Entra ID (formerly Azure AD) is your cloud identity backbone — and it is full of configuration risks that standard tools do not surface. IdentityFirst maps every gap: Conditional Access blind spots, PIM bypass paths, over-privileged app registrations, and guest account exposure.
Cloud identity attacks grew by more than 300% in 2024. Entra ID is the most targeted cloud identity platform in the world — and most organisations have no visibility into its configuration risks.
Adversary-in-the-Middle (AiTM) phishing attacks steal authenticated session tokens — bypassing MFA entirely. Without token protection policies and sign-in frequency enforcement in Conditional Access, MFA provides no protection against these attacks.
B2B guest accounts are created freely through Teams, SharePoint, and Power Platform. They accumulate over months and years — many belonging to former partners, vendors, or contractors — with no automated review or expiry.
App registrations are created for integrations, PoCs, and automated processes — and then forgotten. Client secrets expire or are rotated without removing the permission grants. Many carry Directory.ReadWrite.All or Mail.ReadWrite — tenant-wide write permissions.
Basic Authentication, legacy SMTP AUTH, and older Office protocols cannot enforce Conditional Access policies. If these protocols are not explicitly blocked, any Conditional Access policy with MFA or device compliance requirements can be bypassed completely.
IdentityFirst structures its Entra ID assessment across six risk areas — each mapped to specific attack techniques and compliance controls.
Representative examples of findings from real Entra ID environments — the configuration risks that exist in most organisations and are invisible without structured assessment.
d.walsh is assigned the Global Administrator role as a permanent (active) assignment — not via PIM eligible assignment. The account last signed in 12 days ago from a non-compliant device. No MFA step-up is required for role activation because the role is already permanently active.
Blast Radius: Critical — Global Admin provides full tenant control including user creation, app consent, and Conditional Access policy modification.
Conditional Access Policy CA-002-MFA-All-Users excludes the "Legacy Auth Service Accounts" group, which currently contains 312 user accounts — 34% of the tenant user base. Legacy authentication is not blocked at the tenant level. Basic Auth SMTP and IMAP are active on Exchange Online.
Blast Radius: High — any of these 312 accounts can authenticate without MFA via legacy protocols.
The tenant contains 127 B2B guest accounts. 89 of these have not signed in for 90 or more days. 34 of the inactive guests retain access to at least one SharePoint site or Teams channel. No access review campaign has been run against guest accounts in the past 12 months.
Blast Radius: Medium — inactive guest accounts represent an unmonitored external access surface.
Three app registrations hold Directory.ReadWrite.All application permission (not delegated). Owner records show departed employees for two of them. Client secrets are valid. No conditional access policy applies to service principals. These apps can read and write all directory objects in the tenant.
Blast Radius: Critical — Directory.ReadWrite.All provides near-equivalent access to a Global Admin.
The primary MFA enforcement policy (CA-001-MFA-Privileged) excludes two break-glass accounts and six service accounts. The break-glass accounts have no sign-in monitoring alert configured. The six service accounts are used for automation but their credentials are stored in a shared spreadsheet, not a secrets vault.
Blast Radius: Critical — break-glass accounts without monitoring are a common lateral movement pivot.
A structured, five-stage read-only pipeline from Microsoft Graph OAuth to board-ready report — completed within 24 hours.
Day 1
A dedicated app registration is created in your tenant with read-only Microsoft Graph permissions (User.Read.All, Policy.Read.All, RoleManagement.Read.Directory, Directory.Read.All). No write permissions. Admin consent granted once by a Global Admin or Privileged Role Administrator.
Day 1–2
IdentityFirst enumerates all users, groups, roles, app registrations, service principals, Conditional Access policies, PIM assignments, guest accounts, and sign-in risk policies via Microsoft Graph. Every object and every attribute relevant to identity security is captured.
Day 2
Entra ID findings are correlated with on-premises Active Directory (where connected) — surfacing hybrid identity gaps, accounts that exist in AD but are not managed in Entra ID, and Entra ID accounts without corresponding on-premises identities that should not exist.
Day 2
MFA coverage is calculated per-user and per-role, accounting for Conditional Access exclusions, legacy authentication bypass paths, and MFA method strength. The score is expressed as a percentage of users with effective phishing-resistant MFA coverage.
Day 2–3
Board-ready PDF with ranked findings, blast radius per finding, MFA coverage score, PIM coverage analysis, guest account exposure, app registration risk, and compliance mapping — delivered within 24 hours of scan completion.
Straight answers to the questions we hear most often about Entra ID and Azure AD security reviews.
Yes. Microsoft rebranded Azure Active Directory (Azure AD) to Microsoft Entra ID in July 2023. The underlying service and architecture are the same — all references to Azure AD in legacy documentation, PowerShell modules, and Microsoft Graph API responses are equivalent to Entra ID. IdentityFirst supports both the legacy Azure AD naming and the current Entra ID naming.
IdentityFirst requires the following read-only Microsoft Graph API application permissions:
User.Read.All — read all user profilesGroup.Read.All — read all group membershipsDirectory.Read.All — read directory objectsPolicy.Read.All — read Conditional Access policiesRoleManagement.Read.Directory — read role assignments and PIM assignmentsThese are application permissions granted to a dedicated app registration — no Global Admin rights are required for the connector itself. The one-time admin consent step requires a Global Admin or Privileged Role Administrator. We walk you through the setup in under 30 minutes.
IdentityFirst reads all Conditional Access policies via Microsoft Graph and evaluates them against a structured risk model: which users and groups are excluded, which applications are not covered, whether legacy authentication is explicitly blocked, whether device compliance is enforced for high-risk applications, and whether break-glass accounts are appropriately scoped.
Each gap is reported with the specific policy name, exclusion scope, affected user count, and recommended remediation — including the exact Conditional Access policy configuration to apply.
The Entra ID audit covers Entra ID roles (Global Administrator, Privileged Role Administrator, Application Administrator, etc.) and Entra ID-level permissions including app registration grants and PIM assignments.
Azure RBAC (subscription and resource-level role assignments — Owner, Contributor, User Access Administrator) is covered by the Azure/AWS cloud IAM connector, which enumerates resource-level role assignments across all subscriptions. Both can be included in the same assessment engagement.
Every Conditional Access finding in the IdentityFirst report includes a step-by-step remediation playbook: the specific policy to modify or create, the recommended settings (named locations, grant controls, session controls), the users or groups to include or exclude, and the estimated implementation time.
For each finding, the report also includes the compliance control reference (NIS2, SOC 2, ISO 27001) and the blast radius if the gap is exploited — so you can prioritise remediation by risk, not alphabetical order of finding names.
Explore a live IdentityMRI Entra ID assessment report — no sign-up required — or book a session to see how IdentityFirst maps your own tenant in 24 hours, read-only.
Read-only via Microsoft Graph • No agents • Results in 24 hours • UK-hosted & ICO registered