What identity hardening includes
Identity-based threats are on the rise, with 67% of organizations having seen identity-related incidents increase in just the past three years, and more than one in three say identity-based attacks now make up over 40% of all their security incidents.
More and more, attackers are attempting to compromise legitimate user accounts rather than risking noisier intrusions.
Enforcing strong MFA and conditional access policies
Multi-factor authentication is non-negotiable at this point. But MFA just isn’t consistently implemented. Across our analysis of over 12,000 Microsoft 365 tenants, 66% had weak MFA posture. Additionally, traditional MFA methods (for example, SMS messages and basic push notifications) are no longer sufficient for high-risk environments. Attackers are increasingly bypassing these controls through techniques such as MFA fatigue (also known as “push bombing”), adversary-in-the-middle phishing proxies, and session cookie theft.
To guard against this, organizations should adopt phishing-resistant MFA, such as FIDO2/WebAuthn hardware security keys or modern passkeys, and platform biometrics like Windows Hello or Apple Touch ID.
MFA should be paired with conditional access. Conditional access policies look beyond login credentials to include additional context—such as device health, location, time of day, and risk signals—before granting access and are commonly used to block or restrict legacy authentication protocols (IMAP, POP3, SMTP) that don’t support modern MFA.
Reducing excessive privileges
The principle of least privilege (PoLP) ensures that users receive only the level of access required to do their jobs. Enforcing this requires auditing and restricting overprivileged accounts. This can be taken further by making sure no single human administrator holds domain-level rights in Active Directory while also having global admin rights in cloud directories like Microsoft Entra ID. Broad cross-platform access can be reserved for tightly controlled emergency accounts. This prevents an attacker who compromises an on-premises server from automatically taking control of cloud infrastructure as well.
PoLP can also be extended to include just-in-time (JIT) access, granting elevated privileges only for a limited time to perform a specific task.
Removing stale or risky accounts
Stale accounts are those that haven’t been logged into for a prolonged period (often 90–180 days). This occurs for many reasons: employees leave the organization, temporary accounts are created for testing, or service accounts are forgotten. The result is that these accounts lie dormant, just waiting to be exploited. Adding to the risk is that stale accounts often escape modern security enforcement, such as mandatory MFA. Identity hardening requires continuously identifying and removing inactive accounts.
Reviewing admin roles and service accounts
Admin privileges should be granted to the fewest accounts possible, with extra emphasis on enforcing strict security policies for them. For example, global admin accounts shouldn’t be used for day-to-day tasks. With the increasing use of automation, special attention must also be paid to non-human service accounts. These accounts are designed to run background processes and system-level integrations, giving them high-level access. The problem is that machines can’t complete biometric challenges, enter one-time codes, or respond to push notifications—meaning they bypass MFA.
Hardening service accounts means auditing their permissions to restrict their reach, migrating them to Group Managed Service Accounts (gMSAs) to automate password rotation, and using Kerberos to limit where and how they can authenticate.
Preventing policy drift over time
Configuration drift is the tendency for gaps to creep in between security policies and the actual state of the environment. These deviations accrue over time from employee turnover, mergers and acquisitions, software updates, support exceptions, and troubleshooters who disable settings and forget to restore them.
Periodic, manual reviews can leave these vulnerabilities unnoticed for long periods. Identity hardening involves moving to continuous, automated configuration audits that automatically detect, alert on, or revert unauthorized changes—before attackers can exploit them.