Keeping track of all the settings and resources in your tenant can be overwhelming. The Microsoft Entra recommendations feature helps monitor the status of your tenant so you don't have to. These recommendations help ensure your tenant is in a secure and healthy state while also helping you maximize the value of the features available in Microsoft Entra ID.
Microsoft Entra recommendations now include Identity Secure Score recommendations. These recommendations provide similar insights into the security of your tenant. For more information, see What is Identity Secure Score.
All these Microsoft Entra recommendations provide you with personalized insights with actionable guidance to:
- Help you identify opportunities to implement identity best practices.
- Improve the state of your Microsoft Entra tenant.
- Optimize the configurations for your scenarios.
This article gives you an overview of how you can use Microsoft Entra recommendations.
How does it work?
On a daily basis, Microsoft Entra ID analyzes the configuration of your tenant. During this analysis, Microsoft Entra ID compares the configuration of your tenant with security best practices and recommendation data. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the Recommendations section of the Microsoft Entra identity overview area.

Each recommendation contains a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, so you can resolve each affected area. If a recommendation doesn't have any associated resources, the impacted resource type is Tenant level, so your step-by-step action plan impacts the entire tenant and not just a specific resource. The system processes recommendation data daily, reflecting activity from the preceding 24-hour window. Occasionally, data synchronization may extend up to 72 hours.
Recommendations overview table
The recommendations listed in the following table are currently available in public preview or general availability. The table shows each recommendation's availability, the types of resources it addresses, whether it counts toward the Identity Secure Score, and which roles receive email notifications for it. The license requirements for recommendations in public preview are subject to change. The table provides links to available documentation for those recommendations that require separate guidance.
| Recommendation | Impacted resources | Availability | Counts toward Identity Secure Score | Target roles for email notifications |
|---|---|---|---|---|
| AAD Connect Deprecated | Tenant | Preview | No | Hybrid Identity Administrator | 
| Configure VPN integration | Users | Preview | Yes | N/A | 
| Convert per-user MFA to Conditional Access MFA | Users | Generally available | No | Security Administrator | 
| Designate more than one Global Administrator | Users | Generally available | Yes | Global Administrator | 
| Disable Print spooler service on domain controllers | Tenant | Preview | Yes | N/A | 
| Do not allow users to grant consent to unreliable applications | Tenant | Generally available | Yes | Global Administrator | 
| Do not expire passwords | Tenant | Generally available | Yes | Global Administrator | 
| Edit misconfigured Certificate Authority ACL | Applications | Preview | Yes | N/A | 
| Edit misconfigured certificate templates access control lists | Applications | Preview | Yes | N/A | 
| Edit misconfigured certificate templates owner | Applications | Preview | Yes | N/A | 
| Edit misconfigured enrollment agent certificate template | Applications | Preview | Yes | N/A | 
| Edit overly permissive Certificate Template with privileged EKU | Applications | Preview | Yes | N/A | 
| Edit vulnerable Certificate Authority setting | Applications | Preview | Yes | N/A | 
| Enable password hash sync if hybrid | Tenant | Generally available | Yes | Hybrid Identity Administrator | 
| Enable policy to block legacy authentication | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator | 
| Enable self-service password reset | Users | Generally available | Yes | Authentication Policy Administrator | 
| Ensure all users can complete multifactor authentication | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator | 
| Ensure privileged accounts are not delegated | Users | Preview | Yes | N/A | 
| Group Policy Object (GPO) assigns unprivileged identities to local groups with elevated privileges | Users | Preview | Yes | N/A | 
| Migrate applications from AD FS to Microsoft Entra ID | Applications | Generally available | No | Application Administrator, Authentication Administrator, Hybrid Identity Administrator |
| Migrate applications from the retiring Azure AD Graph APIs to Microsoft Graph | Applications | Preview | No | Application Administrator | 
| Migrate from ADAL to MSAL | Applications | Generally available | No | Application Administrator | 
| Migrate from MFA server to Microsoft Entra MFA | Tenant | Generally available | No | Global Administrator |
| Migrate service principals from the retiring Azure AD Graph APIs to Microsoft Graph | Applications | Preview | No | Application Administrator | 
| Migrate to Microsoft Authenticator | Users | Preview | No | Global Administrator | 
| Minimize MFA prompts from known devices | Users | Generally available | No | Global Administrator | 
| Modify unsecure Kerberos delegations to prevent impersonation | Applications | Preview | Yes | N/A | 
| Prevent Certificate Enrollment with arbitrary application policies | Applications | Preview | Yes | N/A | 
| Protect all users with a sign-in risk policy | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator | 
| Protect all users with a user risk policy | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator | 
| Protect and manage local admin passwords with Microsoft LAPS | Users | Preview | Yes | N/A | 
| Protect your tenant with Insider Risk Conditional Access policy | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator | 
| Reduce lateral movement path risk to sensitive entities | Users | Preview | Yes | N/A | 
| Remove access rights on suspicious accounts with the Admin SDHolder permission | Users | Preview | Yes | N/A | 
| Remove dormant accounts from sensitive groups | Users | Preview | Yes | N/A | 
| Remove non-admin accounts with DCsync permissions | Users | Preview | Yes | N/A | 
| Remove unsafe permissions on sensitive Microsoft Entra Connect accounts | Users | Preview | Yes | N/A | 
| Remove unused applications | Applications | Preview | No | Application Administrator | 
| Remove unused credentials from applications | Applications | Preview | No | Application Administrator | 
| Renew expiring application credentials | Applications | Preview | No | Application Administrator | 
| Renew expiring service principal credentials | Applications | Preview | No | Application Administrator | 
| Replace Enterprise or Domain Admin account for Microsoft Entra Connect AD DS Connector | Users | Preview | Yes | N/A | 
| Require MFA for administrative roles | Users | Generally available | Yes | Conditional Access Administrator, Security Administrator | 
| Resolve Unsecure Account Attributes | Users | Preview | Yes | N/A | 
| Reversible passwords found in GPOs | Users | Preview | Yes | N/A | 
| Review inactive users with Access Reviews | Users | Preview | No | Identity Governance Administrator | 
| Rotate password for Microsoft Entra Connect AD DS Connector account | Users | Preview | Yes | N/A | 
| Secure and govern your apps with automatic user and group provisioning | Applications | Preview | No | Application Administrator, IT Governance Administrator | 
| Stop clear text credentials exposure | Users | Preview | Yes | N/A | 
| Stop weak cipher usage | Tenant | Preview | Yes | N/A | 
| Use least privileged administrative roles | Users | Generally available | Yes | Privileged Role Administrator | 
| Verify App Publisher | Applications | Preview | No | Global Administrator | 
Microsoft Entra only displays the recommendations that apply to your tenant, so you might not see all supported recommendations listed.
Identity Secure Score
Your Identity Secure Score, which appears at the top of the page, is a numerical representation of the health of your tenant. Recommendations that apply to the Identity Secure Score are given individual scores in the table at the bottom of the page. You can filter the list of recommendations to only the Identity Secure Score recommendations using the Security filter card. Identity Secure Score recommendations include secure score points, which are calculated as an overall score based on several security factors.
These scores add up to generate your Identity Secure Score. For more information, see What is Identity Secure Score.

Are Microsoft Entra recommendations related to Azure Advisor?
The Microsoft Entra recommendations feature is the Microsoft Entra specific implementation of Azure Advisor, which is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. Azure Advisor analyzes your resource configuration and usage data to recommend solutions that can help you improve the cost effectiveness, performance, reliability, and security of your Azure resources.
Microsoft Entra recommendations use similar data to support you with the roll-out and management of Microsoft's best practices for Microsoft Entra tenants to keep your tenant in a secure and healthy state. The Microsoft Entra recommendations feature provides a holistic view into your tenant's security, health, and usage.
Email notifications (preview)
Microsoft Entra recommendations now send an email notification when a new recommendation is generated. This preview feature sends the email to a predetermined set of roles for each recommendation. For example, recommendations that are associated with the health of your tenant's applications are sent to users who have the Application Administrator role.
If your organization is using Privileged Identity Management (PIM), the recipients must be elevated to the role indicated in order to receive the email notification. If no one is actively assigned to the role, no emails are sent. For this reason, we recommend checking the recommendations regularly to ensure that you're aware of any new recommendations.
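Because the email notifications above depend on someone holding the target role at the time, a team will often want to poll the recommendations themselves. The following Python is an added example, not code from this page or from Microsoft: it assumes records shaped like Microsoft Graph `directory/recommendations` objects (the field names are an assumption about that API) and shows the triage described under "How does it work?": it separates tenant-level items from resource-scoped ones with their impacted-resource counts, sums the Identity Secure Score points, and flags open items whose last evaluation is older than the 72-hour synchronization window.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Graph directory/recommendations
# objects; the field names are an assumption about that API, not from this page.
SAMPLE_RECOMMENDATIONS = [
    {"id": "rec-1", "displayName": "Require MFA for administrative roles",
     "status": "active", "impactType": "Users", "currentScore": 5.0, "maxScore": 10.0,
     "lastCheckedDateTime": "2024-05-01T06:00:00Z",
     "impactedResources": [{"id": "user-a"}, {"id": "user-b"}]},
    {"id": "rec-2", "displayName": "Do not expire passwords",
     "status": "active", "impactType": "Tenant level", "currentScore": 0.0, "maxScore": 8.0,
     "lastCheckedDateTime": "2024-04-27T06:00:00Z", "impactedResources": []},
    {"id": "rec-3", "displayName": "Enable self-service password reset",
     "status": "completedByUser", "impactType": "Users", "currentScore": 7.0, "maxScore": 7.0,
     "lastCheckedDateTime": "2024-05-01T06:00:00Z", "impactedResources": []},
    {"id": "rec-4", "displayName": "Remove unused applications",
     "status": "active", "impactType": "Applications", "currentScore": None, "maxScore": None,
     "lastCheckedDateTime": "2024-05-01T06:00:00Z", "impactedResources": [{"id": "app-x"}]},
]

SYNC_LAG_LIMIT = timedelta(hours=72)  # worst-case data synchronization lag stated on the page

def parse_time(value):
    """Parse the ISO-8601 UTC timestamps Graph returns (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(records, now):
    """Return open tenant-level items, open resource-scoped items with impacted-resource
    counts, the summed Identity Secure Score (earned, possible), and stale open item ids."""
    tenant_level, scoped, stale = [], [], []
    earned = possible = 0.0
    for rec in records:
        # Completed and dismissed items still count toward the score, so tally first.
        if rec["maxScore"] is not None:
            earned += rec["currentScore"]
            possible += rec["maxScore"]
        if rec["status"] != "active":
            continue
        if now - parse_time(rec["lastCheckedDateTime"]) > SYNC_LAG_LIMIT:
            stale.append(rec["id"])
        if rec["impactType"] == "Tenant level":
            tenant_level.append(rec["displayName"])
        else:
            scoped.append((rec["displayName"], len(rec["impactedResources"])))
    return {"tenant_level": tenant_level, "scoped": scoped,
            "secure_score": (earned, possible), "stale": stale}
```

A stale entry means the displayed state may not reflect the last day's changes yet, so re-check after the synchronization window before acting on it.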