is detected by Microsoft Entra ID Protection. License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1078 Valid Accounts
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events are then evaluated and enforced in near real time, so tenant users lose access to organizational SharePoint Online files, email, calendar, tasks, and Teams from Microsoft 365 client apps within minutes of a critical event being detected, rather than only when the current access token expires. The following events are currently evaluated: a user account is deleted or disabled; the password for a user is changed or reset; multifactor authentication is enabled for the user; an administrator explicitly revokes all refresh tokens for a user; high user risk is detected by Microsoft Entra ID Protection. License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
    ME-CAE-E3 Conditional Access Evaluation detect significant T1539 Steal Web Session Cookie
    Comments
    Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events are then evaluated and enforced in near real time, so tenant users lose access to organizational SharePoint Online files, email, calendar, tasks, and Teams from Microsoft 365 client apps within minutes of a critical event being detected, rather than only when the current access token expires. The following events are currently evaluated: a user account is deleted or disabled; the password for a user is changed or reset; multifactor authentication is enabled for the user; an administrator explicitly revokes all refresh tokens for a user; high user risk is detected by Microsoft Entra ID Protection. License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
    References
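The following script is an added example, not part of the mappings page or of Microsoft's documentation. It shows the containment side of the control described above: during response to a suspected account compromise (Valid Accounts, Steal Web Session Cookie), an administrator deliberately raises two of the critical events that continuous access evaluation reacts to, disabling the account and revoking its refresh tokens, so that CAE-capable Microsoft 365 clients lose access within minutes instead of at the next access token expiry. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the User.ReadWrite.All delegated scope, and that `$Upn` is the user under investigation.

```powershell
# Added example (not from the mappings page): trigger two of the events that
# continuous access evaluation enforces in near real time, as the containment
# step for a suspected account compromise.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the caller holds the
# User.ReadWrite.All delegated scope; $Upn is the account under investigation.
param(
    [Parameter(Mandatory)] [string] $Upn
)

Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id,DisplayName,AccountEnabled
Write-Host "Containing $($user.DisplayName) ($($user.Id)); enabled=$($user.AccountEnabled)"

# CAE event: "User account is deleted or disabled". Disable rather than delete
# so sign-in logs, mailbox and OneDrive contents stay available for forensics.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# CAE event: "Administrator explicitly revokes all refresh tokens for a user".
# Invalidates refresh tokens and browser session cookies; subscribed services
# (Exchange Online, SharePoint Online, Teams) stop honouring existing tokens
# once the revocation event reaches them.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Verify the directory state actually changed before closing the step.
$after = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($after.AccountEnabled) {
    throw "Account $Upn is still enabled; containment did not take effect"
}
Write-Host "Account disabled and sign-in sessions revoked for $Upn"
```

Caveat: the near-real-time cut-off applies only to CAE-capable clients talking to CAE-enabled services; a client or third-party resource that does not participate in CAE keeps accepting a previously issued access token until it expires, so the revocation should be paired with a review of recent sign-ins and of any OAuth application consents granted from the account.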
    ME-CA-E5 Conditional Access protect partial T1059.009 Cloud API
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1078 Valid Accounts
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1586.003 Cloud Accounts
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1621 Multi-Factor Authentication Request Generation
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1110.004 Credential Stuffing
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1110.003 Password Spraying
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1110.002 Password Cracking
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1110.001 Password Guessing
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
    ME-CA-E5 Conditional Access protect partial T1110 Brute Force
    Comments
    Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls on the account resources adversaries may attempt to abuse: conditional access to cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, responding to failed login attempts, account lockout policies, etc. Some of these features may require Microsoft Entra ID P2.
    References
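The following script is an added example, not part of the mappings page or of Microsoft's documentation. It creates the two Conditional Access policies that most directly address the Brute Force, Valid Accounts and Cloud Accounts rows above: a block on legacy authentication (protocols such as IMAP, POP and SMTP AUTH that cannot complete an MFA challenge and so are the usual target of password spraying) and a requirement for multi-factor authentication for all users. Both policies are created in report-only mode so the sign-in log shows what would have been blocked before enforcement is turned on. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes, and that `$BreakGlassGroupId` is the object ID of an emergency-access group that must never be locked out; the policy names CA001 and CA002 are placeholders.

```powershell
# Added example (not from the mappings page): two Conditional Access policies,
# block legacy authentication and require MFA for all users, created in
# report-only mode so their effect can be reviewed in the sign-in log first.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the caller holds
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All; $BreakGlassGroupId is
# the object ID of an emergency-access group excluded from both policies.
param(
    [Parameter(Mandatory)] [string] $BreakGlassGroupId
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$blockLegacyAuth = @{
    displayName = "CA001 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        # Legacy protocols appear as these two client app types in the sign-in log
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$requireMfa = @{
    displayName = "CA002 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Idempotent: skip any policy that already exists under the same display name.
$existing = Get-MgIdentityConditionalAccessPolicy -All

foreach ($policy in @($blockLegacyAuth, $requireMfa)) {
    if ($existing | Where-Object { $_.DisplayName -eq $policy.displayName }) {
        Write-Host "Skipping existing policy: $($policy.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created $($created.DisplayName) [$($created.Id)] state=$($created.State)"
}
```

Two practical caveats: Conditional Access itself requires Microsoft Entra ID P1; only the sign-in-risk and user-risk conditions need P2, which is what the mapping's licensing note refers to. And a block policy with no exclusion can lock every administrator out of the tenant, which is why the emergency-access group is excluded and why the policies start in report-only mode rather than enabled.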

    Capabilities

    Capability ID Capability Name Number of Mappings
    ME-CA-E5 Conditional Access 9
    ME-CAE-E3 Conditional Access Evaluation 19
    ME-PIM-E5 Privileged Identity Management 13
    ME-IP-E5 Identity Protection 13
    ME-PWP-E3 Password Policy 7
    ME-PP-E3 Password Protection 5
    ME-PWA-E3 Passwordless Authentication 12
    ME-RBAC-E3 Role Based Access Control 28
    ME-MFA-E3 Multi-factor Authentication 16