How Do Microsoft Entra Recommendations Work?

Keeping track of all the settings and resources regarding your security posture in your tenant can be overwhelming. The Microsoft Entra recommendations feature helps monitor the status of your tenant so you don’t have to. These recommendations ensure your tenant remains secure and healthy while also helping you maximize the value of Microsoft Entra ID features.

How Does It Work?

On a daily basis, Microsoft Entra ID analyses the configuration of your tenant. During this analysis, Microsoft Entra ID compares the configuration of your tenant with security best practices and recommendation data. If a recommendation is flagged as applicable to your tenant (based on the licence of your tenant), it appears in the Recommendations section of the Microsoft Entra identity overview area.

Each recommendation contains a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, helping you resolve each affected area. If a recommendation doesn’t have any associated resources, the impacted resource type is Tenant level, impacting the entire tenant rather than a specific resource.

Recommendations

The recommendations listed in the following table are currently available in public preview or general availability. This table includes the types of resources addressed, availability status, and target roles for email notifications. The licence requirements for recommendations in public preview are subject to change. For the current and complete table, please refer to the official Microsoft documentation: Microsoft Entra Recommendations Overview.

Overview Table

| Recommendation | Impacted resources | Availability | Identity Secure Score | Target roles for email notifications |
| --- | --- | --- | --- | --- |
| AAD Connect Deprecated | Tenant | Preview | No | Hybrid Identity Administrator |
| Convert per-user MFA to Conditional Access MFA | Users | Generally available | No | Security Administrator |
| Designate more than one Global Administrator | Users | Generally available | Yes | Global Administrator |
| Do not allow users to grant consent to unreliable applications | Tenant | Generally available | Yes | Global Administrator |
| Do not expire passwords | Tenant | Generally available | Yes | Global Administrator |
| Enable password hash sync if hybrid | Tenant | Generally available | Yes | Hybrid Identity Administrator |
| Enable policy to block legacy authentication | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator |
| Enable self-service password reset | Users | Generally available | Yes | Authentication Policy Administrator |
| Ensure all users can complete multifactor authentication | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator |
| Migrate applications from AD FS to Microsoft Entra ID | Applications | Generally available | No | Application Administrator, Authentication Administrator, Hybrid Identity Administrator |
| Migrate applications from the retiring Azure AD Graph APIs to Microsoft Graph | Applications | Preview | No | Application Administrator |
| Migrate from ADAL to MSAL | Applications | Generally available | No | Application Administrator |
| Migrate from MFA server to Microsoft Entra MFA | Tenant | Generally available | No | Global Administrator |
| Migrate service principals from the retiring Azure AD Graph APIs to Microsoft Graph | Applications | Preview | No | Application Administrator |
| Migrate to Microsoft Authenticator | Users | Preview | No | Global Administrator |
| Minimize MFA prompts from known devices | Users | Generally available | No | Global Administrator |
| Protect all users with a sign-in risk policy | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator |
| Protect all users with a user risk policy | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator |
| Protect your tenant with Insider Risk Conditional Access policy | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator |
| Remove unused applications | Applications | Preview | No | Application Administrator |
| Remove unused credentials from applications | Applications | Preview | No | Application Administrator |
| Renew expiring application credentials | Applications | Preview | No | Application Administrator |
| Renew expiring service principal credentials | Applications | Preview | No | Application Administrator |
| Require MFA for administrative roles | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator |
| Review inactive users with Access Reviews | Users | Preview | No | Identity Governance Administrator |
| Secure and govern your apps with automatic user and group provisioning | Applications | Preview | No | Application Administrator, IT Governance Administrator |
| Use least privileged administrative roles | Users | Generally available | Yes | Privileged Role Administrator |
| Verify App Publisher | Applications | Preview | No | Global Administrator |

Microsoft Entra only displays the recommendations that apply to your tenant, so you might not see every supported recommendation listed; as noted above, your tenant's licences determine which ones apply.

Identity Secure Score

Your Identity Secure Score, which appears at the top of the page, is a numerical representation of the health of your tenant. Recommendations that apply to the Identity Secure Score are given individual scores in the table at the bottom of the page. You can filter the list of recommendations to only show the Identity Secure Score recommendations using the Security filter card. Identity Secure Score recommendations include secure score points, calculated as an overall score based on several security factors.

These scores add up to generate your Identity Secure Score. For more information, see What is Identity Secure Score.

Are Microsoft Entra Recommendations Related to Azure Advisor?

The Microsoft Entra recommendations feature is the Microsoft Entra implementation of Azure Advisor. Azure Advisor analyses your resource configuration and usage data to recommend solutions that can help you improve the cost-effectiveness, performance, reliability, and security of your Azure resources.

Microsoft Entra recommendations use similar data to support you with the roll-out and management of Microsoft’s best practices for Microsoft Entra tenants to keep your tenant in a secure and healthy state. The Microsoft Entra recommendations feature provides a holistic view into your tenant’s security, health, and usage.

Email Notifications

Microsoft Entra recommendations now send email notifications when a new recommendation is generated. This new preview feature dispatches emails to a predetermined set of roles for each recommendation. For example, recommendations related to the health of your tenant’s applications go to users with the Application Administrator role.

If your organization uses Privileged Identity Management (PIM), recipients need to be elevated to the indicated role to receive the email notifications. If no one is actively assigned to the role, email notifications will not be sent. Therefore, check the recommendations regularly to stay informed about any new updates.
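The two points above, that each recommendation lists its impacted resources (or is tenant-level) and that an email goes only to roles with an active assignee, can be checked from an export of your tenant's recommendations. The following is an added example, not code from the page or from Microsoft: the records are constructed and only modelled on the field names of the Microsoft Graph recommendation object (displayName, status, impactType, impactedResources), and the role mapping is a subset copied from the table above.

```python
"""Triage Entra recommendations and find ones that would generate no email."""

# Target roles for email notifications, copied from the table on this page
# (subset; add the remaining rows as needed).
TARGET_ROLES = {
    "Designate more than one Global Administrator": ["Global Administrator"],
    "Do not expire passwords": ["Global Administrator"],
    "Enable policy to block legacy authentication": [
        "Conditional Access Administrator", "Security Administrator"],
    "Renew expiring application credentials": ["Application Administrator"],
    "Review inactive users with Access Reviews": ["Identity Governance Administrator"],
}

# Constructed sample shaped like Graph recommendation objects (values are made up).
SAMPLE_RECOMMENDATIONS = [
    {"displayName": "Designate more than one Global Administrator", "status": "active",
     "impactType": "Users", "impactedResources": [{"displayName": "admin@contoso.example"}]},
    {"displayName": "Do not expire passwords", "status": "active",
     "impactType": "Tenant level", "impactedResources": []},
    {"displayName": "Enable policy to block legacy authentication", "status": "completedByUser",
     "impactType": "Users", "impactedResources": []},
    {"displayName": "Renew expiring application credentials", "status": "active",
     "impactType": "Applications",
     "impactedResources": [{"displayName": "hr-sync-app"}, {"displayName": "billing-api"}]},
    {"displayName": "Review inactive users with Access Reviews", "status": "active",
     "impactType": "Users", "impactedResources": [{"displayName": "j.doe@contoso.example"}]},
]

# Constructed: roles that currently have an *active* assignee (PIM-eligible
# assignments that nobody has activated do not count, per the caveat above).
ACTIVE_ROLE_ASSIGNMENTS = {"Global Administrator", "Application Administrator"}


def route_notifications(recommendations, active_roles, target_roles=TARGET_ROLES):
    """Map each active recommendation to the roles that would receive its email,
    and list the active recommendations whose target roles have no active assignee."""
    routed, unnotified = {}, []
    for rec in recommendations:
        if rec.get("status") != "active":
            continue  # completed, dismissed or postponed items send nothing
        name = rec["displayName"]
        recipients = [r for r in target_roles.get(name, []) if r in active_roles]
        routed[name] = recipients
        if not recipients:
            unnotified.append(name)
    return routed, unnotified


def impacted_counts(recommendations):
    """Impacted resources per active recommendation; 0 means tenant-level."""
    return {r["displayName"]: len(r.get("impactedResources", []))
            for r in recommendations if r.get("status") == "active"}
```

Recommendations that come back in the unnotified list are the ones to put on a manual review cadence, since nobody will be emailed about them.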

To receive important notifications even if your administrative accounts are not licensed, refer to this blog post: Receiving Entra Admin Notifications without a Licensed Mailbox
