As more businesses fully embrace cloud environments, the main security perimeter is moving from traditional routers and firewalls to identity. With services such as Microsoft Entra ID acting as most businesses’ primary identity management, identity is also becoming the most likely avenue for compromise. Mismanaged identities, stale permissions, orphaned accounts and creeping permissions become attack vectors that grow over time if not properly pruned and managed.
Tools like Microsoft Entra ID (formerly known as Azure AD) give businesses powerful security measures and tools, but they can also lull administrators into complacency, believing that by handing identity over to cloud tools they have also handed off responsibility for maintaining those tools. In truth, good identity hygiene is more important than ever. In this article we will walk through a suggested cadence of tasks, split into daily, weekly and monthly activities, that will help keep your identity environment clean and controlled, and protect you from Identity Drift.
Before we jump into the tasks, let’s establish what we mean when we say, “Identity Drift” and why identity hygiene matters.
Identity Drift refers to the gradual accumulation of excess risk in your identity environment over time: old accounts that have not been deprovisioned, temporary roles that have not been revoked, elevated privileges accumulating over time, excess guest users with over-permissive permissions, undocumented service accounts, and so on. Over time these, sometimes small, risks add up and can become the vector through which compromise occurs.
Attackers often make identity their main focus, using phishing, credential spray attacks, password bombing and similar techniques. Good identity hygiene keeps this threat landscape as small as possible and helps to contain any incidents before they become full-blown compromises.
Most identity providers come with robust security tools; however, these tools are often treated as “set and forget” when the real name of the game is continuous, vigilant maintenance. Whoever is in charge of maintaining identity for your organisation should be less of an “Architect”, designing and building walls and then moving on to the next project, and more of a “Gardener”, continuously pruning, sculpting and caring for the system. Provided below is a suggested cadence of tasks, daily, weekly and monthly, that can assist this “Gardener” in keeping your identity secure.
Our daily tasks focus on responding to events, alerts, requests and so on. This is our monitoring window.
1. Review risky sign-ins
Microsoft Entra ID Protection tracks and alerts on user risk, impossible travel, leaked credentials and more.
Respond to high-severity alerts immediately, disabling high-risk accounts, enforcing password resets, etc. Triage lower-severity alerts according to your organisation’s risk appetite.
2. Check Entra ID Recommendations and Secure score changes
The Entra portal continuously analyses and reviews events, and provides daily, organisation-specific recommendations.
Look for any recommendations related to identity, for example “Remove dormant accounts” or “Renew expiring app credentials”, and action them.
Track changes in your organisation’s Secure Score, and when the score drops, determine why and whether there are related recommendations or alerts that need to be actioned.
3. Monitor Privileged Role Activation and PIM Activity
If you use Privileged Identity Management (PIM) for Just-In-Time (JIT) role activation, verify recent activations, reviewing who activated what, why, and when.
Confirm that the activations and the reasons given align with business justification: did the users need to activate their privileged roles to accomplish their stated goals?
Be on the lookout for activations outside normal business hours, or by unusual accounts.
4. Monitor for New Privileged Role Assignments
Ensure that no new privileged roles, e.g. Global Administrator, are assigned without oversight. These roles are powerful and can become vectors of compromise; they should only be assigned when required, following your organisation’s change policies and procedures.
Use Entra ID audit logs to detect new role assignments, and ensure that the security team, or whoever is in charge of monitoring identity, is informed whenever a new role assignment is approved.
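One way to run this daily check from the audit log, as an added example rather than code from the article: the script below assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All permission, and the list of roles treated as privileged is an assumption to adapt to your own tiering.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports module) and an account holding the AuditLog.Read.All permission.
# Lists directory role membership changes from the last 24 hours so the identity owner can
# confirm each one against an approved change record.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Audit activities written when a role is granted, either permanently or as a PIM eligibility.
$activities = @("Add member to role", "Add eligible member to role")
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Roles you consider privileged; this list is an assumption, adjust it to your tiering model.
$watchRoles = @("Global Administrator", "Privileged Role Administrator", "Security Administrator",
                "Exchange Administrator", "User Administrator", "Application Administrator")

$events = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and category eq 'RoleManagement'"

$report = foreach ($e in $events | Where-Object { $activities -contains $_.ActivityDisplayName }) {
    # The role name is carried as a JSON string in the modified properties of the target resource.
    $roleName = ($e.TargetResources.ModifiedProperties |
        Where-Object { $_.DisplayName -eq "Role.DisplayName" } |
        Select-Object -First 1).NewValue -replace '"', ''
    $target = $e.TargetResources |
        Where-Object { $_.Type -eq "User" -or $_.Type -eq "ServicePrincipal" } |
        Select-Object -First 1
    [pscustomobject]@{
        When        = $e.ActivityDateTime
        Activity    = $e.ActivityDisplayName
        Role        = $roleName
        Assignee    = if ($target.UserPrincipalName) { $target.UserPrincipalName } else { $target.DisplayName }
        InitiatedBy = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                      else { $e.InitiatedBy.App.DisplayName }
        Privileged  = $watchRoles -contains $roleName
        Result      = $e.Result
    }
}

# Privileged assignments first; anything here without a change ticket is the day's finding.
$report | Sort-Object -Property @{Expression = "Privileged"; Descending = $true}, When |
    Format-Table -AutoSize
```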
5. Review Break Glass Account Usage
These daily tasks are small, and often require no more than a few minutes’ effort, but go a long way to ensuring that you are informed of any suspicious activity immediately, allowing you to better respond to possible incidents. Over time they also build a baseline of normal activity, which is useful when unusual events occur.
Once a week, spend more time digging into accumulated drift. This is your “cleanup” window.
1. Review Inactive / Dormant Accounts & Orphaned Identities
Identify user accounts that haven’t signed in for a defined period (e.g. 90 days) and flag them for disabling or removal.
Determine whether these inactive accounts exist because of a failure in the organisation’s off-boarding process.
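A weekly dormant-account report built on the sign-in activity data, as an added example that is not part of the original article: it assumes the Microsoft Graph PowerShell SDK, the User.Read.All and AuditLog.Read.All permissions, and an Entra ID P1/P2 licence (needed for the signInActivity property); the 90-day threshold comes from the text above.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Users), the User.Read.All and AuditLog.Read.All permissions, and an
# Entra ID P1/P2 licence, which the signInActivity property requires.
# Flags accounts whose last interactive AND non-interactive sign-in is older than the threshold.
param(
    [int]$InactiveDays = 90,     # threshold from the article; adjust to your policy
    [string]$ReportPath = ".\dormant-accounts.csv"
)
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$users  = Get-MgUser -All -Property "Id,UserPrincipalName,DisplayName,AccountEnabled,UserType,CreatedDateTime,SignInActivity"

$dormant = foreach ($u in $users) {
    # Take the most recent of the two sign-in timestamps; either one proves the account is in use.
    $last = @(
        $u.SignInActivity.LastSignInDateTime,
        $u.SignInActivity.LastNonInteractiveSignInDateTime
    ) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # An account with no recorded sign-in counts from its creation date, so brand-new accounts
    # are not flagged while accounts that were provisioned and never used are.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if ($reference -gt $cutoff) { continue }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        UserType          = $u.UserType            # Member vs Guest; guests are frequent offenders
        AccountEnabled    = $u.AccountEnabled
        LastSignIn        = $last
        NeverSignedIn     = -not $last
        DaysInactive      = [int]((Get-Date).ToUniversalTime() - $reference).TotalDays
    }
}

# Still-enabled dormant accounts are the ones to disable first; already-disabled ones are removal candidates.
$dormant | Sort-Object -Property AccountEnabled, DaysInactive -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation
"{0} of {1} accounts exceed {2} days without a sign-in; report written to {3}" -f @($dormant).Count, @($users).Count, $InactiveDays, $ReportPath
```

Recurring names in this report from the same team or the same leaver date usually point at the off-boarding gap the task above asks you to find.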
2. Review Enterprise Application Permissions
Review Enterprise Application identities and credentials, ensuring that all registrations and credentials remain justified by the organisation’s needs.
Ensure that the permissions (API / Graph permissions, role assignments) are minimal, with the goal of having the least privileges required by the application.
Review application credentials for expiring credentials or unused secrets.
Check that the owners of the application are still justified, and that there are no unknown owners or an excessive number of owners.
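The credential and ownership part of this review, as an added example and not code from the article: it assumes the Microsoft Graph PowerShell SDK and the Application.Read.All permission, and the 30-day warning window and the three-owner ceiling are assumptions to tune for your organisation.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Applications) and the Application.Read.All permission.
# Reports app registrations whose secrets or certificates have expired or expire soon, that have
# no owner left, or that have an unusually large owner list; each is a weekly review item.
$WarnDays  = 30   # assumption: how far ahead to warn about expiring credentials
$MaxOwners = 3    # assumption: more owners than this is worth questioning
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$now  = (Get-Date).ToUniversalTime()
$apps = Get-MgApplication -All -Property "Id,AppId,DisplayName,PasswordCredentials,KeyCredentials"

$findings = foreach ($app in $apps) {
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)

    # Client secrets and certificates both expose EndDateTime, so they are reviewed together.
    $creds = @($app.PasswordCredentials | ForEach-Object {
                  [pscustomobject]@{ Kind = "Secret";      Name = $_.DisplayName; Ends = $_.EndDateTime } }) +
             @($app.KeyCredentials | ForEach-Object {
                  [pscustomobject]@{ Kind = "Certificate"; Name = $_.DisplayName; Ends = $_.EndDateTime } })

    foreach ($c in $creds | Where-Object { $_.Ends }) {
        $daysLeft = [int]($c.Ends - $now).TotalDays
        if ($daysLeft -gt $WarnDays) { continue }
        [pscustomobject]@{
            Application = $app.DisplayName
            Finding     = if ($daysLeft -lt 0) { "Expired $([math]::Abs($daysLeft)) days ago" } else { "Expires in $daysLeft days" }
            Credential  = "$($c.Kind): $($c.Name)"
            Owners      = $owners.Count
        }
    }
    if ($owners.Count -eq 0) {
        [pscustomobject]@{ Application = $app.DisplayName; Finding = "No owner (orphaned registration)"; Credential = ""; Owners = 0 }
    }
    elseif ($owners.Count -gt $MaxOwners) {
        [pscustomobject]@{ Application = $app.DisplayName; Finding = "Excessive owners"; Credential = ""; Owners = $owners.Count }
    }
}

$findings | Sort-Object Application | Format-Table -AutoSize
```

An expired credential that nothing has complained about is the strongest hint that the registration itself is no longer needed.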
3. Inspect Legacy / Weak Auth Protocol Usage
Use Conditional Access or other telemetry to track legacy authentication across users and applications.
Where possible, block legacy auth or require modern authentication only.
Where an application still requires legacy authentication, monitor its use and, where possible, block all other legacy authentication with a Conditional Access policy.
Weekly cleanups such as these help prevent the accumulation of debt over the long term.
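The telemetry side of this task, as an added example that is not from the article: it assumes the Microsoft Graph PowerShell SDK, the AuditLog.Read.All permission and an Entra ID P1 licence for sign-in logs, and the list of legacy clientAppUsed values is a hard-coded assumption that should be checked against what your own sign-in logs report.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Reports), the AuditLog.Read.All permission and Entra ID P1 for sign-in logs.
# Summarises the last 7 days of sign-ins that used a legacy protocol, by protocol and by user,
# so owners can be identified and exempted deliberately before a blocking policy is enforced.
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# clientAppUsed values that Entra reports for legacy (non-modern) authentication. Assumed list;
# "Browser" and "Mobile Apps and Desktop clients" are the modern ones and are deliberately absent.
$legacyClients = @("Exchange ActiveSync", "Exchange Online PowerShell", "Exchange Web Services",
                   "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients", "POP3",
                   "Reporting Web Services", "Authenticated SMTP", "Universal Outlook", "Autodiscover")

# Filter server-side so a busy tenant does not have to download every sign-in of the week.
$clientFilter = ($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join " or "
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and ($clientFilter)"

# Which protocols are in use, how often, and whether any actually succeeded (a block breaks those).
$legacy | Group-Object ClientAppUsed | ForEach-Object {
    [pscustomobject]@{
        Protocol  = $_.Name
        SignIns   = $_.Count
        Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        Users     = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
        Apps      = (@($_.Group.AppDisplayName | Sort-Object -Unique) -join "; ")
    }
} | Sort-Object SignIns -Descending | Format-Table -AutoSize

# Per-user detail: the people or service accounts to contact, or to exempt explicitly and record.
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object @{n = "User"; e = { $_.Values[0] }}, @{n = "Protocol"; e = { $_.Values[1] }}, Count |
    Sort-Object Count -Descending |
    Export-Csv -Path ".\legacy-auth-7d.csv" -NoTypeInformation
```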
Once a month (or quarterly, depending on the size of the organisation), carry out a deeper posture review and process-maturity check. This is our Secure phase, where larger changes can be reviewed, approved and implemented.
1. Full Privileged Role & Permission Audit
Using the Graph API, PowerShell or other reporting, generate a list of all role assignments.
Verify that every assignment has a business justification, and review assignment expiration dates to ensure they align with business needs.
Remove roles that no longer make sense.
Consider consolidating or retiring seldom-used custom roles.
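The "list every assignment" step of this audit, as an added example rather than the article's own code: it assumes the Microsoft Graph PowerShell SDK, the RoleManagement.Read.Directory permission and a tenant with PIM (Entra ID P2), since the schedule-instance endpoints are what expose end dates and eligibility.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.Governance), the RoleManagement.Read.Directory permission and PIM.
# Produces one row per active or eligible directory role assignment, with scope and end date,
# for the monthly "does every assignment still have a justification" review.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Resolve role definition IDs to names once; this also captures custom roles.
$roles = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roles[$_.Id] = $_ }

function Resolve-Principal($p) {
    # The expanded principal is a directoryObject; its type and UPN live in AdditionalProperties.
    $type = $p.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
    $name = if ($p.AdditionalProperties.userPrincipalName) { $p.AdditionalProperties.userPrincipalName }
            else { $p.AdditionalProperties.displayName }
    [pscustomobject]@{ Type = $type; Name = $name }
}

function New-Row($inst, $state) {
    $who  = Resolve-Principal $inst.Principal
    $role = $roles[$inst.RoleDefinitionId]
    [pscustomobject]@{
        Role = $role.DisplayName; IsCustomRole = -not $role.IsBuiltIn
        PrincipalType = $who.Type; Principal = $who.Name
        State = $state; Scope = $inst.DirectoryScopeId   # "/" means tenant-wide
        EndsOn = $inst.EndDateTime                       # $null means permanent: question these first
    }
}

# Active assignments (permanent, time-bound or currently activated) plus PIM eligibilities.
$rows  = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -ExpandProperty Principal |
           ForEach-Object { New-Row $_ "Active ($($_.AssignmentType))" })
$rows += @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -ExpandProperty Principal |
           ForEach-Object { New-Row $_ "Eligible" })

$rows | Sort-Object Role, State, Principal | Export-Csv -Path ".\role-assignment-audit.csv" -NoTypeInformation

# Permanent assignments of any role are the first thing to challenge in the review meeting.
$rows | Where-Object { -not $_.EndsOn -and $_.State -like "Active*" } | Format-Table -AutoSize

# Custom roles that nobody holds are the consolidation or retirement candidates the task mentions.
$roles.Values | Where-Object { -not $_.IsBuiltIn -and $_.DisplayName -notin $rows.Role } |
    Select-Object DisplayName, Description
```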
2. Identity Lifecycle & Deprovisioning Review
Audit the HR provisioning and deprovisioning pipeline. When employees join or leave the organisation, are roles and group memberships being applied and removed correctly? Are accounts being left orphaned? Is application ownership reviewed during deprovisioning?
Look for “orphaned identities” left behind by broken automation.
3. Conditional Access Policy Review
Go through Conditional Access policies, identity protection policies, MFA settings and password protection settings.
Ensure that all Conditional Access policies are enabled and correctly configured.
Review exclusions from Conditional Access policies, ensuring that these exclusions are still justified and recorded in the organisation’s risk register.
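Pulling the policy states and exclusions into one table for that review, as an added example and not code from the article: it assumes the Microsoft Graph PowerShell SDK and the Policy.Read.All and Directory.Read.All permissions.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and the Policy.Read.All and Directory.Read.All permissions.
# Lists each Conditional Access policy's state and resolves its user and group exclusions to
# names, so every exclusion can be matched against an entry in the risk register.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All" -NoWelcome

function Resolve-Names([string[]]$ids, [string]$kind) {
    foreach ($id in $ids) {
        # Special values are stored as keywords rather than object IDs.
        if ($id -in @("All", "None", "GuestsOrExternalUsers")) { $id; continue }
        try {
            $obj = if ($kind -eq "User") { Get-MgUser -UserId $id -Property "DisplayName,UserPrincipalName" -ErrorAction Stop }
                   else { Get-MgGroup -GroupId $id -Property "DisplayName" -ErrorAction Stop }
            if ($obj.UserPrincipalName) { $obj.UserPrincipalName } else { $obj.DisplayName }
        }
        catch {
            # A deleted object can linger in the policy definition; that exclusion is stale.
            "$id (deleted object, stale exclusion)"
        }
    }
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$report = foreach ($p in $policies) {
    $users = $p.Conditions.Users
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State            # enabled, disabled or enabledForReportingButNotEnforced
        Modified       = $p.ModifiedDateTime
        ExcludedUsers  = (Resolve-Names $users.ExcludeUsers "User") -join "; "
        ExcludedGroups = (Resolve-Names $users.ExcludeGroups "Group") -join "; "
        ExcludedRoles  = @($users.ExcludeRoles).Count   # role template IDs; count is enough to flag
    }
}

# Policies that are not enforced sort first, then everything else by name; any non-empty
# exclusion column needs a matching risk-register entry.
$report | Sort-Object @{Expression = { $_.State -eq "enabled" }}, Policy | Format-Table -AutoSize
```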
4. Security Posture & Trend Analysis
Plot trends: the count of risky sign-ins over time, the number of PIM activations, the number of stale accounts cleaned up, and how your Secure Score moves.
Identify patterns (e.g. certain departments often lag in reviews).
Review these patterns to identify anomalous behaviours.
5. Penetration Test / Red Team / Risk Simulation
If possible, engage internal or external red teams to simulate identity compromise (e.g. privilege escalation, lateral movement) to validate your controls.
Use the results to feed improvements back into hygiene tasks.
By dedicating time every month, or quarter, to a more thorough investigation, we ensure that identity remains a strong perimeter for the organisation.
Identity hygiene isn’t glamorous, but it is foundational. By embedding daily, weekly, and monthly tasks into your security operations rhythm, you can prevent identity drift from becoming a crisis, and stop attacks before they begin.