Identity & Access Management

Phishing attacks steal passwords daily. Without multi-factor authentication, stolen credentials grant immediate access to email, OneDrive, and applications. Attackers download sensitive data and send phishing emails from legitimate accounts before detection.

We enforce MFA universally using Microsoft Authenticator, hardware security keys, or biometric authentication. Legacy authentication protocols that bypass MFA are disabled. Risk-based Conditional Access detects unusual sign-in patterns like impossible travel or unfamiliar locations, requiring additional verification or blocking access when risk is high.

Users often receive Global Administrator rights when they only need basic permissions. Service desk staff have full admin access for minor troubleshooting. Former contractors retain admin rights months after projects end.

We implement least privilege access and use Privileged Identity Management for just-in-time elevation. Admin access is requested with business justification, granted for specific durations, and expires automatically. All privileged operations are logged and we regularly audit accounts to remove unnecessary permissions.

Users connect third-party applications to Microsoft 365 without IT approval. These apps request broad permissions like “read all mail” and retain access indefinitely. Many come from unknown publishers with questionable security practices.

We monitor OAuth consent grants, block risky applications, and require admin approval for apps requesting sensitive permissions. Regular reviews identify and remove applications no longer needed or posing security risks.

Permissions accumulate as users change roles. Someone who moved from sales to marketing retains sales system access. Contractors keep access after projects complete. Shared mailboxes have excessive users with access they no longer need.

We implement regular access reviews where managers certify who should maintain access. Uncertified access is automatically removed. Role-based access ensures permissions align with current job functions.

Default policies allow simple passwords like “Password123” that meet technical requirements but are easily guessed. Users reuse passwords across personal and corporate accounts. When personal accounts are breached, attackers try those passwords against corporate systems successfully.

We implement strong password policies blocking commonly used passwords and patterns. Where possible, we encourage passwordless authentication using Windows Hello, biometrics, or hardware security keys.

Former employees’ and contractors’ accounts remain active indefinitely. These dormant accounts rarely get monitored, making them attractive targets. Nobody expects activity from these accounts, so their use doesn’t trigger alerts.

We automate account lifecycle management with joiner/mover/leaver processes that disable accounts immediately upon departure. Regular audits identify inactive accounts, and automated alerts notify administrators of accounts requiring review.

Teams share generic accounts with passwords known to multiple people. When incidents occur, there’s no way to determine who performed specific actions. When someone leaves, passwords rarely change, leaving access open to former employees.

We eliminate shared credentials through proper shared mailbox configuration and group-based permissions. Every action is logged with the specific user who performed it, supporting accountability and incident investigation.

Businesses rely entirely on MFA without emergency access procedures. When MFA systems experience outages, entire organisations get locked out with no way to regain admin access.

We implement properly secured break glass accounts with strong passwords stored offline. These accounts are excluded from MFA requirements and monitored constantly. Emergency access procedures are documented and tested regularly.