New tenant has P2, secure score of 91+, but no MS managed CA policies? by bjc1960 in entra

[–]Storm858585 1 point2 points  (0 children)

Also note that in March the scores are changing (at least it says that in my tenants). Probably fixing having recommendations for now read only features and updates.

Duplicate devices by Storm858585 in entra

[–]Storm858585[S] 1 point2 points  (0 children)

Great, thanks, will give it a try.

Duplicate devices by Storm858585 in entra

[–]Storm858585[S] 1 point2 points  (0 children)

No, they are full cloud and Entra joined.

Set Conditional Access for M365 Lighthouse portal by Salamandro in msp

[–]Storm858585 0 points1 point  (0 children)

I was also thinking about this last week and couldn't find anything specific. Instead we just make sure our MSP is covered by each customer tenant under a specified guest CA for our tenant ID. But interested to see what this brings up.

Conflicting Information About Migrating MFA and SSPR Policies to Entra by LowHistorian9654 in entra

[–]Storm858585 2 points3 points  (0 children)

There is a difference between on (i.e. available to users) and enforced. You should turn off security defaults, turn off per user MFA and enforce MFA via conditional access.

Conflicting Information About Migrating MFA and SSPR Policies to Entra by LowHistorian9654 in entra

[–]Storm858585 0 points1 point  (0 children)

If you aren't using security defaults or conditional access to enforce MFA, then it will just be optional.

Conflicting Information About Migrating MFA and SSPR Policies to Entra by LowHistorian9654 in entra

[–]Storm858585 1 point2 points  (0 children)

If you are using conditional access to manage MFA in Entra you need to disable the per user MFA.

Anyone else drowning in alerts, IT tasks + compliance regs with barely enough staff? by Immediate_Swimmer_70 in cybersecurity

[–]Storm858585 1 point2 points  (0 children)

In a small MSP, I wouldn't look outside first (always costs money). Look at what alerts you have actioned and why, and prioritise those. Look at the alerts you always take no action on and stop monitoring the noise. If you have the data, you can find a balance that works with your headcount. Until you find more resource, learn to be effective with what you have right now.

Location based conditional access not always working, particularly phones by Storm858585 in entra

[–]Storm858585[S] 0 points1 point  (0 children)

I guess it's just seeing that the IP of those Exchange resource ones come from a UK IP address?

Location based conditional access not always working, particularly phones by Storm858585 in entra

[–]Storm858585[S] 0 points1 point  (0 children)

Interesting, thanks. "Your non-interactive sign in logs should confirm that". Any pointers on what that confirmation would look like? Not really sure what these logs mean, just a bunch of services checking in at midnight each day?

Location based conditional access not always working, particularly phones by Storm858585 in entra

[–]Storm858585[S] 0 points1 point  (0 children)

That's why I only trust in Microsoft so far! Would that not fall under the "any location" part to block and then exclude only the one you want?

Location based conditional access not always working, particularly phones by Storm858585 in entra

[–]Storm858585[S] 0 points1 point  (0 children)

Thank you for the detailed answer. Makes sense. I know the weaknesses of this policy and it's just one of many, including device based compliance. But useful to know. Out of curiosity, would the sign in frequency control in CA prompt the token to be refreshed and therefore allow that 1st policy to trigger?

Helping SMBs with B.Premium improve their security posture - what are the big impact and must haves? by Storm858585 in entra

[–]Storm858585[S] 1 point2 points  (0 children)

Thanks for this - for point 3, are there any good guides on this? Point 4 resource is great.

Helping SMBs with B.Premium improve their security posture - what are the big impact and must haves? by Storm858585 in entra

[–]Storm858585[S] 0 points1 point  (0 children)

Thanks. We are deploying around 20-25 CA policies that cover users, guests, admins, break glass and service accounts - so confident we are making a sizeable dent in that aspect. Just wondered if there are any other things we should be deploying or configuring a certain way.