Common Microsoft Entra ID Misconfigurations
Most Entra ID compromises trace back to a familiar set of misconfigurations. Learn the most common ones and how to detect and fix them.
Common Microsoft Entra ID Misconfigurations
Most Entra ID compromises don't require novel exploits — they exploit familiar misconfigurations. Microsoft's own threat intelligence and major incident responders consistently identify the same patterns.
This article catalogs the most common Entra ID misconfigurations and how to remediate each.
1. Too Many Standing Global Administrators
Issue. Tens of standing GAs, often including service accounts and rarely-used admin accounts.
Why it matters. Each GA is a tenant-takeover-equivalent identity.
Fix. Reduce to <5 standing + 2 break-glass. Move the rest to PIM-eligible. Remove service accounts as GAs.
2. PIM Not Enabled or Weakly Configured
Issue. PIM available (P2 licensed) but not used; or activations have no MFA, no approval, 8-hour windows.
Why it matters. Standing privilege keeps blast radius high.
Fix. Enable PIM for all privileged roles. Require MFA + justification + approval (where appropriate). Activation ≤ 4 hours, target ≤ 2.
3. Legacy Authentication Not Blocked
Issue. POP, IMAP, SMTP basic, ActiveSync basic still allowed.
Why it matters. Bypasses MFA. Top vector for password spray.
Fix. Conditional Access policy: Block legacy auth for all users. Use modern auth replacements.
4. Weak / Incomplete Conditional Access
Issue. MFA only enforced via per-user MFA; no policies for compliant device, location, risk; admin accounts excluded "for convenience."
Why it matters. Gaps = open doors.
Fix. Build CA baseline: block legacy, require MFA for all, phishing-resistant MFA for admins, risk-based policies, device compliance for sensitive apps.
5. MFA Not Phishing-Resistant for Admins
Issue. Admins use SMS / Authenticator push only. Vulnerable to MFA fatigue, SIM swap, push bombing.
Why it matters. Strongest accounts protected by weakest MFA.
Fix. FIDO2 / passkeys for admins. Authentication strength CA policies.
6. User Consent Allowed for All Apps and Scopes
Issue. Default tenant setting allows users to consent to any app, any scope.
Why it matters. Consent phishing → persistent OAuth access bypassing MFA.
Fix. Restrict user consent to verified publishers + selected low-risk scopes. Enable admin consent workflow for everything else.
7. Long-Lived App Registration Secrets
Issue. Client secrets with 1–2 year (or longer) lifetimes, never rotated.
Why it matters. Stolen secrets give long-term tenant access.
Fix. Short lifetimes (≤ 180 days). Prefer certificates. Use Managed Identities or Workload Identity Federation where possible.
8. Excessive Application Permissions
Issue. Apps granted Mail.ReadWrite.All, Files.Read.All, Directory.Read.All, Application.ReadWrite.All "for flexibility."
Why it matters. Compromise = tenant-wide data access or escalation.
Fix. Audit all admin-consented permissions. Right-size to least privilege. Quarterly review.
9. Stale Service Principals and Enterprise Applications
Issue. Hundreds of unused SPs / Enterprise Apps with permissions still granted.
Why it matters. Vendor compromise / re-use of stale credentials = silent backdoor.
Fix. Quarterly SP inventory. Decommission unused. Remove credentials and consents.
10. Application Administrator Backdoor
Issue. Application Administrator role can add credentials to any service principal — including those with Application.ReadWrite.All (path to Global Admin).
Why it matters. Effective Global Admin without GA membership.
Fix. Treat Application Admin and Cloud Application Admin as near-Tier 0. PIM-eligible only.
11. Privileged Authentication Administrator Misuse
Issue. Role granted to help desk for password reset convenience. Can reset MFA and password for any account, including GAs.
Why it matters. Effective tenant takeover via help desk.
Fix. Restrict severely. Use Authentication Administrator (which can't change admin credentials) for help desk.
12. Federation Trust Misconfigurations
Issue. ADFS or external IdP trust weakly configured; signing certificates long-lived; no SAML token validation hardening.
Why it matters. Golden SAML attacks (forged tokens) bypass cloud authentication entirely.
Fix. Harden ADFS (Microsoft hardening guide). Rotate signing certs. Monitor federation changes.
13. Hybrid Sync (Entra Connect) Server Not Tier 0
Issue. Entra Connect server in standard server tier; MSOL_ account credentials in standard places.
Why it matters. Compromise → DCSync on AD + Global Admin in Entra ID simultaneously.
Fix. Treat Entra Connect server as Tier 0. Vault MSOL_ credentials. Apply tiered admin model.
14. Risky Users / Sign-Ins Unactioned
Issue. Identity Protection shows hundreds of risky users; nobody acts.
Why it matters. Compromised accounts persist.
Fix. CA policies for risk-based response. SOC playbook with SLA. SIEM integration.
15. No Conditional Access for Workload Identities
Issue. Service principal sign-ins unrestricted by IP, location, etc.
Why it matters. Stolen SP credentials usable from anywhere.
Fix. Workload Identities Conditional Access (with Workload Identities Premium license). Restrict by IP / context.
16. Guest User Sprawl
Issue. Hundreds of B2B guests, many inactive, some with elevated rights.
Why it matters. Each guest is a third-party identity with possible access to your data.
Fix. Quarterly Access Reviews on guests. Auto-remove inactive (90+ day) guests. Restrict guest defaults (cannot view directory, etc.).
17. Cross-Tenant Access Settings Default
Issue. Default cross-tenant access permissive; allows MFA / device trust by default to all tenants.
Why it matters. Trust boundary unclear; partner compromise = your compromise.
Fix. Configure cross-tenant access deliberately per partner. Use Multi-Tenant Organization for related tenants.
18. Break-Glass Accounts Mismanaged
Issue. Break-glass with weak MFA, never tested, included in CA policies that could lock them out.
Why it matters. Tenant lockout during incidents — or quiet backdoor for insiders.
Fix. 2 break-glass GAs with hardware FIDO2, cloud-only, excluded from breaking CA policies, monitored on every sign-in.
19. License-Limited Logging
Issue. Sign-in / audit logs not exported beyond default 30-day retention.
Why it matters. Forensic gaps after detection delay.
Fix. Export to Sentinel / Log Analytics / SIEM with long retention (1+ year minimum).
20. Insufficient Detection on Identity Events
Issue. No detections for new Global Admin assignments, OAuth consents, app credential additions, federation changes.
Why it matters. Major identity changes go unnoticed.
Fix. SIEM detections aligned with these events. Alert ownership clear.
How to Use This List
- Score each item: Implemented / Partial / Not Started.
- Prioritize the top 5 highest-impact "Not Started" items.
- Make them quarterly goals.
- Re-score quarterly.
How Forestall Helps
Forestall continuously assesses every misconfiguration above (and many more), ranks by exploitability and privilege impact, and surfaces attack paths that exploit them. Findings come with remediation guidance and ownership data for ticketing integration.
Conclusion
Most Entra ID compromises trace to this familiar set of issues. Fix them and most attackers face slower, noisier, more detectable paths. Pick your worst three for your environment, fix them this quarter, then re-prioritize. Identity security in Entra ID is achievable — it just requires deliberate, continuous attention to a known list of risks.
Find your worst Entra ID misconfigurations in days.
Forestall continuously assesses Entra ID posture and ranks findings by exploitability and privilege impact.