October is Cybersecurity Awareness Month, a reminder that even the most advanced cloud environments are only as secure as their configurations. If your organization runs on Microsoft 365, your identity plane has become your new perimeter, and misconfigurations are among the most common ways attackers gain a foothold.
The good news? Most of these risks are preventable with clear controls, repeatable checks, and a security mindset that treats identity as the backbone of protection. In this guide, we’ll walk through practical steps to strengthen your Microsoft Entra ID (formerly Azure AD) setup and safeguard the M365 components attackers most often target.
In the cloud, an authenticated session often matters more than an IP address or a network segment. If an attacker can log in, register a device, or activate a standing privilege, the rest becomes a permission game. That is why protecting authentication flows, stopping legacy protocols, and keeping privileges just-in-time are the highest value moves you can make.
Treat these as non-negotiables. Each one closes a very common door that attackers use.
Enforce multifactor authentication for everyone, including any service or workload management accounts that are used interactively, and verify that your MFA methods are strong and phishing-resistant. Create two break-glass (emergency access) accounts with long, machine-generated passwords stored separately and securely. Exclude these accounts from conditional access policies so they remain usable for tenant recovery, and configure monitoring and alerting so that your team is notified whenever those accounts do anything.
Legacy protocols cannot enforce modern MFA and are a favorite target for password-spray attacks. Disable legacy authentication tenant-wide, including POP, IMAP, Exchange ActiveSync and SMTP AUTH, via a dedicated conditional access policy. If an application truly needs legacy authentication to function, grant the exception to that one application or account only and monitor it closely.
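The dedicated legacy-authentication block and the break-glass exclusion described above, as an added PowerShell example that is not part of the original post. It assumes the Microsoft Graph and Exchange Online PowerShell modules and sufficient admin rights; the break-glass object IDs and the exception mailbox are placeholders, and the policy is created in report-only mode first.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed; the break-glass object IDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

# Step 1: see who still signs in with legacy protocols before blocking anything.
# Modern clients report 'Browser' or 'Mobile Apps and Desktop clients'; everything else
# (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, older Office) is legacy authentication.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed -NoElement |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 2: create the dedicated Conditional Access policy. It targets all users and all apps
# but only the legacy client types, so modern MFA-capable sign-ins are untouched.
$breakGlassIds = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')  # placeholders
$policy = @{
    displayName   = 'Block legacy authentication - all users'
    # Report-only first: the sign-in log then shows what would have been blocked.
    # Change to 'enabled' once Step 1 shows no legitimate legacy traffic remains.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassIds   # emergency access accounts stay outside CA
        }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Step 3: turn off SMTP AUTH at the tenant level so Exchange itself refuses basic-auth
# mail submission instead of relying on the Conditional Access evaluation alone.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# If exactly one account genuinely needs SMTP AUTH (a scanner or line-of-business app),
# re-enable it for that mailbox only and alert on its sign-ins. Placeholder address.
Set-CASMailbox -Identity 'scanner@contoso.example' -SmtpClientAuthenticationDisabled $false
```

Leave the policy in report-only mode for a full business cycle and review the "Report-only" result column in the Entra sign-in logs before switching it to enabled.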
Phone-based factors (SMS and voice) are the weak link: attackers can socially engineer phone carriers or intercept messages. Prefer Microsoft Authenticator with number matching, FIDO2 security keys, or platform passkeys. Keep your MFA factors as phishing-resistant as possible.
Device sign-in prompts are a popular lure in phishing campaigns. Restrict who can register or join devices, require devices to be compliant or hybrid joined via conditional access before granting access, and use Named Locations for network restrictions where appropriate. Additionally, disable the OAuth 2.0 device authorization grant (device code) flow unless you have a known dependency on it, as it is routinely abused for phishing.
Forwarding rules that send mail outside the tenant are a quiet data exfiltration path. Block external auto-forwarding in the Outbound spam filter policy. Review existing rules in user mailboxes to catch any that slipped through.
Permanent privileged role assignments, like global admin, are an unnecessary risk. Move privileged roles to PIM so access is activated only when needed, require MFA and approval, capture business justification for activating the role, and expire the activation automatically. If you do not separate admin and user accounts, PIM becomes even more important. Remember to periodically review privileged roles and assignments.
Enable the Unified Audit Log and Entra ID sign-in/audit logs. Send them to a SIEM or Defender. Make sure you can answer these three questions quickly: who authenticated, from where, and to what.
One-off hardening leaves gaps. Adopt a benchmark and work it methodically.
Enforce MFA, create emergency accounts, disable legacy auth, and block external forwarding.
Refine conditional access policies, allowed auth methods, and device registration controls.
Roll out PIM for global admin and other high-impact roles.
Enable and route logs, set core alerts, and document your baseline exceptions.
Most identity breaches in M365 are not zero-day stories. They start with legacy protocols that should have been off, weak MFA that should have been stronger, privileges that should have been temporary, and logging that should have been enabled. Close those gaps first. Work from an industry benchmark, not an ad-hoc checklist in someone’s head. Keep privileges just-in-time, keep your methods phishing-resistant, and keep your logs flowing to a place you actually review.
Do the simple things thoroughly, and you will remove a surprising amount of risk in a very short time.
If you’re ready to take your security posture seriously, contact our team to start your next penetration test with confidence.