Microsoft Entra is more than a new name for the classic directory service: Microsoft Entra ID is the successor to Azure AD, and the unified admin center is the one place where you control identities, permissions and access rights centrally.

For you as an administrator, this means one thing above all: transparency and a substantial gain in security for your environment. Particularly with regard to data protection (GDPR) and zero-trust architectures, Entra ID sits at the heart of your IT strategy.
In this series of articles, we’ll walk you through the most important configurations step-by-step, from the basics to pro governance.
🆕 Update: Since the cloud changes constantly, we review this guide regularly. Nevertheless, always check the official Microsoft documentation to stay on top of critical changes.
📅 As of | 23.12.2025

Entra Admin Center
The Microsoft Entra Admin Center home page gives you quick insights (e.g., expiring client secrets or number of Global Admins), actionable recommendations, and links to learning modules.
Use these dashboards actively to not only manage data protection in your organization, but to strengthen it in the long term.
» To the article: Microsoft Entra ID – The Entry




User Settings
Managing user permissions is often a balancing act: grant too much and security gaps appear; restrict too much and productivity suffers while your mailbox overflows with tickets.
We configure the three most important areas: the internal default user permissions, external collaboration (guests) and the user features.
» To the article: Configuring user settings


Group Settings
Effective controls are essential when managing groups. A "group" is rarely just a list of names: behind it there are usually a Team, SharePoint sites and entire file repositories. Without maintenance, serious data protection risks arise here (shadow IT, orphaned data).
We clarify three things: creation (who may create groups?), the end of life (when is an unused group deleted?) and naming (which names are blocked?).
» To the article: Group Settings & Lifecycle
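The three controls above, set with Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, you sign in as a Groups Administrator or higher, and a security group named "Group Creators" already exists; the notification address is a placeholder. Note that the Group.Unified settings govern Microsoft 365 groups only; whether ordinary users may create security groups is a separate setting in the authorization policy.

```powershell
# Added example (not from the original article): restrict who may create
# Microsoft 365 groups, enforce a naming policy and let unused groups expire.
# Assumptions: Microsoft.Graph module, Groups Administrator rights, and a
# security group "Group Creators" that already exists.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.ReadWrite.All"

# 1. Who may? Only members of "Group Creators" may create Microsoft 365 groups.
$creators = Get-MgGroup -Filter "displayName eq 'Group Creators'" -Top 1
if (-not $creators) { throw "Create the 'Group Creators' security group first." }

$template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq "Group.Unified"
$values = @(
    @{ Name = "EnableGroupCreation";           Value = "false" }
    @{ Name = "GroupCreationAllowedGroupId";   Value = $creators.Id }
    # 3. Which names are taboo? Enforced prefix/suffix plus a block list.
    #    [Department] is expanded from the creating user's directory attribute.
    @{ Name = "PrefixSuffixNamingRequirement"; Value = "GRP-[GroupName]-[Department]" }
    @{ Name = "CustomBlockedWordsList";        Value = "CEO,Payroll,HR,Admin" }
)

# A tenant has at most one Group.Unified setting object: update it if present, otherwise create it.
$existing = Get-MgGroupSetting | Where-Object TemplateId -eq $template.Id
if ($existing) {
    Update-MgGroupSetting -GroupSettingId $existing.Id -Values $values
} else {
    New-MgGroupSetting -TemplateId $template.Id -Values $values
}

# 2. When will the deletion take place? Microsoft 365 groups expire after 180 days
#    unless an owner renews them; groups in active use are renewed automatically.
#    Only one lifecycle policy per tenant exists, so update instead of create if present.
$policyArgs = @{
    GroupLifetimeInDays         = 180
    ManagedGroupTypes           = "All"
    AlternateNotificationEmails = "it-governance@contoso.example"  # placeholder: who is notified for ownerless groups
}
$lifecycle = Get-MgGroupLifecyclePolicy
if ($lifecycle) {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $lifecycle.Id @policyArgs
} else {
    New-MgGroupLifecyclePolicy @policyArgs
}
```

Check the result in the admin center under Groups > General; the naming policy and block list are applied to new groups and renames from this point on, existing group names are not changed.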


Device settings and security
Devices are the new security perimeter. Whether it is a company laptop or a private smartphone (BYOD): as soon as a device accesses your data, it needs to be managed. In this article we harden the device "join" and make sure that users do not silently become full administrators on their PCs (by default, the user who joins a device to Entra ID is added to its local Administrators group), an important step towards GDPR compliance.
» To the article: Device Security & Settings



Conditional Access
With Conditional Access, you define precise guardrails: access to company data is no longer granted blanket, but based on context. It is the "if-then" principle for your security: for example, access to sensitive data is only granted if the device is compliant and the user has authenticated with MFA. This is essential for compliance with strict data protection regulations. Note that Conditional Access requires an Entra ID P1 (or P2) license, and that a new policy should always start in report-only mode so you can see whom it would block before enforcing it.
» To the article: Setting up Conditional Access
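As an added example, not taken from the article, here is a policy of the kind described above created with Microsoft Graph PowerShell: all users, all cloud apps, grant only with MFA and a compliant device, created in report-only mode. The break-glass account ID, the policy name and the "CA100" numbering scheme are placeholders and assumptions of this example.

```powershell
# Added example (not from the original article): Conditional Access policy
# "require MFA AND compliant device" for everyone, excluding the emergency
# access account, created in report-only mode first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your break-glass account

$policy = @{
    displayName   = "CA100 - Require MFA and compliant device for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only: logs the outcome, blocks nobody
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)              # never lock out the emergency account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                           # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) with id $($created.Id) in state $($created.State)"

# After checking the report-only results in the sign-in logs for a few days, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Report-only outcomes appear in the sign-in logs under "Report-only" per policy, which is where you verify that the break-glass exclusion and the device-compliance requirement behave as intended before switching the state to "enabled".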





Authentication Methods
If Conditional Access is the bouncer, then the authentication methods are your users' ID cards. The days when a simple password was enough are over. We configure how your users are allowed to sign in: phishing-resistant methods (FIDO2 security keys and passkeys, Windows Hello for Business, certificate-based authentication) wherever possible, Microsoft Authenticator with number matching as the baseline for push MFA (number matching stops MFA-fatigue attacks, but it is not phishing-resistant), and we switch off outdated, weak methods such as SMS and voice calls.
» To the article: Authentication methods
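An added example, not from the article, of the two changes just described via the authentication methods policy in Microsoft Graph PowerShell: enable FIDO2 for all users, then disable SMS, but only after checking that nobody still depends on SMS as their sole registered method. The registration report cmdlet assumes an Entra ID P1/P2 license, and the tenant is assumed to have completed the migration from the legacy per-user MFA and SSPR settings to the converged authentication methods policy; otherwise SMS can stay enabled through those legacy policies.

```powershell
# Added example (not from the original article): enable FIDO2 for everyone,
# then disable SMS once no user is left with SMS as their only method.
# Assumptions: Entra ID P1/P2 (for the registration report) and a tenant that
# already uses the converged authentication methods policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. FIDO2 security keys / passkeys: enabled for all users, self-service registration allowed.
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true   # only keys with valid attestation; set to $false if it rejects your hardware
    includeTargets                   = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# 2. Before turning SMS off: who has a mobile phone as their ONLY registered method?
$smsOnly = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.MethodsRegistered -contains "mobilePhone" -and $_.MethodsRegistered.Count -eq 1 }

if ($smsOnly) {
    # Disabling SMS now would lock these users out of MFA: migrate them first.
    throw "Still SMS-only: $($smsOnly.UserPrincipalName -join ', ')"
}

# 3. Nobody depends on SMS any more: disable it tenant-wide.
$sms = @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state         = "disabled"
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Sms" -BodyParameter $sms
```

The check in step 2 is the part people skip: disabling a method does not remove it from users' registrations, it just stops it working, so a user whose only method was SMS is locked out at the next MFA prompt. Use a registration campaign or a Temporary Access Pass to move those users to Authenticator or a passkey first.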





APPS – Consent & Permissions
Thoughtless app approvals are a massive risk: one quick click on "Accept" and a third-party OAuth app holds permanent permissions to read mail, files or contacts on the user's behalf. By restricting user consent and replacing it with an admin consent workflow, you stop this form of shadow IT at the root and keep full control over which applications hold permissions in your tenant.
» To the article: Consent and permissions
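The user settings section above (default permissions, guest collaboration) and this consent section both live in the same tenant-wide authorization policy, so one added example covers both; it is not code from the article. It sets the default user permissions, restricts who may invite guests, limits guest visibility, allows user consent only for low-risk permissions from verified publishers, and enables the admin consent workflow. The reviewer's object ID is a placeholder; the guest role ID is Microsoft's documented built-in "Restricted guest user" role.

```powershell
# Added example (not from the original article): harden default user
# permissions, guest access and app consent in one pass.
# Assumptions: Microsoft.Graph module, Global Administrator rights,
# $reviewerId replaced with the object ID of a Cloud Application Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

$reviewerId = "11111111-1111-1111-1111-111111111111"   # placeholder

$authzArgs = @{
    DefaultUserRolePermissions = @{
        AllowedToCreateApps             = $false   # no self-registered app registrations by ordinary users
        AllowedToCreateSecurityGroups   = $false   # security groups are created by admins only
        # User consent only for low-risk delegated permissions (e.g. openid, profile, User.Read)
        # from verified publishers; everything else goes to the admin consent workflow.
        PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }
    # Built-in "Restricted guest user" role: guests cannot enumerate other users or groups.
    GuestUserRoleId  = "2af84b1e-32c8-42b7-82bc-daa82404023b"
    # Only admins and users in the Guest Inviter role may send invitations.
    AllowInvitesFrom = "adminsAndGuestInviters"
}
Update-MgPolicyAuthorizationPolicy @authzArgs

# Admin consent workflow: blocked consent requests are routed to reviewers instead of just failing.
$workflowArgs = @{
    IsEnabled             = $true
    NotifyReviewers       = $true
    RemindersEnabled      = $true
    RequestDurationInDays = 30      # pending requests expire after 30 days (the maximum)
    Reviewers             = @(
        @{ Query = "/users/$reviewerId"; QueryType = "MicrosoftGraph" }
    )
}
Update-MgPolicyAdminConsentRequestPolicy @workflowArgs
```

Two caveats from practice: the restricted guest role breaks scenarios where guests need to see group membership (for example some Teams and SharePoint sharing flows), so test it with a pilot guest first; and setting the permission grant policy does not revoke consents users granted earlier, so review Enterprise applications > Consent and permissions for existing grants.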



Corporate branding & login look
Trust begins with the sign-in. Custom branding is more than aesthetics: it helps against phishing, because when users are used to seeing their company logo and background, a generic, unbranded sign-in page stands out immediately. Branding is a soft control, though; a phishing kit can copy your logo, so it complements phishing-resistant MFA rather than replacing it. In this step, we configure the corporate design and add the legally required links to the imprint and the privacy policy directly to the sign-in page.
» To the article: Custom branding



Monitoring and integrity
A clean configuration is only half the battle; in everyday operations, you need to know what is happening in your tenant. If a sign-in fails or a Conditional Access policy kicks in unexpectedly, the logs are your first port of call for troubleshooting.
We look at the two most important pillars:
- Sign-in logs: Who signed in when, from where, and with which app and client? Was the access successful or was it blocked, and by which policy?
- Audit logs: Who made changes to the tenant (e.g., created users, changed groups, adjusted policies)?
Important for your planning (licenses & roles): to read these logs, you need at least the "Security Reader", "Reports Reader" or "Global Reader" role. Also note the retention periods: in the free edition, Microsoft keeps sign-in and audit logs for only 7 days. With a P1/P2 license, you have access to the last 30 days and can stream the logs via diagnostic settings to a Log Analytics workspace, a storage account or a SIEM for long-term archiving (exporting sign-in logs requires P1/P2).
In the detailed article, we show you how to read the logs correctly and perform error analyses efficiently.
» To the article: Microsoft 365 EntraID | Monitoring and integrity
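An added example, not from the article, that answers the two questions above for the last 7 days via Microsoft Graph PowerShell: failed sign-ins grouped by user and source IP, sign-ins that a Conditional Access policy blocked (with the policy name), and audit entries showing who changed a Conditional Access policy. It assumes a P1/P2 license (the sign-in log API is not available on free tenants) and one of the reader roles named above; the cmdlets filter server-side where Graph supports it and client-side otherwise.

```powershell
# Added example (not from the original article): read sign-in and audit logs
# for the last 7 days. Assumptions: Entra ID P1/P2 and Security Reader,
# Reports Reader or Global Reader.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-ins of the period; the status error code is filtered client-side (0 = success).
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
$failed  = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }

# 1. Who failed from where? Top user/IP pairs show password sprays and locked-out users.
"=== Failed sign-ins by user and source IP ==="
$failed | Group-Object UserPrincipalName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 2. Which Conditional Access policy blocked whom?
"=== Sign-ins blocked by Conditional Access ==="
$failed | Where-Object ConditionalAccessStatus -eq "failure" | ForEach-Object {
    $blocking = $_.AppliedConditionalAccessPolicies | Where-Object Result -eq "failure"
    [pscustomobject]@{
        When   = $_.CreatedDateTime
        User   = $_.UserPrincipalName
        App    = $_.AppDisplayName
        Policy = ($blocking.DisplayName -join "; ")
        Reason = $_.Status.FailureReason
    }
}

# 3. Who changed a Conditional Access policy? Policy changes are in the audit log, category "Policy".
"=== Conditional Access policy changes ==="
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and category eq 'Policy'" |
    Where-Object ActivityDisplayName -like "*conditional access policy*" |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ n = "Actor";  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "Target"; e = { $_.TargetResources[0].DisplayName } }
```

Section 2 also works for report-only policies if you replace "failure" with "reportOnlyFailure" in the Result filter, which is how you evaluate a new policy before enforcing it. The 7-day window matches the free-tier retention; anything older has to come from your Log Analytics workspace or SIEM.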


Other Considerations: Governance and Monitoring
The previous settings harden your tenant against attacks. But security is not a one-off project; it is a permanent state. How do you make sure that permissions stay clean for years?

Here are the "advanced" topics of identity governance:
1. Privileged Identity Management (PIM) (license requirement: Entra ID P2). A permanent "Global Administrator" is an enormous risk.
- The solution: With PIM, admins are only made eligible for a role and activate it "just-in-time" (on demand) for a limited period.
- The added value: Every activation is logged, must be justified, and can require MFA or an approval.
2. Lifecycle Workflows & Access Reviews (license requirement: Entra ID P2 for access reviews, Microsoft Entra ID Governance for lifecycle workflows). Employees come and go, but old permissions often remain ("zombie" accounts and group memberships).
- Lifecycle workflows: Automate the "leaver" process (disable the account, remove group memberships, revoke sessions).
- Access reviews: Regularly and automatically prompt managers or group owners to confirm their employees' access, and remove what is not confirmed.
3. Monitoring & SIEM integration. Entra ID keeps logs for at most 30 days (7 days in the free edition).
- The strategy: Stream the Entra ID logs via diagnostic settings to a SIEM (such as Microsoft Sentinel) or a Log Analytics workspace to retain data for years and to alert on anomalies (e.g., "impossible travel").
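The PIM flow from point 1, as an added example that is not part of the article: an administrator makes an account eligible for Global Administrator with no standing access, and the admin later self-activates the role for four hours with a justification. It assumes Entra ID P2 and the Microsoft.Graph module; the admin's object ID and the ticket reference are placeholders, and the role ID is Microsoft's well-known template ID for the built-in Global Administrator role.

```powershell
# Added example (not from the original article): eligible assignment plus
# just-in-time activation with PIM via Microsoft Graph PowerShell.
# Assumptions: Entra ID P2; $adminId replaced with the admin's object ID.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$adminId           = "22222222-2222-2222-2222-222222222222"   # placeholder
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template ID

# 1. Administrator side: make the account ELIGIBLE (not active) for one year, tenant-wide scope "/".
$eligible = @{
    action           = "adminAssign"
    justification    = "Tier-0 admin: JIT access only, no standing assignment"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $adminId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # eligibility itself is time-bound
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# 2. Later, in the admin's own session: activate for 4 hours. PIM logs this request,
#    requires the justification and applies the role settings (MFA, approval) configured for the role.
$activate = @{
    action           = "selfActivate"
    justification    = "Ticket INC-0000 (placeholder): reset MFA for a locked-out user"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $adminId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }    # role expires automatically
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
```

The point of the two-step shape is that nothing here grants a permanent role: step 1 creates eligibility only, step 2 produces a time-boxed assignment that disappears on its own. Keep the break-glass accounts out of PIM with a permanent active assignment, and alert on their sign-ins instead.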
Security as a process
The technical configuration is the foundation. But data protection only comes alive through regular reviews (audits), clean processes for entry, role changes and exit (joiner, mover, leaver: JML) and continuous monitoring. Use the dashboards in the Entra Admin Center not only for configuration, but as a daily cockpit for the health of your identities.
Further links

| Microsoft Trust Center | GDPR and Microsoft cloud services; privacy, security and compliance |
| Microsoft eBook | GDPR compliance best practices |
| Microsoft Entra Admin Center | Features, navigation and uses |
| Microsoft Learn – GDPR | Privacy policy information |
| DPIA for Azure under the GDPR | Conducting data protection impact assessments |
| User profile management in Entra | User profile management guide |
| Microsoft Entra setup guides | Setup and management guides |
| Microsoft Compliance | Compliance and regulatory requirements |
| GDPR simplified: guide for small business | |
| Microsoft Entra ID Governance | |

