Microsoft Entra ID Recommendations — Solving Microsoft 365

The Microsoft Entra ID Recommendations dashboard surfaces tenant-specific improvement actions based on Microsoft's continuous analysis of your tenant's configuration, security posture, and feature adoption. It's like Secure Score for Entra ID specifically — concrete actionable items with stated benefit.

Where to find it

In the Microsoft Entra admin centre → Identity → Overview → Recommendations. Each recommendation has:

Title describing the action.
Impact — high / medium / low priority.
Category — security, identity, governance, etc.
Status — applies, completed, dismissed, postponed.
Description — why it matters and what to do.
Steps to remediate.

What gets recommended

A few common recommendations:

Security and identity

Enable MFA for all users — fundamental.
Block legacy authentication — closing a known bypass route.
Enable Microsoft Authenticator as preferred MFA method.
Configure self-service password reset (SSPR).
Enable Conditional Access policies for specific scenarios.
Migrate from per-user MFA to Conditional Access.
Remove unused application registrations.
Review high-risk service principals.

Governance

Enable PIM for privileged roles.
Configure access reviews for sensitive groups.
Enable group naming and expiration policies.
Review external collaboration settings.
Configure entitlement management access packages.

Hybrid identity

Migrate from Entra Connect to Entra Cloud Sync.
Enable password writeback for hybrid SSPR.
Migrate from federation (AD FS) to PHS.

Operational hygiene

Remove inactive users to reduce attack surface.
Review enterprise applications for unused or risky apps.
Configure tenant-wide branding for sign-in pages.

How to use it

A practical operating pattern:

Monthly review of new recommendations.
Triage by impact — high impact first.
Assess applicability — some recommendations don't fit every tenant.
Remediate or document why not — for recommendations you choose not to implement, capture the reason.
Track over time — completion rate and overall recommendation count are useful metrics.

Compared to other Microsoft surfaces

Entra ID Recommendations overlaps with:

Microsoft Secure Score (broader Microsoft 365 security posture).
Microsoft Defender for Cloud (Azure resource recommendations).
Microsoft Compliance Manager (compliance-framework alignment).
Microsoft Purview recommendations (data governance).

Each surface has its own area of focus; together they form Microsoft's improvement-guidance ecosystem. Entra ID Recommendations is identity-specific.

Don't blindly apply

Recommendations are generic best practices — they don't know your specific context. Examples where you might not apply:

"Disable legacy auth" — if you have a legacy app you can't yet replace, you're applying it differently.
"Enable PIM" — if your tenant has only 2 admins with valid reasons for standing access.
"Migrate from federation" — if specific business reasons keep AD FS in place.

For each recommendation, evaluate fit; apply or document the reason for not applying. Recommendations that don't fit and are persistently dismissed are signal — re-evaluate periodically as context changes.

Automation

For organisations operating Entra ID at scale, Entra ID Recommendations API lets you pull recommendations programmatically — integrate into your operations runbooks, dashboards, alerting.

Where this fits

Recommendations are tactical guidance. Strategy (covered in the Microsoft 365 strategy guide) is the broader direction. Together: strategy sets direction; recommendations are the next tactical actions consistent with that direction.

For Entra ID admins, periodic review of Recommendations is one of those low-effort, high-leverage habits. Microsoft is continuously updating the guidance as identity threats evolve; staying current is essentially free if you read regularly.