In the last decade we have seen a majority of workplaces begin to move their data, infrastructure and services into the cloud, and with the recent trend of working from home seemingly here to stay, cybersecurity has become more important than ever. With an ever-increasing threat landscape and cybercriminals becoming more sophisticated, traditional security approaches are becoming less sufficient. This is especially true of Identity and Access Management (IAM), which has often been the weakest link in an unfortunate organisation’s infrastructure and has led to breaches and compromises. For these reasons, Entra ID (formerly known as Azure Active Directory) Security Assessments have become more important than ever, helping organisations highlight the weaknesses in their Identity and Access Management before malicious actors can exploit them.
As stated previously, with cloud computing and remote work, the attack surface for many corporations has become wider and far less centralised. Cybercriminals have been quick to take advantage of this: according to the Identity Defined Security Alliance (IDSA), 90% of organisations surveyed experienced at least one identity-related incident in 2024, and 84% of stakeholders reported that they suffered a direct business impact as a result, a number which has risen from 68% in 2023, with the majority of those impacted citing distraction from core business as the main impact.
Entra ID provides a cloud-based alternative to traditional on-premises Active Directory, allowing businesses to manage identities, authentication, policies and permissions both on and off premises. However, due to the wide range of services offered by Entra ID, it is not uncommon to uncover misconfigurations or security flaws, and these can expose organisations to serious security threats. Below are some of the most common risks identified during Spartans Security’s Entra ID Security Assessments.
1. Misconfigured Permissions: Overly broad or improperly assigned access rights often occur when organisations grant permissions directly to users rather than managing them through groups, increasing the risk of unauthorized access.
2. Privileged Account Management: An excessive number of privileged accounts creates a larger attack surface, making it easier for cybercriminals to escalate their privileges and target high-value accounts.
3. Weak Multi-Factor Authentication Configuration: Without a properly configured multi-factor authentication system in place, user accounts can be compromised via password or phishing attacks.
4. Enabling but not Enforcing Multi-Factor Authentication: It is common to find that organisations have enabled MFA for all users within their Entra ID but have not taken the extra step of enforcing it, allowing users to bypass the requirement and leaving accounts exposed to potential threats.
5. Lack of Conditional Access Policies Enforcing MFA: The absence of Conditional Access Policies means privileged or high-risk users are not required to re-authenticate with MFA, reducing overall security.
6. Unrestricted Guest Access: Many organisations inadvertently allow all users to invite external guests and fail to properly restrict their access, increasing the risk of unauthorized users gaining entry to sensitive data and cloud services.
7. Dormant Accounts & Invites: Organisations frequently accumulate dormant user accounts and unused guest invitations in Entra ID, providing unnecessary entry points that attackers can exploit.
8. External Identity Misconfiguration: Organisations grant privileged access to their environment to third-party partners, for example web developers, database administrators or any other third party that needs privileged access to the organisation’s data, and these external identities are often misconfigured.
Our team of cybersecurity and cloud experts can provide a comprehensive security review of Entra ID and Microsoft 365 by combining cutting-edge open source and proprietary tools with manual assessment to ensure a thorough review of the configuration and deployment of Entra ID. We go beyond automated scans to analyze and review the setup, permissions, groups and policies, to identify vulnerabilities, expose security flaws and ensure compliance with best practices. By offering actionable insights along with remediation advice and assistance, we aim to ensure you have all the information and help required to protect against the evolving threat landscape and stay secure.
Over the past years our team has completed many Entra ID Security Assessments for various organisations and has discovered many vulnerabilities and issues. The section below provides details on the top issues commonly detected across organisations.
Below is an example of an organisation that has enabled multi-factor authentication for all accounts but has failed to enforce the policy, and has not configured proper Conditional Access policies to require MFA for privileged users, leaving 6 administrator accounts without multi-factor authentication enabled.
It is crucial to the security of privileged accounts in the Azure and Microsoft 365 environment to enable just-in-time access rather than permanently assigning high-level permissions. This means that users with privileged access must activate that privilege for a limited period of time when commencing work that requires elevated privileges. This is achieved in Azure through Privileged Identity Management (PIM); with proper configuration, PIM will force users to re-authenticate with multi-factor authentication when activating their elevated privileges, adding another layer of security between your privileged accounts and a determined attacker.
Conditional Access Policies are a key way of securing your environment, by ensuring that only trusted and correctly authenticated users can access critical portals and assets. Geo-blocking allows an organisation to block access to particular assets, applications and portals from foreign countries, including high-risk locations, which reduces the risk of brute-force attacks against user accounts. Requiring MFA to be re-authenticated when accessing management portals helps to prevent account takeover attacks and ensures that only the appropriate user is accessing their account. Conditional Access policies can also be leveraged to require users to be on properly enrolled devices, such as devices enrolled in Intune or joined to Entra ID, before allowing access to management portals. There are a huge number of ways Conditional Access Policies can be used to further secure your Azure & 365 environment; consider talking with us today about a review of your Conditional Access Policies and for assistance in improving them.
Below is an example from a recent review we completed for a small organisation that had been overly permissive with privileged accounts. In this example we detected 14 global administrator accounts, raising the risk of one of them being compromised. We consider best practice (per Microsoft’s own guidance) to be limiting the number of global administrators to fewer than 5 where possible, giving other users more restricted access scoped to their roles and responsibilities.
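As an added example (not Spartans Security’s own tooling), the following Microsoft Graph PowerShell script performs the two checks described in the last two findings: it counts active Global Administrators against the fewer-than-5 threshold and lists any that have no MFA method registered. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the read-only scopes shown.

```powershell
# Added example, not the article's own tooling. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can consent to these
# read-only scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All"

# Active members of the Global Administrator directory role. PIM-eligible
# assignments are not listed here: they only appear once activated.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

$maxGlobalAdmins = 5   # threshold used in the review above
Write-Host ("Active Global Administrators: {0}" -f $gaMembers.Count)
if ($gaMembers.Count -ge $maxGlobalAdmins) {
    Write-Warning "Global Administrator count is at or above $maxGlobalAdmins; move excess admins to least-privilege roles."
}

# MFA registration state from the authentication methods registration report,
# indexed by user object id for quick lookup.
$regById = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $regById[$_.Id] = $_ }

# Admins with no MFA method registered (or missing from the report entirely).
$unprotectedAdmins = @(foreach ($member in $gaMembers) {
    $reg = $regById[$member.Id]
    if ($null -eq $reg -or -not $reg.IsMfaRegistered) {
        [pscustomobject]@{
            UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            MfaRegistered     = $(if ($reg) { $reg.IsMfaRegistered } else { 'not in report' })
            Methods           = $(if ($reg) { $reg.MethodsRegistered -join ',' } else { '' })
        }
    }
})

if ($unprotectedAdmins.Count -gt 0) {
    Write-Warning ("{0} Global Administrator(s) have no MFA method registered:" -f $unprotectedAdmins.Count)
    $unprotectedAdmins | Format-Table -AutoSize
} else {
    Write-Host "All active Global Administrators have an MFA method registered."
}
```

A registered method is not the same as an enforced one: pair this output with the Conditional Access check below to confirm MFA is actually required at sign-in.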
Another company had failed to properly secure its external identity and collaboration settings. This left a vulnerability where any user of the organisation could invite guests to the tenant, who could then themselves invite further guests. This exposes a large security flaw where a user may be phished or coerced into sending a guest invite to a malicious actor, who can then use these settings to create additional guest invites for profit or persistence.
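As an added example (not Spartans Security’s own tooling), the following Microsoft Graph PowerShell script reads the tenant settings behind the guest-invite finding above and lists the enabled Conditional Access policies that require MFA, flagging when none of them covers directory roles as the Conditional Access section recommends. It assumes the Microsoft.Graph module is installed and the account can consent to Policy.Read.All.

```powershell
# Added example, not the article's own tooling. Assumes the Microsoft.Graph
# PowerShell SDK is installed; Policy.Read.All covers both settings read here.
Connect-MgGraph -Scopes "Policy.Read.All"

# External collaboration settings live on the tenant authorization policy.
$authz = Get-MgPolicyAuthorizationPolicy

# allowInvitesFrom controls who may invite guests. 'everyone' lets members and
# existing guests invite further guests, which is the finding described above.
Write-Host "allowInvitesFrom: $($authz.AllowInvitesFrom)"
if ($authz.AllowInvitesFrom -in @('everyone', 'adminsGuestInvitersAndAllMembers')) {
    Write-Warning "Guest invitations are not limited to admins and the Guest Inviter role."
}

# guestUserRoleId sets what guests can see in the directory. Well-known values:
#   a0b1b346-4d3e-4e8b-98f8-753987be4970  same access as members (least restrictive)
#   10dae51f-b6af-4016-8d66-8c2a99b929b3  limited access (tenant default)
#   2af84b1e-32c8-42b7-82bc-daa82404023b  restricted guest (most restrictive)
if ($authz.GuestUserRoleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    Write-Warning "Guests have the same directory access as members."
}

# Enabled Conditional Access policies that require MFA, either via the built-in
# 'mfa' grant control or an authentication strength.
$mfaPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and (
        $_.GrantControls.BuiltInControls -contains 'mfa' -or
        $null -ne $_.GrantControls.AuthenticationStrength.Id)
})

# Policies that reach privileged users: scoped to directory roles, or to all
# users. Exclusions (ExcludeUsers/ExcludeGroups) are not evaluated here.
$coversAdmins = @($mfaPolicies | Where-Object {
    @($_.Conditions.Users.IncludeRoles).Count -gt 0 -or
    $_.Conditions.Users.IncludeUsers -contains 'All'
})

Write-Host ("Enabled MFA policies: {0} (covering admins: {1})" -f $mfaPolicies.Count, $coversAdmins.Count)
if ($coversAdmins.Count -eq 0) {
    Write-Warning "No enabled Conditional Access policy requires MFA for directory roles or all users."
}
$mfaPolicies | Select-Object DisplayName, State,
    @{ n = 'Roles'; e = { @($_.Conditions.Users.IncludeRoles).Count } },
    @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } } | Format-Table -AutoSize
```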
With the increased complexity of today's workforce, it is more important than ever to properly secure identity and access management. Entra ID is a complex service, rife with potholes and traps that may lead to misconfigurations. Spartans Security believes that performing regular Entra ID Security Assessments is one key to keeping your organisations secure in today's threat landscape. Some of the benefits of Entra ID Security Assessments include:
Proactive Risk Mitigation: Being aware of vulnerabilities before they lead to breaches and compromises.
Comprehensive Risk Identification: Security assessments help uncover misconfigurations and vulnerabilities in services that organisations may not be aware of, such as external collaboration, access control and permissions, providing a clear understanding of security gaps.
Improved Regulatory Compliance: Regular assessments help ensure that the organisation remains in compliance with industry standards and regulations.
Continuous Improvement: Security is a marathon, not a sprint, with ever-changing goalposts as technology, threat actors, compliance standards and the way we interact with them all change. Regular assessments are one way to show year-on-year progress and to ensure that the organisation is always moving forward to a more secure future.
With today’s evolving threats, organisations cannot afford to overlook identity security. Regular Entra ID Security Assessments provide critical insights to mitigate risks, strengthen compliance and ensure long-term protection. By taking a proactive approach to IAM security, businesses can safeguard their digital environments from ever-growing threats. Spartans Security offers solutions to assess and enhance your identity security, ensuring your systems remain resilient to evolving threats while supporting growth and operational efficiency.