Purpose of Phase 1
Phase 1 introduces security controls that:
- Increase enforcement
- May impact user experience
- Require communication and change management
- Strengthen identity governance and app consent controls
Unlike Phase 0 (Quick Wins), these settings can have a noticeable operational impact if changed abruptly.
Important: Why Voice & SMS Are Addressed in Phase 1
In Phase 0, we identify legacy authentication methods but may not immediately disable them.
Why?
In many Business Standard tenants:
- Voice and SMS MFA are actively in use
- Users may not yet be enrolled in Microsoft Authenticator
- Security Defaults may still allow these methods
Turning these off without preparation can:
- Lock out users
- Break sign-in flows
- Disrupt onboarding
Therefore:
🔹 Phase 0 = Identify & prepare
🔹 Phase 1 = Enforce & modernize
Voice and SMS are considered legacy MFA methods due to:
- SIM swap attacks
- Telecom interception
- MFA fatigue & OTP phishing kits
Microsoft’s guidance supports moving toward modern app-based MFA and phishing-resistant methods. See: Phishing-resistant MFA | Microsoft Learn
Phase 1 – M365 Admin
Password Expiration Policy
Recommendation: Disable forced password expiration.
Why:
Microsoft no longer recommends periodic password expiration in modern environments.
When MFA is enabled:
- Frequent password changes encourage weaker passwords
- Users increment patterns (Password1 → Password2)
- The security benefit is minimal
Phase 1 aligns with modern password guidance:
Strong password + MFA > Expiration cycling
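The setting above is a per-domain value in Entra. The following Microsoft Graph PowerShell script is an added example (not from the original document) that sets every verified domain to "never expire" and verifies the result. It assumes the Microsoft.Graph module is installed and that the signed-in account holds a role allowed to update domains.

```powershell
# Added example (not part of the original document): disable forced password
# expiration on every verified domain. Assumes the Microsoft.Graph module and an
# account (e.g. Global Administrator) that may update domains.
Connect-MgGraph -Scopes "Domain.ReadWrite.All" -NoWelcome

# 2147483647 days is the documented sentinel for "passwords never expire".
$NeverExpires = 2147483647

foreach ($domain in Get-MgDomain | Where-Object { $_.IsVerified }) {
    if ($domain.PasswordValidityPeriodInDays -eq $NeverExpires) {
        Write-Host "$($domain.Id): already set to never expire"
        continue
    }
    Write-Host "$($domain.Id): currently $($domain.PasswordValidityPeriodInDays) days -> never expire"
    Update-MgDomain -DomainId $domain.Id `
        -PasswordValidityPeriodInDays $NeverExpires `
        -PasswordNotificationWindowInDays 14
}

# Verify: every verified domain should now report the sentinel value.
Get-MgDomain | Where-Object { $_.IsVerified } |
    Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays
```

The domain setting governs cloud-only accounts; for identities synchronised from on-premises Active Directory, the on-premises password policy still decides expiration, so check both places before telling users their passwords no longer expire.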
🔐 Phase 1 – Entra Controls
Registration Campaign
Encourages users to register Microsoft Authenticator.
Why Phase 1?
Before disabling SMS and Voice MFA, we ensure:
- Users are enrolled in modern MFA
- Number matching is enabled
- Authentication method coverage is complete
This bridges the gap before enforcing stronger controls.
Voice Call Authentication Configuration
Action: Disable (if not already).
Why Now?
By Phase 1:
- The registration campaign has run
- Authenticator adoption has increased
- Change communication has occurred
Voice MFA is vulnerable to:
- SIM swap attacks
- VoIP manipulation
- Telecom redirection fraud
SMS Authentication Configuration
Action: Disable (unless an exception is required).
SMS OTP is vulnerable to:
- Phishing proxy kits
- SIM hijacking
- SS7 telecom exploits
Disabling SMS is a strong security posture improvement, but it must follow enrollment planning.
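The Registration Campaign, Voice and SMS sections above describe one ordered procedure: run the campaign, confirm coverage, and only then turn the phone-based methods off. The script below is an added example (not from the original document) that performs that sequence with Microsoft Graph PowerShell and refuses to disable Voice/SMS while members still depend on them. It assumes the Microsoft.Graph module and an Authentication Policy Administrator account; `$MinimumCoverage` and the output file path are assumptions, and the methods are read per user from `/users/{id}/authentication/methods` rather than from a tenant-wide report.

```powershell
# Added example (not part of the original document): campaign -> measure coverage
# -> gated disable of Voice and SMS. Assumes Microsoft.Graph and an Authentication
# Policy Administrator account; $MinimumCoverage and the file path are assumptions.
$scopes = @("Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.Read.All", "User.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome

# Step 1 - registration campaign: every user is nudged to set up Microsoft Authenticator.
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = "enabled"
            snoozeDurationInDays = 1     # users may postpone, but only one day at a time
            includeTargets       = @(@{
                id                           = "all_users"
                targetType                   = "group"
                targetedAuthenticationMethod = "microsoftAuthenticator"
            })
        }
    }
}

# Step 2 - find members whose only MFA method is a phone number. Each method is
# classified by its @odata.type; a phone method covers both SMS and voice.
$Modern = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)
$PhoneType = "#microsoft.graph.phoneAuthenticationMethod"

$members = @(Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
                        -Property Id, UserPrincipalName)
$phoneOnly = @(foreach ($u in $members) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties["@odata.type"] }
    $hasModern = [bool]($types | Where-Object { $Modern -contains $_ })
    if (($types -contains $PhoneType) -and -not $hasModern) { $u.UserPrincipalName }
})
$coverage = 1 - ($phoneOnly.Count / [math]::Max($members.Count, 1))
$phoneOnly | Set-Content -Path .\phase1-phone-only-users.txt   # hand this list to the comms plan

# Step 3 - gate: keep Voice/SMS until coverage meets the change-management target.
$MinimumCoverage = 0.98   # assumed threshold
if ($coverage -lt $MinimumCoverage) {
    Write-Warning ("Modern MFA coverage is {0:P1}; {1} member(s) rely only on phone methods. Voice/SMS stay enabled." -f $coverage, $phoneOnly.Count)
    return
}

# Step 4 - disable both phone-based methods tenant-wide, then verify the state.
foreach ($m in @(
    @{ Id = "Sms";   Type = "#microsoft.graph.smsAuthenticationMethodConfiguration" },
    @{ Id = "Voice"; Type = "#microsoft.graph.voiceAuthenticationMethodConfiguration" })) {
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $m.Id `
        -BodyParameter @{ "@odata.type" = $m.Type; state = "disabled" }
}
(Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
    Where-Object { $_.Id -in @("Sms", "Voice") } | Select-Object Id, State
```

If a documented exception is required (for example a small group of shared-device users), keep the SMS configuration enabled but scope its `includeTargets` to that group instead of the whole tenant, and record the exception with an expiry date so it is revisited.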
Security Defaults
Security Defaults provide baseline identity protection for Business Standard tenants.
Includes:
- MFA enforcement
- Legacy authentication blocking
- Admin protection
- Risk mitigation
This is critical if Conditional Access is not deployed.
Security Defaults is often misunderstood. Phase 1 ensures it is evaluated, configured correctly, or replaced with Conditional Access if licensing changes.
Entra Password Protection
Password protection is on by default for Business Standard; the advanced implementation requires Entra ID P1.
It helps to:
- Block common passwords
- Enforce banned password lists
- Protect against password spray attacks
This is especially important in Business Standard, where P2 risk policies are unavailable.
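The Security Defaults and Entra Password Protection sections are both about the baseline that has to hold when Conditional Access is unavailable. The script below is an added example (not from the original document) that makes the Security Defaults decision explicit and then reviews the tenant's password-protection values. It assumes the Microsoft.Graph module and an account that can read Conditional Access policies and write identity policies and directory settings; the banned terms are made-up examples, and the custom list is the P1 feature the section refers to.

```powershell
# Added example (not part of the original document): evaluate Security Defaults
# against Conditional Access, then review Entra password protection. Assumes
# Microsoft.Graph and a sufficiently privileged account; banned terms are examples.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All" -NoWelcome

# --- Security Defaults -------------------------------------------------------
# Security Defaults cannot be turned on while enabled Conditional Access policies
# exist, so the question is: which of the two currently enforces MFA in this tenant?
$defaults   = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caEnforced = @(Get-MgIdentityConditionalAccessPolicy -ErrorAction SilentlyContinue |
                Where-Object { $_.State -eq "enabled" })

if ($caEnforced.Count -gt 0) {
    Write-Host "Conditional Access enforces $($caEnforced.Count) policy(ies); Security Defaults enabled = $($defaults.IsEnabled)."
} elseif (-not $defaults.IsEnabled) {
    Write-Warning "Neither Security Defaults nor an enabled Conditional Access policy is in place: no baseline MFA enforcement."
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
} else {
    Write-Host "Security Defaults is enabled and no Conditional Access policy conflicts with it."
}

# --- Entra password protection ----------------------------------------------
# Tenant-wide values live in the "Password Rule Settings" directory setting, which
# Graph v1.0 exposes under groupSettings. The global banned-password check and
# smart lockout are always on; the custom banned list only takes effect with Entra ID P1.
$template = Get-MgGroupSettingTemplate | Where-Object { $_.DisplayName -eq "Password Rule Settings" }
$setting  = Get-MgGroupSetting | Where-Object { $_.TemplateId -eq $template.Id }

if (-not $setting) {
    # No tenant override exists yet: create one from the template defaults.
    $defaultValues = @($template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } })
    $setting = New-MgGroupSetting -TemplateId $template.Id -Values $defaultValues
}
"Current password protection values:"
$setting.Values | Select-Object Name, Value

# Desired values (assumed): keep the global check on and add organisation-specific
# terms to the custom list. The list is tab-separated.
$desired = @{
    EnableBannedPasswordCheck = "True"
    BannedPasswordList        = @("Contoso", "ContosoHQ", "Welcome2025") -join "`t"
}
$values = @(foreach ($v in $setting.Values) {
    $new = if ($desired.ContainsKey($v.Name)) { $desired[$v.Name] } else { $v.Value }
    @{ Name = $v.Name; Value = $new }
})
Update-MgGroupSetting -GroupSettingId $setting.Id -Values $values
```

Rebuilding the full value list before the update, rather than sending only the two changed names, keeps the lockout values the tenant already has exactly as they were.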
Entra Enterprise Application – User Consent Settings
Restrict default user consent to applications.
Why?
Unrestricted user consent allows:
- OAuth phishing attacks
- Malicious app registrations
- Data exfiltration via Graph permissions
Best Practice:
- Disable broad user consent
- Allow admin-approved app workflows
Enterprise Application – Admin Consent Settings
Require admin review for high-permission applications.
This prevents:
- Users granting Directory.ReadWrite.All
- Global API abuse
- Token persistence attacks
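The User Consent and Admin Consent sections together describe one change: users stop consenting on their own and an admin-approved request workflow takes over. The script below is an added example (not from the original document) that applies both settings with Microsoft Graph PowerShell and then lists the delegated permissions users granted before the change, since those grants are not undone by tightening the policy. It assumes the Microsoft.Graph module and a Global Administrator account; the reviewer UPN and the high-risk scope list are assumptions.

```powershell
# Added example (not part of the original document): restrict user consent, enable
# the admin consent request workflow, and surface pre-existing user grants for review.
# Assumes Microsoft.Graph and a Global Administrator; reviewer UPN and scope list are assumptions.
$scopes = @("Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Directory.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. User consent is governed by the permission-grant policies assigned to the default
#    user role. "ManagePermissionGrantsForSelf.*" entries let users consent on their own;
#    removing only those disables user consent while leaving owner-scoped policies intact.
$authz = Get-MgPolicyAuthorizationPolicy
"Before: " + ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ", ")
$keep = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
          Where-Object { $_ -notlike "ManagePermissionGrantsForSelf.*" })
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = $keep }
}

# 2. Admin consent request workflow: users can ask, a named reviewer decides.
$reviewer = Get-MgUser -UserId "secadmin@contoso.example"    # assumed reviewer account
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })
}

# 3. Grants individual users already made (consentType = Principal) that include
#    high-impact delegated scopes. These predate the policy change and need review.
$HighRisk = @("Directory.ReadWrite.All", "Mail.Read", "Mail.ReadWrite",
              "Files.ReadWrite.All", "Sites.ReadWrite.All", "MailboxSettings.ReadWrite")
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq "Principal" }
$findings = @(foreach ($g in $userGrants) {
    $risky = @($g.Scope -split " " | Where-Object { $HighRisk -contains $_ })
    if ($risky.Count -gt 0) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            GrantedById = $g.PrincipalId
            RiskyScopes = $risky -join " "
            GrantId     = $g.Id
        }
    }
})
$findings | Format-Table -AutoSize
# After review, a grant is revoked with:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

The third step is the part most tenants skip: the consent policy only affects future grants, so the list it produces is the actual Phase 1 clean-up backlog.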
Enable Guest Self-Service Sign-Up via User Flows
This must be carefully evaluated.
In many Business Standard tenants, this should be disabled unless explicitly needed.
Why?
Self-service external onboarding can:
- Bypass governance
- Introduce unmanaged external identities
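Self-service sign-up is a single tenant-wide switch on the authentication flows policy, with user flows only taking effect while it is on. The script below is an added example (not from the original document) that confirms the switch is off and inventories any user flows that remain. It assumes the Microsoft.Graph module and an account allowed to read and write the authentication flows policy and read user flows.

```powershell
# Added example (not part of the original document): ensure guest self-service
# sign-up is disabled and list leftover user flows. Assumes Microsoft.Graph and an
# account with the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationFlows", "IdentityUserFlow.Read.All" -NoWelcome

$flowPolicy = Get-MgPolicyAuthenticationFlowPolicy
if ($flowPolicy.SelfServiceSignUp.IsEnabled) {
    Write-Warning "Self-service sign-up is enabled; disabling it (no exception is recorded for this tenant)."
    Update-MgPolicyAuthenticationFlowPolicy -SelfServiceSignUp @{ IsEnabled = $false }
} else {
    Write-Host "Self-service sign-up is already disabled."
}

# User flows are inert while the switch is off, but a stale flow is governance debt:
# each one listed here should have an owner and a documented reason to exist.
$flows = @(Get-MgIdentityB2xUserFlow)
if ($flows.Count -eq 0) {
    Write-Host "No self-service sign-up user flows defined."
} else {
    $flows | Select-Object Id, UserFlowType
}
```

If an exception is approved later, re-enabling the switch is the same call with `IsEnabled = $true`; the flow inventory above is what the approver should see before that happens.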
