← All glossary terms
Microsoft Entra ID5 min read

Common Microsoft Entra ID Misconfigurations

Most Entra ID compromises trace back to a familiar set of misconfigurations. Learn the most common ones and how to detect and fix them.

Common Microsoft Entra ID Misconfigurations

Most Entra ID compromises don't require novel exploits — they exploit familiar misconfigurations. Microsoft's own threat intelligence and major incident responders consistently identify the same patterns.

This article catalogs the most common Entra ID misconfigurations and how to remediate each.


1. Too Many Standing Global Administrators

Issue. Tens of standing GAs, often including service accounts and rarely-used admin accounts.

Why it matters. Each GA is a tenant-takeover-equivalent identity.

Fix. Reduce to <5 standing + 2 break-glass. Move the rest to PIM-eligible. Remove service accounts as GAs.


2. PIM Not Enabled or Weakly Configured

Issue. PIM available (P2 licensed) but not used; or activations have no MFA, no approval, 8-hour windows.

Why it matters. Standing privilege keeps blast radius high.

Fix. Enable PIM for all privileged roles. Require MFA + justification + approval (where appropriate). Activation ≤ 4 hours, target ≤ 2.


3. Legacy Authentication Not Blocked

Issue. POP, IMAP, SMTP basic, ActiveSync basic still allowed.

Why it matters. Bypasses MFA. Top vector for password spray.

Fix. Conditional Access policy: Block legacy auth for all users. Use modern auth replacements.


4. Weak / Incomplete Conditional Access

Issue. MFA only enforced via per-user MFA; no policies for compliant device, location, risk; admin accounts excluded "for convenience."

Why it matters. Gaps = open doors.

Fix. Build CA baseline: block legacy, require MFA for all, phishing-resistant MFA for admins, risk-based policies, device compliance for sensitive apps.


5. MFA Not Phishing-Resistant for Admins

Issue. Admins use SMS / Authenticator push only. Vulnerable to MFA fatigue, SIM swap, push bombing.

Why it matters. Strongest accounts protected by weakest MFA.

Fix. FIDO2 / passkeys for admins. Authentication strength CA policies.


Issue. Default tenant setting allows users to consent to any app, any scope.

Why it matters. Consent phishing → persistent OAuth access bypassing MFA.

Fix. Restrict user consent to verified publishers + selected low-risk scopes. Enable admin consent workflow for everything else.


7. Long-Lived App Registration Secrets

Issue. Client secrets with 1–2 year (or longer) lifetimes, never rotated.

Why it matters. Stolen secrets give long-term tenant access.

Fix. Short lifetimes (≤ 180 days). Prefer certificates. Use Managed Identities or Workload Identity Federation where possible.


8. Excessive Application Permissions

Issue. Apps granted Mail.ReadWrite.All, Files.Read.All, Directory.Read.All, Application.ReadWrite.All "for flexibility."

Why it matters. Compromise = tenant-wide data access or escalation.

Fix. Audit all admin-consented permissions. Right-size to least privilege. Quarterly review.


9. Stale Service Principals and Enterprise Applications

Issue. Hundreds of unused SPs / Enterprise Apps with permissions still granted.

Why it matters. Vendor compromise / re-use of stale credentials = silent backdoor.

Fix. Quarterly SP inventory. Decommission unused. Remove credentials and consents.


10. Application Administrator Backdoor

Issue. Application Administrator role can add credentials to any service principal — including those with Application.ReadWrite.All (path to Global Admin).

Why it matters. Effective Global Admin without GA membership.

Fix. Treat Application Admin and Cloud Application Admin as near-Tier 0. PIM-eligible only.


11. Privileged Authentication Administrator Misuse

Issue. Role granted to help desk for password reset convenience. Can reset MFA and password for any account, including GAs.

Why it matters. Effective tenant takeover via help desk.

Fix. Restrict severely. Use Authentication Administrator (which can't change admin credentials) for help desk.


12. Federation Trust Misconfigurations

Issue. ADFS or external IdP trust weakly configured; signing certificates long-lived; no SAML token validation hardening.

Why it matters. Golden SAML attacks (forged tokens) bypass cloud authentication entirely.

Fix. Harden ADFS (Microsoft hardening guide). Rotate signing certs. Monitor federation changes.


13. Hybrid Sync (Entra Connect) Server Not Tier 0

Issue. Entra Connect server in standard server tier; MSOL_ account credentials in standard places.

Why it matters. Compromise → DCSync on AD + Global Admin in Entra ID simultaneously.

Fix. Treat Entra Connect server as Tier 0. Vault MSOL_ credentials. Apply tiered admin model.


14. Risky Users / Sign-Ins Unactioned

Issue. Identity Protection shows hundreds of risky users; nobody acts.

Why it matters. Compromised accounts persist.

Fix. CA policies for risk-based response. SOC playbook with SLA. SIEM integration.


15. No Conditional Access for Workload Identities

Issue. Service principal sign-ins unrestricted by IP, location, etc.

Why it matters. Stolen SP credentials usable from anywhere.

Fix. Workload Identities Conditional Access (with Workload Identities Premium license). Restrict by IP / context.


16. Guest User Sprawl

Issue. Hundreds of B2B guests, many inactive, some with elevated rights.

Why it matters. Each guest is a third-party identity with possible access to your data.

Fix. Quarterly Access Reviews on guests. Auto-remove inactive (90+ day) guests. Restrict guest defaults (cannot view directory, etc.).


17. Cross-Tenant Access Settings Default

Issue. Default cross-tenant access permissive; allows MFA / device trust by default to all tenants.

Why it matters. Trust boundary unclear; partner compromise = your compromise.

Fix. Configure cross-tenant access deliberately per partner. Use Multi-Tenant Organization for related tenants.


18. Break-Glass Accounts Mismanaged

Issue. Break-glass with weak MFA, never tested, included in CA policies that could lock them out.

Why it matters. Tenant lockout during incidents — or quiet backdoor for insiders.

Fix. 2 break-glass GAs with hardware FIDO2, cloud-only, excluded from breaking CA policies, monitored on every sign-in.


19. License-Limited Logging

Issue. Sign-in / audit logs not exported beyond default 30-day retention.

Why it matters. Forensic gaps after detection delay.

Fix. Export to Sentinel / Log Analytics / SIEM with long retention (1+ year minimum).


20. Insufficient Detection on Identity Events

Issue. No detections for new Global Admin assignments, OAuth consents, app credential additions, federation changes.

Why it matters. Major identity changes go unnoticed.

Fix. SIEM detections aligned with these events. Alert ownership clear.


How to Use This List

  1. Score each item: Implemented / Partial / Not Started.
  2. Prioritize the top 5 highest-impact "Not Started" items.
  3. Make them quarterly goals.
  4. Re-score quarterly.

How Forestall Helps

Forestall continuously assesses every misconfiguration above (and many more), ranks by exploitability and privilege impact, and surfaces attack paths that exploit them. Findings come with remediation guidance and ownership data for ticketing integration.


Conclusion

Most Entra ID compromises trace to this familiar set of issues. Fix them and most attackers face slower, noisier, more detectable paths. Pick your worst three for your environment, fix them this quarter, then re-prioritize. Identity security in Entra ID is achievable — it just requires deliberate, continuous attention to a known list of risks.

Microsoft Entra IDConditional AccessHardening

Find your worst Entra ID misconfigurations in days.

Forestall continuously assesses Entra ID posture and ranks findings by exploitability and privilege impact.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

Common Microsoft Entra ID Misconfigurations | Forestall