What to lock down first
On average, organizations have 30 known, high-risk misconfigurations sitting open, according to a recent Huntress/UserEvidence survey of IT and security professionals. Given this backlog and potential impact to end users, organizations often take a triage approach, addressing the most critical gaps first.
MFA coverage and enforcement gaps
Multi-factor authentication (MFA) is possibly the single most important fundamental control in Entra ID identity management. CISA estimates that MFA makes a user 99% less likely to be hacked. And yet, MFA is often not consistently enforced. A single account without MFA leaves your business vulnerable to a wide array of credential abuse tactics. While MFA is non-negotiable, mature environments should move away from legacy authentication methods (e.g., SMS, voice calls, and standard push notifications), which are vulnerable to interceptive and MFA fatigue attacks. Instead, enforce phishing-resistant MFA (e.g., FIDO2 security keys, Windows Hello for Business), especially for administrative accounts.
Conditional Access policies
Sophisticated attackers find other ways around standard MFA, such as adversary-in-the-middle (AiTM) attacks. Using toolkits like Tycoon 2FA, attackers set up a proxy server between the victim and the Microsoft login page. When the user logs in, the attacker intercepts their credentials and the authenticated session token. The user has no idea that anything shady occurred, while the attacker gains immediate access.
To guard against AiTM, Entra ID conditional access policies should evaluate signals such as the user’s location, device posture, and risky sign-in patterns rather than just relying on static login credentials. Many of the over-privileged identities and misconfigurations highlighted in the Known Gaps, Open Doors report can be mitigated with well-designed Conditional Access policies that block sign-ins from suspicious locations, untrusted VPNs, or unmanaged devices.
Global admin and privileged role assignments
In Microsoft 365 identity and access management, the Global Administrator role has unrestricted write access across all services. The more accounts that are permanently assigned this role, the greater the risk an organization runs of a tenant-wide compromise. It’s a good idea to have more than one Global Admin, but no more than necessary.
These accounts should be cloud-only identities and strictly separated from on-premises or federated identity providers. This air-gapping helps prevent an on-prem Active Directory compromise from escalating laterally into the cloud.
Except for carefully controlled “break glass” accounts, organizations should avoid standing Global Administrator privileges. Through just-in-time (JIT) access via privileged identity management (PIM), organizations can restrict escalated privileges to a specific window for a task, then revoke them after completion.
Stale accounts and inactive users
A common and high-risk attack vector, dormant accounts accumulate when employees turn over, contractor projects end, or test accounts are left active. These accounts are risky because they often go unnoticed by day-to-day security monitoring. Older accounts may even predate modern MFA requirements, making them susceptible to credential stuffing or exploitation for lateral movement and privilege escalation.
Accounts that haven’t been logged into for six months should be disabled for several weeks to test for operational disruption, then removed or archived according to organizational retention requirements.
Risky mailbox forwarding rules
Business Email Compromise (BEC) is a primary threat to organizations. Once an attacker accesses a corporate email account, they can use it to phish other employees or initiate fraudulent transactions. They typically do this by setting up mailbox rules that forward emails containing terms like “invoice” or “payment” to an attacker-controlled domain then injecting themselves into the billing process. Automatic email forwarding to remote domains should be disabled unless explicitly authorized for verified partner domains.