top of page

Part 1: Identity Threat Protection Starts After the Login

  • Writer: Derek Morgan
    Derek Morgan
  • 15 hours ago
  • 4 min read

Most Microsoft 365 environments still treat the sign-in event as the finish line for identity security. In the division-of-labor attacks that made up 9% of Mandiant's 2025 investigations, the median hand-off from initial access to a second operator fell to 22 seconds, down from more than 8 hours in 2022. The sign-in event starts the risk clock.


Verizon's 2025 Data Breach Investigations Report found that among threat actors targeting Microsoft 365 accounts with MFA bypass techniques, 31% used token theft, ahead of MFA fatigue at 22% and adversary-in-the-middle attacks at 9%. Multi-factor authentication remains worth enforcing. These numbers describe what happens to the accounts that already have it.


Authentication proves identity. It does not prove trust.


What "after the login" actually contains

A successful sign-in tells you who authenticated. It does not tell you what that identity can now reach, and in most Microsoft 365 tenants, nobody has fully mapped the answer.


Excessive privilege. Privileged Identity Management (PIM) usually protects the roles everyone already worries about, Global Administrator chief among them, while other highly privileged roles stay permanently assigned. Compass Security's 2026 Entra ID assessment series describes this as a recurring pattern across real-world tenants: PIM gets configured for the well-known roles and quietly skipped for the rest.


Split-screen Microsoft Entra Global Administrator assignments page, comparing active vs eligible users with red boxes and arrows.
Managing Global Administrator Roles: The first panel shows active assignments, listing CHC Demo User, Derek Morgan, and Ichigo Kurosaki. The second panel highlights eligible assignments, featuring Alex Wilber.

Unmanaged devices and token handling. A stolen session token skips MFA entirely, because the token already proves the authentication happened. Adversary-in-the-middle proxies exist specifically to harvest that token at the moment of sign-in. Conditional Access token protection counters this by binding a token to the device that requested it, so a copied token fails on any other machine.


Entra Conditional Access policy page with Session settings open; token protection for sign-in sessions is checked and highlighted.
Conditional Access policy "CA-SIG007-Internal-TokenProtection" is configured to enable token protection for sign-in sessions, shown as active for Windows and in preview for MacOS and iOS. The policy is set to report-only mode and focuses on enhancing security by blocking unsupported devices and client applications.

Application and workload access. OAuth consent and service principal ownership create a path that never touches a human sign-in at all. An over-permissioned app registration, or a service principal owned by an account nobody reviews, gives an attacker a way in that most identity monitoring never looks at. Compass Security's assessment series on foreign enterprise applications documents a sharper version of the same problem: when an app's credentials live in a tenant you don't control, the permissions you granted outlive your ability to review who's actually using them.


Entra ID App registrations page for Test-Service-Principal showing API permissions granted, with highlighted Microsoft Graph permissions.
The Test-Service-Principal page displays configured API permissions within Azure, showcasing granted admin consent for Microsoft Graph’s Directory, Files, and Sites functionalities.

These three gaps chain together into what's usually called an identity attack path: group membership grants eligibility for a role, that role's activation requirements are weaker than they look, and the account holding it was never reviewed. An attacker can reach your most privileged account without ever touching it directly, through any account that eventually connects to it.


Dark slide titled IDENTITY ATTACK PATH shows a chain: low-privilege user > group membership > PIM-eligible role > high-value target
Diagram illustrating an identity attack path transforming a low-privilege user into a high-value target through strategic control points, including group membership and PIM-eligible roles.

What this looks like in production

I worked with a client whose environment was managed in part by an MSP with rotating engineering staff. There was no identity lifecycle process tied to that rotation. An access review surfaced PIM-eligible roles still assigned to administrator accounts belonging to MSP staff who had rotated off the engagement months earlier; no one had removed the eligibility when the engagement changed hands. We implemented recurring access reviews with multi-stage approval, so an eligible assignment can't persist past a set window without someone actively signing off on it.


A similar gap showed up in application access. A client's app registration held Directory.ReadWrite.All among a broad set of Graph permissions, granted to support a third-party vendor integration. The vendor couldn't produce documentation justifying the scope, and no one had required approval before the consent was granted. We built a consent approval process that requires vendor documentation justifying each requested permission before consent is granted, not after.


In a recent client engagement, I saw the Conditional Access gap manifest directly: the PIM activation policy required only the built-in Azure MFA claim, so administrators authenticated with whatever MFA method they had registered, phishing-resistant or not. A stolen token that already carried an MFA claim could complete the PIM activation on its own. We migrated administrators to phishing-resistant MFA, built an authentication context specifically for PIM activation, assigned it to the relevant roles, and configured a Conditional Access policy that enforces phishing-resistant MFA whenever that authentication context is invoked.


Business case

Mandiant's 2026 report puts the global median dwell time at 14 days, up from 11 days in 2024. Multiply that window by the number of systems reachable from a single compromised identity's attack path, and you get the real scope of remediation: every system that identity could touch during those 14 days. Standing privilege multiplies that blast radius even when detection is fast, because the attacker isn't waiting on a slow escalation process. They're already positioned.


Dark bar chart titled Remediation scope by privilege posture shows smallest standard access, wider eligible role, widest standing privileged access
Bar chart illustrating the remediation scope by privilege posture, showing the smallest scope for standard access, a wider scope for eligible but unreviewed roles, and the widest scope for standing privileged access.

What to validate this week

  • Inventory which roles are PIM-eligible versus permanently assigned, and who approved that assignment

  • Require phishing-resistant authentication and "sign-in frequency: every time" for sensitive authentication contexts, including PIM activation and admin portal access

  • Turn on token protection Conditional Access policies for Exchange and SharePoint scopes where supported

  • Review high-privilege app consents and service principal ownership quarterly, not annually

  • Use Continuous Access Evaluation as a backstop for the gap between compromise and detection, on top of the controls above


Microsoft Entra conditional access policy with PIM Activation selected and Grant access set to AdminAuth authentication strength.
Setting up a Conditional Access policy in Entra ID to require admin authentication for PIM activation, with a focus on enforcing authentication strength through AdminAuth.

The takeaway

Authentication proves identity. It does not prove trust. Everything past the sign-in screen, privilege, device posture, application access, is where that trust actually gets tested. Part 2 turns to the identities most organizations never audit at all: the service principals, workload identities, and agents that now outnumber the humans in most Microsoft 365 tenants.

bottom of page