Configure Microsoft Entra ID#

These instructions will configure the Microsoft Entra ID where you will manage your users. You only need one Microsoft Entra ID for your deployment of the Data Safe Haven.

Setting up your Microsoft Entra tenant#

Tip

We suggest using a dedicated Microsoft Entra tenant for your DSH deployment, but this is not a requirement.

We also recommend using a separate tenant for managing your users from the one where your infrastructure subscriptions live, but this is not a requirement.

If you decide to deploy a new tenant for user management, follow the instructions here:

How to deploy a new tenant

Follow the instructions here.

  • set the Organisation Name to something appropriate for your deployment (e.g. Contoso Production Safe Haven)

  • set the Initial Domain Name to the lower-case version of the organisation name with spaces and special characters removed (e.g. contosoproductionsafehaven)

  • set the Country or Region to whichever country is appropriate for your deployment (e.g. United Kingdom)

Create a native Microsoft Entra administrator account#

If you created a new Microsoft Entra tenant, an external administrator account will have been automatically created for you. If you do not already have access to a native administrator account, create one using the steps below.

How to create a native Entra administrator

Follow the instructions here. Use the following settings:

  • Basics tab:

    • User principal name: entra.admin.first_name.last_name

      • If you have a choice of domains use YOUR_ORGANISATION.onmicrosoft.com, which will create a clearer separation between administrators and users

    • Display name: Entra Admin - first_name last_name

    • Other fields: leave them with their default values

  • Properties tab:

    • Usage location: set to the country being used for this deployment

  • Assignments tab:

    • Click the + Add role button

    • Search for Global Administrator, and check the box

    • Click the Select button

Click the Review + Create button

Register allowed authentication methods#

In this section, you will determine which methods are permitted for multi-factor authentication (MFA). This is necessary both to secure logins and to allow users to set their own passwords.

  • Sign in to the Microsoft Entra admin centre

  • Browse to Protection ‣ Authentication methods from the menu on the left side

  • Browse to Manage ‣ Policies from the secondary menu on the left side

  • For each of Microsoft Authenticator, SMS, Third-party software OATH tokens, Voice call and Email OTP click on the method name

    • Ensure the slider is set to Enable and the target to All users

    • ‼️ For SMS ensure that Use for sign-in is unchecked

    • ‼️ For Voice call switch to the Configure tab and ensure that Office is checked

    • Click the Save button

Microsoft Entra authentication summary

Microsoft Entra authentication methods

  • Browse to Protection ‣ Authentication methods ‣ Authentication strengths from the menu on the left side

  • Click the + New authentication strength button

  • Enter the following values on the Configure tab

Configure app-based authentication

  • Name: App-based authentication

  • Description: App-based authentication

  • Under Multi-factor authentication:

    • Check Password + Microsoft Authenticator (Push notification)

    • Check Password + Software OATH token

  • Click the Next button

  • Click the Create button

Activate your native Microsoft Entra account#

In order to use this account you will need to activate it. Start by setting up authentication methods for this user, following the steps below.

How to set up authentication for an Entra user

  • Follow the instructions here.

  • Ensure that you provide both a phone number and an email address.

Now you can reset the password for this user, following the steps below.

How to reset your Entra user password

  • Follow the instructions here to set your password

  • You will need access to the phone number and/or email address from the previous step

Delete any external administrators#

Warning

In this step we will delete any external account with administrator privileges which might belong to Microsoft Entra ID. Before you do this, you must ensure that you can log into Entra using your native administrator account.

Start by identifying whether you have any external users.

How to identify external users

The User principal name field for external users will contain the external domain and will have #EXT# before the @ sign.

  • Sign in to the Microsoft Entra admin centre

  • Click on your profile picture at the top right of the page

  • Click the Sign out button to log out of any accounts

  • Log in with your native administrator credentials

  • Follow the instructions here to delete each external user

Note

We recommend deleting all external users, but if these users are necessary, you can instead remove administrator privileges from them.

Create additional administrators#

Important

In order to avoid being a single point of failure, we strongly recommend that you add other administrators in addition to yourself.

For each other person who will act as an administrator, create an account for them following the steps above and then allow them to reset their own password.

Caution

You may want to set up an emergency administrator to ensure access to this tenant is not lost if you misconfigure MFA. To do so, follow the instructions here. Since this account will be exempt from normal login policies, it should not be used except when absolutely necessary.

Purchase Microsoft Entra licences#

At least one user needs to have a Microsoft Entra Licence assigned in order to enable self-service password reset and conditional access policies.

Tip

P1 Licences are sufficient but you may use another licence if you prefer.

  • Sign in to the Microsoft Entra admin centre

  • Browse to Identity ‣ Billing ‣ Licenses from the menu on the left side

  • Browse to All products from the secondary menu on the left side

  • If you have not currently licenced a product:

    • Click on +Try/Buy and choose a suitable product

    • Click the Activate button

  • Wait a few minutes until the selected licence appears on the All products view

Enable self-service password reset#

In order to enable self-service password reset (SSPR) you will need to do the following:

  • Sign in to the Microsoft Entra admin centre

  • Browse to Protection ‣ Password reset from the menu on the left side

  • Browse to Manage ‣ Properties from the secondary menu on the left side

  • Under the option Self service password reset enabled, choose All

Disable security defaults#

  • Sign in to the Microsoft Entra admin centre

  • Browse to Identity ‣ Overview ‣ Properties from the menu on the left side

  • Click Manage security defaults at the bottom of the page

  • In the pop-up menu on the right, set

    • Security defaults to Disabled (not recommended)

    • Select My organization is planning to use Conditional Access

    • Click the Save button

  • At the prompt click the Disable button

Apply conditional access policies#

  • Sign in to the Microsoft Entra admin centre

  • Browse to Protection ‣ Conditional Access from the menu on the left side

  • Browse to Policies from the secondary menu on the left side

Require MFA#

These instructions will create a policy which requires all users (except the emergency administrator if you have created one) to use multi-factor authentication (MFA) to log in.

Require MFA policy details

  • Create a new policy named Require MFA

  • Under Users:

    • Include: Select All users

    • Exclude:

      • Check Users and groups

      • If you created an emergency access admin account, select it here

  • Under Target resources:

    • Include: Select All cloud apps

  • Under Conditions:

    • Select Device platforms and set:

      • Configure: Select Yes

      • Select device platforms: Check all the boxes

      • Click the Done button

  • Under Grant:

    • Check Grant access

    • Check Require authentication strength

    • In the drop-down menu select App-based authentication

    • Click the Select button

  • Under Session:

    • Check Sign-in frequency

    • Check Periodic reauthentication

      • Set the value to 1 day(s)

  • Under Enable policy:

    • Select On

    • Check I understand that my account will be impacted by this policy. Proceed anyway.

  • Click the Create button

Restrict Microsoft Entra ID access#

These instructions will prevent non-administrators from being able to view the Entra ID configuration.

Restrict Microsoft Entra ID access policy details

  • Create a new policy named Restrict Microsoft Entra ID access

  • Under Users:

    • Include: Select All users

    • Exclude:

      • Check Directory roles

      • In the drop-down menu select Global administrator

  • Under Target resources:

    • Include:

      • Select Select apps

      • Click the Select button

      • In the pop-up menu on the right, select

        • Windows Azure Service Management API and

        • Microsoft Graph Command Line Tools then

      • Click the Select button

    • Exclude: Leave unchanged as None

  • Under Grant:

    • Check Block access

    • Click the Select button

  • Under Enable policy

    • Select On

  • Click the Create button