
Identity security

Hardening Entra ID: the ten controls that stop real tenant compromises

Gociux · June 2026 · 7 min read

Identity is the perimeter now, and in Microsoft-shop reality that means Entra ID is the perimeter. Most real tenant compromises don't use exotic techniques; they walk through the same handful of open doors. These are the ten controls that close them, roughly in order of how often their absence shows up in incidents.

1. Kill legacy authentication — completely

Basic authentication over protocols like IMAP, POP3 and SMTP cannot perform MFA, which makes it the universal MFA bypass: an attacker who holds a password simply picks a legacy protocol. Block legacy authentication tenant-wide with Conditional Access, then watch sign-in logs for what breaks — the answer is usually one ancient scanner or script that deserved replacement years ago.

2. MFA for everyone, no exceptions list that grows

The exceptions are the breach. Every "temporary" exclusion for an executive, a service workflow, or a stubborn application is a standing invitation. If something genuinely cannot do MFA, it needs compensating controls and an expiry date, not a permanent pass.

3. Phishing-resistant MFA for privileged roles

Push notifications and SMS fall to real-time phishing kits and MFA fatigue. For Global Admins and other privileged roles, require FIDO2 security keys or passkeys — methods that cryptographically bind to the legitimate domain and cannot be relayed by a lookalike login page.

4. Break-glass accounts, excluded and watched

Two emergency accounts, excluded from Conditional Access so a misconfigured policy can't lock everyone out, with long random credentials stored offline — and an alert that fires on any use. An unmonitored break-glass account is just a backdoor with documentation.

5. Conditional Access as policy, not patchwork

Healthy tenants have a small, comprehensible policy set: require MFA for all users, block legacy auth, require compliant or hybrid-joined devices for sensitive apps, restrict or step up risky sign-ins. Unhealthy tenants have forty overlapping policies nobody dares touch. Use report-only mode to test, and document the intent of each policy.
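Controls 1 to 5 all come down to the same question: does the policy set, as exported, actually do what the tenant believes it does? The script below is an added example, not Gociux's own tooling. It assumes the Microsoft Graph `conditionalAccessPolicy` shape returned by `GET /identity/conditionalAccess/policies`; the three policies, the break-glass object ids and the authentication-strength id are constructed sample data (the Global Administrator role template id is the real one). It checks for an enforced legacy-auth block, an enforced MFA-for-everyone policy, an enforced authentication strength for Global Administrators, exclusions that have grown beyond the break-glass pair, break-glass accounts missing from a policy's exclusions, and policies that never left report-only mode.

```python
"""Audit an exported Conditional Access policy set for the gaps behind
controls 1 to 5. Added example, not gociux's code; it assumes the
Microsoft Graph conditionalAccessPolicy shape returned by
GET /identity/conditionalAccess/policies, and every policy and id below
except the GA role template id is constructed sample data."""
from typing import Dict, List, Set

# Constructed: object ids of the two break-glass accounts (control 4).
BREAK_GLASS_IDS: Set[str] = {"bg-0001", "bg-0002"}
# Real Entra role template id for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# The two Graph clientAppTypes that represent legacy authentication;
# a "block" grant on both is what "block legacy auth" means in CA terms.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

SAMPLE_POLICIES: List[Dict] = [
    {"displayName": "CA001 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001", "bg-0002"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA002 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              # the exceptions list that grows (control 2)
                              "excludeUsers": ["bg-0001", "bg-0002", "exec-cfo", "svc-scanner"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 Phishing-resistant MFA for admins",
     "state": "enabledForReportingButNotEnforced",  # never left report-only
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": ["bg-0001"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     # authenticationStrength id is a placeholder for the tenant's own value
     "grantControls": {"operator": "OR",
                       "authenticationStrength": {"id": "PLACEHOLDER-STRENGTH-ID",
                                                  "displayName": "Phishing-resistant MFA"}}},
]


def _users(p: Dict) -> Dict:
    return p.get("conditions", {}).get("users", {})


def _grant(p: Dict) -> Dict:
    return p.get("grantControls") or {}


def blocks_legacy_auth(p: Dict) -> bool:
    """Enabled, all users, both legacy client types, grant = block (control 1)."""
    return (p.get("state") == "enabled"
            and "All" in _users(p).get("includeUsers", [])
            and LEGACY_CLIENT_APP_TYPES <= set(p["conditions"].get("clientAppTypes", []))
            and "block" in _grant(p).get("builtInControls", []))


def requires_mfa_for_all(p: Dict) -> bool:
    """Enabled, all users, all apps, grant = mfa or an authentication strength (control 2)."""
    g = _grant(p)
    strong = "mfa" in g.get("builtInControls", []) or g.get("authenticationStrength") is not None
    return (p.get("state") == "enabled"
            and "All" in _users(p).get("includeUsers", [])
            and "All" in p["conditions"].get("applications", {}).get("includeApplications", [])
            and strong)


def enforces_strength_for_global_admins(p: Dict) -> bool:
    """Enabled policy targeting the GA role with an authentication strength (control 3)."""
    return (p.get("state") == "enabled"
            and GLOBAL_ADMIN_ROLE in _users(p).get("includeRoles", [])
            and _grant(p).get("authenticationStrength") is not None)


def non_break_glass_exclusions(p: Dict) -> Set[str]:
    """Excluded users that are not the break-glass pair: the list that must not grow."""
    return set(_users(p).get("excludeUsers", [])) - BREAK_GLASS_IDS


def audit(policies: List[Dict]) -> List[str]:
    findings: List[str] = []
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("no enabled policy blocks legacy authentication for all users")
    if not any(requires_mfa_for_all(p) for p in policies):
        findings.append("no enabled policy requires MFA for all users on all apps")
    if not any(enforces_strength_for_global_admins(p) for p in policies):
        findings.append("no enabled policy requires an authentication strength for Global Administrators")
    for p in policies:
        name = p["displayName"]
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: still in report-only mode")
        extra = non_break_glass_exclusions(p)
        if extra:
            findings.append(f"{name}: exclusions beyond break-glass {sorted(extra)}")
        missing = BREAK_GLASS_IDS - set(_users(p).get("excludeUsers", []))
        if missing and p.get("state") != "disabled":
            findings.append(f"{name}: break-glass accounts not excluded {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print("FINDING:", line)
```

Against the sample set the audit returns four findings: the admin strength policy is only report-only (so nothing enforces it), CA002 carries two exclusions beyond the break-glass pair, and CA003 both sits in report-only and omits the second break-glass account. Policies pulled from a real tenant via Graph drop straight into `audit()` in place of `SAMPLE_POLICIES`.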

6. Tame user app consent

Illicit consent grants are a quiet epidemic: users approve an OAuth app once and the attacker holds durable API access that survives password resets and MFA. Restrict user consent to verified publishers and low-risk permissions (or disable it), route the rest through admin consent workflow, and review existing grants — the archaeology is usually sobering.

7. Privileged role hygiene with PIM

Count your Global Administrators; if the number embarrasses you, you're typical. Keep standing GAs to a bare minimum, use least-privileged roles for daily work, and make elevation just-in-time through Privileged Identity Management with approval and time limits. Standing privilege is standing risk.

8. Turn the risk signals on

Entra's identity protection signals — leaked credentials, anomalous travel, unfamiliar sign-in properties — should at minimum alert, and ideally gate access via risk-based Conditional Access. A leaked-credential detection nobody reads is indistinguishable from no detection.

9. Ship the logs out

Sign-in and audit logs have limited native retention. Export them to your SIEM — they are the primary evidence in any identity incident, and the difference between answering "what did this account touch" in minutes versus never.
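Once the logs are in the SIEM, the first three questions a reviewer asks of them are the ones behind controls 1, 4 and 8: what will a legacy-auth block break, has a break-glass account been used, and which sign-ins did Identity Protection score as risky. The script below is an added example, not Gociux's code. It assumes records in a subset of the Microsoft Graph `signIn` shape (`GET /auditLogs/signIns`) as a SIEM export would hold them; the six JSON lines, the UPNs and the IP addresses are constructed, not from a real tenant.

```python
"""Run a few identity-incident checks over exported Entra sign-in records.
Added example, not gociux's code. Records use a subset of the Microsoft
Graph signIn fields (GET /auditLogs/signIns); the JSON lines below are
constructed sample data."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set

# Graph reports modern-auth clients under exactly these two clientAppUsed
# values; anything else (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other
# clients") is legacy authentication that cannot be challenged for MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed: the two break-glass UPNs (control 4).
BREAK_GLASS_UPNS: Set[str] = {"breakglass1@example.com", "breakglass2@example.com"}

# Constructed sample export, one JSON object per line. errorCode 0 is success,
# 50126 is a bad password, 53003 is "blocked by Conditional Access".
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2026-06-01T08:55:03Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","ipAddress":"203.0.113.10","status":{"errorCode":0},"riskLevelDuringSignIn":"none","authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2026-06-01T08:56:11Z","userPrincipalName":"svc-scanner@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.7","status":{"errorCode":0},"riskLevelDuringSignIn":"none","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-01T08:57:40Z","userPrincipalName":"svc-scanner@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.7","status":{"errorCode":0},"riskLevelDuringSignIn":"none","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-01T09:00:17Z","userPrincipalName":"breakglass1@example.com","clientAppUsed":"Browser","ipAddress":"203.0.113.55","status":{"errorCode":0},"riskLevelDuringSignIn":"none","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-01T09:02:09Z","userPrincipalName":"bob@example.com","clientAppUsed":"Browser","ipAddress":"192.0.2.200","status":{"errorCode":50126},"riskLevelDuringSignIn":"high","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2026-06-01T09:03:30Z","userPrincipalName":"carol@example.com","clientAppUsed":"Exchange ActiveSync","ipAddress":"203.0.113.20","status":{"errorCode":53003},"riskLevelDuringSignIn":"none","authenticationRequirement":"singleFactorAuthentication"}
"""


def parse_signins(text: str) -> List[Dict]:
    """One record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(rec: Dict) -> bool:
    return rec.get("clientAppUsed") not in MODERN_CLIENTS


def succeeded(rec: Dict) -> bool:
    return rec.get("status", {}).get("errorCode", -1) == 0


def legacy_auth_breakage(records: Iterable[Dict]) -> Counter:
    """Successful legacy sign-ins by (user, client): exactly what a tenant-wide
    block will break (control 1). Already-blocked attempts are not counted."""
    return Counter((r["userPrincipalName"], r["clientAppUsed"])
                   for r in records if is_legacy(r) and succeeded(r))


def break_glass_activity(records: Iterable[Dict], upns: Set[str] = BREAK_GLASS_UPNS) -> List[Dict]:
    """Any sign-in attempt by a break-glass account, successful or not (control 4)."""
    return [r for r in records if r.get("userPrincipalName") in upns]


def risky_signins(records: Iterable[Dict], levels=("medium", "high")) -> List[Dict]:
    """Sign-ins Identity Protection scored medium or high at sign-in time (control 8)."""
    return [r for r in records if r.get("riskLevelDuringSignIn") in levels]


def triage(text: str) -> Dict:
    records = parse_signins(text)
    return {"legacy_breakage": legacy_auth_breakage(records),
            "break_glass_use": break_glass_activity(records),
            "risky": risky_signins(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNIN_LOG)
    for (user, client), n in result["legacy_breakage"].items():
        print(f"will break when legacy auth is blocked: {user} via {client} ({n} sign-ins)")
    for r in result["break_glass_use"]:
        print(f"ALERT break-glass use: {r['userPrincipalName']} from {r['ipAddress']} at {r['createdDateTime']}")
    for r in result["risky"]:
        print(f"risky sign-in: {r['userPrincipalName']} risk={r['riskLevelDuringSignIn']} error={r['status']['errorCode']}")
```

On the sample the scanner account's two successful IMAP4 sign-ins are the only breakage (Carol's ActiveSync attempt was already blocked, so it is not counted), the break-glass account shows one use that should page someone, and Bob's failed sign-in carries a high risk score that deserves a look even though it did not succeed.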

10. Review enterprise applications and their credentials

Service principals with expired owners, multi-tenant apps with broad Graph permissions, client secrets that never rotate — the application layer accumulates risk silently. Inventory it on a schedule.
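The consent archaeology of control 6 and the application inventory of control 10 are the same pass over two Graph collections. The script below is an added example, not Gociux's code. It assumes the Microsoft Graph shapes of `oAuth2PermissionGrant` (`GET /oauth2PermissionGrants`) and `servicePrincipal` (`GET /servicePrincipals`), with each principal's owners joined in from its `/owners` endpoint; the tenant ids, apps, grants, credential dates and the high-risk scope list are constructed sample data and a starting policy, not Microsoft's classification.

```python
"""Review OAuth consent grants and application credentials (controls 6 and 10).
Added example, not gociux's code. Assumes the Microsoft Graph shapes of
oAuth2PermissionGrant and servicePrincipal, with owners joined in from
/servicePrincipals/{id}/owners; all ids, apps and dates are constructed."""
from datetime import datetime, timezone
from typing import Dict, List, Set

OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed
# Delegated scopes worth a human look: durable mailbox, file and directory
# access that survives a password reset. Extend to taste.
HIGH_RISK_SCOPES: Set[str] = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Directory.AccessAsUser.All",
    "MailboxSettings.ReadWrite"}
MAX_SECRET_LIFETIME_DAYS = 365  # anything longer is "never rotates" in practice

SAMPLE_SERVICE_PRINCIPALS: List[Dict] = [
    {"id": "sp-mailsync", "displayName": "Mail Sync Helper",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",  # another tenant's app
     "owners": [], "passwordCredentials": []},
    {"id": "sp-reporting", "displayName": "Internal Reporting",
     "appOwnerOrganizationId": OUR_TENANT_ID, "owners": ["ops-lead"],
     "passwordCredentials": [
         {"keyId": "k1", "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
         {"keyId": "k2", "startDateTime": "2026-01-01T00:00:00Z", "endDateTime": "2099-12-31T00:00:00Z"}]},
]
SAMPLE_GRANTS: List[Dict] = [
    # consentType "Principal" = one user consented; "AllPrincipals" = admin consent
    {"clientId": "sp-mailsync", "consentType": "Principal", "principalId": "user-dave",
     "scope": "openid profile offline_access Mail.ReadWrite Files.Read.All"},
    {"clientId": "sp-reporting", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
]


def _parse(ts: str) -> datetime:
    """Graph timestamps end in Z; make them timezone-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def risky_scopes(grant: Dict) -> Set[str]:
    """Scopes in a grant (space-separated in Graph) that are on the watch list."""
    return set(grant.get("scope", "").split()) & HIGH_RISK_SCOPES


def review_grants(grants: List[Dict], sps: List[Dict]) -> List[str]:
    """Flag grants carrying high-risk scopes; user consent is the illicit-consent pattern."""
    names = {sp["id"]: sp["displayName"] for sp in sps}
    findings: List[str] = []
    for g in grants:
        bad = risky_scopes(g)
        if not bad:
            continue
        who = "user-consented" if g["consentType"] == "Principal" else "admin-consented"
        findings.append(f"{names.get(g['clientId'], g['clientId'])}: {who} high-risk scopes {sorted(bad)}")
    return findings


def review_service_principals(sps: List[Dict], now: datetime) -> List[str]:
    """Ownerless apps, apps owned by other tenants, expired and never-rotated secrets."""
    findings: List[str] = []
    for sp in sps:
        name = sp["displayName"]
        if not sp.get("owners"):
            findings.append(f"{name}: no owners")
        if sp.get("appOwnerOrganizationId") != OUR_TENANT_ID:
            findings.append(f"{name}: multi-tenant app owned by another tenant")
        for cred in sp.get("passwordCredentials", []):
            start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
            lifetime = (end - start).days
            if end < now:
                findings.append(f"{name}: secret {cred['keyId']} expired {end.date()}")
            elif lifetime > MAX_SECRET_LIFETIME_DAYS:
                findings.append(f"{name}: secret {cred['keyId']} lifetime {lifetime} days exceeds {MAX_SECRET_LIFETIME_DAYS}")
    return findings


def inventory(grants: List[Dict], sps: List[Dict], now: datetime) -> List[str]:
    return review_grants(grants, sps) + review_service_principals(sps, now)


if __name__ == "__main__":
    for line in inventory(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, datetime.now(timezone.utc)):
        print("FINDING:", line)
```

Run against the sample with a review date of 1 June 2026 it produces five findings: a user-consented grant holding mailbox and file scopes for an app that has no owners and belongs to another tenant, plus one expired secret and one effectively permanent secret on the internal reporting app. The `scope` string of an admin-consented grant is parsed the same way, so the review is not blind to over-broad admin consent either.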

Test yourself with one question: if a user's password and a push-approval were phished at 09:00, which control in your tenant stops the attacker, and which log tells you it happened? If both answers are confident, the rest is refinement.

When did anyone last review your tenant?

We run structured Entra ID and Microsoft 365 hardening reviews — Conditional Access, privileged access, app consent, and the audit trail — with a prioritized fix list your team can execute.

Book a free assessment call