Conditional Access evidence
UK teams are often asked whether MFA, break-glass access, unmanaged device policy, and legacy auth controls are really enforced. A proper Entra review answers that with policy-level detail rather than assumption.
Entra ID Security Audit UK
Entra ID Security Audit UK — Review Your Microsoft Entra Tenant Properly
Microsoft Entra ID is your cloud identity backbone — and it is full of configuration risks that standard tools do not surface. IdentityFirst maps every gap for UK organisations running Microsoft 365 and hybrid identity: Conditional Access blind spots, PIM bypass paths, over-privileged app registrations, and guest account exposure.
Read-Only via Microsoft Graph
Full Review in 24 Hours
Board-Ready PDF Report
Cyber Essentials Certified
What UK organisations usually need from an Entra ID security audit
The useful output is not just a tenant config dump. It is a clear view of identity risk, Conditional Access coverage, and evidence that management or auditors can actually work with.
Guest and application governance
External collaboration and app consent are common weak points in Microsoft 365 estates. The review shows which guest users, service principals, and app registrations still carry risk and where ownership is unclear.
Reportable output for UK buyers
The useful deliverable is a prioritised report that management, insurers, procurement teams, or auditors can follow. That is different from simply exporting Graph data or listing every policy object without interpretation.
Why Entra ID Security Reviews Are Critical
Cloud identity attacks grew by more than 300% in 2024. Entra ID is the most targeted cloud identity platform in the world — and most organisations have no visibility into its configuration risks.
Token Theft Bypasses MFA
Adversary-in-the-Middle (AiTM) phishing attacks steal authenticated session tokens — bypassing MFA entirely. Without token protection policies and sign-in frequency enforcement in Conditional Access, MFA provides no protection against these attacks.
Guest Accounts Accumulate Silently
B2B guest accounts are created freely through Teams, SharePoint, and Power Platform. They accumulate over months and years — many belonging to former partners, vendors, or contractors — with no automated review or expiry.
App Registrations Get Forgotten
App registrations are created for integrations, PoCs, and automated processes — and then forgotten. Client secrets expire or are rotated without removing the permission grants. Many carry Directory.ReadWrite.All or Mail.ReadWrite — tenant-wide write permissions.
Legacy Auth Bypasses Conditional Access
Basic Authentication, legacy SMTP AUTH, and older Office protocols cannot enforce Conditional Access policies. If these protocols are not explicitly blocked, any Conditional Access policy with MFA or device compliance requirements can be bypassed completely.
What an Entra ID Security Audit Covers
IdentityFirst structures its Entra ID assessment across six risk areas — each mapped to specific attack techniques and compliance controls.
Conditional Access
- Legacy authentication protocols not explicitly blocked — Conditional Access bypass path
- MFA gaps: which users, apps, and sign-in conditions are excluded from MFA enforcement
- Location-based policy completeness: trusted locations, named locations, and compliance gaps
- Device compliance enforcement gaps: users signing in from unmanaged devices to sensitive apps
- Break-glass account exposure: emergency accounts included in — or excluded from — policies inappropriately
Privileged Identity Management (PIM)
- Global Administrators assigned outside PIM — standing Tier-0 access in the cloud tenant
- Permanent role assignments vs eligible-only: every permanent assignment is a persistent attack surface
- Privileged Role Administrator count: who can grant themselves any role in the tenant
- Activation approval gaps: high-risk roles activatable without approval or MFA step-up
- PIM alert coverage: whether Entra ID PIM alerts are configured and monitored
Guest & External Access
- Guest user count vs active guests: percentage of guest accounts that have not signed in for 90+ days
- Guest access to sensitive SharePoint sites and Teams: external users with access to confidential content
- B2B collaboration policy: whether any external domain can invite guests without restriction
- External domain allowlist: which external organisations are trusted for collaboration
- Guest user MFA requirements: whether guests are subject to MFA Conditional Access policies
App Registrations & Enterprise Apps
- Client secret expiry: app registrations with expired or near-expiry secrets — often indicating abandonment
- Over-permissioned apps: registrations with Mail.ReadWrite, Directory.ReadWrite.All, or Files.ReadWrite.All
- User consent policy: whether users can grant app permissions without admin approval
- App Proxy exposure: on-premises applications published via App Proxy without pre-authentication
- Service principal ownership: app registrations with no current owner — abandoned and unreviewed
MFA Methods
- Authenticator app vs SMS vs voice: downgrade paths to weaker factors that are SIM-swappable
- Number matching enforcement: whether Microsoft Authenticator push fatigue protection is enabled
- Passwordless coverage: proportion of users enrolled in phishing-resistant (FIDO2/WHfB) MFA
- SSPR with weak factors: Self-Service Password Reset configured with email or security questions only
- MFA registration policy: whether all users are required to register MFA within a defined window
Monitoring & Alerts
- Sign-in risk policy coverage: Identity Protection risk-based Conditional Access policies configured and enforced
- Identity Protection licencing: whether P2 features (risk-based CA, risky user remediation) are licensed and active
- Audit log retention: whether Entra ID sign-in and audit logs are forwarded to SIEM with adequate retention
- High-risk sign-in alerting: whether risky sign-in events trigger automated or manual response workflows
- Diagnostic settings: whether Entra ID audit, sign-in, and non-interactive logs are exported to a Log Analytics workspace
Common Entra ID Findings
Representative examples of findings from real Entra ID environments — the configuration risks that exist in most organisations and are invisible without structured assessment.
Critical
d.walsh — Permanent Global Administrator, No PIM
d.walsh is assigned the Global Administrator role as a permanent (active) assignment — not via PIM eligible assignment. The account last signed in 12 days ago from a non-compliant device. No MFA step-up is required for role activation because the role is already permanently active.
Blast Radius: Critical — Global Admin provides full tenant control including user creation, app consent, and Conditional Access policy modification.
High
34% of Users MFA-Exempt via Legacy Auth Exception
Conditional Access Policy CA-002-MFA-All-Users excludes the "Legacy Auth Service Accounts" group, which currently contains 312 user accounts — 34% of the tenant user base. Legacy authentication is not blocked at the tenant level. Basic Auth SMTP and IMAP are active on Exchange Online.
Blast Radius: High — any of these 312 accounts can authenticate without MFA via legacy protocols.
High
127 Guest Accounts — 89 Inactive for 90+ Days
The tenant contains 127 B2B guest accounts. 89 of these have not signed in for 90 or more days. 34 of the inactive guests retain access to at least one SharePoint site or Teams channel. No access review campaign has been run against guest accounts in the past 12 months.
Blast Radius: Medium — inactive guest accounts represent an unmonitored external access surface.
Critical
3 App Registrations with Directory.ReadWrite.All — Never Reviewed
Three app registrations hold Directory.ReadWrite.All application permission (not delegated). Owner records show departed employees for two of them. Client secrets are valid. No conditional access policy applies to service principals. These apps can read and write all directory objects in the tenant.
Blast Radius: Critical — Directory.ReadWrite.All provides near-equivalent access to a Global Admin.
High
Conditional Access Policy Excludes Break-Glass and 6 Service Accounts
The primary MFA enforcement policy (CA-001-MFA-Privileged) excludes two break-glass accounts and six service accounts. The break-glass accounts have no sign-in monitoring alert configured. The six service accounts are used for automation but their credentials are stored in a shared spreadsheet, not a secrets vault.
Blast Radius: Critical — break-glass accounts without monitoring are a common lateral movement pivot.
How IdentityFirst Reviews Entra ID
A structured, five-stage read-only pipeline from Microsoft Graph OAuth to board-ready report — completed within 24 hours.
1
Day 1
OAuth Read-Only
A dedicated app registration is created in your tenant with read-only Microsoft Graph permissions (User.Read.All, Policy.Read.All, RoleManagement.Read.Directory, Directory.Read.All). No write permissions. Admin consent granted once by a Global Admin or Privileged Role Administrator.
2
Day 1–2
Complete Enumeration
IdentityFirst enumerates all users, groups, roles, app registrations, service principals, Conditional Access policies, PIM assignments, guest accounts, and sign-in risk policies via Microsoft Graph. Every object and every attribute relevant to identity security is captured.
3
Day 2
Cross-Platform Correlation
Entra ID findings are correlated with on-premises Active Directory (where connected) — surfacing hybrid identity gaps, accounts that exist in AD but are not managed in Entra ID, and Entra ID accounts without corresponding on-premises identities that should not exist.
4
Day 2
MFA Coverage Score
MFA coverage is calculated per-user and per-role, accounting for Conditional Access exclusions, legacy authentication bypass paths, and MFA method strength. The score is expressed as a percentage of users with effective phishing-resistant MFA coverage.
5
Day 2–3
Prioritised Report
Board-ready PDF with ranked findings, blast radius per finding, MFA coverage score, PIM coverage analysis, guest account exposure, app registration risk, and compliance mapping — delivered within 24 hours of scan completion.
Entra ID Security Audit — Common Questions
Straight answers to the questions we hear most often about Entra ID and Microsoft Entra ID security reviews.
What is Microsoft Entra ID?
Microsoft Entra ID is Microsoft’s cloud identity and access management service. IdentityFirst uses the current Microsoft Entra ID naming consistently across the platform, reporting, and supporting content.
What permissions does the Entra ID audit require?
IdentityFirst requires the following read-only Microsoft Graph API application permissions:
User.Read.All— read all user profilesGroup.Read.All— read all group membershipsDirectory.Read.All— read directory objectsPolicy.Read.All— read Conditional Access policiesRoleManagement.Read.Directory— read role assignments and PIM assignments
These are application permissions granted to a dedicated app registration — no Global Admin rights are required for the connector itself. The one-time admin consent step requires a Global Admin or Privileged Role Administrator. We walk you through the setup in under 30 minutes.
How does Conditional Access auditing work?
IdentityFirst reads all Conditional Access policies via Microsoft Graph and evaluates them against a structured risk model: which users and groups are excluded, which applications are not covered, whether legacy authentication is explicitly blocked, whether device compliance is enforced for high-risk applications, and whether break-glass accounts are appropriately scoped.
Each gap is reported with the specific policy name, exclusion scope, affected user count, and recommended remediation — including the exact Conditional Access policy configuration to apply.
Does the audit cover Azure RBAC as well?
The Entra ID audit covers Entra ID roles (Global Administrator, Privileged Role Administrator, Application Administrator, etc.) and Entra ID-level permissions including app registration grants and PIM assignments.
Azure RBAC (subscription and resource-level role assignments — Owner, Contributor, User Access Administrator) is covered by the Azure/AWS cloud IAM connector, which enumerates resource-level role assignments across all subscriptions. Both can be included in the same assessment engagement.
How do I fix Conditional Access gaps found in the audit?
Every Conditional Access finding in the IdentityFirst report includes a step-by-step remediation playbook: the specific policy to modify or create, the recommended settings (named locations, grant controls, session controls), the users or groups to include or exclude, and the estimated implementation time.
For each finding, the report also includes the compliance control reference (NIS2, SOC 2, ISO 27001) and the blast radius if the gap is exploited — so you can prioritise remediation by risk, not alphabetical order of finding names.
Is this Entra ID audit suitable for UK organisations?
Yes. The Entra ID review is relevant for UK organisations using Microsoft 365 and hybrid Microsoft identity, especially where evidence is needed for governance, customer diligence, cyber insurance, or regulated access control reviews.
IdentityFirst keeps the engagement read-only and aligns findings to the public trust and compliance posture described on the site, so the output stays grounded in the product boundary rather than in exaggerated platform claims.
Ready to Audit Your Entra ID Tenant?
Explore a representative IdentityFirstMRI Entra ID assessment report, or book a session to see how IdentityFirst maps your own tenant in 24 hours, read-only.
Read-only via Microsoft Graph • No agents • Results in 24 hours • UK-hosted & ICO registered