Identity Is Your Real Security Perimeter

There's an old mental model where security is a wall around your building: firewall on the outside, trusted network on the inside. That model died the moment your business started running on Microsoft 365, and your team started logging in from home, from a phone, from an airport.
Once your data lives in the cloud, there is no inside. The thing standing between an attacker and your business isn't a firewall — it's whether they can convince your identity provider that they're one of your people. That's why I treat identity as the perimeter, and why it's the first thing I look at on almost every engagement.
Attackers don't break in — they log in
Most incidents I've worked didn't involve an exotic exploit. They involved a credential that worked. Someone reused a password, or approved an MFA prompt they didn't trigger, or clicked a convincing invoice link and typed their password into a page that looked exactly like the real sign-in screen.
That's the uncomfortable part: from the system's point of view, a stolen login and a legitimate login look identical. Your defense isn't detecting a break-in. It's making stolen credentials useless on their own, and making unusual sign-ins hard to pull off.
What actually moves the needle
Identity work has a long tail of nice-to-haves, but a short list does most of the work:
- MFA on every account — no exceptions, especially not for executives or admins
- Conditional Access: check the device, location, and risk level, not just the password
- Least privilege via RBAC — people get what their role needs, nothing more
- No standing admin rights; elevate only when needed, for as long as needed
- Access reviews on a schedule, so permissions get removed and not just granted
Notice that none of these require a new product. Most organizations already own the licensing to do all of it — it's sitting unconfigured in a tenant nobody has had time to tune.
The part almost everyone skips
Granting access is easy — someone asks, you click. Removing it is the part that quietly rots. Contractors finish and keep their accounts. People change roles and collect permissions like souvenirs. Service accounts get created for one project and outlive the person who made them.
Every one of those is a credential an attacker can use, attached to nobody who would notice it being used. Access reviews aren't exciting, but they're the difference between an environment that's actually least-privilege and one that just says so in a policy document.
When something does go wrong, identity contains it
I once investigated a phishing email that impersonated a known vendor and was convincing enough that automated filtering let it through — it targeted an executive. The thing that kept it to a single account wasn't the mail filter. It was identity: reset the credential, force MFA re-registration, validate the scope of what that account could reach, and watch it closely afterward.
If that account had held standing admin rights, or shared a password with other systems, the same email would have been a very different week.
Where to start
If you do nothing else this quarter: turn on MFA everywhere, find every account with admin rights and ask whether it still needs them, and put one access review on the calendar. That's not a transformation program — it's an afternoon, and it removes most of the easy paths into your business.
If you want a second set of eyes on how identity is configured in your environment, that's exactly the kind of thing I do. Reach out and we'll take a look.