Identity security: The 4 most common challenges

Working from home and hybrid working have been impossible to ignore over the past two years. The rapid transition created an entirely new security paradigm that users were not familiar with. In conversations with our customers, we discovered that a number of identity security issues keep recurring. The most common ones are described below.


Customers often indicate that multifactor authentication (MFA) is “fully implemented”, but this is not always the case. We still see important users excluded from Conditional Access policies; in other words, employees are missing from groups they should be in. There are also policy gaps that make risky scenarios possible. Legacy authentication is often forgotten and left enabled, which gives attackers another way into the environment even when Conditional Access (CA) policies requiring MFA are in place.

The capabilities of CA are constantly evolving, and additional access scenarios are now supported. That offers opportunities: you can cover additional scenarios for company access or strengthen the environment without compromising the user experience.

Everything implemented more than six months ago should be assessed: for new capabilities, likelihood of configuration anomalies, and exceptions that may have been added.

When was the last time you reviewed the Conditional Access policy and determined that it is still in line with the access scenarios?

We often see that executives are the highest risk group because they have different policies, so they are excluded from some of the “nasty” MFA policies.

These managers often don’t lead by example. If you want staff to take security seriously, you need to apply the same controls to executives as to the rest of the organisation.
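One way to check for the gaps described above (exclusions from CA policies and legacy authentication left open) is to audit an export of the tenant's policies. The following is an added example, not code from the original article; it assumes the policies were exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects, and the sample policies and principal names are constructed.

```python
import json

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph names for legacy-auth client types

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                           "excludeGroups": ["grp-executives"]},
                 "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-scanner"],
                           "excludeGroups": []},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
""")

def audit(policies):
    """Return a list of (policy name, finding) tuples for review."""
    findings = []
    legacy_blocked = False
    for p in policies:
        name, state = p["displayName"], p.get("state")
        conditions = p.get("conditions") or {}
        users = conditions.get("users") or {}
        controls = set((p.get("grantControls") or {}).get("builtInControls", []))
        clients = set(conditions.get("clientAppTypes") or [])
        if state != "enabled":
            findings.append((name, f"not enforced (state={state})"))
        for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for principal in users.get(key, []):
                findings.append((name, f"{key} exempts {principal}"))
        # Simplification: other conditions (locations, applications) are not evaluated.
        if (state == "enabled" and "block" in controls and LEGACY_CLIENTS <= clients
                and "All" in users.get("includeUsers", [])):
            legacy_blocked = True
    if not legacy_blocked:
        findings.append(("(tenant)", "no enforced policy blocks legacy authentication for all users"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXPORT):
        print(f"{name}: {finding}")
```

Every exemption the audit lists should map to a documented, still-valid exception; a report-only legacy block does not stop a legacy client from signing in.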



Secure Score is an excellent tool for generating insight and actions to improve the security posture of your tenant. Far too many organisations never look at this tool, or do not look at it regularly. An important part of any organisation’s security journey is ensuring that the items described on the scorecard are resolved completely, rather than partially.

While Secure Score helps identify some quick wins for improving your security posture, it still doesn’t cover all scenarios and isn’t an in-depth policy evaluation. It doesn’t take into account all the statuses of the policy configuration and doesn’t always capture the exceptions, so it’s important to use this information, but also to evaluate the controls you’ve set.

Want to know more about the secure score? In the webinar ‘this way you can easily increase the security of your M365 environment’ you will learn all about it.


We often see app passwords still being used by employees, intentionally or not. A good example is an iPad with a legacy ActiveSync mail client. An app password was used to “fix” changing user passwords and periodic MFA prompts. While it is likely that the specific generated app password was forgotten, it is still an entry point to the environment and user accounts. Email profiles need to be updated to support modern authentication, and often this hasn’t happened.




Organisations may have implemented some of the identity protection controls available in Azure AD Premium, but have not yet configured other elements.

MFA and Conditional Access are important, of course, but what about:

  • Combined security information registration experience
  • Password protection (cloud and on-premises)
  • Self-service password protection (including writeback)
  • Disabling legacy authentication

Providing secure access to resources and data using strong authentication without compromising the user experience depends on all of these areas being fully configured and deployed to all users. Missing some of these areas affects the potential ability to normalise identity security checks on your end users. So check your tenant’s identity security and make sure you resolve the issues.

If you haven’t revised your policies in the last six months, your Secure Score is declining, or you just don’t know where to start securing your tenant, contact us today. We can work with you by, for example, carrying out our Cybersecurity Maturity Assessment on the environment.

Curious about how you can meet these challenges? Please contact us.
