Entra ID Misconfigurations That Open the Door to Attackers

Entra ID, the identity platform formerly known as Azure Active Directory, sits at the centre of most modern Microsoft environments. The same centrality that makes it useful to legitimate administrators makes it the prime target for attackers. Misconfigurations in Entra ID rarely look dramatic in a dashboard but can quietly hand a determined attacker the entire tenant. The pattern is familiar, the defences are well documented and yet the misconfigurations keep appearing.

Default Settings Were Designed For Convenience

Many of the defaults in Entra ID prioritise getting a tenant working quickly over locking it down tightly. Self-service application registration, user consent to third-party applications, the legacy authentication endpoints that let clients sidestep conditional access unless a policy explicitly blocks them, and the broad permissions assigned to standard user roles all create routes that a competent attacker will probe early. A focused Azure pen testing engagement should evaluate each of these defaults against the risk posture the business actually intends.

Privileged Roles Spread Quietly

Global Administrator is the headline role and most teams know to limit it. The same teams often miss that User Administrator, Privileged Authentication Administrator and Application Administrator each carry capabilities that, combined, allow full tenant takeover. Role assignments tend to accumulate over the years as people change jobs and roles get added for one-off tasks. A periodic review of who holds what privilege is cheap, useful and almost universally overdue.
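The review the paragraph above recommends is easy to script. The following is an added example, not code from the original article: it consumes the record shapes Microsoft Graph returns from GET /v1.0/roleManagement/directory/roleDefinitions and GET /v1.0/roleManagement/directory/roleAssignments?$expand=principal, and reports every principal holding one of the four roles named above, widest holders first. The definitions and assignments embedded here are constructed sample data, not a real tenant, so the script runs offline; to run it against a tenant, replace the two lists with the "value" arrays from those two calls.

```python
"""Review Entra ID directory role assignments for accumulated privilege.

Added example, not code from the original article. It consumes the JSON shapes
returned by Microsoft Graph (roleDefinitions and roleAssignments expanded with
their principal). The records below are constructed sample data.
"""
from collections import defaultdict

# Roles the article names as individually dangerous and, combined,
# sufficient for tenant takeover.
TAKEOVER_ROLES = {
    "Global Administrator",
    "User Administrator",
    "Privileged Authentication Administrator",
    "Application Administrator",
}

# Constructed sample: only the fields the review needs.
ROLE_DEFINITIONS = [
    {"id": "def-ga", "displayName": "Global Administrator"},
    {"id": "def-ua", "displayName": "User Administrator"},
    {"id": "def-paa", "displayName": "Privileged Authentication Administrator"},
    {"id": "def-aa", "displayName": "Application Administrator"},
    {"id": "def-reader", "displayName": "Global Reader"},
]

ROLE_ASSIGNMENTS = [
    {"roleDefinitionId": "def-ga", "principalId": "u1",
     "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Alice Admin"}},
    {"roleDefinitionId": "def-ua", "principalId": "u2",
     "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Bob Helpdesk"}},
    {"roleDefinitionId": "def-paa", "principalId": "u2",
     "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Bob Helpdesk"}},
    {"roleDefinitionId": "def-aa", "principalId": "sp1",
     "principal": {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "ci-deployer"}},
    {"roleDefinitionId": "def-reader", "principalId": "u3",
     "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Carol Audit"}},
]


def roles_by_principal(role_definitions, role_assignments):
    """Map each principal id to the set of role display names it holds."""
    names = {d["id"]: d["displayName"] for d in role_definitions}
    held = defaultdict(set)
    for a in role_assignments:
        held[a["principalId"]].add(names.get(a["roleDefinitionId"], a["roleDefinitionId"]))
    return dict(held)


def review(role_definitions, role_assignments):
    """Return one finding per principal holding any takeover-capable role,
    sorted so principals holding the most such roles come first."""
    principals = {a["principalId"]: a["principal"] for a in role_assignments}
    findings = []
    for pid, roles in roles_by_principal(role_definitions, role_assignments).items():
        dangerous = roles & TAKEOVER_ROLES
        if not dangerous:
            continue
        p = principals[pid]
        odata_type = p.get("@odata.type", "")
        findings.append({
            "principalId": pid,
            "displayName": p.get("displayName", pid),
            "type": odata_type.rsplit(".", 1)[-1],
            "roles": sorted(dangerous),
            # A non-human holder of these roles carries the article's service
            # principal concerns on top of the role concern.
            "isServicePrincipal": odata_type.endswith("servicePrincipal"),
        })
    return sorted(findings, key=lambda f: (-len(f["roles"]), f["displayName"]))


if __name__ == "__main__":
    for f in review(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS):
        flag = " (service principal)" if f["isServicePrincipal"] else ""
        print(f"{f['displayName']}{flag}: {', '.join(f['roles'])}")
```

In the sample, the helpdesk account holding both User Administrator and Privileged Authentication Administrator is listed first: that pairing lets one account reset credentials and authentication methods for other privileged users, which is exactly the kind of quiet accumulation the paragraph describes.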

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The most damaging Entra ID compromises I have investigated did not involve breaking the platform. They involved a service principal with excessive permissions whose credentials had been committed to a public repository. The attacker authenticated through the front door with valid credentials and walked away with the directory before anyone noticed.

Service Principals Need The Same Discipline

Service principals proliferate quickly in active Entra ID tenants. Every application registration creates one. Every automation script needs one. The credentials get rotated inconsistently, the permissions accumulate over time and the audit trail of who created what becomes unclear. Apply the same discipline to service principals that you apply to user accounts: inventory them, review their permissions regularly and remove the ones that no longer have a current purpose. Service principal abuse is one of the highest impact attack patterns in Entra ID. The credentials are non-human, the activity often looks like automation and the audit trail is thinner than for user accounts. It is worth investing in specific monitoring for service principal sign-ins from unfamiliar locations or with unusual patterns.
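Both halves of that advice, the inventory review and the sign-in monitoring, can be expressed as checks over exported data. The following is an added example, not code from the original article. It takes service principal objects in the shape Microsoft Graph returns (passwordCredentials and keyCredentials with startDateTime and endDateTime) together with service principal sign-in records (servicePrincipalId, ipAddress, location.countryOrRegion, createdDateTime), flags credentials overdue for rotation, expired credentials that were never removed, principals with no credentials and no recent activity, and any sign-in from a country not seen for that principal in the preceding window. The principals, sign-ins, fixed "now", 180-day rotation limit and 30-day baseline window are all constructed assumptions to tune for your tenant.

```python
"""Service principal hygiene review and sign-in baseline check.

Added example, not code from the original article. Inputs follow the shapes of
Microsoft Graph servicePrincipal objects and service principal signIn records;
all records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed so the run is deterministic
MAX_CREDENTIAL_AGE = timedelta(days=180)         # assumed rotation limit
BASELINE_WINDOW = timedelta(days=30)             # assumed "familiar" window


def _ts(s):
    """Parse Graph's ISO 8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample service principals.
SERVICE_PRINCIPALS = [
    {"id": "sp-ci", "displayName": "ci-deployer",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2023-06-01T00:00:00Z",
                              "endDateTime": "2026-06-01T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "sp-bak", "displayName": "backup-sync",
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2025-01-10T00:00:00Z",
                              "endDateTime": "2026-01-10T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "sp-old", "displayName": "legacy-reporting",
     "passwordCredentials": [], "keyCredentials": []},
]

# Constructed sample sign-ins: 30 days of the usual pattern for sp-ci from one
# UK address, then a single sign-in from an address in another country.
SIGN_INS = (
    [{"servicePrincipalId": "sp-ci", "ipAddress": "203.0.113.10",
      "location": {"countryOrRegion": "GB"},
      "createdDateTime": (NOW - timedelta(days=d, hours=2)).strftime("%Y-%m-%dT%H:%M:%SZ")}
     for d in range(1, 31)]
    + [{"servicePrincipalId": "sp-ci", "ipAddress": "198.51.100.7",
        "location": {"countryOrRegion": "BR"}, "createdDateTime": "2025-03-01T03:14:00Z"}]
    + [{"servicePrincipalId": "sp-bak", "ipAddress": "203.0.113.11",
        "location": {"countryOrRegion": "GB"}, "createdDateTime": "2025-02-28T22:00:00Z"}]
)


def credential_findings(service_principals, sign_ins, now=NOW):
    """Return (principal name, keyId or None, reason) for overdue rotation,
    expired credentials still present, and principals with no credentials
    and no sign-ins inside the baseline window (no current purpose)."""
    active = {s["servicePrincipalId"] for s in sign_ins
              if _ts(s["createdDateTime"]) >= now - BASELINE_WINDOW}
    findings = []
    for sp in service_principals:
        creds = sp.get("passwordCredentials", []) + sp.get("keyCredentials", [])
        for c in creds:
            age = now - _ts(c["startDateTime"])
            if age > MAX_CREDENTIAL_AGE:
                findings.append((sp["displayName"], c["keyId"],
                                 f"rotation overdue ({age.days} days old)"))
            if _ts(c["endDateTime"]) < now:
                findings.append((sp["displayName"], c["keyId"], "expired credential still present"))
        if not creds and sp["id"] not in active:
            findings.append((sp["displayName"], None,
                             "no credentials and no recent sign-ins: candidate for removal"))
    return findings


def unfamiliar_sign_ins(sign_ins, window=BASELINE_WINDOW):
    """Flag sign-ins whose country was not seen for that principal within the
    preceding window. A principal's first ever sign-in is not flagged; the
    inventory review is where brand-new principals should surface."""
    history = defaultdict(list)   # servicePrincipalId -> [(time, country)]
    flagged = []
    for s in sorted(sign_ins, key=lambda r: _ts(r["createdDateTime"])):
        t = _ts(s["createdDateTime"])
        country = s.get("location", {}).get("countryOrRegion")
        prior = [c for (pt, c) in history[s["servicePrincipalId"]] if t - pt <= window]
        if prior and country not in prior:
            flagged.append(s)
        history[s["servicePrincipalId"]].append((t, country))
    return flagged


if __name__ == "__main__":
    for name, key_id, reason in credential_findings(SERVICE_PRINCIPALS, SIGN_INS):
        print(f"[inventory] {name} {key_id or ''}: {reason}")
    for s in unfamiliar_sign_ins(SIGN_INS):
        print(f"[sign-in] {s['servicePrincipalId']} from {s['ipAddress']} "
              f"({s['location']['countryOrRegion']}) at {s['createdDateTime']}")
```

The country baseline is deliberately simple; in practice you would also baseline the source IP ranges and the hours at which each automation normally runs, since a valid credential used from a new network at 3 a.m. is the pattern the expert commentary above describes.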

Conditional Access Needs Real Tests

A conditional access policy in the portal looks reassuring. A policy that actually blocks the scenarios it claims to block is something quite different. Testing requires attempting to authenticate from contexts that should be blocked and confirming the failure. Test from blocked geographies, with legacy protocols, with non-compliant devices and at unusual hours. A capable pen testing company will run these tests systematically rather than spot-checking. Without the tests, conditional access is theatre rather than control.
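Before the live tests, it helps to know what the exported policy set claims for each of those contexts, including the legacy authentication default mentioned earlier. The following is an added example, not code from the original article: an offline what-if evaluator over a subset of the Microsoft Graph conditionalAccessPolicy schema (state, conditions.users, conditions.clientAppTypes, conditions.locations and grantControls) plus country named locations. It applies the rules that exclusions beat inclusions, every configured condition must match, report-only policies are recorded but not enforced, and a block control wins over any grant requirement. The policies, named locations and sign-in scenarios are constructed, and the model omits platform, device-filter and trusted-location ("AllTrusted") handling. It shows what the configuration says; the authentication attempts the paragraph calls for remain the only proof that the tenant enforces it.

```python
"""Offline what-if evaluation of exported conditional access policies.

Added example, not code from the original article. Models a subset of the
Graph conditionalAccessPolicy schema; policies, named locations and scenarios
below are constructed sample data.
"""

# Constructed named locations (subset of Graph's countryNamedLocation).
NAMED_LOCATIONS = {
    "loc-allowed": {"countriesAndRegions": ["GB", "IE"]},
}

# Constructed policies in the shape of GET /identity/conditionalAccess/policies.
POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"],  # Graph's legacy buckets
                    "locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block outside allowed countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass"]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-allowed"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["all"], "locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["all"], "locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def _in_location(country, location_ids):
    """True if the country falls inside any of the named locations (or 'All')."""
    if "All" in location_ids:
        return True
    return any(country in NAMED_LOCATIONS.get(loc, {}).get("countriesAndRegions", [])
               for loc in location_ids)


def in_scope(policy, ctx):
    """Does the policy apply to this sign-in context? Exclusions win over
    inclusions, and every configured condition must match."""
    c = policy["conditions"]
    users = c["users"]
    if ctx["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and ctx["user"] not in users["includeUsers"]:
        return False
    apps = c["clientAppTypes"]
    if "all" not in apps and ctx["clientAppType"] not in apps:
        return False
    loc = c.get("locations")
    if loc:
        if not _in_location(ctx["country"], loc["includeLocations"]):
            return False
        if _in_location(ctx["country"], loc.get("excludeLocations", [])):
            return False
    return True


def evaluate(policies, ctx):
    """Return (verdict, deciding policy names, report-only policies that matched).
    verdict is 'block', 'controls-unmet' or 'allow'."""
    blocking, unmet, report_only = [], [], []
    satisfied = {"mfa": ctx.get("mfa", False),
                 "compliantDevice": ctx.get("deviceCompliant", False)}
    for p in policies:
        if p["state"] == "disabled" or not in_scope(p, ctx):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])   # looks reassuring, enforces nothing
            continue
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            blocking.append(p["displayName"])
            continue
        checks = [satisfied.get(ctl, False) for ctl in controls]
        ok = any(checks) if p["grantControls"]["operator"] == "OR" else all(checks)
        if not ok:
            unmet.append(p["displayName"])
    if blocking:
        return "block", blocking, report_only
    if unmet:
        return "controls-unmet", unmet, report_only
    return "allow", [], report_only


# Constructed contexts mirroring the test list in the text.
SCENARIOS = [
    {"name": "IMAP from GB on a compliant device", "user": "alice",
     "clientAppType": "other", "country": "GB", "deviceCompliant": True},
    {"name": "Browser from outside the allowed countries", "user": "alice",
     "clientAppType": "browser", "country": "US", "deviceCompliant": True},
    {"name": "Browser from GB on an unmanaged device", "user": "alice",
     "clientAppType": "browser", "country": "GB", "deviceCompliant": False},
    {"name": "Break-glass account from outside the allowed countries", "user": "break-glass",
     "clientAppType": "browser", "country": "US", "deviceCompliant": True},
]

if __name__ == "__main__":
    for s in SCENARIOS:
        verdict, why, ro = evaluate(POLICIES, s)
        print(f"{s['name']}: {verdict} {why}; report-only matches: {ro}")
```

Two things worth noticing in the output: the MFA policy matches every scenario but decides none of them because it is in report-only state, and the break-glass exclusion means that account is allowed in from anywhere, which is intended but is exactly the kind of exception the live tests should confirm is limited to the accounts you expect.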

Entra ID is powerful, complex and forgiving. Each of those attributes is also why attackers love it. Entra ID misconfigurations rarely look dangerous in the portal. They become dangerous when chained together by someone who knows what they are looking at. Cloud security is a shared responsibility model in name and a fully owned responsibility model in practice. The configuration choices that matter live on your side of the line, regardless of how the provider markets the platform.