Achieve identity security in 5 easy steps

Mathew Richards

Head of Mobility and Security

Published: 22 July 2019

When it comes to improving your identity security, here’s where you should start.

Security is a chief concern for every organisation, and that concern has only been amplified by the recent news around what British Airways and Marriott International might have to pay for their previous lapses.

The security landscape has changed significantly over recent years and continues to evolve as new threats emerge. In today’s world, it can take a significant amount of time and investment to effectively protect against, detect and respond to all the threats organisations face, which in turn increases reliance on security technologies and skilled personnel.

But there are some easier steps you can take to see an almost immediate improvement in your security setup:

  1. Secure your identities.
  2. Reduce your attack surface area.
  3. Use automation to respond to security incidents.
  4. Review your audit logs.
  5. Enable self-service and attestation.

The advice in this blog is inspired by Microsoft’s own guidance, as well as best practice advice from the National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA). These are security principles and behaviours that we follow here at Kocho and recommend that our clients do too.

5 stages to improved identity security

1. Secure your identities

Make sure you use strong authentication and that your users have passwords that are hard to guess.

The vast majority of breaches stem from a user’s credentials being compromised. This can happen in a variety of ways, from passwords being circumvented via brute-force or password-spray attacks through to simple e-mail phishing attacks.

Back up user authentication requests with additional security measures, such as multi-factor authentication (MFA). MFA can be effectively implemented through a conditional access (CA) policy in Azure Active Directory.

The benefit of applying MFA this way is that it can be tailored to avoid adversely impacting the end-user experience. CA also allows for additional security measures to further strengthen your assurance. We’ve implemented this method many times now and have found it a useful way to tread that fine line between effective security and user experience.

If you take only one thing away from this blog, make it this – enable MFA for ALL of your privileged accounts. A privileged account is one that has heightened access to allow certain administrative capabilities within your tenant.

Global Admin is the king of access, and as such should be treated with special reverence and additional security measures such as ‘just in time’ access and hardened devices. MFA should always be enforced for the Global Admin account – no exceptions.

To take things one step further, you should consider using technologies that provide dynamic banned passwords. This should be based on a list that references standard weak passwords but also those that might be common to your organisation. An example of this could be Third5pace123 or 3rdspacexyz.

Azure Active Directory password protection provides this capability. The general consensus amongst most well-respected security organisations is to not expire passwords, but to ensure your users are using a hard-to-guess, complex password.
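To show how a banned-password check of this kind catches the organisation-specific examples above, here is an added example (not Kocho’s or Microsoft’s code). It is a simplified reconstruction of the documented approach: normalise the password (lowercase, undo common character substitutions), count one point per banned term found and one per remaining character, and require at least five points. The substitution table, banned lists and threshold are assumptions for illustration.

```python
# Added example: simplified banned-password check in the style of
# Azure AD Password Protection. The normalisation table, scoring and
# threshold of 5 are a reconstruction for illustration, not Microsoft's code.

# Constructed lists: organisation-specific terms plus a few common weak words.
CUSTOM_BANNED = {"thirdspace", "3rdspace", "kocho"}
GLOBAL_BANNED = {"password", "summer", "welcome", "qwerty"}

# Common substitutions undone before matching, so "5" is read as "s" etc.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "$": "s", "@": "a", "7": "t", "!": "i"})


def normalise(password: str) -> str:
    """Lowercase and undo leet-style substitutions: Third5pace123 -> thirdspacel2e."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str) -> int:
    """One point per banned term found, one per remaining character."""
    norm = normalise(password)
    # Normalise the banned terms too, so "3rdspace" matches "3rdspacexyz".
    banned = {normalise(w) for w in CUSTOM_BANNED | GLOBAL_BANNED}
    points = 0
    # Longest terms first, so "thirdspace" is consumed before shorter words.
    for word in sorted(banned, key=len, reverse=True):
        while word in norm:
            norm = norm.replace(word, "", 1)
            points += 1
    return points + len(norm)


def is_acceptable(password: str, threshold: int = 5) -> bool:
    """Reject passwords built mainly from banned terms and a short suffix."""
    return score(password) >= threshold


if __name__ == "__main__":
    for candidate in ("Third5pace123", "3rdspacexyz", "P@ssw0rd1!", "Correct-Horse-Battery"):
        print(f"{candidate!r}: score={score(candidate)} accepted={is_acceptable(candidate)}")
```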

If you regularly expire passwords, you are effectively encouraging your users to choose easy-to-remember passwords, thus creating a vulnerability.

Other security benefits within Azure Active Directory and local Active Directory are the smart lockout features, which protect against brute-force attacks while reducing the chance of your legitimate user accounts being locked out. Microsoft have plenty of documentation that can help you configure this in federated and non-federated scenarios.

Lastly, you should consider the use of biometric or PIN based authentication services such as Windows Hello, which works especially well in cloud and hybrid scenarios and provides a secure and easy way for users to sign in.

With the amount of extra investment Microsoft have put into passwordless authentication, it’s worth learning more about its benefits to your overall security posture.

2. Reduce your attack surface area

The fewer doors you present to access your systems, the easier it is to secure them. Review all applications and services that you provide to your users and identify the potential entry points.

Are you still using older legacy protocols to access services, such as POP, IMAP and SMTP? If not, then disable these endpoints. If you are, then you should review what needs them and look at more modern ways of access. This usually involves updating to later versions of the applications you use or updating any custom-written apps you may have.

Make sure you fully understand what (if anything) needs to use legacy authentication and update these as soon as possible to support MFA and CA.

Picture legacy authentication as the low-hanging fruit on your digital tree, making it really easy for an attacker to gain access to your environment.

CA has the ability to block this authentication type, and I would strongly encourage you to use this policy. Legacy authentication accounts for the vast majority of breaches because MFA does not work with it. Without addressing this you are effectively putting advanced locks on your front door but leaving the back door wide open.

Top tip: Don’t allow users to consent to third-party applications that use OAuth 2.0 accessing your tenant. By default, Azure AD allows users to consent to these apps having access. Attackers are using this as a route to gain access, so change that default setting!

3. Automate threat response

There are many ways to apply automation to deal with threats, but the focus here is more around the ability to automate things like determining whether your users’ accounts are already compromised, and assessing whether a user is signing in from a device or location that has been positively identified as a source of malicious content or activity.

In addition, you want the ability to recognise impossible travel scenarios, where a user signs in from a location within the UK and then, five minutes later, signs in from Sydney. This could well be valid activity in some instances, but it does typically require additional validation. This validation could be automated by triggering an e-mail to the user in question and asking them to confirm yes or no to this activity.
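As an added example of the impossible travel check described above (not Kocho’s or Microsoft’s code, and not how Azure Identity Protection implements it), the following runs over a handful of constructed sign-in records, computes the great-circle distance between consecutive sign-ins for each user, and flags any pair whose implied speed exceeds a threshold. The record format and the 1000 km/h threshold are assumptions you would tune to your own logs and risk appetite.

```python
# Added example: flag "impossible travel" between consecutive sign-ins per
# user. Records are constructed here; real sign-in logs would be mapped into
# the same shape. The speed threshold is an assumption to tune.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins: alice is in London and then Sydney five minutes
# later; bob makes a plausible London -> Manchester move over three hours.
SIGNINS = [
    {"user": "alice", "time": "2019-07-22T09:00:00", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "alice", "time": "2019-07-22T09:05:00", "lat": -33.8688, "lon": 151.2093, "city": "Sydney"},
    {"user": "bob", "time": "2019-07-22T08:00:00", "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "bob", "time": "2019-07-22T11:00:00", "lat": 53.4808, "lon": -2.2426, "city": "Manchester"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(signins, max_kmh=1000.0):
    """Return (user, from_city, to_city, implied_kmh) for each consecutive pair
    of a user's sign-ins whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: (r["user"], r["time"])):
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            elapsed = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = elapsed.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two sign-ins at the same instant from different places is also impossible.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                alerts.append((user, prev["city"], cur["city"], round(kmh)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SIGNINS):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh} km/h; ask the user to confirm")
```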

Consider the use of technologies such as Azure Identity Protection, Microsoft Cloud App Security and Flow to help with these scenarios.

You should assess the risk of your sign-ins and credentials and apply a risk value to them; this in turn can drive different policies based on your risk appetite. Azure Identity Protection provides this functionality and can complement your overall CA approach.

In an advanced scenario, you could also consider making changes to your firewall to implement a blocking rule for a malicious IP address through technologies such as Azure Sentinel and logic apps.

Sentinel, supported by its playbooks functionality, can provide a comprehensive automation and orchestration capability to react to various types of security incident.

4. Review your audit logs and increase awareness

Awareness is key to managing a secure environment. Whilst there are many advanced security controls and technologies available within Microsoft 365, it can sometimes be difficult to consume all that information.

Organisations with well-established security functions will no doubt have dedicated teams and systems that centralise all of their security-related data with technologies like a SIEM.

But even in these types of organisations there are certain manual activities that you should perform, such as reviewing your authentication audit logs, the third-party apps that have been granted access to your tenant (the OAuth 2.0 consent mentioned above) and the risk events generated within Azure AD.

You should ensure you have well-defined processes that describe daily or weekly activities, such as reviewing these logs for suspicious or anomalous activity.

Azure AD and Office 365 provide great visibility into the activities within your tenant. Don’t just review these when something happens; review them regularly, especially things like sign-in events.

5. Enable self-service and attestation

Identity access governance is also important. This involves making sure that you regularly review whether the access granted to individuals is still valid and required, or if guest accounts within your tenant are still required.

Do you still have accounts within your directory for users that have left the business or accounts that still have privileged access based on historic requirements?

It might be that you have great processes to handle things like this, but without automation and delegation it can be very difficult to manage effectively.

Consider looking at Azure AD Access Reviews to help with reviewing your users’ access. This empowers the people responsible for certain systems to attest to the users that have access.

Microsoft have also recently released (in preview) the capability to manage entitlements. This greatly reduces the overhead in granting access to resources within your Azure tenant and works well with Access Reviews.

Enabling self-service password reset (SSPR) is really easy to do and can save you money. Enabling users to regain their own access when a password is forgotten is a huge time saver for your service desk.

These technologies improve your awareness and governance capabilities and have a positive effect on your security posture. Attesting regularly to your users’ access can help you keep a tight rein on things.


Ideally, you would take each of the five steps highlighted above and develop them into a comprehensive approach, but taking some action in each of these areas will gain you an improved identity security position.

It’s about identifying and tackling the areas most at risk. Enforcing MFA on your Global Admin accounts and applying MFA and CA together while blocking (or managing) legacy authentication will result in mitigating most breaches.

The overriding theme here has been to focus on protecting your identities; this should be considered a fundamental element of your overall security plan.
