Microsoft 365 Identity Security Management: What to Lock Down First

Key Takeaways:

  • Organizations average 30 unresolved high-risk misconfigurations at any given time. Security teams must prioritize critical baseline identity controls—such as phishing-resistant MFA and keeping cloud admin accounts strictly isolated from on-prem directories.

  • Configuration drift, undocumented "temporary" business exceptions, and continuous SaaS platform updates will silently erode your hardened baseline unless proactively monitored.

  • Modern attackers easily bypass standard MFA. True defense requires detection and response of active threats alongside adaptive Conditional Access policies that evaluate live device posture, user location, and continuous application auditing.

As businesses increasingly rely on SaaS ecosystems like Microsoft 365, security teams have to manage a complex web of thousands of configurations to lock down the tenant. A single misconfiguration or forgotten account can open the door for a wide-ranging attack. Yet, far too often, organizations rely on periodic posture checks or discover configuration gaps only after an incident. Proactive Microsoft 365 identity security starts with locking down the settings attackers are most likely to exploit: authentication, privileges, access policies, and mailbox behavior. Let's break it down.

Learn more in our ISPM Guide.

Microsoft 365 Identity Security Management: What to Lock Down First

Key Takeaways:

  • Organizations average 30 unresolved high-risk misconfigurations at any given time. Security teams must prioritize critical baseline identity controls—such as phishing-resistant MFA and keeping cloud admin accounts strictly isolated from on-prem directories.

  • Configuration drift, undocumented "temporary" business exceptions, and continuous SaaS platform updates will silently erode your hardened baseline unless proactively monitored.

  • Modern attackers easily bypass standard MFA. True defense requires detection and response of active threats alongside adaptive Conditional Access policies that evaluate live device posture, user location, and continuous application auditing.

As businesses increasingly rely on SaaS ecosystems like Microsoft 365, security teams have to manage a complex web of thousands of configurations to lock down the tenant. A single misconfiguration or forgotten account can open the door for a wide-ranging attack. Yet, far too often, organizations rely on periodic posture checks or discover configuration gaps only after an incident. Proactive Microsoft 365 identity security starts with locking down the settings attackers are most likely to exploit: authentication, privileges, access policies, and mailbox behavior. Let's break it down.

Learn more in our ISPM Guide.

What to lock down first

On average, organizations have 30 known, high-risk misconfigurations sitting open, according to a recent Huntress/UserEvidence survey of IT and security professionals. Given this backlog and potential impact to end users, organizations often take a triage approach, addressing the most critical gaps first.

MFA coverage and enforcement gaps

Multi-factor authentication (MFA) is possibly the single most important fundamental control in Entra ID identity management. CISA estimates that MFA makes a user 99% less likely to be hacked. And yet, MFA is often not consistently enforced. A single account without MFA leaves your business vulnerable to a wide array of credential abuse tactics. While MFA is non-negotiable, mature environments should move away from legacy authentication methods (e.g., SMS, voice calls, and standard push notifications), which are vulnerable to interceptive and MFA fatigue attacks. Instead, enforce phishing-resistant MFA (e.g., FIDO2 security keys, Windows Hello for Business), especially for administrative accounts.

Conditional Access policies

Sophisticated attackers find other ways around standard MFA, such as adversary-in-the-middle (AiTM) attacks. Using toolkits like Tycoon 2FA, attackers set up a proxy server between the victim and the Microsoft login page. When the user logs in, the attacker intercepts their credentials and the authenticated session token. The user has no idea that anything shady occurred, while the attacker gains immediate access.

To guard against AiTM, Entra ID conditional access policies should evaluate signals such as the user’s location, device posture, and risky sign-in patterns rather than just relying on static login credentials. Many of the over-privileged identities and misconfigurations highlighted in the Known Gaps, Open Doors report can be mitigated with well-designed Conditional Access policies that block sign-ins from suspicious locations, untrusted VPNs, or unmanaged devices.

Global admin and privileged role assignments

In Microsoft 365 identity and access management, the Global Administrator role has unrestricted write access across all services. The more accounts that are permanently assigned this role, the greater the risk an organization runs of a tenant-wide compromise. It’s a good idea to have more than one Global Admin, but no more than necessary.

These accounts should be cloud-only identities and strictly separated from on-premises or federated identity providers. This air-gapping helps prevent an on-prem Active Directory compromise from escalating laterally into the cloud.

Except for carefully controlled “break glass” accounts, organizations should avoid standing Global Administrator privileges. Through just-in-time (JIT) access via privileged identity management (PIM), organizations can restrict escalated privileges to a specific window for a task, then revoke them after completion.

Stale accounts and inactive users

A common and high-risk attack vector, dormant accounts accumulate when employees turn over, contractor projects end, or test accounts are left active. These accounts are risky because they often go unnoticed by day-to-day security monitoring. Older accounts may even predate modern MFA requirements, making them susceptible to credential stuffing or exploitation for lateral movement and privilege escalation.

Accounts that haven’t been logged into for six months should be disabled for several weeks to test for operational disruption, then removed or archived according to organizational retention requirements.

Risky mailbox forwarding rules

Business Email Compromise (BEC) is a primary threat to organizations. Once an attacker accesses a corporate email account, they can use it to phish other employees or initiate fraudulent transactions. They typically do this by setting up mailbox rules that forward emails containing terms like “invoice” or “payment” to an attacker-controlled domain then injecting themselves into the billing process. Automatic email forwarding to remote domains should be disabled unless explicitly authorized for verified partner domains.



Why this cannot be a one-time project

Very few aspects of cybersecurity are set-and-forget, and SaaS environments are especially dynamic. An environment that’s secure today can become insecure tomorrow.

Microsoft 365 environments change constantly

Microsoft 365 itself is a continuously evolving ecosystem. New background security features, default tenant settings, collaboration tools, and software integrations are regularly added, often without the explicit awareness or formal review of IT leadership. These changes can have unexpected consequences elsewhere, including side effects on Conditional Access, guest access, or app consent policies.

Business exceptions can weaken the baseline

Security exceptions, even when intended to be temporary, can greatly weaken security posture. For example, syncing systems with a third party—such as onboarding a new vendor or integrating an acquired company—may require temporary legacy protocol access. Similarly, a contractor may be temporarily excluded from an MFA policy to execute an urgent database integration. These “temporary” exceptions are often not documented or scheduled to be revoked, leaving security gaps that are soon forgotten—until they’re exploited.

Drift creates new openings after initial hardening

Forgotten exceptions are just one way that security posture gradually drifts from a hardened baseline. Administrative updates, role changes, and ad hoc troubleshooting all chip away at an environment’s security posture unless proactively monitored and corrected.


Guard against Microsoft 365 identity threats with Huntress

Defending against identity-centric threats demands defense-in-depth. The Huntress agentic security platform tackles identity attacks in two ways: Our Managed ISPM continuously hardens your Microsoft 365 environment by finding and fixing misconfigurations, risky access, and policy drift—and enforcing expert-defined policies across Entra, Exchange, SharePoint, and more. Managed ITDR helps to rapidly detect and respond when suspicious identity activity appears. Learn more about how Huntress helps your organization guard against today’s sophisticated identity threats.


Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free