5 Microsoft Azure AD and ERP Best Practices (Beside MFA) to Protect your ERP Data – Part 2


If you’ve read Part 1 in this 2-part series, you already know that MFA is just one security practice in your toolbox that you can deploy for your ERP business operations to prevent a data breach, but there’s still more you can do. Deploying multiple Microsoft Azure AD / Microsoft 365 identity and access management measures helps ensure that the wide net of your ERP data is well protected from cybersecurity attacks.

Part 1 covered Security Defaults, Legacy Protocols, Guest Access, Enterprise Apps (and consent), and your Azure Portal Settings. For a step-by-step guide on each best practice, check out Part 1! 

Without further delay, we continue onto 6 - 10. 


Access Reviews allow you to set up recurring reviews of group membership and application assignments. You can set up Access Reviews for Azure AD Enterprise Apps (Part 1 #5), as well as for Azure AD roles in Privileged Identity Management (PIM) (#7 below).

Note that using the Access Review feature requires an Azure AD P2 license. 


PIM is an Azure AD service for managing privileged access to resources in your organization, including listing who holds which roles.

  • Log into the Azure AD portal (portal.azure.com).
  • From the Dashboard, go to “Privileged Identity Management” > “Azure AD Roles.”
  • Here you’ll find a report of all of the users in the tenant and their roles, which can be exported to csv.

If you ever need to take on a temporary administrator role to complete a specific task, you can set this up in PIM.

  • From the Azure portal, go to “Active Directory” to view your current role.
  • Go to “Privileged Identity Management” > “My Roles” to request to activate the new (temporary) role you need for up to 10 hours.
  • “Active Assignments” provides information on your temporary role and allows you to deactivate it as soon as the task is done.


Microsoft Cloud App Security (CAS) and OAuth app policies can control access to cloud apps based on the user, location, device and app. You can create a policy filter that alerts on, and revokes access for, uncommon or rare apps asking for high levels of permissions.

  • Go to the Cloud App Security Portal at portal.cloudappsecurity.com or through the Microsoft 365 Admin Center.
  • “Control” > “Policies” > “Conditional Access.”

Here you can create a policy that raises an alert or revokes access for apps whose requested permission level is very high and whose community use is uncommon.


In addition to MFA, Conditional Access (CA) policies can provide extra protection against attacks on Admin Roles.

Create a new CA policy for Admin Roles:

  • From the Azure Portal go to “Security.”
  • “Conditional Access Policies” > “New Policy.”
  • Name the policy, e.g., “Require MFA and Compliant Devices for Admin Roles.”
  • Go to “Select Users and Groups” and select the specific directory roles that this policy should cover.
  • Go to “Cloud Apps or Actions” and select “All Cloud Apps.”
  • Go to “Conditions” and select whatever is applicable.
  • Go to “Access Controls” and select “Require Multi-Factor Authentication” as well as “Require Device to be marked as compliant” and “For multiple controls, require all the selected controls.”


It is important to keep a log of sign-ins, changes to the tenant, and a record of who did what (and when). A native integration between Azure AD and Azure Log Analytics (Azure Monitor) provides an easy way to save and export your log files. (Note: it is advised that you have at least one Azure AD Premium license to get monthly log retention instead of the standard 7 days or 24 hours.)

  • To export logs in the Azure AD Portal: go to “Monitoring” > “Logs” > “Diagnostic Settings.” Here you can modify your log settings, including export and destination.
  • Click “+ Add Diagnostic Setting” to create a diagnostic setting that streams to an Azure Log Analytics workspace.
  • Click “Edit settings” to select the destinations to stream to or archive, as well as the log categories:
        • “AuditLogs”
        • “SignInLogs”
        • “NonInteractiveUserSignInLogs”
        • “ServicePrincipalSignInLogs”
        • “ManagedIdentitySignInLogs”
        • “ProvisioningLogs”
  • Then send them to the log archiving Log Analytics workspace in the right Azure subscription. You can also send them to a storage account.
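Once the sign-in logs are flowing to a workspace or storage account, you can check that the admin-role CA policy from #9 is actually being enforced. The script below is an added example, not code from the original article or from JourneyTEAM: it reads constructed sample rows in the shape of Azure AD SignInLogs records (field names as in the Log Analytics SigninLogs table, values invented) and flags successful admin sign-ins that were not covered by Conditional Access, did not use MFA, or came from a non-compliant device. The admin account list is a hypothetical stand-in for the PIM role export described under #7.

```python
import json

# Constructed sample rows in the shape of Azure AD SignInLogs records streamed to
# Log Analytics or a storage account (field names from the SigninLogs table;
# the accounts and values are invented for this example).
SAMPLE_EXPORT = """\
{"UserPrincipalName":"admin1@example.com","ResultType":"0","AppDisplayName":"Azure Portal","ConditionalAccessStatus":"success","AuthenticationRequirement":"multiFactorAuthentication","DeviceDetail":{"isCompliant":true}}
{"UserPrincipalName":"admin2@example.com","ResultType":"0","AppDisplayName":"Azure Portal","ConditionalAccessStatus":"notApplied","AuthenticationRequirement":"singleFactorAuthentication","DeviceDetail":{"isCompliant":false}}
{"UserPrincipalName":"user@example.com","ResultType":"0","AppDisplayName":"Dynamics 365","ConditionalAccessStatus":"notApplied","AuthenticationRequirement":"singleFactorAuthentication","DeviceDetail":{"isCompliant":false}}
{"UserPrincipalName":"admin3@example.com","ResultType":"50074","AppDisplayName":"Azure Portal","ConditionalAccessStatus":"failure","AuthenticationRequirement":"multiFactorAuthentication","DeviceDetail":{"isCompliant":false}}
"""

# Hypothetical list of accounts holding admin roles; in practice take it from
# the PIM "Azure AD Roles" CSV export described under #7.
ADMIN_ACCOUNTS = {"admin1@example.com", "admin2@example.com", "admin3@example.com"}


def parse_export(text):
    """Parse a JSON-lines log export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_policy_gaps(records, admin_accounts):
    """Return (user, app, reasons) for every successful admin sign-in that did not
    meet the #9 policy: CA applied, MFA satisfied and a compliant device."""
    gaps = []
    for r in records:
        upn = r.get("UserPrincipalName", "").lower()
        # A failed sign-in (non-zero ResultType) is the policy working, not a gap.
        if str(r.get("ResultType")) != "0" or upn not in admin_accounts:
            continue
        reasons = []
        if r.get("ConditionalAccessStatus") != "success":
            reasons.append("CA status " + str(r.get("ConditionalAccessStatus")))
        if r.get("AuthenticationRequirement") != "multiFactorAuthentication":
            reasons.append("single-factor")
        if not (r.get("DeviceDetail") or {}).get("isCompliant"):
            reasons.append("device not compliant")
        if reasons:
            gaps.append((upn, r.get("AppDisplayName"), reasons))
    return gaps


if __name__ == "__main__":
    for upn, app, reasons in find_policy_gaps(parse_export(SAMPLE_EXPORT), ADMIN_ACCOUNTS):
        print(f"{upn} -> {app}: {', '.join(reasons)}")
```

Only admin2 is reported: admin1 met all three controls, the non-admin user is out of scope for this policy, and admin3's sign-in was blocked rather than allowed.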



Get Started with JourneyTEAM 


JourneyTEAM was recently awarded Microsoft US Partner of the Year for Dynamics 365 Customer Engagement (Media & Communications) and the Microsoft Eagle Crystal trophy as a top 5 partner for Dynamics 365 Business Central software implementations. Let JourneyTEAM walk you through any of these security best practices to help you ensure your tenant is safe. We can provide demos and full custom introductions. Contact JourneyTEAM today! 



  1. Join a free consultation and ask all the questions you wish.
  2. Plan your Deep Dive meeting – Get your organization’s Customized Solutions presentation.

Article by: Jenn Alba - Marketing Manager - 801.938.7816

JourneyTEAM is an award-winning consulting firm with proven technology and measurable results. They take Microsoft products; Dynamics 365, SharePoint intranet, Office 365, Azure, CRM, GP, NAV, SL, AX, and modify them to work for you. The team has expert level, Microsoft Gold certified consultants that dive deep into the dynamics of your organization and solve complex issues. They have solutions for sales, marketing, productivity, collaboration, analytics, accounting, security and more. www.journeyteam.com
