
The Top 5 Ways to Secure Your Entra ID Identities

Why Entra ID Identity Security is Important

With organizations moving to the cloud, Entra ID has become a critical component of their security infrastructure. It is the backbone of identity and access management in Azure and Microsoft 365, and it is responsible for authenticating and authorizing users and applications. As such, it is a prime target for hackers who want to gain access to sensitive data and resources.

This guide will walk you through the top 5 best practices for securing your Entra ID identities. By following these best practices, you can significantly reduce the risk of identity theft and unauthorized access to your resources.

Hear Directly from the Experts on Entra ID Identity Security Best Practices

Want to learn more about Entra ID identity security best practices? Check out our episode of No Password Required where we go over all the best practices we follow to secure our Azure infrastructure and how you can implement them in your organization.


Number 1: Go Fully Passwordless with Unphishable Identities

Entra ID offers various identity protection features, including conditional access and monitoring risky sign-ins. However, the highest level of security is achieved when there are no passwords to compromise at all. To guard against identity theft, we’ve adopted a fully passwordless approach here at Keytos for both user and machine identities. This goal might seem challenging, but with the right tools it not only enhances security but also boosts productivity.

How to Implement Unphishable User Identities

To achieve passwordless user authentication, you should employ SmartCard (CBA) and/or FIDO2 (passkey) authentication. FIDO2 is a longstanding industry standard, yet there are instances (including in Entra ID) where it’s not an accepted authentication method. To address this, we combine FIDO2 with Entra CBA. We can easily use these two methods by having users self-onboard to their passwordless identity with EZCMS, the best FIDO2 and smartcard CMS for Entra.

How to Implement Unphishable Machine Identities

Passwords are not limited to user identities. They’re also prevalent in machines for accessing Entra ID, databases, and more. Examples include connection strings, passwords on Entra ID service principals, and SAS keys. To eliminate these, we primarily use Azure Managed Identities (MSIs), which are passwordless and managed by the good folks over at Microsoft, simplifying authentication with other Microsoft services.

In cases where MSIs aren’t applicable, like cross-tenant authentication or when applications are hosted externally (such as on customer on-premises servers), we use Azure Service Principals with certificate-based authentication. This method differs from MSIs or standard certificate authentication, as each new certificate must be registered in Entra. To avoid issues related to certificate expiration, we utilize EZCA’s automatic certificate rotation for Azure AD applications.
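As an added illustration (not Keytos code), the audit below scans an application's settings for the credential types named above, connection-string passwords, storage account keys, SAS tokens and service-principal client secrets, and reports the passwordless replacement for each. The settings and the secret-looking values in them are constructed for the example.

```python
import re
from typing import NamedTuple

# Constructed sample app settings; in practice these would come from an App Service
# configuration export, a .env file or a pipeline variable group.
SAMPLE_SETTINGS = {
    "SqlConnection": "Server=tcp:db.example.net;Database=app;User ID=svc;Password=S3cr3t!;",
    "StorageConnection": "DefaultEndpointsProtocol=https;AccountName=stor;AccountKey=abcd1234base64==;",
    "BlobSasUrl": "https://stor.blob.core.windows.net/c/f.txt?sv=2022-11-02&sig=Zz9X%2Fabc&se=2030-01-01",
    "AZURE_CLIENT_SECRET": "8Q~constructed-service-principal-secret",
    "AZURE_CLIENT_CERTIFICATE_PATH": "/var/certs/app.pfx",   # certificate auth: fine
    "StorageAccountUrl": "https://stor.blob.core.windows.net",  # no credential at all: fine
}

class Finding(NamedTuple):
    setting: str
    kind: str
    fix: str

# (pattern on the value, credential kind, recommended passwordless replacement)
RULES = [
    (re.compile(r"(^|;)\s*Password=", re.I), "connection-string password",
     "use Entra authentication (Authentication=Active Directory Managed Identity)"),
    (re.compile(r"(^|;)\s*AccountKey=", re.I), "storage account key",
     "use a Managed Identity with a Storage data-plane RBAC role"),
    (re.compile(r"[?&]sig=", re.I), "SAS token",
     "use a Managed Identity, or at least a short-lived user-delegation SAS"),
]
# Setting names that conventionally carry a service-principal password
SECRET_KEYS = re.compile(r"(CLIENT_SECRET|APP_SECRET|ClientSecret)", re.I)

def audit_settings(settings: dict[str, str]) -> list[Finding]:
    """Return one finding per setting that still relies on a shared secret."""
    findings = []
    for name, value in settings.items():
        if SECRET_KEYS.search(name):
            findings.append(Finding(name, "service principal password",
                                    "switch to a certificate credential or a Managed Identity"))
            continue
        for pattern, kind, fix in RULES:
            if pattern.search(value):
                findings.append(Finding(name, kind, fix))
                break  # one finding per setting is enough for the report
    return findings

if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SETTINGS):
        print(f"{f.setting}: {f.kind} -> {f.fix}")
```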

Number 2: How to Isolate Your Entra ID Identities to Enhance Security

Isolating your Entra ID identities is one of the most important steps you can take to bolster your identity security. For example, here at Keytos, we manage essential services for numerous large organizations, necessitating top-tier security measures. While our advanced passwordless approach significantly minimizes our vulnerability, we further enhance our security by adhering to Microsoft’s identity best practices. This includes establishing an independent production Entra ID & Azure tenant, completely separate and untrusted by our corporate tenant. Consequently, if a corporate account is breached, the intruder cannot access our production resources. This isolation enables us to implement stringent measures like smart conditional access policies. These policies grant permissions based on risk assessments, considering factors like intelligent login scores and device health.

Take it from us: isolating your Entra identity is paramount to enhancing your organization’s cybersecurity posture.

Number 3: How to Isolate Your Devices

Although isolating identities significantly boosts resource security, it primarily safeguards against identity theft. Attackers are increasingly sophisticated, using malware that can steal credentials or abuse a compromised computer to reach resources. To counter this threat, we recommend adopting a contemporary version of Microsoft’s PAW (Privileged Access Workstation) model. Instead of relying on outdated on-premises technologies like domain controllers, it’s more effective to use Microsoft Intune for device management and Entra conditional access to verify device health before each login session.
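The policy that ties Number 1's phishing-resistant sign-in to Number 3's device-health check can be expressed as a Microsoft Graph conditional access policy. The example below is added here and is not Keytos code: it builds the policy body (the break-glass group id is a placeholder), includes a small local evaluator so you can see how the AND grant controls resolve, and shows the Graph call that would create it, which is not executed here.

```python
import json
import urllib.request

# Built-in Entra authentication strength "Phishing-resistant MFA" (FIDO2, CBA, Windows Hello)
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
# Graph authenticationMethodModes values that satisfy that strength
PHISHING_RESISTANT_METHODS = {"fido2", "x509CertificateMultiFactor", "windowsHelloForBusiness"}

def build_paw_policy(display_name="PAW: compliant device + phishing-resistant MFA",
                     state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body: all users, all apps, grant only when the
    device is Intune-compliant AND the sign-in used phishing-resistant MFA."""
    return {
        "displayName": display_name,
        "state": state,  # start in report-only; switch to "enabled" after reviewing sign-in logs
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": ["<break-glass-group-id>"]},  # placeholder group id
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }

def evaluate_sign_in(policy: dict, device_compliant: bool, auth_method: str) -> bool:
    """Local approximation of the grant controls above (only the controls this
    policy uses are modelled). True means the sign-in would be granted."""
    grant = policy["grantControls"]
    checks = []
    if "compliantDevice" in grant["builtInControls"]:
        checks.append(device_compliant)
    if grant.get("authenticationStrength", {}).get("id") == PHISHING_RESISTANT_MFA:
        checks.append(auth_method in PHISHING_RESISTANT_METHODS)
    return all(checks) if grant["operator"] == "AND" else any(checks)

def create_policy(access_token: str, policy: dict) -> dict:
    """POST the body to Graph (caller needs Policy.ReadWrite.ConditionalAccess); not run here."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

A legacy push-MFA sign-in from a compliant device and a FIDO2 sign-in from an unmanaged device are both denied; only the combination passes.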

Number 4: How to Employ Just-in-Time (JIT) Access to Production Resources

We have strong confidence in our secure identity and device management approach, yet we also believe that human access to production should be restricted to essential instances only. This policy not only enhances security but also encourages robust engineering practices. By making production access more challenging, it incentivizes the development of automated deployment processes and self-repairing features which, in turn, boost our system’s reliability and efficiency. To uphold this standard, we’ve adopted a policy of no permanent access to production, and we strongly recommend that your organization does the same. Engineers requiring access to production resources must formally request it, either through Microsoft Privileged Identity Management (PIM) for general resources or via EZSSH for Linux endpoints and git repositories.

Number 5: How to Monitor Your SSL Certificates

Adopting Microsoft’s “assume breach” approach, we recognize that relying solely on security protocols isn’t enough to completely safeguard infrastructure. Active monitoring and anomaly detection are also crucial. Beyond using Microsoft Sentinel and Microsoft Defender for Cloud, we recommend using CloudWatcher. This free, open-source solution was developed by the ex-Microsoft engineers at Keytos, and it closely observes any minor alterations in our Entra environment, alerting our on-call engineer about any detected changes. As a security-focused company, we also suggest heeding Google’s recommendation to monitor CT Logs using EZMonitor. This practice will not only shield your organization from potential SSL-certificate-based MITM attacks but also from other threats, like subdomain takeovers.
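As an added example (not EZMonitor or CloudWatcher code), the check below implements the CT-log monitoring idea for one domain: it walks entries shaped like crt.sh's JSON output, flags certificates from an issuer you do not use (a precursor to certificate-based MITM) and certificates for hostnames missing from your asset inventory (a common sign of a forgotten, takeover-prone subdomain). The domain, issuer list, inventory and log entries are all constructed.

```python
import json
from dataclasses import dataclass

MONITORED_APEX = "example.com"                           # placeholder domain
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}      # the CAs you actually use
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com"}  # asset inventory

# Constructed CT log entries using a subset of crt.sh's JSON fields; crt.sh joins
# the SAN list in name_value with newline characters.
CT_ENTRIES = json.loads("""[
 {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "api.example.com", "not_before": "2024-01-05T00:00:00"},
 {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "old-staging.example.com\\nwww.example.com", "not_before": "2024-02-01T00:00:00"},
 {"id": 3, "issuer_name": "CN=Some Other CA, O=Unknown Issuer Ltd",
  "name_value": "login.example.com", "not_before": "2024-02-10T00:00:00"},
 {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "unrelated.org", "not_before": "2024-02-11T00:00:00"}
]""")

@dataclass(frozen=True)
class Alert:
    entry_id: int
    name: str
    reason: str

def in_scope(name: str) -> bool:
    """True for the apex, any subdomain of it, or a wildcard covering it."""
    name = name.lstrip("*.")
    return name == MONITORED_APEX or name.endswith("." + MONITORED_APEX)

def check_ct_entries(entries) -> list[Alert]:
    """Return one alert per (certificate, hostname) pair that needs a human look."""
    alerts = []
    for e in entries:
        for name in e["name_value"].split("\n"):
            if not in_scope(name):
                continue  # somebody else's domain sharing a log page
            if e["issuer_name"] not in EXPECTED_ISSUERS:
                alerts.append(Alert(e["id"], name, "unexpected issuer: " + e["issuer_name"]))
            elif name not in KNOWN_HOSTS:
                alerts.append(Alert(e["id"], name, "not in inventory: possible dangling subdomain"))
    return alerts

if __name__ == "__main__":
    for a in check_ct_entries(CT_ENTRIES):
        print(f"crt.sh id {a.entry_id}: {a.name}: {a.reason}")
```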

Keytos Meets and Exceeds These Entra ID Identity Security Best Practices

Here at Keytos, we practice what we preach. We follow every single one of the best practices listed in this blog to a T, and doing so has allowed us to meet and exceed some of the most respected compliance requirements in the cybersecurity space, such as SOC 2 type 2 and PCI level 4. As such, we can confidently say that we are the experts when it comes to helping your organization secure its infrastructure. Don’t believe us? Feel free to schedule a FREE consultation with one of our security experts today to see how you can start your journey to bolstering your cybersecurity posture with Keytos!